Assignment task 1: Understanding the Work of the IT Governance Board
Post your initial response of at least 150 words
The work of the company's governance boards and committees is extremely important since these groups plan, design, negotiate, implement and provide oversight for the processes, policies, procedures, and other mechanisms used to guide, monitor, control, and assess the operations of the company. Each board is comprised of executives who each represent their functional areas or a group of internal stakeholders. Usually, there is a chair position that rotates among the members. If you would like to learn more about corporate governance in general, Deloitte's report Developing an effective governance operating model: A guide for financial services boards and management teams provides a brief but comprehensive overview. You may also find this article What is a management system? from the International Standards Organization, helpful as it explains what a management system is and why standards are needed to define repeatable steps that organizations can use to ensure the effectiveness and efficiency of their management activities.
The next meeting of the IT Governance board will include a set of orientation briefings for the new members. If you had to make a recommendation to the IT Governance board for standards that should be followed as it relates to Cybersecurity in an organization, what would that standard be? For example, the following IT management / IT security management frameworks, standards, and models.
COBIT
ITIL
ISO 27001 (ISMS Program Management)
NIST Cybersecurity Framework
NIST Security and Privacy Controls (NIST SP 800-53)
NIST Risk Management Framework (NIST SP 800-37)
Cite your sources as appropriate.
Assignment task 2:
Research Report: Data Breach Incident Analysis and Report
Scenario:
Padgett-Beale Inc.'s (PBI) insurance company, CyberOne Business and Casualty Insurance Ltd, sent an audit team to review the company's security policies, processes, and plans. The auditors found that the majority of PBI's operating units did not have specific plans in place to address data breaches and, in general, the company was deemed "not ready" to effectively prevent and/or respond to a major data breach. The insurance company has indicated that it will not renew PBI's cyber insurance policy if PBI does not address this deficiency by putting an effective data breach response policy and plan in place. PBI's executive leadership team has established an internal task force to address these problems and close the gaps because they know that the company cannot afford to have its cyber insurance policy cancelled.
Unfortunately, due to the sensitivity of the issues, no management interns will be allowed to shadow the task force members as they work on this high priority initiative. The Chief of Staff (CoS), however, is not one to let a good learning opportunity go to waste ... especially for the management interns. Your assignment from the CoS is to review a set of news articles, legal opinions, and court documents for multiple data breaches that affected a competitor, Marriott International (Starwood Hotels division). After you have done so, the CoS has asked that you write a research report that can be shared with middle managers and senior staff to help them understand the problems and issues arising from legal actions taken against Marriott International in response to this data breach in one of its subsidiaries (Starwood Hotels).
Research
1. Read / Review the readings for Weeks 1, 2, 3, and 4.
2. Research the types of insurance coverage that apply to data breaches. Pay attention to the security measures required by the insurance companies before they will grant coverage ("underwriting requirements") and provisions for technical support from the insurer in the event of a breach. Here are three resources to help you get started.
a. Woodruff Sawyer- Guide to Cyber Liability Insurance
b. Prepare Your Business with Cyber Insurance Coverage and Solutions
c. Woodruff Sawyer- Cyber 101: Understand the Basics of Cyber Liability Insurance
3. Read / Review at least 3 of the following documents about the Marriott International / Starwood Hotels data breach and liability lawsuits.
a. Marriott Starwood Data Breach Highlights Silent Cyber Risk in Acquisitions
b. Marriott Hotels fined £18.4m for data breach that hit millions
c. Marriott First Response Letter
d. What every hotel owner (and operator) needs to know about "data security" after the Wyndham Worldwide case
e. The Marriott data breach
f. Marriott International Update on Starwood Reservation Database Security Incident
4. Find and review at least 2 additional resources on your own that provide information about data breaches and/or best practices for preventing and responding to such incidents.
Write:
Write a 4-5 page report using your research. At a minimum, your report must include the following:
1. An introduction or overview of the problem (cyber insurance company's audit findings regarding the company's lack of readiness to respond to data breaches). This introduction should be suitable for an executive audience and should explain what cyber insurance is and why the company needs it.
2. An analysis section in which you discuss the following:
a. Specific types of data involved in the Starwood Hotels data breaches and the harm
b. Findings by government agencies / courts regarding actions Starwood Hotels / Marriott International should have taken
c. Findings by government agencies / courts regarding liability and penalties (fines) assessed against Marriott International.
3. A review of best practices which includes 8 or more specific recommendations that should be implemented as part of Padgett-Beale's updated data breach response policy and plans. Your review should identify and discuss at least 2 best practices for each of the following areas: people, processes, policies, and technologies. Be sure to describe the difference between processes and policies.
4. A closing section (summary) in which you summarize the issues and your recommendations for policies, processes, and/or technologies that Padgett-Beale, Inc. should implement.