INSTITUTE OF TECHNOLOGY CARLOW.
Added on - 20 Sep 2019
Assignment 2

The organisation ABC has suffered 3 information security related breaches in the past 18 months and wants to implement an Information Security Management System (ISMS) to address major shortcomings in its management of information security.

You have been recruited as the Chief Information Security Officer (CISO) and your first task is to prepare a plan for implementing an ISMS within ABC, with the long-term aim of achieving ISO 27001 certification.

For the purpose of this assignment you are being asked to complete a number of tasks associated with the planning stage of an ISMS.

Note: The organisation you choose as ABC can be in any industry or sector. It can be a real organisation you are familiar with or a made-up organisation. You will need to clearly describe the organisation and its systems when you define the scope of the ISMS.

Your assignment should incorporate all of the following elements:

• Define the Scope of the ISMS. The scope of the ISMS describes the boundaries of the ISMS in terms of organisational characteristics such as location(s), business functions, assets, and technology. It should include a list of important business functions that are critical to the organisation's mission and survival. It should also include a list of important information, information technology and system assets.

• Prepare an information security policy statement for your chosen organisation. This should include a statement of management commitment as well as setting out the organisation's approach to managing information security.

• Carry out a risk assessment that should identify at least 12 information security risks to your chosen organisation, its network, systems and information. Use one of the risk assessment models such as NIST SP 800-30. Identify relevant threat events and sources and determine their relevance. Identify vulnerabilities (and their severity) within the organisation that could be exploited by the threat events you identified. You should select vulnerabilities that are appropriate to your chosen organisation. Determine the likelihood of the threat events occurring and being successful, and the type and magnitude of the