InfoSec policy, regulation, personnel security requirement development and analysis
Objectives:
This assessment is designed to assess your level of understanding of the following topics:
- Personnel security in an enterprise including roles, responsibilities and personalities
- Legal and ethical issues with respect to managing information and information system security
The context
The VirtualSpaceTours.com managers were impressed with your work in the risk assessment and they have decided to take you on board in the role of CISO.
In the new position, you have soon realised that you need an information security program manager who can help you plan, implement and manage the company's information security programs. However, you have to convince the company director board of the necessity of creating a dedicated information security manager position beside the CISO.
The tasks
Task-1: Convince the director board
In this task, you will convince the company director board of the necessity of having a dedicated information security program manager position beside the CISO by showing them that it is not good practice for an organisation to have one person perform all information security roles, ranging from planning to implementation.
Task-2: Identify job security requirements
You have been successful in convincing the company director board to create a new information security program manager position. As CISO, you will develop the job selection criteria and requirements for the recruiting position. Being a security professional, you clearly understand how important it is for the company to meet the mandatory personnel security requirements, especially for the recruiting role. Therefore, in this task you will identify the mandatory security requirements to be checked for the recruiting role. As the company is Australian based, you will use the following documents to help you with the task:
https://www.protectivesecurity.gov.au/personnelsecurity/Documents/AustralianGovernmentPersonnelSecurityManagementProtocol.pdf
https://www.protectivesecurity.gov.au/personnelsecurity/Documents/Personnel-security-guidelines-Agency-personnel-security-responsibilities.pdf
To explain your work to the director board, briefly discuss, where possible, why each requirement was selected.
Task-3: Develop job selection criteria
After you have identified the mandatory security requirements, you now have to develop a complete set of selection criteria for the recruiting role. In particular, you will look at aspects such as education and qualifications, experience, personality and, of course, security. Since the company operates over the Internet and takes online payments, you would prefer the candidate to have some experience in the legal aspects related to these activities. In your selection criteria, specify the laws and regulations you would prefer the candidate to have experience with.
Use the knowledge you have learned in weeks 1, 5 and 6, together with similar job ads, for this task. Where applicable, briefly discuss each criterion and why you selected it. Note that you need to take into account the context as described in assignment 2 and in this assignment, and be creative in designing the criteria.
Submission
Create a separate answer sheet in MS Word with your name and student ID and submit for marking by the due date.