Application: Aligning Security with Business Objectives

The security policy of an organization is not an one-for-all solution; it varies with the organization. As you begin your exploration of information assurance and risk management, consider how organizations in different countries, and even different states, are distinct, with their own structures, culture, and dynamics, as well as unique security-related regulations. Some of this may be due to the nature of the organization, its size, and its business use cases-that is, situations in which a technique may be used profitably. Other concerns can be attributed to the laws, regulations, and industry standards for its location. Even organizations doing business on the Internet may face regulations when doing business in another country or state.

To prepare for this Assignment, assume the role of a consultant working for a bank in your home country that is expanding its online banking to mobile devices. At the same time, it will be opening its first branch office in another country. Choose the location of the new office and use the Internet as well as the Learning Resources in this unit to research regulations and industry standards relevant to the new location. Also research the privacy laws (including Internet privacy regulations) that apply for both the locations. Examples could be the Gramm-Leach-Bliley Act (financial services regulation in United States) or the California Breach Notification Law applicable for United States scenarios. You will need to refer to Brotby, "Layered Security" and "An Introduction to ISO 27001, ISO 27002....ISO 27008" in addition to other reading resources.

Write a 5- to 7-page paper explaining how to align the security policy of the organization with its business objectives, keeping in mind the regulations, privacy laws, and industry standards you have identified. Clearly state any assumptions, and provide citations for reputable sources used in your research.
Cover the following points:

• Explain how the regulations, privacy-related laws, and industry standards you identified apply to this scenario.

• Identify concerns you feel the bank will need to focus on because of expanding its online banking to mobile devices and opening its international branch office. Identify three areas where you will need to apply security controls to manage the risk involved in the scenario.

• For each of these three areas, develop a key goal indicator (KGI) as explained in the textbook

• For each KGI, indicate the security controls (these involve policies, processes, and tools) that will need to be developed and applied.

• Justify how the key goal indicators and the security controls you have chosen align with business objectives and enable business processes.

• Explain how industry standards and best practices are beneficial to implementing security policies that are aligned with business objectives.