You and your partners are security consultants assigned to perform an information security policy and governance assessment of the City of Omaha. You can find all of the policy posts under this link: https://hr.cityofomaha.org/public-documents/hr-policies. Please feel free to use any source you find; there is no limit.
You need to complete an assessment of the organization, write a report summarizing your findings, and give a short presentation to senior management on your findings. So in addition to the 5-page paper, you also need to produce a 3-slide PowerPoint summarizing your findings.
I have attached a rubric; please match all of its items.
PART 1: Overview and Security Governance (5 Pages; 50 POINTS)
Choose an organization with publicly available security information (examples include a government, a university, or another public entity). Develop an overall understanding of the security governance of the organization, covering information about your client, its governance objectives, and its security policy profile. If you are unable to locate one or more of the items below, provide a statement of justification.
This section should include the following components:
Executive Summary (2 pages) of what your client organization does. Be sure to include at least the following elements:
Client's critical technology services (3-5 key services)
How does IT support the organization in achieving its stated goals and in managing/protecting the organization?
Provide a summary of the legal and regulatory environment that applies to the organization.
Be sure to include any applicable laws (e.g., FERPA, HIPAA), regulations, and industry-specific frameworks.
Risk Appetite / Tolerance Statements
Provide a summary of the client's overall risk appetite. (This may not be explicitly stated; you may have to infer it from the evidence gathered.)
Provide a summary of all supporting risk tolerance processes.
Security Governance (Both business and IT)
What is the current-state maturity of the client's security governance processes, including the composition of security committees, reporting relationships, and security risk management processes?
Are you able to determine the security governance priorities?
Can you provide a summary of how risk appetite directs the client's security program?
Security Policy Governance and Framework
Provide a summary of the organization's security policies, including which security framework they leveraged, if any (NIST, CIS, etc.), the source of their policies, and any other pertinent information.
What is the client's audit process, including development of the audit program and reporting relationships (including management and the audit committee)?
What is the client's compliance process?
How do they ensure they are compliant with their security policies and standards?