Question:

As a consultant to TechCare, study the case study below in proposing a draft Corporate Information Security Policy (CISP) for TechCare.com.

STEP 1: In preparation for drafting the CISP contents (Step 2), you need to motivate every statement in the policy by using direct and exact statements and explanations provided in the text. Such statements in the text would typically indicate a specific risk to TechCare. Each policy statement must be linked to a specific criterion stated in ISO27002 Clause 5. Together with the motivation (taken directly from the text), list the line numbers from where you got the information in the text. Your answer must be presented in a table with three columns, including the relevant criterion from ISO27002 Clause 5, the motivation/s from the case study, and the supporting policy statement. The table below serves as an example of how this should be presented. Take note that some CISP policy statements may be motivated by multiple in-text statements from within the case study.

Table layout (column headings):
- ISO27002 Clause 5 Criteria
- Motivation from the case study (indicate line # and direct in-text statement)
- CISP Policy Statement (follow guidelines in prescribed textbook)

STEP 2: Draft a complete CISP for TechCare using the guidelines provided in your prescribed textbook. This must include all aspects of such a CISP, together with the statements listed in Step 1. DO NOT include any policy statements that do not appear in Step 1.

It is very important to take the following into account when drafting a Corporate Information Security Policy (CISP):
o Each of the criteria set in ISO27002 Clause 5 should be met.
o All statements in a CISP must be at a high level; no detail or technology specifics should be mentioned in the CISP. This detail should appear in lower level policies.
o The CISP should be rather static and not change often.
o The CISP should also not be too long. Detail must appear in lower level policies, which are not part of this assignment.

Page 3 of 16

TECHCARE.COM

The following series of conversations and documents describes a case study of a company, called TechCare, that manufactures and distributes computer hardware, mainly in South Africa. TechCare is located in Coega, an industrial park located near Gqeberha. Currently, TechCare has 85 employees. Most of these employees, 45 of them, work in the production division, which is managed by Mr Mbalo. The accounting division has 7 employees and is managed by Ms Bobo. The human resources division is managed by Mr Collard and has 6 employees working in the division. The other divisions are: Marketing & Public Relations with 4 employees, managed by Ms Davids; Information Technology with 12 employees, managed by Mr Ramiah; and Maintenance and Security with 9 employees, managed by Mr Fourie. Ms Harley is the managing director and Chief Executive Officer of TechCare and Mr Holden is the director responsible for operations.

Conversation between the CEO, Ms Harley, and Mr Ramiah, the IT manager, on Monday, 19 January 2022.

Ms Harley: Mr Ramiah, I spoke to a friend on the golf course on Saturday and since then I've been thinking a lot. This friend of mine was talking a lot about the huge damage his company sustained having been hacked during the week. Apparently the hacker got access to their IT systems in some mysterious way and destroyed most of the critical data files. What makes the matter worse is that their backup files turned out to be totally useless. Apparently they lost millions of rands. I am very worried that something similar might happen to us. You know, my biggest fear is that our database gets hacked and all those credit card numbers get compromised. Can you imagine how that could hurt us?

Mr Ramiah: Yes ma'am, nowadays one must make sure that your information is adequately protected. I am also not convinced that our protection is adequate. You know, we are so dependent on our computer-driven manufacturing system. If that system malfunctions or is not running for any reason, our complete production is halted and the financial losses can be huge. You know, our accounting system is linked to the Internet to handle all those electronic payments, and we all know that the Internet is very risky.

Page 13 of 16

Ms Collard: All I can think of is when we had the AIDS Awareness Campaign in the organisation, about a year ago. We divided all the employees into three groups. Each group had an extensive education session of about three hours. I do not think it was really successful, as Ms Harley and Mr Holden were the only company employees that did not attend. That created a very negative feeling amongst the employees. Further, all that the employees had to do after the respective training sessions was to complete an anonymous questionnaire on how they appreciated the session. Most of the employees made an absolute joke of the presentation as well as of completing the questionnaires. The education sessions were offered by one of our employees, who was tasked to do it, but who was no real authority on the matter. Generally speaking, the whole idea of training and education sessions does not work very well in the organisation.

Mr Ngundu: When I started working here, I had to work through a one-day induction program, offered electronically on the Intranet. I learnt a lot about the way the organisation functions and found that quite useful.

Ms Collard: Yes, we spent a lot of time and effort to develop that self-study course on the Intranet, and it is really working well. Specifically, because the new employees have to write a simple test following the self-study program. All new employees, having passed this simple test, are then officially welcomed in the weekly newspaper, prepared and distributed by our division. This weekly newspaper is a great hit amongst the employees, as you might have learnt.

Mr Ngundu: Yes, I must say, the employees cannot wait for Fridays to read about the week's happenings at TechCare and specifically the gossip column. I must say that the person drawing those funny cartoons is really good. I must also mention that TechCare is really serious about AIDS education, as there are large AIDS posters on all notice boards. Has TechCare had any information-related compromises that you are aware of?

Ms Collard: Let me think. As we have open plan offices, we had some problems with some employees leaving sensitive documents on their desks when they leave their desks. Further, about a month ago, a lot of finance people could not perform any work as one of the employees changed the password of the finance division as a joke, as all employees in a division share the same user ID and password. That employee was unfortunately ill for two days and the network administrator was on a course, so nobody could get into the financial system.

Page 14 of 16

Another case that I can recall is about a year ago, when somebody did some unauthorised financial transactions during lunch time. We never found out who did it, but it must have taken place over lunch time by an unauthorised staff member working on one of the machines of a financial officer who did not sign off when he/she left his/her office over lunch. Oh yes. Last year we had a disciplinary hearing when one employee was caught downloading pornographic material from the Internet after work.

Mr Ngundu: Thank you, till next time.

Conversation between Mr Ngundu and Mr Ramiah, on 15 March.

Mr Ngundu: Mr Ramiah, please tell me about some of the problems you experience with the end-users of information. What frustrates you the most?

Mr Ramiah: Well, actually I have a lot of problems with them. Many of them snoop around in the system and see information that they do not need for their job. I wish I could stop that. Further, many of them store valuable information on their local hard drives. In many cases these drives crash or the files get corrupted and then that critical information is lost. Also, some of the secretaries are known to talk about confidential matters discussed in meetings where they take minutes.

Mr Ngundu: Do you agree that business requirements should dictate the access control policy?

Mr Ramiah: Yes, certainly. Business requirements should play a definite role in defining access control and this should be properly documented.

Mr Ngundu: Along with this definition and documentation of access privileges, do you agree that there should be formal procedures in place to control the authentication of users to help enforce these access control rights?

Mr Ramiah: Definitely. Specifically, the registration of users on the system and the associated management of passwords are very important.

Mr Ngundu: Correct, Mr Ramiah. I can already see you have become more security aware. Obviously, the proper use of passwords is very important and users should be educated in this regard.

Page 15 of 16

Mr Ramiah: That should address a lot of the problems we experience currently.

Mr Ngundu: Is it true that many users still use the TechCare system long after they have left the organisation?

Mr Ramiah: That might be true, as user IDs and passwords are shared and HR never informs me if an employee resigns.

Mr Ngundu: Thanks Sir, go well.

MEMORANDUM

To: Ms Harley
From: Mr Ngundu
29 March 2022.

Information Security Plan

The development of the Information Security Plan for TechCare is well underway. I have conducted a number of meetings with various parties and can report the following:

The Information Security Plan will be based on four strategic elements - they are in no particular order:
- The Vision and Objectives of TechCare towards Information Security
- International standards
- Top management support
- Organisational structure towards information security

The Information Security Plan will be based on four operational elements - they are in this sequential order:
- High Level Risk Assessment
- Corporate Information Security Policy
- Control standards
- User education.

The core elements of the plan will be:
- The Corporate Information Security Policy
- A series of secondary, issue-specific security policies
- An information security awareness program.

Page 16 of 16

The policies will be prepared in the hierarchical structure that is used at TechCare. The Corporate Policy will not contain any technical detail, and will be fairly static and generic. The secondary level, issue-specific policies will contain more technical detail, and be more dynamic and more specific. Once all these core elements have been defined and developed, they will be implemented, which may take several months. Once implemented, the information security system will be fully operational and properly maintained. The IT department, which acts as custodian for the storage, transmission and security of information, will be extensively involved in installing the bulk of the technical controls. The information security manager will be responsible for the maintenance of the policy on a continual basis or following any major security incident, acquisition or implementation of hardware and/or software, change to the Scope of Influence of this policy or any event affecting the applicability of this policy. I am positive that this information security system will meet international best practice standards and that we should be in a position to certify our system within the next two years as ISO27002 compliant.
