MHY6750 Milestone 2 - Chiedozie Ilechie v100
School: Nexford University
Course: MHY6750
Subject: Information Systems
Date: Feb 20, 2024
Pages: 8
Milestone 2: Revised Cybersecurity Implementation Guideline and Implementation Action Plan
Chiedozie Ilechie (135297102)
Master of Business Administration, Nexford University
MHY 6750: Cybersecurity Leadership
Professor Rajan Thapaliya
Revised Cybersecurity Implementation Guideline and Implementation Action Plan
Executive Summary
As the new Chief Information Security Officer for First Independent Power Limited (FIPL), I was tasked by the Board of Directors with developing a cybersecurity implementation guideline to ensure that FIPL is adequately protected against cyber-attacks. Based on this directive, a Cybersecurity Implementation Guideline and Implementation Action Plan was prepared and shared with the Board of Directors on the 25th of January 2024.
Following the review and comments by the Board of Directors on the submission, this Revised Cybersecurity Implementation Guideline and Implementation Action Plan has been developed. Attached as an appendix to this document is a draft Implementation Action Plan Matrix.
Background of First Independent Power Limited
Located in Port Harcourt, Nigeria, First Independent Power Limited (FIPL) is an electricity generation company that produces power using gas turbine technology. The electricity produced is sold to the national grid. For seamless and efficient operations, FIPL relies significantly on computer systems, software, and the Internet to carry out its operations and to communicate with stakeholders both internally and externally.
Hence, to secure and protect its computer systems from cyber attackers, FIPL requires a robust and up-to-date cybersecurity implementation guideline. The chief aim of cybersecurity is to protect internet-connected systems against malicious attacks by cybercriminals and hackers. Cybersecurity protection typically covers phishing schemes, ransomware attacks, data breaches, and identity theft. Standard frameworks such as the CIS Critical Security Controls and the NIST Cybersecurity Framework (CSF) will be utilized for this purpose (Kelley, 2023).
Purpose of the Guideline
The Cybersecurity Implementation Guideline serves the purpose of assisting FIPL in identifying its cybersecurity risks and taking the appropriate actions to address the risks identified. For the guideline to remain effective, continuous learning drawn from experience is of great importance (Cisa.gov, 2020).
History of the Organization
First Independent Power Limited (FIPL) was established in Nigeria in 2006 as an electricity generation company and has since been in operation for 17 years, witnessing sizable growth in its production output annually. Throughout its existence, FIPL has actively contributed to the progress of its host communities through various corporate social responsibility efforts.
Mission
Bringing about sustainable change through innovative approaches in electricity generation, with an emphasis on connecting people and improving livelihoods.
Vision
To be the preferred energy provider globally, emphasizing its commitment to delivering high-quality energy solutions geared towards diverse needs and preferences.
Framework Implementation Overview
The cybersecurity framework serves as an ordered set of standards, guidelines, and best practices aimed at managing and mitigating cyber threats arising from today's digital environments. It offers a methodical approach to organizing information, empowering security managers to address cyber threats effectively and efficiently, even within complex organizations. Notably, in certain states, adherence to cybersecurity frameworks is obligatory to ensure regulatory compliance (Poggi, 2024). To prepare this Implementation Guideline for FIPL, the CIS Critical Security Controls and the NIST Cybersecurity Framework (CSF) were used.
Framework Implementation Benefits
1. To foster an organizational environment that safeguards valuable digital assets from cyber threats and data breaches (Poggi, 2024).
2. Ability to recognize and address potential threats, promptly detect and respond to cyber-attacks, and ensure a robust incident response with adequate recovery in the event of a cybersecurity incident (Poggi, 2024).
3. It builds trust and assurance with customers, stakeholders, and partners by demonstrating a solid commitment to cybersecurity and the safeguarding of sensitive data (Poggi, 2024).
4. It ensures that the company complies with relevant legislation and regulations (Poggi, 2024).
Framework Guidance Resources
Resources and Requirements Used for Development of the Guideline
People
1. Cybersecurity Architect
2. Project Manager
3. Chief Information Security Officer
4. Network Security Engineers
5. System Administrators
Other Resources
1. Expenses on training and raising awareness.
2. Cost for risk assessment and strategic planning.
3. Costs related to technological infrastructure.
4. Expenses for compliance certifications.
5. Expenditure on third-party services.
Proposed Budget
S/N  Item                                   Cost (N)
1    Security Audit and Assessment          5,600,000.00
2    Procedure and Policy Development       3,000,000.00
3    Awareness and Training                 2,500,000.00
4    Technology & Infrastructure Set Up    15,000,000.00
5    Other Costs                           10,000,000.00
     Total Cost                            36,100,000.00
Steps to Implementation of the CIS Critical Controls / Framework
1. Prioritize and Scope: The first step of the CIS Critical Controls/Framework implementation is to decide the scope of the risk assessment. This could be the entire organization, a particular business unit, or a specific business operation such as online payment processing. Support from all stakeholders whose activities can affect the scope is essential. Since resources are scarce, it is vital to prioritize properly (Cobb, 2024).
2. Create a Current Profile: This step involves tailoring the framework to the specific needs of the business. It records the organization's present position and helps to determine where the organization needs to be (Sahai, 2018).
3. Conduct a Risk Assessment and Create Target Scores: The risk assessment establishes the current cybersecurity status of the organization. Target scores are then set to benchmark the different aspects of the cybersecurity architecture. The outcome of this step shows the organization its cybersecurity risks, vulnerabilities, and threats, and all of it should be documented (Sahai, 2018).
4. Determine, Analyse, and Prioritize Gaps: The organization must begin by determining the cybersecurity gaps prevalent within its business and analyze the potential impact should an incident occur. In this step, the actual scores are compared against the target scores. A heat map is a useful way to illustrate the results so that the gaps can be recognised quickly. The requirements for closing each identified gap (i.e. moving an area from its current score to its target score) are then brought to the table, together with the actions needed to close them. The last activity in this step is to prioritize these actions in discussion with key stakeholders, taking into account the vision of the organization and the resources available (Sahai, 2018).
5. Implement Action Plan: Once the cybersecurity health of the organization is clear, target goals are aligned, a comprehensive risk assessment has been concluded, and the actions needed to close the gaps have been identified, the next step is to move straight into implementation. It is important to document processes and to prepare training materials. Metrics for testing efficacy, and continuous reassessment of the framework, are critical for success (Sahai, 2018).
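The five steps above, from scoring the current profile through to prioritizing gap-closing actions within a limited budget, can be carried out in a small script. The following Python example is added here and is not part of the original plan nor of the CIS or NIST material. The control list uses CIS Controls v8 names, but the maturity scores, likelihood/impact ratings, cost figures, scoring scales and heat-map thresholds are constructed assumptions chosen only to illustrate the method; none of them are FIPL data.

```python
"""Gap analysis and prioritisation for a CIS Controls / NIST CSF profile.

Added example for this guideline, not part of the original plan. The control
scores, likelihood/impact ratings and cost figures are constructed for
illustration and are not FIPL data. Maturity is scored 0-5 per control and
risk is rated 1-5 for likelihood and impact (assumed scales; the guideline
does not fix one).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlProfile:
    control_id: int
    name: str
    current: int      # current maturity score (0-5)
    target: int       # target maturity score (0-5)
    likelihood: int   # 1-5: how likely a weakness here is to be exploited
    impact: int       # 1-5: business impact if it is
    cost_ngn: int     # estimated cost to close the gap (constructed figure)

    @property
    def gap(self) -> int:
        """Distance from current to target score; never negative."""
        return max(self.target - self.current, 0)

    @property
    def risk(self) -> int:
        """Cell value on a 5x5 likelihood x impact heat map."""
        return self.likelihood * self.impact

    @property
    def priority(self) -> int:
        """Large gaps on risky controls rank highest."""
        return self.gap * self.risk


def heat_zone(risk: int) -> str:
    """Colour band for a heat-map cell (thresholds are an assumption)."""
    if risk >= 15:
        return "red"
    if risk >= 8:
        return "amber"
    return "green"


def prioritise(profiles):
    """Controls with an open gap, highest priority first; cheaper breaks ties."""
    open_gaps = [p for p in profiles if p.gap > 0]
    return sorted(open_gaps, key=lambda p: (-p.priority, p.cost_ngn))


def plan_within_budget(profiles, budget_ngn):
    """Greedy pick of gap-closing actions in priority order until money runs out.

    An action that does not fit is skipped rather than ending the plan, so a
    cheaper lower-priority item can still use the remaining budget.
    """
    chosen, remaining = [], budget_ngn
    for p in prioritise(profiles):
        if p.cost_ngn <= remaining:
            chosen.append(p)
            remaining -= p.cost_ngn
    return chosen, remaining


# Constructed sample profile using CIS Controls v8 names; all scores are invented.
SAMPLE_PROFILE = [
    ControlProfile(1, "Inventory and Control of Enterprise Assets", 2, 4, 3, 4, 2_000_000),
    ControlProfile(3, "Data Protection", 1, 3, 3, 5, 4_000_000),
    ControlProfile(5, "Account Management", 2, 4, 4, 4, 1_500_000),
    ControlProfile(7, "Continuous Vulnerability Management", 1, 4, 4, 4, 3_500_000),
    ControlProfile(10, "Malware Defenses", 3, 4, 3, 3, 2_500_000),
    ControlProfile(12, "Network Infrastructure Management", 3, 3, 3, 4, 1_000_000),
    ControlProfile(14, "Security Awareness and Skills Training", 1, 3, 4, 3, 2_500_000),
    ControlProfile(17, "Incident Response Management", 0, 3, 3, 5, 3_000_000),
]


def report(profiles, budget_ngn):
    """Print the ranked gap list and the actions that fit the budget."""
    print(f"{'CIS':>3}  {'Control':<42} {'Cur':>3} {'Tgt':>3} {'Gap':>3} {'Risk':>4}  Zone   Priority")
    for p in prioritise(profiles):
        print(f"{p.control_id:>3}  {p.name:<42} {p.current:>3} {p.target:>3} "
              f"{p.gap:>3} {p.risk:>4}  {heat_zone(p.risk):<6} {p.priority:>8}")
    chosen, left = plan_within_budget(profiles, budget_ngn)
    print(f"\nWithin N{budget_ngn:,}: controls {[p.control_id for p in chosen]}, "
          f"N{left:,} unallocated")


if __name__ == "__main__":
    report(SAMPLE_PROFILE, 11_000_000)
```

Run as a script, it prints the ranked gap list with each control's heat-map zone, then the subset of actions that fits an assumed N11,000,000 allocation. Control 12 has no gap and drops out of the ranking; Data Protection (control 3) is skipped at the budget cut because it no longer fits, and the cheaper asset-inventory work is taken in its place, which is the kind of trade-off step 1 warns has to be made deliberately with stakeholders rather than by accident.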
Conclusions and Recommendations
In conclusion, it is critical for FIPL to create a guideline for implementing a cybersecurity framework, leveraging established standards like the NIST Cybersecurity Framework (CSF) and the CIS Critical Security Controls, to guard against the unwanted consequences of cyber threats.
References
Cisa.gov. (2020, May). Emergency Services Sector Cybersecurity Framework Implementation Guidance. https://www.cisa.gov/sites/default/files/publications/Emergency_Services_Sector_Cybersecurity_Framework_Implementation_Guidance_FINAL_508.pdf
Cobb, M. (2024, January 18). How to perform a cybersecurity risk assessment in 5 steps. https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step
Kelley, K. (2023, October 25). What is Cybersecurity and Why It is Important? https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-cyber-security#:~:text=Cybersecurity%20is%20crucial%20because%20it,information%20systems%
Poggi, N. (2024, January 22). Cybersecurity Frameworks 101. https://preyproject.com/blog/cybersecurity-frameworks-101#:~:text=A%20cybersecurity%20framework%20is%20a,requiring%20a%20username%20and
Sahai, A. (2018, January 04). Cybersecurity frameworks 101 - overview, types & importance. https://preyproject.com/blog/cybersecurity-frameworks-101#:~:text=A%20cybersecurity%20framework%20is%20a,requiring%20a%20username%20and%20password.
Appendix
Cybersecurity Implementation Plan Matrix
Ref No. | Task | Year to be Completed | Responsible Owner | Board Rule | Budget/Source | Key dates | Status | Next Steps
A1 | Cybersecurity risk assessment audit | 2024 | Chief Information Security Officer (CISO) | BR #24-01 | IT 2024 Budget / Cybersecurity Vendor | March 2024 | Ongoing | Complete scoping and contract external vendors for assessment
A2 | Implementation of cybersecurity training and awareness program | 2024 | Human Resource Manager | BR #24-02 | In-house technical and admin resource | March 2024 | Ongoing | Continuous training gap analysis, continuous training, and promoting awareness
A3 | Development and implementation of a cybersecurity policy and framework | 2024 | Chief Information Security Officer (CISO) | BR #24-03 | IT 2024 Budget / Cybersecurity Vendor | March 2024 | Ongoing | Send draft policy framework to the Board for approval
A4 | Installation of anti-malware, anti-virus, and anti-spyware on computer systems | 2024 | IT Team | BR #24-04 | IT 2024 Budget / Product Manufacturer | April 2024 | Yet to start | Test for functionality and plan for updates and upgrades
A5 | Physical security enhancement for server rooms and other sensitive devices | 2024 | IT Team | BR #24-05 | IT 2024 Budget / Cybersecurity Vendor | March 2024 | Yet to start | Test for functionality and plan for updates and upgrades
A6 | Development of Incident Response Plan | 2024 | Chief Information Security Officer (CISO) | BR #24-06 | IT 2024 Budget / IT Team | March 2024 | Yet to start | Secure approval for the Incident Response Plan and conduct drills
A7 | Establish relationships with industry players and register with professional organizations | 2024 | Chief Information Security Officer (CISO) | BR #24-07 | IT 2024 Budget | April 2024 | Yet to start | Maintain key industry relationships and stay up to date with current trends