SME Security Governance Problem Statement & Student Guide
Version 3: 24th November 2015

Scenario

Leading Edge Removals is an SME based in Skelmersdale. The company provides professional, high quality removals services within the UK and from the UK to international destinations. Founded as a family business in 1954, it has many years of experience in the moving industry. It has grown from a local and regional removals company and has recently started international removals. A regional office is planned for Bristol. Both sites will offer a household storage facility. The company is ambitious and sees opportunities to expand, especially in the storage business (e.g. company archive and self-storage) and in international removals. The company currently employs approximately 50 staff.

The management team does not fully appreciate information security risks or the measures needed to control them, and such measures are seen as a burden. The company has limited financial and technical resources, and its overriding concern is that any spending must fit its revenue.

You are the newly appointed IT manager. In your previous job you worked in a large company, initially as a network administrator, but subsequently you moved into Information Assurance and had responsibility for internal security audits based on ISO 27001:2013. Your job description includes references to 'IT security' and to ensuring levels of service availability, but in your day-to-day work in the company you notice that no serious consideration has been given to ownership of information and data, or to access rights. Furthermore, the IT infrastructure has developed piecemeal, with several servers of various ages running different systems (e.g. the accounts system, the Moveware logistics system, and a domain controller for user authentication). There have been some system failures recently, both hardware and software, which have caused significant delays and lost working time. Some users have also fallen for phishing emails and downloaded viruses. 'Security culture' certainly isn't a phrase you would use to describe the situation. You are surprised to find that email is not hosted by the ISP but runs on an MS Exchange server inside the LAN rather than in a DMZ, so an Internet-facing service sits on the same network as the domain controller and the accounts system. There are no company policies relating to information security, acceptable use, etc. In addition, your discussions with the MD show that he has little understanding of information security governance as a process, and his view of threats is limited to viruses, fire and server failure. He also gives the very strong impression that he considers it all your responsibility.

You wonder if you should have taken the job, but it's a bit too late for that, so you decide you need to take the initiative before you get landed with a career-limiting security incident. You are familiar with ISO 27001, but you are not sure whether it is overkill for this company, particularly given the costs involved. You have also heard of the UK Government's 'Cyber Essentials' scheme and the '10 Steps to Cyber Security' guidance from CESG, which might be relevant. You also attended a recent ISACA Northern Chapter meeting at which the Business Model for Information Security (BMIS) was presented; you only vaguely remember it, but it might be relevant given the MD's attitude to security and the need to show a return on investment.

Learning Outcomes

The specific learning outcomes will depend on how the scenario is used. The following are suggested technical learning outcomes. On completion of the scenario, students will be able to:

1. Articulate the major security risks and legal compliance issues for an SME.
2. Explain approaches to justifying investment in information security controls, including ROSI (Return on Security Investment).
3. Explain the key features of ISO 27001 and risk assessment.
4. Explain the key features and requirements of an information security culture and suggest activities for developing it.
5. Analyse and discuss the relevance of Cyber Essentials and BMIS to the scenario.
6. Identify and outline the key policies and HR processes required.
7. Identify and justify technical controls for securing remote access and data governance.

Your Task – Stage 1: Analysis

Analyse the scenario above and identify the aspects of it that you do not understand and need to research before moving forward. Then create and deliver a presentation which discusses the following:

1. What do you see as the major security issues here?
2. An outline plan of action to improve the security of this company.
3. What further information do you need from the company in order to propose a way forward?

Your Task – Stage 2: Proposal and Plan

Using the additional information you have obtained from the company, together with your research, you should now consider the detailed actions that need to be taken to increase security. The deliverables are:

1. A plan for influencing the board (actions, supporting information needed, presentation).
2. A detailed proposal for securing the company's assets and developing a security culture. It should identify key assets, risks, controls (particularly for data governance) and ROSI.
3. A presentation of your proposal to the board.

Reflection on Learning

It is also important that at the end of the scenario you reflect on your learning and team working, and identify what worked well, what didn't, and actions for future improvement.

The Consulting Process

One of the benefits of problem-based learning is that you learn professional skills as well as technical knowledge. The process we ask you to follow to explore and provide solutions to the problem also mirrors the one used in consultancy. To assist you with the process, the following table shows the activities we expect you to complete in your PBL team. You should read it carefully and make sure you are familiar with both the generic activities (column 2) and the specific ones (column 3).
Steps 1 and 2 will be conducted in the first PBL tutorial. Step 3 a) and b) comprise your individual research and the summarising of your learning. Step 3 c) takes place as a sharing and teaching session at the next tutorial; this process of sharing and teaching others is extremely beneficial to your own learning. Steps 4, 5 and 6 consist of team work and, whilst they are logically distinct, they may take place at the same meeting as step 3 c), depending on the schedule of meetings. Step 7: in this scenario you will not be implementing a solution, so step 7 is not undertaken. Step 8 should be completed at the end of the scenario, both individually and as a team, to identify what you have learned and how you can improve your learning and team performance in future. Your tutor/facilitator will discuss it with you.

The CSKE Consulting/Learning Model

For each step of the problem-solving model (column 1), the first list gives what PBL normally includes (column 2) and the second list gives what you will be doing at that stage (column 3).

Step 1. Understanding organizational history and context
  What PBL normally includes:
    a) Scenario analysis.
    b) Socio-technical organizational analysis.
    c) Clarification of ambiguities.
  What you will be doing:
    a) Individual and team review of scenario text and video resources.
    b) Team discussion.
    c) Clarification of ambiguities with tutor/facilitator.

Step 2. Determining the problem to be resolved
  What PBL normally includes:
    a) Requirements analysis: identify key issues.
    b) Simulated consultation with stakeholders (e.g. through role-play and/or online interaction).
    c) Reviewing technology/processes in use. Identifying learning goals. Facilitator guidance.
  What you will be doing:
    a) Team review of scenario: identifying key issues.
    b) Identifying learning goals.
    c) Team publishes action list and summary in the forum.

Step 3. Identifying/learning necessary knowledge
  What PBL normally includes:
    a) Individual research and learning to resolve knowledge gaps.
    b) Summarising and reflection.
    c) Teams share learning.
  What you will be doing:
    a) Individual research and learning to resolve knowledge gaps.
    b) Individually creating a summary of your learning and how it applies to the scenario.
    c) Team sharing of learning / teaching each other.

Step 4. Identifying alternative solutions
  What PBL normally includes:
    a) Determining and agreeing evaluation criteria and process.
    b) Identifying technical possibilities, considering acceptance issues and organizational fit.
    c) Facilitator guidance.
  What you will be doing:
    a) Determining evaluation criteria through team discussion.
    b) Team identification of options, considering acceptance issues and organizational fit.
    c) Facilitator guidance.

Step 5. Choosing the optimal solution
  What PBL normally includes: deciding on the best technical, organizational and social outcomes; proposing a solution with justification.
  What you will be doing:
    a) Team decision and justification.

Step 6. Planning the implementation
  What PBL normally includes: applying planning and scheduling techniques; proposing a plan and deadlines.
  What you will be doing:
    a) Review scenario text and resources.
    b) Produce report.
    c) Produce plan/schedule.
    d) Presentation to tutor in the role of the main stakeholders.

Step 7. Implementation
  What PBL normally includes: building the solution (if appropriate); deploying the solution (if appropriate).
  What you will be doing: not undertaken in this scenario.

Step 8. Final evaluation
  What PBL normally includes: formal evaluation methods regarding project success; personal reflection and evaluation.
  What you will be doing:
    a) Team evaluation of performance and project success.
    b) Individual reflection on personal learning and development.

Resources

Alnatheer, M., Chan, T. & Nelson, K. (2012) Understanding and Measuring Information Security Culture. Proceedings of the Pacific Asia Conference on Information Systems.
A useful review of security culture factors, followed by the development of metrics, which are probably less useful for this task.

Bojanc, R. & Jerman-Blažič, B. (2008) An economic modelling approach to information security risk management. International Journal of Information Management, 28, 413–422.
The paper introduces methods for identifying the assets, threats, vulnerabilities and risks of systems, and proposes a procedure for selecting the optimal investment in security technology based on quantifying the value of the protected systems. It analyses several approaches to assessing the necessary investment in security technology from an economic point of view.
Useful for discussing ROSI.

Brecht, M. & Nowey, T. (2012) A Closer Look at Information Security Costs. Workshop on the Economics of Information Security (WEIS 2012). http://weis2012.econinfosec.org/papers/Brecht_WEIS2012.pdf [Accessed 29-May-2015]
This paper is useful for discussing ROSI. It identifies and describes the problems and difficulties in quantifying an enterprise's cost for information security in a comprehensive way, and discusses four approaches to categorising and determining information security costs in an enterprise. Not as good as Sonnenreich et al. (see below) in my opinion, but useful.

British Standards Institution. ISO 27001 Overview. http://www.bsigroup.com/en-GB/iso-27001-information-security/ [Accessed 22-Nov-2015]
A very useful introduction to ISO 27001 before looking at the standards documents themselves.

HM Government (2015) Small businesses: what you need to know about cyber security. Department for Business, Innovation and Skills (BIS). https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412017/BIS-15-147-small-businesses-cyber-guide-March-2015.pdf [Accessed 22-Nov-2015]
An excellent introductory overview of information security. A good starting point.

ISACA (2013) CISM Review Manual. Rolling Meadows: ISACA.
The CISM review manual provides a detailed, though quite dense, discussion of the knowledge, skills and tasks associated with each of the CISM domains. A particularly useful aspect is the inclusion of test questions (and answers), which are very thought-provoking and good for discussion.

ISO 22301:2012 Societal security – Business continuity management systems – Requirements.
A related standard that is clearly relevant, but more detailed than necessary for this scenario.

ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements.
A surprisingly readable and brief standard that is well worth reading for this scenario.

ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls.
The partner to ISO 27001, providing details of the controls; a useful reference document to help explain Annex A of ISO 27001.

ISO/IEC 27035:2011 Information technology – Security techniques – Information security incident management.
This standard is being updated; 2011 is the old version. There is increasing acknowledgement that how to respond to incidents is one of the most critical questions: it is not a matter of if you will suffer an incident, but when. Increased emphasis on incident management is therefore important.

Melek, A. (2014) Cybersecurity: engaging with the board. ISACA.
A 31-slide presentation which provides a nice overview, discussing the threat landscape, lessons from the past, actions to improve cyber defences, and key considerations for the board and senior managers.

Posthumus, S. & Von Solms, R. (2004) A framework for the governance of information security. Computers & Security, 23(8), pp. 638–646. [Online]. Available from: http://www.sciencedirect.com/science/article/pii/S0167404804002639 [Accessed 22-Nov-2015]
Whilst this is not a new article, it is a good discussion of information security governance.

Sonnenreich, W., Albanese, J. & Stout, B. (2006) Return on Security Investment (ROSI): A Practical Quantitative Model. Journal of Research and Practice in Information Technology, 38(1).
A well-written paper and essential reading for ROSI in this scenario.

Stuntz, J. (2014) A Review of Return on Investment for Cybersecurity. McDonough School of Business.
Provides a good overview of ROSI. Not as detailed as Sonnenreich et al.

Von Solms, R., Thomson, K. L. & Maninjwa, M. (2011) Information security governance control through comprehensive policy architectures. In Information Security South Africa (ISSA), pp. 1–6. IEEE. [Online].
Available from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6027522 [Accessed 11-Mar-2015]
A short (6-page) conference paper that gives a useful overview of InfoSec governance and argues for a "more complete information security policy architecture that will facilitate complete control, and therefore compliance, to ensure sound Information Security Governance."

Assessment Grading Criteria

Learning outcomes assessed:

LO1. Articulate the major security risks and legal compliance issues for an SME.
LO2. Explain approaches to justifying investment in information security controls, including ROSI (Return on Security Investment).
LO3. Explain the key features of ISO 27001 and risk assessment.
LO4. Explain the key features and requirements of an information security culture and suggest activities for developing it.
LO5. Analyse and discuss the relevance of Cyber Essentials and BMIS to the scenario.
LO6. Identify and outline the key policies and HR processes required.
LO7. Identify and justify technical controls for securing remote access and data governance.
Working With Others: participate constructively in the team by taking responsibility, showing sensitivity and providing supportive feedback to others, and meeting deadlines.

Each piece of evidence is graded in one of four bands: Pass (40-49%), Sound Pass (50-59%), Very Good Pass (60-69%) and Excellent (70-100%). Each higher band assumes the requirements of the bands below it are met.

Team Report (weight 70%)

Pass (40-49%): Most appropriate threats, vulnerabilities and reasoned risk levels assigned. Appropriate risk treatment measures for major risks. Security culture and standards discussed briefly. Some risks relating to legal regulations explicitly identified. Some indicators of return on investment identified. Report is structured with appropriate headings. Alternatives are discussed, but perhaps only briefly. Acceptable spelling and grammar.

Sound Pass (50-59%): Almost all threats and risks identified correctly, in a suitable format, and prioritised appropriately. Addresses all major risks with appropriate controls. Links are made between risks/threats and solutions, including culture. Most risks relating to legal regulations explicitly identified. Clear links to ISO 27k, BMIS and Cyber Essentials. Key points of ROSI explicitly discussed. Report structured with appropriate headings. Mostly relevant content. Generally appropriate level of detail, but inconsistent.

Very Good Pass (60-69%): Comprehensive list of threats, risks and impacts, clearly related, in a suitable format, evaluated and prioritised appropriately. As Sound Pass, and clearly linked to most requirements. Benefits of the solution identified. Systematic and complete treatment of legal regulations. ISO 27k, BMIS and Cyber Essentials integrated into the report. Convincing discussion of ROSI. Alternatives are discussed, highlighting key issues. Written in a clear, consistent and appropriate (business) style of English. Technical detail explained appropriately.

Excellent (70-100%): Consistent treatment of assets/threats/risks, correctly identified and in a suitable format. Report is detailed, addresses all major risks with appropriate controls, including culture, clearly linked to most requirements, and provides a critical evaluation of alternative solutions. Systematic and complete treatment of legal regulations. ISO 27k, BMIS and Cyber Essentials integrated into the report. Convincing discussion of ROSI. Alternatives are discussed critically, highlighting key issues, leading to a complete and consistent solution. Clear, concise and complete, with an appropriate level of detail throughout almost all of the report.

Presentation (weight 20%)

Pass (40-49%): Presentation is consistent with, and relates to, the report.
Sound Pass (50-59%): As Pass, and the presentation emphasises key points and has balanced content.
Very Good Pass (60-69%): As Sound Pass, and the presentation clearly links the features/benefits of the solution with client needs and problems.
Excellent (70-100%): Presentation is persuasive, balanced and thorough, and clearly links the features/benefits of the solution to client needs/problems.

Working With Others (weight 10%)

Evidence: timekeeping, oral contributions, VLE postings, timeliness of work produced.
Pass (40-49%): Usually communicates quickly with others if there are problems attending or meeting commitments. On time for most meetings. Completes most work allocated. NB: students can be excluded from teams for not meeting these requirements.
Sound Pass (50-59%): Considered reliable by team mates. Almost always communicates quickly with others and renegotiates if there are problems attending or meeting commitments. Shares work with others in a timely way.
Very Good Pass (60-69%): As Sound Pass, and on time for almost all meetings. Completes all work as agreed.
Excellent (70-100%): As Very Good Pass, and shows initiative/leadership in some areas of work.