Weight: 20% of course grade

Word Limit: ~3000 words (excluding references, tables, and appendices)

Group Size: 3 students per group

Submission Mode: Upload as a single PDF document via LMS

Submission: Single PDF document uploaded to FORUM

Deadline: October 30, 2025

Overview

This group assignment requires you to design a comprehensive security program for a chosen sector. The assignment builds on your work in Assignment #1 (threat analysis survey) and progresses through three main components:

  1. Security Policies for Risk Management
  2. Risk Management Framework & SETA Program
  3. Information Security Management System (ISMS)

Your project should produce a professional-level security program that could be presented to senior management for approval.

Assignment Parts:

The assignment gives each group the opportunity to select the type of organization it will address, as follows:

*********************

Step 1: Select a Sector

You will choose one sector from the following five options:

  1. Healthcare (Hospitals, Clinics and Insurance Companies)
    • Particularities: Strict privacy/confidentiality requirements (HIPAA/GDPR equivalents); reliance on IoT/medical devices; insider risks from staff accessing patient records; availability is critical for patient safety; in addition, local regulations of the UAE apply.
  2. Banking and Financial Services
    • Particularities: High-value assets attract cybercriminals; compliance with regulations (Basel, PCI-DSS, ISO, GDPR, etc.); phishing and social engineering are common; availability of online/mobile banking services is critical; in addition, local regulations of the UAE apply.
  3. Higher Education Institutions
    • Particularities: Open-access culture; diverse users (faculty, students, researchers, contractors); compliance with regulations (GDPR, CIS, COBIT, ITIL, ISO, etc.); research data protection; BYOD environment; limited IT security budgets compared to financial or government institutions; in addition, local regulations of the UAE apply.
  4. Energy and Utilities (Power Plants, Smart Grids, Oil & Gas)
    • Particularities: SCADA/ICS systems with legacy vulnerabilities; nation-state-level threats; safety and resilience are paramount; downtime has severe societal and economic consequences; compliance with regulations (NIST, ISO, etc.); in addition, local regulations of the UAE apply.
  5. E-Commerce and Retail
    • Particularities: Handling large amounts of PII and payment data; heavy reliance on cloud platforms and third-party services; DDoS and ransomware threats; brand reputation directly tied to customer trust; compliance with regulations (PCI-DSS, ISO, etc.); in addition, local regulations of the UAE apply.

Your Task:

Your group should state clearly in the introduction which sector is chosen, and explain briefly why (based on risk, importance, or group preference).

Part 1 Security Policies for Risk Management (Approx. 800 words)

Develop security policies based on the threats identified in Assignment #1. Cover both types of threat (human and cyber), for example:

  1. Human Threat Example:
    • Employee deliberately grants unauthorized access OR unintentionally shares sensitive data.
  2. Cyber Threat Example:
    • Hacker breaches the access control database, steals data, or alters permissions.

Deliverables:

Draft two security policies per threat (total 4 policies minimum).

Each policy must have:

  • Non-technical measures (awareness, procedures, compliance).
  • Technical measures (system configurations, monitoring, access controls).
  • Implementation steps for each technical policy (detailed and actionable).

**********************

Part 2 Risk Management Framework & SETA Program

Develop a risk management framework and SETA program for your chosen organization/sector.

Deliverables:

  1. Risk Management Framework
    • Align to ISO 27001/2 and ISO 27005.
    • Define: risk appetite, tolerance levels, likelihood/impact (use a scale).
    • Quantify residual risk after controls are applied.
    • Justify risk treatment options with evidence (research, case studies, references).
  2. SETA Program Components
    • Workshops: Topics relevant to the identified threats.
    • Quizzes: At least 57 questions linked to Assignment #1 threats.
    • ISO Mapping: Link each training/control activity to specific clauses/controls of ISO 27001/2 and ISO 27005.
    • Show how controls mitigate threats (reducing likelihood or impact).
  3. Cross-reference Frameworks:
    • Support the analysis with concepts from GDPR, CIS, NIST CSF, COBIT, SANS, etc.

Output should resemble a professional training & risk report to be presented to senior management.
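As an added worked example (not part of the assignment brief), the following Python sketch shows one way to present the likelihood/impact scale, risk appetite and tolerance, and residual-risk calculation that this part asks for, applied to the two example threats from Part 1. The scale, thresholds, score reductions and ISO Annex A control references are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

RISK_APPETITE = 6    # assumed: 1-5 scales, score = likelihood x impact; at/below this: accept
RISK_TOLERANCE = 12  # assumed: scores above this must be mitigated or transferred

@dataclass
class Control:
    name: str
    iso_ref: str                 # assumed ISO/IEC 27001:2022 Annex A reference
    likelihood_reduction: int = 0
    impact_reduction: int = 0

@dataclass
class Risk:
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Reductions add up, but the scale floor is 1: controls lower risk, never remove it
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

def treatment(score: int) -> str:
    if score <= RISK_APPETITE:
        return "accept"
    if score <= RISK_TOLERANCE:
        return "mitigate"
    return "mitigate or transfer"    # above tolerance: acceptance is not an option

def build_register() -> list:
    # Constructed scores for the two example threats given in Part 1 of the brief
    logging = Control("Logging and monitoring of access changes", "A.8.15", impact_reduction=1)
    return [
        Risk("Employee grants unauthorized access or shares data", 4, 4, [
            Control("Security awareness training", "A.6.3", likelihood_reduction=1),
            Control("Quarterly access-rights review", "A.5.18", likelihood_reduction=1),
            logging]),
        Risk("Attacker breaches the access control database", 3, 5, [
            Control("MFA for administrative access", "A.8.5", likelihood_reduction=1),
            logging]),
    ]

def summarize(register: list) -> dict:
    # threat -> (inherent score, residual score, treatment decision)
    return {r.threat: (r.inherent(), r.residual(), treatment(r.residual())) for r in register}
```

The residual score, not the inherent one, is what gets compared against appetite and tolerance, which is what justifies the treatment option recorded for each threat.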

*********************

Part 3 Design of ISMS (Approx. 1200 words)

Combine Parts 1 & 2 into a complete Information Security Management System (ISMS) for the selected sector.

Deliverables:

  1. Current Security Posture Assessment
    • Evaluate existing strengths and weaknesses of the chosen sector.
    • Identify compliance requirements (ISO, GRC, industry regulations).
  2. ISMS Roadmap Proposal
    • Tools, techniques, frameworks, and control sets to adopt.
    • Integration of GRC (Governance, Risk, Compliance) requirements.
    • Short-term vs. long-term priorities (e.g., quick fixes vs. structural changes).
  3. Holistic View
    • Show how the ISMS ties policies, risk management, and training into one program.
    • Demonstrate measurable improvements to the organizational security posture.
