04. CISO E-mail
Welcome to SwiftTech! As we discussed during your interview, SwiftTech is very interested in obtaining a SOC 2 attestation report. We recently hired Firehawk Security to perform a readiness assessment and I’d like for you to take the lead on remediating some of their findings/recommendations. I know you’re the right person for the job. Specifically, I would like for you to:
1. Security Posture - Write a paragraph that explains SwiftTech’s overall cybersecurity risk posture. You know a little about SwiftTech’s goals and what drives its success. In the first sentence, you should describe SwiftTech’s cybersecurity risk posture as Risk Accepting, Risk Neutral, or Risk Averse. In the remainder of the paragraph, please go on to explain why you chose your position on SwiftTech’s risk posture and support your explanation with key facts from your knowledge about SwiftTech.

   Please include your paragraph in a separate slide in the provided presentation.

2. Relevant Frameworks - Based on what you currently understand about potential customers for ProjectTrackPlus and the attached MSA excerpt from a healthcare provider in Minnesota, identify two or three regulatory frameworks, standards, or guidance that you believe we should use to measure our existing security controls and incorporate into our risk management framework. Please write an explanatory paragraph that clearly identifies the frameworks you’ve chosen and explains why you chose those frameworks.

   Please include your paragraph in a separate slide in the provided presentation.

3. Audit Against Frameworks - After you have identified relevant security frameworks, please examine the attached diagrams. There is a SwiftTech Network diagram and a Data Flow diagram for our new ProTrackPlus product. Firehawk has already reviewed these and made notes about some areas of concern. I want to make sure we’re all on the same page, so I’d like for you to compare their notes against the frameworks you’ve chosen to work from. You should be able to either validate or discard each concern. Don’t forget to use the attached MSA as well. There may be specific security requirements that are more stringent in the MSA than those required by the compliance frameworks you’ve chosen.

   Please annotate your answers in the presentation provided by Firehawk on a separate slide. For instance, for the first item (which mentions AES-128 encryption): is that the correct level of encryption, is it too low, and what should we be using based on your research from item 2 above?

4. Risk Assessment – We also need to perform a risk assessment this year. I want to keep it simple, so I went ahead and started a basic risk assessment just using the controls that Firehawk pointed out. Please only use those items - the same controls that you’ve been working with in item 3 above. Based on your knowledge of GRC, can you complete the risk assessment? Here are a few things to keep in mind:
   - A control, or lack of a control, could create multiple risks.
   - I added a second placeholder for any control items that I felt had at least two risks that might be associated. Please try to come up with a primary and secondary risk for those items.
   - I also created logical Risk Categories to correspond with each risk. Please choose the risk category that you feel best corresponds to your stated risk.

   Please make sure to include your reasoning as to why a particular risk’s likelihood and impact are scored as high, medium, or low. Make your changes in the included RiskAssessment spreadsheet.

5. Security Policy Development – I started to put together a new Information Security Policy but, frankly, I’m too swamped to finish it. I’d like for you to finish writing the policy to incorporate just the sections that relate to the controls pointed out by Firehawk. Make sure whatever we say in the policy aligns to the best practices that you’ve developed in your previous work, and please make sure those practices are explicit in the policy.
   - Be sure to read the whole policy carefully. There may be something in it that isn’t congruent with our new goals.

   Please make your changes directly in the included Security Policy document.

6. Governance – I’m very concerned about maintaining great End User Management controls. Based on your assessment of the end-user management controls pointed out by Firehawk, can you please design governance mechanisms to make sure we are always in compliance? For instance:
   - For password length – how can we make sure all our users always have the right password length (whatever that is based on your assessment) and successfully audit against the control?

   Please include your ideas in a separate slide in the provided presentation.
Oh, by the way, can you get all this done by the end of the day? I’ve got a meeting with our executive leadership team in the morning and they’re expecting a status report.
Welcome aboard!