Running head: CYBERSECURITY STRATEGY & PLAN OF ACTION 1

Cybersecurity Strategy & Plan of Action

Student’s Name:

Instructor’s Name:

Course:

Date:
CYBERSECURITY STRATEGY & PLAN OF ACTION 2

Introduction

Island Banking Services went bankrupt, and the Padgett-Beale purchased the financial

services that it was offering. There are risks associated with this process, and therefore, this

document identifies them and indicates the mitigation strategies that would be used. There are

laws and regulations which are associated with cybersecurity risks and challenges. They guide

how to resolves some of the risks. The document states cybersecurity strategies that would be

effective in controlling and eliminating the risks. An implementation timeline demonstrates the

actions that will be performed in implementing the cybersecurity strategies. 

Information technology/security gaps which existed at Island Banking Services prior to its

being acquired by PBI

One of the technology gaps is the lack of an intrusion detection system. The systems help

in detecting any network threats. In that case, the company does not get to be hacked, and it

prevents unauthorized people from accessing the network. Another security gap is the lack of

access control strategies. It is essential to limit access to the top-secret files. The other

technology gaps are authentication strategies and lack of vulnerability management. The

technology or the security gaps which are likely to exist in the PBS-FI are detections of threats,

unauthorized access, and the existence of vulnerabilities.

Gap Analysis (Step 1)

One of the cybersecurity issues is the data breach. Padgett-Beale has bought that financial

services that were offered by Island Banking services. It means that they will have access to the

details of the customers. Having two companies that are aware of the customer’s details is risky.

The second cybersecurity issue is a violation of confidentiality. The employees or workers from

the Island Banking services may forget to delete some private information stored in their
CYBERSECURITY STRATEGY & PLAN OF ACTION 3

computers. Padgett-Beale purchased the digital assets, which include word documents, electronic

mails, presentations, spreadsheets and logos. Therefore, the Island Banking services had to

forward all the digital assets. The third cybersecurity issue is data theft. The process of sharing

these details, many people will be handling the information. Therefore, there is a very high risk

of someone stealing the data in digital assets. Fourthly, hacking is a potential cybersecurity issue

since the financial transactions processing software is also being sold. The software is vital in the

banking industry since the financial services are provided through the implementation of the

software. A cyber attacker may find a vulnerability in the system and hence hacking this. The

fifth cybersecurity issue is the lack of professionals to handle PBI-Financial Services (PBI-FS). 

The sixth cybersecurity issue is finding a dedicated and experienced Chief Information

Security Officer (CISO). Skilled and qualified individuals are required in this field to ensure that

the subsidiary’s information is protected from attacks. The seventh cybersecurity challenge is

using the same software used by the previous company. There is updated and better software,

and therefore using outdated software creates vulnerability in the system. The eighth

cybersecurity risk is a malware attack. The attack is executed through the sharing of files or the

use of free software programs. The ninth risk is an inside threat. There may occur that there is

someone who is not happy with the business happening between Island Banking Services and

Padgett-Beale. Therefore, they may be an inside threat where they will be stealing data or

helping hackers in accessing the company’s network. The tenth cybersecurity issue is the lack of

detecting threats. The computer systems are the same ones that were used in Island Banking

Services Company and therefore, no improvements are made on the hardware. Therefore,

detecting threats or identifying vulnerabilities is challenging.

 CYBERSECURITY STRATEGY & PLAN OF ACTION 4

Risk Analysis & Risk Register, Legal & Regulatory Requirements Analysis,

(Steps 2, 3, 4, 5)

Risk Risk category Impact Laws & Laws Mitigation Control

level regulations applying to strategy category

all

companies
Data breach Confidentiality 3 Federal Federal Protecting data Data security

Information Information (Control (Barrett,

Security Security strategy) 2018)

Management Management

Act Act

(FISMA) (FISMA)
Violation of Process 1 Financial Financial Encrypting and Protective

confidentialit Privacy Rule Privacy Rule managing technology

y access of

sensitive

information

(Control

strategy)
Data theft People, 3 Federal Federal Access control Protective

technology Deposit Deposit (control technology

Insurance Insurance strategy)

Corporation Corporation

law law
Hacking Technology 5 Computer Computer Improving the Improvements
 CYBERSECURITY STRATEGY & PLAN OF ACTION 5

Fraud and Fraud and security of

Abuse Abuse computer

Act (CFAA) Act (CFAA) systems

(control

strategy)
Lack of Technology 2 Employment Employment Advertisement Response

professionals laws laws s of job planning

vacancies

(accept

strategy)
Having an People 2 Employment Employment Giving tasks to Response

unexperience & labor law & labor law service planning

d Chief providers

Information (transfer

Security strategy)

Officer
Malware Process 3 IEEE IEEE Antivirus and Mitigation

attack standard standard firewall

(control

strategies)
Having an Integrity, 3 International International Identify the Governance

inside threat availability Association Association inside threat

of Privacy of Privacy and eliminate

Professional Professionals (control

s (IAPP) (IAPP) strategy)

Lack of Technology 3 SIEM rules SIEM rules Deploying Detection
 CYBERSECURITY STRATEGY & PLAN OF ACTION 6

detecting intrusion processes

threats detection

system (control

strategy)

Cybersecurity strategy (Step 6)

One of the cybersecurity strategies that Padgett-Beale can implement is the introduction

of intrusion detection and intrusion prevention systems. These are important so that any threats

or risks can be detected before they materialize. It is essential to mitigate these risks since they

can cause significant damage to the company. Wireless intrusion prevention system (WIPS) can

be deployed to serve the purpose of monitoring the wireless frequencies (“TechTarget,” 2015).

In the monitoring process, it identifies unauthorized devices. It there is any, it is eliminated from

the WI-FI network. Another intrusion detection system is the McAfee Network Security

Platform. It helps in protecting data and computer systems of an organization. The services being

offered by Padgett-Beale are sensitive, considering that the access to the consumer’s details

would affect the firm and the clients.

Another cybersecurity strategy that the company can implement is the use of firewalls.

Firewalls are essential, considering that the majority of the activities are carried out through the

internet. The firewall ensures that the data being exchanged is safe or not. It determines whether

the packets are as per the rules that have been set up. The firewalls will help in protecting the

computer systems and the server. In that case, users who are not authorized to use the network

cannot access the private network (“About firewalls,” 2019). It will be an effective cybersecurity
CYBERSECURITY STRATEGY & PLAN OF ACTION 7

strategy for Padgett-Beale to ensure that other people cannot access the network hence

minimizing the chances of being hacked through the use of the net. We have cyber-attacks which

are initialized through accessing a company’s network. In that case, a cyber-attacker can see the

data being exchanged and can access information or files belonging to the company. The firewall

will ensure that the communication channel, the internet, is safe.

Multifactor authentication is another strategy that can be used. It helps in controlling

access to certain rooms, network, or systems. For instance, data theft can be mitigated through

the implementation of access control strategies. The firm could consider classifying people and

deciding what each of them can access. Some files should be protected using a unique and strong

password, and they will be given to certain people. For the sensitive files, Padgett-Beale should

only allow the manager and some few employees to access the files. In that case, the probability

of the files getting accessed by other people is minimal since only three individuals, for instance,

have the access details. The multifactor authentication could be fingerprint and a keycard lock. It

could also be an iris scan and a keycard. Anyone who wants a file will have to ask the authorized

individuals to provide them with the necessary files. Therefore, files stored as hard copies will be

safe from theft.

The employees need to be informed of how to protect the machines and how to form

strong passwords. Padgett-Beale should hire an It professional to train the employees on creating

strong passwords and the importance of locking their computers when they are getting out of

office. Some errors happen since people do not have the necessary information. They need to be

informed that the passwords should be private. They should not share them with anyone.

Besides, they need to be educated about phishing emails. They should not open files from
CYBERSECURITY STRATEGY & PLAN OF ACTION 8

unknown resources since they may be containing malicious codes. It is one of the strategies used

by the cyber attackers in accessing the systems of a firm. The employees will be equipped with

cybersecurity information which contributes to ensuring that safety of the systems and the data

files in the company. Also, Padgett-Beale needs to consider if any employees use personal

computers in performing some tasks for the firm. If there are, then they need to take good care of

their computers since they can be used by attackers to access specific company’s information.

Therefore, education is a cybersecurity strategy since it enlightens the employees on

cybersecurity matters.

Encryption of data files is essential to ensure that the right recipient accesses the data

files. For instance, Padgett-Beale’s employees could be using the RSA where there is the public

key and the private key. Employees will exchange their public keys with the people whom they

are sending files to. Therefore, they will encrypt the files using the public key of the receiver,

and the receiver will decrypt it using their private key (Lake, 2018). The private key and the

public key must match. Therefore, it is difficult for anyone eavesdropping to access the content

of the files. It is because they do not know the private key that matches the public key used to

encrypt the file.

Proposed plan of action and implementation timeline (Step 7)

Action Required Starting Date due Cost Effort Explanation

description resources date estimate (In a

(in scale

dollars) of 1-5)

Educating IT 16/6/2020 14/7/202 70, 000 4 Educating

CYBERSECURITY STRATEGY & PLAN OF ACTION 9

employees professional, 0 employees is

about computers. a practice that

phishing requires

emails and enough time

forming to ensure that

strong they

passwords. comprehend

what they are

taught and are

in a position

to employ

them.

Installation of People (IT 16/6/2020 30/6/202 600,000 5 IT

Intrusion professionals), 0 professionals

detection and detection are required

intrusion systems, cables in installing

prevention the detection

systems systems.

Cables will

be needed in

connecting

them. Two

weeks are
CYBERSECURITY STRATEGY & PLAN OF ACTION 10

enough for

completion of

the task. The

capital

requires in

purchasing

the systems

and paying

the workers is

about $

600,000

Firewalls People (IT 5/7/2020 12/7/202 100,000 5 IT

professionals), 0 professionals

cables are required

in installing

the firewalls

effectively

and this will

take about 7

days. The

capital will be

enough for

buying the
CYBERSECURITY STRATEGY & PLAN OF ACTION 11

firewalls and

paying the

workers.

Multifactor Finger print 20/7/2020 5/8/2020 500,000 5 The

authenticatio scanners, iris authentication

n scanners, systems are

Service expensive

provider for and hence the

keycard locks allocation of

$500,000. 16

days will be

enough for

the

completion of

this task.

Training on People, 10/8/2020 2/9/2020 70,000 4 Training the

encryption of computer employees on

data files systems encrypting

their data

files is quite

difficult and

hence the

need to have
CYBERSECURITY STRATEGY & PLAN OF ACTION 12

23 days of

training. They

will have a

qualified IT

professional

as the trainer.

Network architecture diagram showing pilot test environment

Internet

Intrusion detection sensor

Intrusion response systems
Firewall
Email, web, &
database servers
CYBERSECURITY STRATEGY & PLAN OF ACTION 13

Router
Switch

Wireless access point

Data center

Wireless devices
Computer

MEMORANDUM

TO: Merger & Acquisition Team

FROM:

DATE: June 16th, 2020

CYBERSECURITY STRATEGY & PLAN OF ACTION 14

SUBJECT: Recommendations for mitigating the identified risks.

I am forwarding this package to you so that you can review my recommendations

regarding the mitigations of the identified risks. I identified different risks associated with the

transfer to files, hardware, and software from Island Banking Services to Padgett-Beale.

Therefore, I believe these recommendations will help secure the systems and data files.

The Cybersecurity Strategy and Plan of Action includes the gap analysis, which identifies

the risks. Legal and regulatory requirements analysis was included to demonstrate the procedures

that the company would use in eliminating or mitigating the risks. The risk registers contain

components such as risk category, the impact level of the risks, laws and regulations, the

mitigation strategies and the control strategy. The cybersecurity strategies are the recommended

actions to enhance the security of the systems and the data. I have provided the plan of action,

and the implementation timeline, which displays the resources requires in implementing the

identified cybersecurity strategies. Also, it contains the time range for the completion of the tasks

and the cost estimate.

I would recommend that you, Merger & Acquisition Team, review the laws and

regulations related to the mitigation of the risks. For instance, the Federal Information Security

Management Act (FISMA) guides how companies can handle issues related to data breaches.

Other laws are such as the Computer Fraud and Abuse Act (CFAA), International Association of

Privacy Professionals (IAPP) and SIEM rules. Having enough knowledge on this will help in

identifying the actions that mitigate the risk and still adhere to the laws and regulations.

 Merger & Acquisition Team need to plan on how you will access the IT professionals

who will help in implementing the cybersecurity strategies. Experienced and skilled individuals

are required to ensure that they provide the correct information to the employees during training.
CYBERSECURITY STRATEGY & PLAN OF ACTION 15

Also, the detection and authentication systems need to be installed expertly. It is a project that

requires people who are committed and ready to give your best. The Merger & Acquisition Team

needs to figure out where they will find qualified IT professionals.

Merger & Acquisition Team should inform the employees in advance about the changes

that are about to be implemented. The employees need to be aware so that they can be prepared

psychologically for the change. They will be significantly affected by the change, and therefore,

they are stakeholders that should be considered. People adapt to change differently, and this

explains the need to explain to them the benefits related to the change. Some of them may take

time to research on the systems that they were told to implement, and therefore, they will have an

idea before the training begins.

The Merger & Acquisition Team should identify the individuals who should have access

to the sensitive files of PBI-Financial Services (PBI-FS). It is a strategy of access control.

Limiting the number of people accessing the files minimizes the risk of the files getting leaked or

being accessed by unauthorized people. The team is responsible for deciding on who should be

allowed to access the top-secret files. Another recommendation is that the Merger & Acquisition

Team should ensure that all the risks have been identified to enhance the effectiveness of the

operations of PBI-Financial Services (PBI-FS). 

Signature

Name

Student’s Name
CYBERSECURITY STRATEGY & PLAN OF ACTION 16

References

Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity version

1.1 (No. NIST Cybersecurity Framework).

CYBERSECURITY STRATEGY & PLAN OF ACTION 17

TechTarget. (2015, March). WIPS (wireless intrusion prevention system). Retrieved from

https://whatis.techtarget.com/definition/WIPS-wireless-intrusion-prevention-system

Josh Lake. (2018, December). What is RSA encryption and how does it work? Retrieved from

https://www.comparitech.com/blog/information-security/rsa-encryption/

About firewalls. (2019, February). Retrieved from

https://kb.iu.edu/d/aoru