Cybersecurity Strategic Plan

Part 2: Final Paper Details (Please use ffin.com (First Financial Bankshares, Inc.) as the company
It is difficult to improve what you don’t measure. Metrics are a critical component of any
security program. They provide valuable information to help business leaders make
appropriate risk trade-off decisions and allow you to manage the performance of your
security team and program. By reviewing the class session on performance management
measurements and the learning materials, you will be able to see the many areas of
performance measurement responsibility that fall within the security organization.
Select four (4) security related measurements that you will track and report. For each
metric, you must at least include the following explanation points as part of your
justification:

● What exactly are you collecting?
● Why are you collecting the metric?
● How will the metric be used?
● Who is the audience for the metric?
● What is the frequency of collection and reporting?
● Who is responsible for collecting, analyzing, and reporting?

Again, these items must be addressed for each measurement, but you are free to include
other aspects if you feel they are appropriate for your situation.

Availability is one of the core tenets of security and hence Business Continuity is a critical
part of any security program. Using the textbook and learning materials as a guide, create a
Business Continuity plan for your company by describing your high-level continuity strategy.
You must include the following key components as part of your explanation of the plan:

● What specific continuity strategy will be used?
• A cloud back-up strategy, hot/warm/cold site, or other approach?
● What is and is not covered under the plan?
● Who are the key organizational players and their roles?
● How will the plan be tested?

Again, these items must be addressed in your Business Continuity plan, but you are free to
include other aspects if you feel they are appropriate for your situation.

Security incidents are inevitable so there is no excuse to be caught unprepared. These days,
Ransomware is a growing threat to all businesses. Using the textbook and learning
materials as a guide, create an Incident Response playbook for your company by describing
your high-level approach to responding to a Ransomware incident. You must at least include
the following key components as part of your explanation of the plan:

• What technologies are critical to detect, contain, and remediate the threat?
• Who are the key organizational players and their roles?
• How will the plan be tested?
• Will you pay the ransom (why or why not)?
• Will you contact law enforcement (why or why not)?

Again, these items must be addressed in your Incident Response playbook, but you are free
to include other aspects if you feel they are appropriate for your situation.

People are the most critical and important resource of any company and security staff is no
exception. Being able to recruit, motivate, and retain top talent is a critical skill for security
leaders. Using the textbook and learning materials as a guide, create a security staffing
strategy for your company. You must at least include the following key components as part
of your explanation of the strategy:

● Where will you get your new hires?
● What skills are most important to you?
● What is the interviewing and on-boarding process?
● How will you attract top talent to your company?
● How will you train them once they are onboard?
● How will you retain your security staff long term?
● How will you handle a security employee who leaves the company?

Again, these items must be addressed in your security staffing strategy, but you are free to
include other aspects if you feel they are appropriate for your situation.

Next, you need to hire a security employee. Pick any security role in your Cybersecurity
team and write a complete job description want-ad for that position. You can research
various job postings on-line for examples, but you must create your own format with
appropriate content that is specific to your team and company. Do not simply copy and
paste a job posting from the Internet.

Awareness and education are needed to help employees understand their roles and
responsibilities as they relate to cybersecurity. Using the textbook and learning materials as
a guide, create a security awareness blueprint for your company. You must at least include
the following key components as part of your explanation of your ideas:

● What are the elements of your awareness and education program?
● What communication and training techniques will you use?
● What are the key themes and topics to be covered?
● What is the frequency of the communication and training?
● Who are the creators, distributors, and audience?
● How will you measure the impact of your program?

Again, these items must be addressed in your security awareness blueprint, but you are
free to include other aspects if you feel they are appropriate for your situation.

Next, I want you to create a one (1) page security newsletter. It must be no more than one
(1) page in length. It should be formatted to look presentable in both electronic and print
format. You are not required to adhere to APA 7th edition for this single page as I expect
you will want to get creative and make something visually appealing. You must specify and
decide on the target audience for this communication. You may select any security topic or
issue that is important and relevant to your company. People cannot support or follow the
elements of your Cybersecurity strategy if they cannot understand it or be inspired by it. Be
educational and interesting.

Budget: No plan is complete with a budget. Please create a budget spreadsheet for your
security department. Include and provide a high-level estimate for the major components
such as hardware, software, and people costs. You should be as detailed as you feel
necessary to convey the costs of your various security initiatives and responsibilities. Group
the cost items however you believe will be the most effective. Look at it from the point of
view of your boss to determine if it would be acceptable.

Finally, prepare a compelling conclusion that summarizes how Part-2 of the security
strategy aligns and supports the overall business strategy while reducing risk to the
organization.