
SME Security Governance

Problem Statement & Student Guide


Version 3: 24th November 2015
Scenario

Leading Edge Removals is an SME based in Skelmersdale. The company
provides professional, high quality removals services to and from the UK and
international destinations. Founded as a family business in 1954, it has
many years of experience in the moving industry. It has grown from a local
and regional removals company and has recently started international
removals. A regional office is planned to open in Bristol. Both sites will
offer a household storage facility. The company is ambitious and sees
opportunities to expand, especially in the storage business (e.g. company
archive and self-storage) and in international removals.
The company currently employs approximately 50 staff. The management
team does not fully appreciate information security risks or the measures
needed to control them, and sees them as a burden. The company has
limited financial and technical resources and, for them, the most important
thing is that any spending must fit their revenue.
You are the newly appointed IT manager. In your previous job you worked in
a large company, initially as a network administrator, but subsequently you
moved to Information Assurance and had responsibility for internal security
audits based on ISO27001:2013.
Your job description includes references to IT security and ensuring levels
of service availability, but in your day-to-day work in the company you notice
that no serious consideration has been given to ownership of information
and data, or to access rights. Furthermore, the IT infrastructure has developed
piecemeal, with several servers of various ages running different systems
(e.g. Accounts system, Moveware logistics system, Domain controller for
user authentication). There have been some system failures recently, both
hardware and software, which have caused significant delays and lost
work time. Some users have also succumbed to phishing emails and have
downloaded viruses. "Security culture" certainly isn't a phrase that you'd use
to describe the situation. You are surprised to find that email is not hosted by
the ISP, but is on a server running MS Exchange inside the LAN rather than
in a DMZ, so a compromise of the mail server gives direct access to the internal network.
There are no company policies relating to information security, acceptable
use etc. In addition to this, your discussions with the MD show that he has
little understanding of information security governance as a process, and his
view of threats is limited to viruses, fire and server failure. He also gives the
very strong impression that he considers it all your responsibility.
You wonder if you should have taken the job, but it's a bit too late for that,
so you decide you need to take the initiative before you get landed with a
career-limiting security incident. You're familiar with ISO27001, but you're
not sure if that's overkill for this company, particularly given the costs involved.
You've also heard of the UK Government's Cyber Essentials programme and
the 10 Steps to Cyber Security guidance from CESG, which might be relevant.
You also went to a recent ISACA Northern Chapter meeting where the
Business Model for Information Security (BMIS) was discussed; you vaguely
remember it, and it might be relevant given the MD's attitude to security and the
need for ROI.
Learning Outcomes

The specific learning outcomes will depend on how the scenario is used. The
following are suggested technical learning outcomes.
On completion of the scenario, students will be able to:
- Articulate the major security risks and legal compliance issues for an
SME.
- Explain approaches to justification of investment on Infosec controls,
including ROSI (Return on Security Investment).
- Explain the key features of ISO27001 and risk assessment.
- Explain key features and requirements for an Information Security culture
and suggest activities for developing it.
- Analyse and discuss the relevance of Cyber Essentials and BMIS to the
scenario.
- Identify and outline key policies required and HR processes.
- Identify and justify technical controls for securing remote access and data
governance.

Your Task Stage 1: Analysis

Analyse the scenario above, identify aspects of it that you do not understand
and need to research before moving forward. Then create and deliver a
presentation which discusses the following.
1. What do you see as the major security issues here?
2. An outline plan of action to improve the security of this
company.
3. What further information do you need from the company in
order to propose a way forward?
Your Task Stage 2: Proposal and Plan

Using the additional information you've obtained from the company,
together with your research, you should now consider the detailed actions
that need to be taken to increase security.
There are two written deliverables, followed by a presentation:
1. A plan for influencing the board (actions/supporting information needed/
presentation).
2. A detailed proposal for securing the company assets and developing a
security culture. It should identify key assets, risks, controls (particularly
data governance) and ROSI.
3. You will then present your proposal to the board.

Reflection on Learning

It is also important that at the end of the scenario you reflect on your
learning and team working and identify what worked well, what didn't, and
actions for future improvement.

The Consulting Process

One of the benefits of Problem-based Learning is that you learn professional
skills as well as technical knowledge. The process we ask you to follow to
explore and provide solutions to the problem also mirrors the one used in
consultancy.
To assist you with the process, the table below shows the
activities we would expect you to complete in your PBL team. You should
read this carefully and make sure you are familiar with both the generic
activities (what PBL normally includes) and the specific ones (what you will be
doing at each stage).
Steps 1 and 2 will be conducted in the first PBL tutorial.
Step 3 a) and b) comprise your individual research and the summarising of your
learning.
Step 3 c) takes place as a sharing and teaching session at the next tutorial.
This process of sharing and teaching others is extremely beneficial to your
own learning.
Steps 4, 5 and 6 consist of team work and, whilst they are logically distinct, they
may take place at the same meeting as step 3 c), depending on the
schedule of meetings.
Step 7: in this scenario you will not be implementing a solution, so step 7 is
not undertaken.
Step 8 should be completed at the end of the scenario, both individually and
as a team, to identify what you've learned and how you can improve your
learning and team performance in future.
Your tutor/facilitator will discuss it with you.

The CSKE Consulting/ Learning Model

Each step below gives the problem-solving model stage, what PBL normally
includes at that stage, and what you will be doing at that stage in this scenario.

Step 1: Understanding organizational history and context
What PBL normally includes:
- Scenario analysis.
- Socio-technical organizational analysis.
- Clarification of ambiguities.
What you will be doing:
- Individual and team review of scenario text and video resources.
- Team discussion.
- Clarification of ambiguities with tutor/facilitator.

Step 2: Determining the problem to be resolved
What PBL normally includes:
- Requirements analysis: identify key issues.
- Simulated consultation with stakeholders (e.g. through roleplay and/or online interaction).
- Reviewing technology/processes in use.
- Identifying learning goals.
- Facilitator guidance.
What you will be doing:
- Team review of scenario: identifying key issues.
- Identifying learning goals.
- Team publish action list & summary in forum.

Step 3: Identifying/learning necessary knowledge
What PBL normally includes:
a) Individual research & learning to resolve knowledge gaps.
b) Summarising & reflection.
c) Teams share learning.
What you will be doing:
a) Individual research & learning to resolve knowledge gaps.
b) Individually creating a summary of learning and how it applies to the scenario.
c) Team sharing learning/teaching each other.

Step 4: Identifying alternative solutions
What PBL normally includes:
- Determining and agreeing evaluation criteria and process.
- Identifying technical possibilities, considering acceptance issues and organizational fit.
- Facilitator guidance.
What you will be doing:
- Determining evaluation criteria through team discussion.
- Team identification of options, considering acceptance issues and organizational fit.
- Facilitator guidance.

Step 5: Choosing optimal solution
What PBL normally includes:
- Deciding on best technical, organizational and social outcomes.
- Proposing solution with justification.
What you will be doing:
- Team decision and justification.

Step 6: Planning the implementation
What PBL normally includes:
- Applying planning and scheduling techniques.
- Proposing plan and deadlines.
What you will be doing:
- Review scenario text and resources.
- Produce report.
- Produce plan/schedule.
- Presentation to tutor in the role of main stakeholders.

Step 7: Implementation
What PBL normally includes:
- Building the solution (if appropriate).
- Deploying the solution (if appropriate).
What you will be doing:
- Not undertaken in this scenario.

Step 8: Final evaluation
What PBL normally includes:
- Formal evaluation methods re project success.
- Personal reflection and evaluation.
What you will be doing:
a) Team evaluation of performance and project success.
b) Individual reflection on personal learning & development.

Resources

Alnatheer, M., Chan, T. & Nelson, K. (2012) Understanding and Measuring
Information Security Culture. Proceedings of the Pacific Asia Conference on
Information Systems (PACIS).

A useful review of security culture factors, followed by development of
metrics, which are probably less useful for this task.

Bojanc, R. & Jerman-Blažič, B. (2008) An economic modelling approach to information
security risk management. International Journal of Information
Management, 28, 413-422.

The paper introduces methods for identification of the assets, the
threats, the vulnerabilities and the risk of systems, and proposes a
procedure that enables selection of the optimal investment in the
necessary security technology based on the quantification of the
values of the protected systems. It analyses several
approaches enabling assessment of the necessary investment in
security technology from the economic point of view. Useful to discuss
ROSI.

Brecht, M. & Nowey, T. (2012) A Closer Look at Information Security Costs.
Workshop on the Economics of Information Security (WEIS 2012).
http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf [Last
accessed 29-May-2015]

This paper is useful for discussing ROSI. It identifies and describes the
problems and difficulties in quantifying an enterprise's cost for
information security in a comprehensive way. The paper discusses
four approaches to categorise and determine information security
costs in an enterprise. Not as good as Sonnenreich (see below) in my
opinion, but useful.

British Standards ISO 27001 Overview: http://www.bsigroup.com/en-GB/iso27001-information-security/ [Last accessed 22-Nov-2015]

A very useful introduction to ISO27001, before looking at the
standards documents themselves.

HM Government (2015) Small businesses: what you need to know about
cyber security. DBIS.
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412017/BIS-15-147-small-businesses-cyber-guide-March-2015.pdf [Last
accessed 22-Nov-2015]

An excellent, introductory overview of information security. A good
starting point.

ISACA (2013) CISM Review Manual. Rolling Meadows: ISACA.

The CISM review manuals provide detailed, though quite dense,
discussion of the knowledge, skills and tasks associated with each of
the CISM domains. A particularly useful aspect is the inclusion of
test questions (and answers), which are very thought provoking and
good for discussion.

ISO 22301:2012 Societal security -- Business continuity management
systems -- Requirements

A related standard that is clearly relevant, but more detailed than
necessary for this scenario.

ISO/IEC 27001:2013 Information technology -- Security techniques --
Information security management systems -- Requirements

A surprisingly readable and brief standard that is well worth reading
for this scenario.

ISO/IEC 27002:2013 Information technology -- Security techniques -- Code
of practice for information security controls

The partner to ISO27001, providing details of the controls; a useful
reference document to help explain Annex A of ISO27001.

ISO/IEC 27035:2011 Information technology -- Security techniques --
Information security incident management

This standard is being updated; 2011 is the old version. There is
increasing acknowledgement that the question of how to respond to
incidents is one of the most critical: it is not a matter of if you will
suffer an incident, but when. Thus increased emphasis on incident management
is important.

Melek, A. (2014) Cybersecurity: engaging with the board. ISACA.

A 31-slide presentation which provides a nice overview, discussing the
threat landscape, lessons from the past, actions to improve cyber
defences and key considerations for the Board and senior managers.

Posthumus, S. & Von Solms, R. (2004) A framework for the governance of
information security. Computers & Security, 23(8), pp. 638-646. [Online].
Available from:
http://www.sciencedirect.com/science/article/pii/S0167404804002639
[Accessed on 22/11/2015]

Whilst this is not a new article, it is a good discussion of Information
Security Governance.

Sonnenreich, W., Albanese, J. & Stout, B. (2006) Return on Security
Investment (ROSI): A Practical Quantitative Model. Journal of Research and
Practice in Information Technology, 38(1).

A paper that is well written and essential reading for ROSI in this
scenario.
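The guide asks for ROSI to be discussed in the Stage 2 proposal but never shows the arithmetic, so here is a worked calculation using the Sonnenreich, Albanese and Stout model: risk exposure is the annualised loss expectancy (ALE = SLE x ARO), and ROSI = (ALE x mitigation - solution cost) / solution cost. This is an added example written for this guide; it is not code from the paper, and the risks, controls and all the pound figures are constructed to match the scenario (phishing-borne malware, server failures) rather than taken from Leading Edge Removals.

```python
"""Worked ROSI calculation for the SME scenario.

Model (Sonnenreich, Albanese & Stout, 2006):
    ALE  = SLE x ARO                             annualised loss expectancy
    ROSI = (ALE x mitigation - cost) / cost      return as a ratio of cost
All figures below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry from a risk register."""
    name: str
    sle: float  # single loss expectancy: cost of one incident, in GBP
    aro: float  # annualised rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy, the 'risk exposure' in the model."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate control and the share of the risk's ALE it is expected to remove."""
    name: str
    annual_cost: float  # GBP per year: licences, amortised hardware, staff time
    mitigation: float   # fraction of ALE removed, 0.0 to 1.0 (an estimate, not a measurement)


def rosi(risk: Risk, control: Control) -> float:
    """ROSI as a ratio: 1.0 means the control returns 100% of its cost each year."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return (risk.ale * control.mitigation - control.annual_cost) / control.annual_cost


def breakeven_aro(risk: Risk, control: Control) -> float:
    """Incidents per year at which the control just pays for itself (ROSI == 0).

    ARO is the number a sceptical MD will challenge; if the true rate is above
    this figure the control is worth buying even if the estimate was rough.
    """
    return control.annual_cost / (risk.sle * control.mitigation)


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate controls for one risk by ROSI, best first."""
    return sorted(((c.name, rosi(risk, c)) for c in controls),
                  key=lambda item: item[1], reverse=True)


# Constructed figures (hypothetical; not the company's real data).
PHISHING = Risk("Phishing email leads to malware infection", sle=4_000.0, aro=3.0)   # ALE 12,000
SERVER_FAILURE = Risk("Server failure halts Moveware/Accounts", sle=10_000.0, aro=0.5)  # ALE 5,000

AWARENESS_TRAINING = Control("Staff awareness training", annual_cost=1_500.0, mitigation=0.5)
MAIL_FILTERING = Control("Hosted email filtering", annual_cost=2_400.0, mitigation=0.7)
BACKUP_AND_SPARE = Control("Tested backups plus spare server", annual_cost=3_000.0, mitigation=0.8)


if __name__ == "__main__":
    for name, value in rank_controls(PHISHING, [AWARENESS_TRAINING, MAIL_FILTERING]):
        print(f"{PHISHING.name} / {name}: ROSI = {value:.2f}")
    print(f"{SERVER_FAILURE.name} / {BACKUP_AND_SPARE.name}: "
          f"ROSI = {rosi(SERVER_FAILURE, BACKUP_AND_SPARE):.2f}")
    print(f"Training breaks even at {breakeven_aro(PHISHING, AWARENESS_TRAINING):.2f} "
          f"phishing incidents per year")
```

Two points worth making to the board from this. First, a higher ROSI ratio on a cheap control (training, 3.0) does not mean it removes more loss than a dearer one (filtering, 2.5, but removing 8,400 against 6,000 of ALE), so present the absolute ALE reduction alongside the ratio. Second, the ratio is only as good as the ARO and mitigation estimates, which is why the break-even ARO is shown: it turns an argument about whether phishing happens "three times a year" into the much easier question of whether it happens more than 0.75 times a year.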

Stuntz, J. (2014) A Review of Return on Investment for Cybersecurity.
McDonough School of Business.

Provides a good overview of ROSI. Not as detailed as Sonnenreich.

Von Solms, R., Thomson, K. L. & Maninjwa, M. (2011) Information security
governance control through comprehensive policy architectures. In
Information Security South Africa (ISSA), pp. 1-6. IEEE. [Online]. Available
from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6027522
[Accessed on 11/03/2015]

A short (6-page) conference paper that gives a useful overview of
InfoSec governance and argues for a more complete information
security policy architecture that will facilitate complete control, and
therefore compliance, to ensure sound Information Security
Governance.

Assessment Grading Criteria

Grade bands: Pass (40-49%), Sound Pass (50-59%), Very Good Pass (60-69%),
Excellent (70-100%).

Team Report (weight 70%)
Evidence: the team report, assessed against the following learning outcomes.
LO1. Articulate the major security risks and legal compliance issues for an SME.
LO2. Explain approaches to justification of investment on Infosec controls,
including ROSI (Return on Security Investment).
LO3. Explain the key features of ISO27001 and risk assessment.
LO4. Explain key features and requirements for an Information Security culture
and suggest activities for developing it.
LO5. Analyse and discuss the relevance of Cyber Essentials and BMIS to the scenario.
LO6. Identify and outline key policies required and HR processes.
LO7. Identify and justify technical controls for securing remote access and data
governance.

Pass (40-49%): Most appropriate threats, vulnerabilities and risk levels
assigned. Appropriate risk treatment measures for major risks. Security
culture and standards discussed briefly. Some risks relating to legal
regulations explicitly identified. Some indicators of Return on Investment
identified. Report is structured with appropriate headings. Acceptable
spelling and grammar. Mostly relevant content.

Sound Pass (50-59%): Almost all threats and risks identified correctly, in a
suitable format and prioritised appropriately. Addresses all major risks with
appropriate controls. Links are made between risks/threats and solutions,
including culture. Most risks relating to legal regulations explicitly
identified. Clear links to ISO27k, BMIS and Cyber Essentials. Key points of
ROSI explicitly discussed. Alternatives are discussed, but may be briefly.
Report structured with appropriate headings. Generally appropriate level of
detail, but inconsistent.

Very Good Pass (60-69%): Consistent treatment of assets/threats/risks,
correctly identified and in a suitable format. As Sound Pass, and clearly
linked to most requirements. Benefits of solution identified. Systematic and
complete treatment of legal regulations. ISO27k, BMIS and Cyber Essentials
integrated into the report. Convincing discussion of ROSI. Alternatives are
discussed, highlighting key issues. Written in a clear, consistent and
appropriate (business) style of English. Technical detail explained
appropriately.

Excellent (70-100%): Comprehensive list of threats, risks and impact, clearly
related, in a suitable format, evaluated and prioritised appropriately. Report
is detailed, addresses all major risks with appropriate controls, including
culture, clearly linked to most requirements, and provides critical evaluation
of alternative solutions. Systematic and complete treatment of legal
regulations. ISO27k, BMIS and Cyber Essentials integrated into the report.
Convincing discussion of ROSI. Alternatives are discussed critically,
highlighting key issues, leading to a complete and consistent solution.
Clear, concise and complete, with an appropriate level of detail throughout
almost all of the report.

Presentation (weight 20%)
Pass (40-49%): Presentation is consistent with, and relates to, the report.
Sound Pass (50-59%): As Pass, and the presentation emphasises key points and
has balanced content.
Very Good Pass (60-69%): As Sound Pass, and the presentation clearly links
features/benefits of the solution with client needs and problems.
Excellent (70-100%): Presentation is persuasive, balanced and thorough, and
clearly links features/benefits of the solution to client needs/problems.

Working With Others (weight 10%)
Learning outcome: Participate constructively in the team by taking
responsibility, showing sensitivity and provide
Evidence: Timekeeping, oral contributions, VLE postings, timeliness.
Pass (40-49%): Usually communicates quickly with others if problems attending
or meeting commitments. On time for most meetings. Completes most
Sound Pass (50-59%): Considered reliable by team mates. Almost always
communicates quickly with others and renegotiates if problems attending or
meeting commitments.
Very Good Pass (60-69%): As Sound Pass, and on time for almost all meetings.
Completes all
Excellent (70-100%): As Very Good Pass, and shows initiative/leadership in
some areas of work.
