Explain to the ExCo what Information Security is - Motivate


Part - Scenario-based Management Report

ALOE INSURANCE

Aloe Insurance AS (henceforth referred to as Aloe) is a Norwegian financial services firm listed on the Oslo Stock Exchange.

With a market capitalization of NOK 28.4 billion and an embedded value of NOK 41.2 billion as at 30 June 2020, Aloe remains one of Norway's largest life insurers and integrated financial services companies and offers the following products and services for both individuals and companies:
• Long and short-term Insurance
• Employee benefits including healthcare and retirement provision
• Asset management, property management, investments, and savings
• Client engagement solutions, including the Aloe LEAF wellness and rewards program
Aloe's current operational strategy, as articulated in the 2019 year-end results presentation, reflects a reset and growth strategy with a focus on delivery and implementation. This is spearheaded by dynamic new leadership and operational changes from within the Aloe Group in 2019. Aloe's strategy remains focused on client centricity, growth and excellence.

Purpose and Vision
Aloe's strategy aims to generate superior shareholder returns through leading products, valuable distribution partnerships and excellent client experiences. These capabilities will enable businesses and people from all walks of life to achieve their most important financial goals and life aspirations. The result of financial wellness remains at the core of what they do.
The key principles underpinning Aloe's IT strategy are:
• Aligning architecture across the group
• Reducing our application and data footprint
• Commoditizing common functions and processes
• Leveraging our digital offering

In a recent sitting of the Executive Steering Committee (ExCo), the executive of Aloe expressed concern about the growing number of cyber incidents within the financial services sector. Many of Aloe's competitors have in recent times fallen victim to such incidents, negatively affecting operations, revenue, and brand reputation.

As such, Aloe has appointed you as the newest member of their management team, heading up their information security department. Your duties will include building up an information security team, implementing information security controls and management structures and embedding an information security culture in the organization. The executive has taken these steps to harden their security resilience and hope to not become part of the statistics.

The Aloe organogram has therefore been expanded with the new information security function, and your role within the management structures:

As their Head of Information Security, you report directly to the Chief Information Officer. For your first order of business, you've been tasked to compile a management report. The management report to the ExCo will outline things like what Information Security is, why it is important, and how they should go about implementing an ISMS.

To add value to your report and to solidify the importance and need for information security management within Aloe, you want to outline potential risks that already exist within Aloe, considering the context of the firm (industry, revenue, services, client data processing and storage etc.). Therefore, in preparation for this report to ExCo, you want to have meetings with various managers within the broader ICT function to identify obvious risks in their current processes. The point of this exercise is to emphasize to the executive, that without any extensive analysis or audit, you are able to identify major information security risks in the organization.

Management Report - Requirements:

With the foregoing in mind, you need to consider the following as part of your Management Report. Please make use of the provided document structure for this document, which can be downloaded from Moodle, called "Management Report Structure.docx".
• Explain to the ExCo what Information Security is
• Motivate why Information Security is important, considering the context of the organization and threat landscape
• Explain where Information Security fits into and forms part of the larger ICT governance and corporate governance domains
• Report the results from your preliminary risk landscape analysis (1 page each)
o State the risks that you identified and their severity rating
o Motivate the severity of the risks by explaining how it could impact the firm
o Suggest any mitigating controls (not device/system/technology specific, see 27002 controls that could mitigate the risk)
• Motivate and explain why implementing controls in isolation won't be as effective as implementing an ISMS
• Outline and explain the phases that Aloe will have to undertake if they were to implement an ISMS based on the "it governance" institute 9-step approach mentioned in Lecture 6 (pdf on Moodle)
o You need to outline to the executive, the phases of an ISMS implementation and explain each phase to them (i.e. requirements, outputs etc.), walk them through the phases within the context of Aloe (company purpose/mission, industry, market worth, threat landscape etc.)

Requirements:
1) Read all instructions carefully
2) Keep in consideration all the concepts covered throughout the ISM course
3) Your report needs to use the Aloe branding, logos, colors etc.
4) Your report needs to make use of the 'Management Report Structure' provided on Moodle within the 'Resit Resources' folder
5) The Management Report
a. Must be a .pdf document
b. Neatly and professionally structured
c. Consistent formatting
d. Use Aloe corporate branding

General Guidance:
Focus on what the aim of the report is - selling the need for an ISMS. ExCo needs to feel that investing the money is key to the business surviving in the current threat landscape, and at the same time get comfort that you know what needs to be done and how it needs to be done. The report should be professional and fit the target audience. Make sure all elements detailed in the instructions are addressed.

Attachment:- Management Report Structure.rar
