The task is to carry out an information security risk assessment for an organization and develop an Information Security Strategy for that organization. This should include, at least:
- a prioritized list of the risks identified (4 - 5 information risks) as follows:
i) Identify & analyse information risks with clear identification of assets, vulnerabilities and threats (TVA analysis). When you identify these risks, make sure to classify them properly (for example, loss of information is a general risk, so you should clarify whether it is loss of confidentiality, integrity or availability).
ii) Give an estimate of single loss expectancy (SLE) and annualized rate of occurrence (ARO), and then calculate the annualized loss expectancy (ALE). SLE & ARO should be justified from previous information security reports such as the 2014 Information Security Breaches Survey (http://www.pwc.co.uk/audit-assurance/publications/2014-information-security-breaches-survey.jhtml).
- a list of specific controls that should be put in place, and any relevant guidance on how the controls should be implemented, along with clear rationales, in terms of costs and benefits, for the choices that have been made (see control examples).
- an outline of the information security policies that should be established.
- an audit strategy for the controls that have been proposed.
- a suitable incident response plan.
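As an added illustration of points i) and ii) and of the cost/benefit rationale asked for under controls (this is not part of the brief and not anyone's submission), the following Python builds a small risk register, classifies each risk by asset, threat, vulnerability and the CIA property at stake, computes ALE = SLE × ARO, ranks the risks, and scores candidate controls by annual net benefit (ALE reduction minus control cost). Every asset name, SLE, ARO and control cost is a constructed placeholder, not a figure taken from any breaches survey; in a real assessment those values must be justified from the cited reports.

```python
"""Risk register with ALE calculation and control cost/benefit ranking.

Added example, not part of the assignment brief. All asset names, monetary
values, ARO figures and control costs are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str      # property at stake: "confidentiality", "integrity" or "availability"
    sle: float    # single loss expectancy, currency units per incident
    aro: float    # annualized rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this risk."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float      # yearly cost of running the control
    aro_reduction: float    # fraction of ARO removed (0..1), e.g. fewer incidents
    sle_reduction: float    # fraction of SLE removed (0..1), e.g. smaller impact


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is applied to the risk."""
    return (risk.sle * (1.0 - control.sle_reduction)
            * risk.aro * (1.0 - control.aro_reduction))


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control: ALE it removes minus what it costs.

    A negative value means the control costs more than the loss it prevents,
    which is the cost/benefit rationale for rejecting it.
    """
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order the register by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def build_register() -> List[Risk]:
    """Constructed sample register (placeholder values, not survey data)."""
    return [
        Risk("customer database", "external attacker", "unpatched web application",
             "confidentiality", sle=120_000, aro=0.5),
        Risk("file server", "ransomware", "no offline backups",
             "availability", sle=40_000, aro=1.0),
        Risk("staff laptops", "theft", "no full-disk encryption",
             "confidentiality", sle=8_000, aro=3.0),
        Risk("order system", "operator error", "no input validation",
             "integrity", sle=15_000, aro=2.0),
    ]


def evaluate_controls() -> Dict[str, float]:
    """Score candidate controls against the risks they address."""
    by_asset = {r.asset: r for r in build_register()}
    candidates = [
        ("staff laptops", Control("full-disk encryption", 5_000, 0.0, 0.9)),
        ("staff laptops", Control("24/7 physical guarding", 30_000, 0.5, 0.0)),
        ("file server", Control("offline backups", 6_000, 0.0, 0.75)),
    ]
    return {c.name: control_net_benefit(by_asset[asset], c) for asset, c in candidates}


if __name__ == "__main__":
    print(f"{'asset':<18}{'CIA':<16}{'SLE':>9}{'ARO':>6}{'ALE':>10}")
    for r in prioritize(build_register()):
        print(f"{r.asset:<18}{r.cia:<16}{r.sle:>9.0f}{r.aro:>6.1f}{r.ale:>10.0f}")
    for name, benefit in evaluate_controls().items():
        verdict = "adopt" if benefit > 0 else "reject"
        print(f"{name:<24} net benefit {benefit:>9.0f}  -> {verdict}")
```

The register prints in priority order with the customer database first, and the control table shows why physical guarding of laptops is rejected on cost grounds while disk encryption and offline backups pay for themselves; the same structure extends directly to a 4 to 5 risk register with survey-justified values.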
You should make use of whatever accepted industry or international standards you feel are appropriate in carrying out this task, but either COBIT 5 or ISO 27000 series standards, or a combination of both are recommended.
If you feel that additional areas need to be addressed in the strategy, then please add them, with a brief explanation of why.
In selecting an organization to focus on, you may choose a specific organization with which one or more of your group are familiar. In the case where you choose an organization that not all of the group members are familiar with, you should clearly define the roles that each member of the group will take in the assignment work, bearing in mind the prior knowledge that each member has.