Regional Bank has been growing rapidly. In the past two years, it has acquired six smaller financial institutions. The long-term strategic plan is for the bank to keep growing and to “go public” within the next three to five years. FDIC regulators have told management that they will not approve any additional acquisitions until the bank strengthens its information security program. The regulators commented that Regional Bank’s information security policy is confusing, lacking in structure, and filled with discrepancies.
- What are some first steps for this project?
- Is it feasible to use any material from the original document?
- Should other materials be requested?
- Is it wise to interview the author of the original policy?
- Who else should be interviewed?
- Should the bank work toward ISO certification?
- Which ISO 27002:2013 domains and sections should be included?
- Would you use NIST’s Cybersecurity Framework (CIA security model) and related tools?
- Which methods of communication would be best for sending the policy?
- What other criteria should be considered?