Security Awareness Report: An individual assessment in the form of a business report.
Using the organisation, context and risk profile documented in Continuous Assessment 1 (attached as Continuous assessment 1 word file), write a report detailing the approach you would take to designing, developing and implementing an effective security awareness program for this organisation, based on the following scenario:
Your organisation has identified that its people are its best line of defence against the rising threat of cyber-attacks.
As the Cyber Security Manager, you have been tasked with developing an ongoing program of security awareness. The key objective is to change the behaviour of all employees so that they are aware of the various cyber threats and know how to take appropriate action to protect against, detect and respond to security incidents.
Recent security incidents within the organisation have been traced back to human error and have given rise to the following security events:
1. Phishing email which resulted in the loss of credentials for a sensitive system.
2. Ransomware infection which resulted in business disruption to a key business unit.
3. Data breach of personally identifiable information which resulted in a data breach notification to impacted individuals (per the Australian Privacy Act).
In addition to documenting a broad-based program of security awareness, you will need to research and analyse one of these threats and discuss cost-effective awareness measures to mitigate it, given the context of your organisation.
Finally, as future investment in cyber security is dependent on demonstrating the effectiveness of the security awareness program, you have also been asked to research and document an effective approach to measuring the effectiveness of the overall program.
Note: Any assumptions made about the nature of the existing IT controls at the organisation should be documented in the report.
The report should be written in a professional business language, aimed at the senior leadership/Executive team of your organisation and cover the following areas:
· Executive Summary (including business context)
· Security Awareness Needs Assessment
· Security Awareness Strategy and Plan
· Methods for Delivery of Security Awareness
· Threat Discussion (as chosen above)
· Security Awareness Measures and Metrics
Your report should be 3,000 words (+/-10%) in length. You will need to concentrate on delivering a concise report while ensuring that all relevant topics are covered with consideration of the intended audience.
All references and readings must be cited in the report’s bibliography.
Note: The Executive Summary should briefly summarise the key actions / recommendations arising from the report. It is not a summary of the different sections or of the approach contained within the report.
The intent of an Executive Summary is to allow corporate Executives (who have very little time on their hands) to quickly become acquainted with a large body of material without having to read the whole report.