Company hiring a New CISO


A well-known company (you select the industry or the company that will help you design the plan) has suffered a breach and is concluding its return to normal operation after hiring a forensic firm. As a result of the intrusion, the CISO was terminated. The CEO and CFO are hiring you to be the new company CISO.

They have asked you to create a 90-day plan for the company that will address the issues of the breach and will implement a comprehensive security program. The CEO and CFO want a five (5) to ten (10) minute presentation of your plan, to be given at the quarterly company board meeting. You must submit your security program to the board of directors before the meeting.

At a minimum, your security plan should cover recommendations regarding corrective measures and activities that will improve the company (you may make assumptions regarding the cause of the breach and the weaknesses of the organization, but you must explain those assumptions):

  1. Create a 90-day plan (a timeline is suggested) that includes the following components:
    1. Reference at least 3 CIS controls. For each control, state why you need it, how you would use it, and what the expected benefit will be of implementing it to mitigate the weakness you identify (3 pages; one page per control maximum).
    2. Identify 3 risks that might impact the company and your proposed mitigation plan (what the 3 risks are and what will happen to the company if they are not mitigated; remember they may not be mitigated completely). (1-2 pages maximum)
    3. Compose a Security Blueprint that contains at least 3 areas that you will be addressing (any format you choose).
    4. Describe at least two security education or awareness actions you would implement and what they would contain. (1-2 pages)
  2. Prepare a 5-minute presentation to be delivered in addition to the written document.