Reference no: EM131202615

Task Sheet

TASK SCENARIO:

An information security management system (ISMS) represents a systematic approach to designing, implementing, maintaining, and auditing an organization's information system security objectives. As with any process, if an ISMS is not continually monitored, its effectiveness will tend to deteriorate.

Most organizations perform important information security activities, but the majority of firms do not do so as part of an organization-wide initiative. When organizations place a strategic emphasis on a culture of securing their information assets, they increase the likelihood of maintaining control of their information assets, and they lower their risk of losing customers, market share, or other resources due to a breach in confidentiality, integrity, or availability of key business assets.

For this task you will be using the attached "Healthy Body Wellness Center Risk Assessment" case study. You will be required to conduct a partial as-is audit of the Healthy Body Wellness Center organization.

The idea behind using an as-is question set is to determine the current compliance levels and awareness of the organization's security posture. If you answer yes to a main category question, the questions that follow help outline the quality and detail of that question. The three key aspects of the question set are to determine if x has appropriate policies, procedures, and practices in place to adhere to ISO 27002 for the ISMS.

TASK:

A. Complete the attached "As-Is Question Set."

B. Develop two additional question categories for the "As-Is Question Set."

Note: You may consider your own industry, organization, or situation when developing your additional question categories.

1. Justify the inclusion of each additional question.

C. When you use sources, include all in-text citations and references in APA format.

Course Mentor Tips

For Part A -

- Complete the table. If the policy, procedure, or practice does not exist, provide justification as to why it is needed or why it should exist. If it does exist, give evidence (i.e., page number, brief description) where it is found in the risk assessment. Relate your justifications to the ISO 27002 standard.

NOTE: The idea behind using an as-is question set is to determine the current compliance levels and awareness of the organization's security posture. If you answer yes to a main category question, the questions that follow help outline the quality and detail of that question. The three key aspects of the question set are to determine if x has appropriate policies, procedures, and practices in place to adhere to ISO 27002 for the ISMS. Make sure to relate your justifications to the scenario.

For Part B -

- Create two additional question sets (The category and questions). Tip: Use two of the ISO 27002 controls. Create a policy, procedure and practice section for each question set. Include 2-3 questions under each section. Provide justification as to why the control is needed. Relate your justifications to ISO 27002. Also identify the category of your additional questions. For example, Access Control, Asset Management, etc.

As-Is Question Set

Question	If yes, page number	If no, justification
Policy
Does a policy that addresses the need for risk management exist?	Yes. Page 7 under the Purpose Section
Is the acceptable risk posture for the organization included in the policy?	No	The organization did not have a SSP for the SHGTS system. So they are not showing they are prepared to accept the risk of this application not being secure. An organization should be familiar with its risk posture in order to reduce risk from it achieving its business objectives. The risk posture helps an organization identify risk, and manage risk effectively. This helps to ensure the organization reduce the threats that can prevent it from achieving its business objectives.
Does the policy include details about a risk assessment?	Yes. Page 7 under the Background, Purpose, & Scope sections. These sections state that a risk assessment is limited to the SHGTS system so the other organization systems have already had risk assessment conducted.
Is there a section in the policy that includes multi-perspectives on risk including the following: Threat Asset Vulnerability space Business impact assessment
Is there a section in the policy that includes reporting results of risk assessments?
Is there a section in the policy that includes a remediation analysis report based on risk assessments (i.e., how to reduce risk or increase security posture)?
Procedures
Is there a procedure in existence that describes how to implement and enforce risk management policies?
Does the procedure include a breadth of scope? Does the breadth of scope include the following: Threat Asset Vulnerability space Business impact assessment
Does the procedure include depth of scope? Does the depth of scope include the following: Interviews (asking) Verification (seeing) Validation (hands-on)
Practice
Does the organization practice the procedures described above?

Attachment:- Healthy Body Wellness Center Risk Assessment.pdf