General Information

This course is assessed through submission of an individual investigative report. Information Systems Security Policies and Procedures (ISSPP) establish guidelines for the application of information security controls within an organisation. They outline what relevant stakeholders are expected to comply with while using company information assets. With the help of strong policies and procedures, an organisation can incorporate actions that are consistent, effective, and efficient. This helps combat security threats by creating proper awareness. Further, documented policies and procedures can also define how an organisation incorporates and manages technology in the corporate environment. You are required to investigate Information Systems Security Policies and Procedures (ISSPP) documentation aligned to corporate business requirements relating to a company of mid-to-large size and demonstrate your information security knowledge.
It is essential to meet the learning outcomes defined below by understanding and critically assessing the adequacy of the key elements that are relevant and appropriate to the course module. You are expected to submit a 4000-word report (introduction to conclusion).
Learning outcomes addressed in this assignment:
1. Analyse information security objectives, risk management strategies, and controls designed and implemented to address security requirements.
2. Critically discuss how corporate security objectives are impacted by business, regulatory and environmental constraints, and by relevant threats and vulnerabilities.
3. Analyse the control requirements relating to the processing, transmission and storage of data and information relating to emerging technologies such as Generative AI and cloud computing.
4. Evaluate elements of best practice in information security standards (ISO 27001) and frameworks (NIST CSF, NIST SP 800-53, NIST SP 800-37, NIST RMF).
Expectations of the assignment

Address the above learning outcomes by demonstrating the knowledge gained in completing the Information Security module. Use the knowledge gained through the course (both direct and indirect learning), a comprehensive literature survey and your own experience to analyse concepts and issues relating to the context and produce a research-based report. You are also expected to develop your own arguments and analysis based on your knowledge and experience.
Lecturer Tips:
1. The chosen company must have a minimum of 500 employees and must be certified to ISO 27001, with voluntary adoption of some of these NIST frameworks (NIST CSF, NIST SP 800-53, NIST RMF, NIST SP 800-37). The minimum security maturity level of the organisation must be level 4.
2. Interviews must be carried out with 3 personnel who drive the business, such as the CISO, CFO, Head of Information Security or Head of IT, to get their opinion on the current status of the ISSPP and how far it satisfies the organisation's strategic objectives. Include the approximate annual information security budget allocation as given by the CFO.
3. Policies and procedures > ISMS (ISO 27001) > Standard Operating Procedures (SOP) > Roles & Responsibilities (RASI matrix table).
4. Add a table of Non-Conformity Records reported during previous years and the measures the company has taken to reduce them gradually.
5. Measurement metrics for policies and their review period: annually, bi-annually, quarterly. KPIs, KGIs.
6. Accountability for key processes (incident management process, asset management process, change management process, risk management process, etc.).
7. Risk management process, risk register, residual risks in the organisation.
8. Use graphs, charts and tables to save the word count.
Report structure (mandatory sections):
1. Introduction: company, industry background, description relevant to the given area
2. Justification for selecting the company and feasibility of it
3. Identification of a clear information security strategy/plan
4. Analysis
5. Discussion
6. Recommendations
7. Conclusion
Report Formatting
§ Paper Size: A4
§ Word Count: Individual Report – 4000 +/- 10% (Introduction to Conclusion)
§ Printing Margins: LHS; RHS: 1 Inch
§ Binding Margin: ½ Inch
§ Header and Footer: 1 Inch
§ Printing: Single Sided
§ Basic Font Size: 12
§ Font Style: Arial/Times New Roman
§ Presentation: Bound Document
Important Information for Students
§ Please note that plagiarism is treated as a serious offence and therefore the work you produce must be individual and original, although you may work in groups in some instances (please refer to the Student Handbook on Plagiarism & Cheating).
§ All sources of information must be referenced using Harvard referencing, and a reference list should be included at the end of the assignment. References and citations should be within the current 4-year period, 2020-2024.
Level | 80%-100% | 70%-79% | 60%-79% | 50%-59% | 40%-49% | 20%-39% |
Overall Summary | A full and detailed understanding of the set task. Work is of a standard deemed worthy of publication/ | A full and detailed understanding of the set task | A full understanding of the set task and an ability | A basic but secure understanding of the set task and | A partial understanding of the set task and an | Unsatisfactory overall. A minimal understanding of | Very poor, incomplete and or irrelevant. Demonstrate |