You have been assigned to support the
Padgett-Beale Merger & Acquisition (M&A) team working under the direct
supervision of Padgett-Beale’s Chief Information Security Officer (CISO). The
M&A team is in the planning stages for how it will integrate a new
acquisition, Island Banking Services, into the company as its financial
services arm (PBI-FS). Initially, PBI-FS will function as a wholly owned
subsidiary which means that it must have its own separate cybersecurity
Your first major task (Project #1) will be
to help develop a Cybersecurity Strategy & Plan of Action for PBI-FS.
Island Banking Services never had a formal cybersecurity program so you’re
starting from scratch. You will need to research best practices as well as
relying heavily upon what you learned in your undergraduate studies in
Cybersecurity Management and Policy. The CISO has provided detailed instructions
for this task. (These appear after the Background section below.)
After five years of operation, Island
Banking Services — a non-U.S. firm — was forced into bankruptcy after
criminal money laundering charges were filed against the company and its
officers. Padgett-Beale, Inc. purchased the digital assets and records of this
financial services firm from the bankruptcy courts. The purchased assets
include licenses for office productivity software, financial transactions
processing software, database software, and operating systems for workstations
and servers. Additional assets included in the sale include the hardware,
software, and licensing required to operate the company’s internal computer
1. Island Banking Services IT Infrastructure Purchased by Padgett-Beale, Inc.
Padgett-Beale’s legal counsel successfully
negotiated with the bankruptcy court and the criminal courts for the return of
copies of the company’s records so that it could restart Island Banking
Service’s operations. The courts agreed to do so after Padgett-Beale committed
in writing to reopening the customer service call center (but not the branch
offices) on the island. Reopening the call center will provide continued
employment for 10 island residents including 2 call center supervisors.
Padgett-Beale intends to relocate the call center to a company owned property
approximately 10 miles away from the current location and adjacent to a newly
opened Padgett-Beale resort.
Padgett-Beale’s Risk Manager has
recommended that the Merger & Acquisition plan be amended such that Island
Banking Services would be operated as a wholly owned subsidiary for a period of
5 years rather than being immediately and fully integrated as an operating
element of Padgett-Beale. The company’s attorneys agreed that this would be the
best approach given the potential for additional legal troubles related to the
actions of the previous owners and employees. The Board of Directors has signed
off on this amendment to the M&A plan and stipulated that the new
subsidiary will be named PBI Financial Services (PBI-FS). The company officers
and senior managers for PBI-FS will be named at a later date. For now, the
leader of the M&A Team will serve as the Chief Operating Officer. Padgett-Beale’s
Chief Information Security Officer will be loaned to PBI-FS while a search is
conducted for a dedicated CISO for the subsidiary.
CISO’s Detailed Instructions to You
The CISO has given you and your team mates
a set of instructions (below) which you should follow as you complete this
Task #0: Read and Analyze the Background Materials
If you have not already done so, read the
Background information in this file. Next, review the Padgett-Beale M&A
Profile 2020 which was posted to the LEO classroom. You should also review all
materials from the classroom for Weeks 1 – 4 as these provide needed
information about the Financial Services industry and the legal and regulatory
requirements which apply to this industry.
Task #1: Perform a Gap Analysis & Construct a Risk Register
Using the information available to you, determine
the most likely information technology/security gaps which existed at Island
Banking Services prior to its being acquired by PBI. Next, determine which of
these, if not addressed, will likely exist in the newly formed subsidiary
PBI-FS. Document your analysis and evaluation in a Gap Analysis.
Your Gap Analysis should address operating
issues relating to confidentiality, integrity, and availability (CIA) of
information, information systems, and information infrastructures owned or used
by PBI-FS. Your analysis should also consider and use the People, Process,
and Technology framework.
Step 1: Identify 10 or more significant cybersecurity
issues/challenges/risks which the background information and M&A profile
indicate currently exist at PBI-FS / Island Banking Services. You are allowed
to “read between the lines” but must be able to map your analysis and findings
to specific statements from these documents. These items will become your
“Gaps” for the Gap Analysis. Use one or more cybersecurity frameworks or
standards (e.g. NIST CSF; People, Processes, and Technologies; Confidentiality,
integrity, availability) to organize your analysis.
Note: there was
significant criminal behavior found at Island Banking Services. Your analysis
must address internal weaknesses which allowed this to occur without being
discovered by the employees who were not involved in the crimes.
Step 2: Using
your Gap Analysis (step 1) create a Risk Register in which you list 10 or more
specific and separate risks. For each risk, assign a category (confidentiality,
integrity, availability, people, process, technology) and a severity (impact
level using a 1 – 5 scale with 5 being the highest potential impact).
Step 3: Review
the laws and regulatory guidance which apply to the Financial Services industry
and companies like Island Banking Services. For each entry in your risk
register, identify and record the laws, regulations, or standards which provide
guidance as to how the identified risks must be addressed or mitigated. Record
this in your risk register.
Step 4: Review
laws and regulations which apply to all companies, i.e. Sarbanes Oxley, IRS
regulations for Business Records, SEC regulations and reporting requirements,
etc. Review your Risk Register and either map these requirements to existing
entries in your risk register or insert new entries for significant legal or
regulatory requirements which you were not able to map to your previously
identified risks. (Include risk related to non-compliance.)
Step 5: Review section 1.2 Risk Management and the Cybersecurity Framework
in the NIST Cybersecurity Framework v1.1 (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. CSWP. 04162018.pdf)
Using this information, determine the best
strategy for addressing (“treating”) each of your identified risks. Remember
the four types of risk mitigation strategies (accept, avoid, control,
business impact for each of your mitigation strategies (e.g. if you applied an
“avoid” strategy across the board, the company would not be able to operate in
the financial services industry because it would need to shut down all
Record your risk mitigation strategy for
each risk in your risk register. For each of your “control” entries, include
the corresponding control category and subcategory (if applicable) from the
NIST Cybersecurity Framework (see Tables 1 and 2 in version 1.1).
Examples: ID.AM Asset Management or PR.AC Identity Management and Access
Control. Remember to cite your sources.
Develop a Cybersecurity Strategy that presents five or more specific
actions (strategies) that the company should take to implement your recommended
risk mitigations. Include information from your gap analysis, legal and
regulatory analysis, risk analysis and proposed risk mitigations. Under each strategy
include information about how the strategy will affect or leverage people,
policies, processes, and technologies (hardware, software, infrastructure). Include
examples and other pertinent information about Island Banking Services and Padgett-Beale.
You should have at least one technology related strategy which includes an
updated Network Diagram. This diagram must show the to-be state of the IT
infrastructure including recommended mitigating or “control” technologies, e.g.
intrusion detection, firewalls, DMZ’s, etc. (start with the diagram provided in
this assignment file).
strategy will be presented to the Board of Directors by the executive who is
leading the Merger & Acquisition Team so make sure that you write in
appropriate language and include sufficient detail to explain your recommended
Step 7: Develop and document a proposed plan of action and implementation
timeline that addresses each element of the cybersecurity strategy that you
identified previously (in step 6). Provide time, effort, and cost estimates for
implementing your recommended actions (include appropriate explanations of your
reasoning). Include the resources (people, money, etc.) necessary for
completing each task in the timeline.
Step 8: Develop a set of 5 or more high-level summary of recommendations
regarding the next steps to take in mitigating the risks that you identified in
steps 1-7. These recommendations should logically flow from your analysis and
be supported by your Cybersecurity Strategy and Plan of Action.
Putting It All Together
Format your work for Steps
1-7 as a Cybersecurity Strategy and Plan of Action. The six major elements listed below should appear in this order in
a single file. Your MS Word format document file must include:Introduction (what is in this
document and to what organization does it apply)Gap Analysis (Step 1)Legal & Regulatory
Requirements Analysis (Steps 3, 4)Risk Analysis & Risk
Register (Steps 2, 3, 4, 5)Cybersecurity Strategy (Step 6)Plan of Action and
Implementation Timeline (Step 7)
Strategy and Plan of Action is a comprehensive MS Word document that
includes a separate title page followed by the six major elements (see list
under step 7) and ending with a reference list. Your document must include a
reference list and appropriate citations throughout. You will need 10 – 12
pages to fully document your strategy and plan. Use section headings and
sub headings to organize your work. You may use internal title pages (section
titles) to make it clear where each of the major elements begins and ends.
Title pages and reference pages are not included in the recommended length.
Format your recommendations
from Step 8 as a Cover Letter / Recommendations Memo to accompany your Security Strategy document.
The Recommendation Memo is a 2 page,
professionally formatted memorandum addressed to the Merger & Acquisition
Team. This cover letter / memo should summarize why this package is being forwarded
to the M&A team for “review and action.” The memo should introduce and
provide a brief summary of the purpose and contents of the Cybersecurity Strategy and Plan
of Action (name and
describe each of the major sections). Use a professional format for your memo (consider using one of
the MS Word templates). The memo does not include citations or references but,
you may need to name laws or regulations.
Notes on Constructing Your Network Diagram (for step 6):
Your diagram must be based upon the
provided network diagram with additions or deletions that are clearly your own
work. You may use MS Word’s drawing tools, Power Point, or other drawing
program. When you have completed your diagram, you may find it helpful to take
a screen snapshot and then pasted that into your deliverable file(s).
You may use commercial or “free” clip-art
to represent individual end point devices or network appliances such as
routers, firewalls, IDPS, etc.) Clip art does not need to be cited provided
that it is clip art (not screen captures from another author’s work).
the grading rubric for specific content and formatting requirements for this
paper should be professional in appearance with consistent use of fonts, font
sizes, margins, etc. You should use headings and page breaks to organize your
paper should use standard terms and definitions for cybersecurity. The
CSIA program recommends that you follow standard APA formatting since this will
give you a document that meets the “professional appearance” requirements. APA
formatting guidelines and examples are found under Course Resources > APA
Resources. An APA template file (MS Word format) has also been provided for
your use CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx. All
submission files must begin with a cover page with the assignment title, your
name, and the due date. Your reference list must be on a separate page at the
end of your file. You
are expected to write grammatically correct English in every assignment that
you submit for grading. Do not turn in any work without (a) using spell check,
(b) using grammar check, (c) verifying that your punctuation is correct and (d)
reviewing your work for correct word usage and correctly structured sentences
and paragraphs. You
are expected to credit your sources using in-text citations and reference list
entries. Both your citations and your reference list entries must follow a
consistent citation style (APA, MLA, etc.).
The post Project #1: Cybersecurity Strategy & Plan of Action
Assignment status: Solved by our experts