Question
SALT (Smart and Living Technologies) is a medium-sized software development company in Jamaica which was established in 2004. It is present in two premises, both of which have their offices. Additionally, they have hosted their information systems in a hosted data center facility with a service provider. That is the only instance of their IT infrastructure.
SALT provides software solutions and consulting services to clients who fall under small to medium-sized businesses. The departmental heads are mostly the people who have been there since the first day of the business, except the CISO, which is a new role introduced recently. This explains why heads of department in SALT have a good knowledge of their business processes but did not make much effort towards formal documentation. Alex Smith is the CEO of SALT. He started the company in partnership with a friend, Brett. Brett is an investor in the company but has a dormant role as far as the business operations are concerned. Mr. Smith is an engineer but he has no modern technical understanding of IT security issues.
Alex had no problems with IT security until very recently, when the company's network was subject to a series of attacks. In a period of 3 days, the company's website was defaced, a serious virus infected the company e-mail and large quantities of data were corrupted. Alex's IT security risk management concerns are wide ranging. He needs to determine whether the same hackers are likely to hack the company again.
He believes the recent attacks suggest the hackers were interested in either proprietary theft of sensitive information for personal and/or financial gain, or in disrupting the reputation of the company. There is also evidence of a previous disgruntled employee planning revenge against the company. Smith is worried about cyberterrorism and is concerned about becoming a victim of e-crime. After discussing with the Executive Committee, he appoints you as Chief Information Security Officer (CISO).
The CEO has shared a recent audit report to start with and the shocking results are listed below:
Internal Audit Report:
1. General info
- Improper operating procedures used by employees.
- Lack of security awareness and general security laziness.
- Nil acceptance of security responsibility.
- Inadequate standard operating procedures.
- Unattended machines.
- Failure to take care of media.
- Printing sensitive material.
- Failure to turn off computers at the end of the working day.
- Failure to backup information.
2. Hardware problems:
- Failure to adequately secure the hardware (e.g. laptops unsecured).
- Effects from the physical environment causing damage.
3. Software concerns:
- Some application software is of inferior quality and untested in the field and therefore not able to be trusted in the office environment.
- Nil audit logs.
- Lack of adequate access control.
- Lack of secure identification and authentication techniques.
- Limited antivirus software.
- Lack of restrictions to specific files when certain applications are operating.
- Lack of security awareness and general security laziness.
Task:
Based on the findings of the Audit report, discuss the major risks and threats the company is currently facing in the current scenario as of September 2022. Your discussion can be categorized under the broad categories of people, process and technology. Please also prepare one of the four major components of contingency planning:
a. Business impact analysis (BIA)
b. Incident response plan (IR plan)
c. Disaster recovery plan (DR plan)
d. Business continuity plan (BC plan)
FULLY DETAILED
A SUCCESSFUL ATTEMPT WILL BE REWARDED.