About the Case Study
You have just been employed as CISO for a growing Dubai-based food importer named Alibaba’s Fine Food LLC (medium size company). Alibaba’s Fine Food LLC is a rapidly expanding business which imports packaged food items from all over the world into United Arab Emirates, supplying grocers, retailers, restaurants, supermarkets and other food outlets throughout the country.
The company is headquartered in Jumeirah, near the Port of Jebel Ali, which is where the majority (approximately 80%) of its shipments arrive. In addition to importing through the Port of Jebel Ali, Alibaba’s Fine Food LLC imports through the Port of Al Ain, the Port of Abu Dhabi and the Port of Fujairah.
Alibaba’s Fine Food LLC has offices in each of these ports (5 employees in the Port of Jebel Ali, and 3 employees each in the Port of Al Ain, the Port of Abu Dhabi and the Port of Fujairah). In addition, Alibaba’s Fine Food LLC has sales offices (6 employees each) in downtown Dubai, Sharjah, Fujairah and Ajman. The company also has distribution points in Business Bay, Al Ain, Abu Dhabi, Jumeirah, Deira and Al Quoz. When shipments arrive at a port, the company’s trucks bring the imported products to a distribution point, where they are held temporarily until being delivered by truck to the company’s customers across the United Arab Emirates. The company owns its own fleet of delivery trucks and employs over 100 drivers.
It has three servers located at its headquarters—an Active Directory server, a Linux application server, and an Oracle database server. The application server hosts Alibaba’s Fine Food LLC’s primary software application, which is a proprietary program managing the suppliers, distribution and customer information. The database server manages all data stored locally with direct-attached storage.
All sales offices and distribution points use Ethernet-cabled local area networks (LANs) to connect the users’ Windows 7 workstations via industry-standard managed switches.
The delivery trucks connect to headquarters via handheld devices using Wi-Fi connections provided by an external Internet service provider (ISP). That Internet traffic enters headquarters through a firewall.
Alibaba’s Fine Food LLC has grown so rapidly that it still does not have good-quality information security governance structures and policies. Your first job as CISO is to develop a plan for the information security management system that you will put in place at Alibaba’s Fine Food LLC. You do not need to work out every detail at this stage. This is a starting point that you can show the board and senior management to demonstrate that you know what you are doing and the overall direction you plan to move in. The company’s main requirements are in the areas of policies, contingency planning, and Security Education, Training, and Awareness (SETA). The sections that you will address in your proposal are given below.
A full proposal includes all of the following sections:
1 Overview of the Company (see chapter 1-2)
Provide an overview of the company history, including an organization chart (job titles), number of employees, description of physical facilities, and general description of organization computing and in-place security resources. Your overview should also include a mission statement, vision statement and values statement for the company. You may make up any details you need so long as they are consistent with the facts given in “About the Case Study" above.
2 Business Impact Analysis (a risk assessment of threats based on the IT infrastructure described in the case study: compile a list of threats, then discuss the impact of each threat) and a listing of operations and the systems used (see chapter 3)
You are asked to perform a Business Impact Analysis based on the IT infrastructure described in the case.
The analysis should also include the identification of risks, threats, and vulnerabilities; the classification of those risks, threats, and vulnerabilities; and their prioritization. This section should summarize and address the risk assessment findings, the risk assessment impact, and recommendations (technical controls for the threats) to remediate areas of noncompliance.
Remember that when you are asked to review the IT systems, hardware, software, and communications infrastructure that support business operations and functions, you need to define how to maximize availability when developing a backup and recovery procedure. This alignment of IT systems and components must be based on business operations, functions, and prioritizations. That prioritization is usually the result of a risk assessment and of how the identified risks, threats, and vulnerabilities impact business operations and functions.
You may find templates online that could be used and require minor modification.
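The following is an added worked example, not part of the assignment text or of any template it refers to, showing one way to carry the risk assessment described above through to a prioritized list of threats and a recovery order for the case-study systems. The 1-5 likelihood and impact scales, the threat list, the recommended controls and the maximum tolerable downtime (MTD) values are constructed assumptions that a CISO would replace with the results of the actual assessment; only the assets come from the case description.

```python
"""Risk register and prioritization for the Alibaba's Fine Food LLC case.

Added illustration. Every score, scale and MTD value below is an assumption
made for the example, not a finding stated in the case study.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe);    assumed scale
    control: str      # recommended technical control to remediate


@dataclass
class Asset:
    name: str
    business_function: str
    mtd_hours: int    # maximum tolerable downtime; assumed value
    threats: list = field(default_factory=list)


def risk_score(t: Threat) -> int:
    """Qualitative risk = likelihood x impact (classic risk-matrix approach)."""
    return t.likelihood * t.impact


def classify(score: int) -> str:
    """Bucket a score into the three classes used in the assessment (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register() -> list:
    """Assets are taken from the case; threats, scores and MTDs are constructed."""
    return [
        Asset("Oracle database server", "all supplier, distribution and customer data", 4, [
            Threat("Direct-attached storage failure without a tested backup", 3, 5,
                   "scheduled backups to separate storage with periodic restore tests"),
            Threat("Ransomware encrypting database files", 3, 5,
                   "offline backup copies, endpoint detection, network segmentation"),
        ]),
        Asset("Linux application server", "supplier, distribution and customer management", 8, [
            Threat("Unpatched service reachable through the headquarters firewall", 3, 4,
                   "patch management and least-privilege inbound firewall rules"),
        ]),
        Asset("Active Directory server", "authentication for every office and distribution point", 8, [
            Threat("Compromise of a privileged domain account", 2, 5,
                   "multi-factor authentication and tiered administrative accounts"),
        ]),
        Asset("Windows 7 workstations", "daily work in sales offices and distribution points", 48, [
            Threat("Exploitation of an unsupported operating system", 4, 4,
                   "upgrade to a supported Windows release; application allow-listing"),
        ]),
        Asset("Handheld devices over ISP Wi-Fi", "delivery tracking from the truck fleet", 24, [
            Threat("Interception of traffic on untrusted wireless networks", 3, 3,
                   "VPN tunnel to headquarters and full-device encryption"),
        ]),
    ]


def rank_threats(register: list) -> list:
    """Return (asset, threat, score, class) tuples, highest risk first (ties keep register order)."""
    rows = [(a.name, t, risk_score(t), classify(risk_score(t)))
            for a in register for t in a.threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def recovery_order(register: list) -> list:
    """Order assets for backup/recovery planning: shortest MTD first, highest risk breaks ties."""
    def key(a: Asset):
        return (a.mtd_hours, -max(risk_score(t) for t in a.threats))
    return [a.name for a in sorted(register, key=key)]


if __name__ == "__main__":
    reg = build_register()
    for asset, t, score, cls in rank_threats(reg):
        print(f"{cls:6} {score:2}  {asset}: {t.name} -> {t.control}")
    print("Recovery priority:", " > ".join(recovery_order(reg)))
```

The ranking gives the remediation order for the recommendations section, while the recovery order (driven by MTD, not by threat score alone) is the input the backup and recovery procedure needs; the two lists deliberately differ, which is the point the BIA should make explicit.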
3 Contingency Planning (based on the company described in the case study above, complete a contingency planning template for one of the three components listed below) (see chapter 3)
You are then expected to produce a planning framework for contingency planning by providing a template for at least ONE of the following components:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
This does not require you to complete these components; only provide a detailed outline that the company can fill in to create these plans. You may find templates online that could be used and require minor modification.
4 Enterprise Information Security Policy (see chapter 4)
Create an Enterprise Information Security Policy for the company, based on the template in the text. Feel free to use assumptions to fill the policy with information as if you are the CISO of the company. A detailed policy is not required.
5 Issue-Specific Policies (see chapter 4)
Create a list outlining the ISSPs that the company will need (up to 10), and specify what each policy should address (1 - 3 sentences each). As an example, create one detailed issue-specific security policy for the case, based on the template in the text. Feel free to use assumptions to fill the policy with information as if you are the CISO.
6 Security Education, Training, and Awareness (see chapter 5)
Create a plan for a Security Education, Training, and Awareness (SETA) program for the company. Base your program on material and ideas presented in chapter 5 of your text and associated in-class readings. The program’s plan should list role-appropriate SETA activities for all categories of employees in the company, with a plan for a training cycle. You should also develop two example security awareness materials: one security awareness brochure, and one security awareness poster.
7 Security Staff (see chapter 5)
Identify the key roles and responsibilities of individuals and departments within the organization as they pertain to risk management. Build a security team for this size organization including specifications for the numbers and types of security professionals needed. For each position state qualifications and experience required for the new staff that will be recruited.
For each section of your project write at least half a page (and place it at the start of the section) justifying the templates that you chose. Explain why you are using a particular template or explain your approach or make comments about the template.
Additionally, for each section of the project, list the main headings that you have in the template for that section. You must ensure that you do not omit any important part. For example, for the BIA you must state the main headings or parts of your BIA, and you should be confident that you have not missed anything important.
The final grade you receive for the project will be based upon an interview with your instructor and your observed performance of project tasks throughout the semester. You must demonstrate a thorough understanding of everything in your assignment.
Please be aware of the plagiarism policy in this course specified in the course syllabus.