Congratulations! DigiHealth and Co has just contracted you for assisting the Chief Information

Security Officer $($CISO$)$ of the company for designing its Information Security Management System

$($ISMS$)$ based on the ISO$27001$ Information Security Framework.

As an expert in information security and cryptography you are invited to prepare a report for the

CISO addressing the following points raised during meetings. You need to prepare a formal report to

be submitted to the CISO that addresses all the following points.

DigiHealth and Co provides a platform that offers automated diagnosis and health$-$related

advice to their customers using health and diet related data collected via company$$s

wearables and mobile applications supporting Android and iOS at the moment.

The company has four major departments;

$$ Research and Development $($R&D$)$ department specialising in automated statistical

analysis with offices in UK $($London$)$ and Greece $($Athens$),$

$$ Manufacturing Department specialising in designing hardware for wearables in

China,

$$ Information Security and Technology Department that is responsible for the in$-$house

infrastructure as well as the cloud$-$based infrastructure hosted in Amazon Web

Services $($AWS$)$ in two locations USA and EU $($Ireland$),$

$$ Legal, Accounting, Billing and Invoicing department based in Cyprus $($UK$).$

a$)$ List the $10$ most critical operations of DigiHealth and Co;

b$)$ Define the scope according to the ISO$27001$ framework;

c$)$ Identify $10$ critical assets of the company and conduct a risk assessment for

each asset by identifying $2$ possible threats and $2$ possible vulnerabilities for

each threat for each asset.

You should include the following columns in your risk assessment table: name

of the asset, threat, vulnerability, current situation, impact, likelihood, risk,

suggested controls, residual risks.

In the current situation you are free to imagine any scenario that you would

like, e$.$g$.$ the server$$s data are encrypted with outdated encryption

algorithms.

d$)$ Identify $10$ policies according to ISO$27001$ that you plan to launch and for

each policy define $2$ metrics that can be used to measure their effectiveness

$($Refer to ISO$27001/$Annex A$).$