You have been hired as the Chief Information Security Officer (CISO) for a hospital. During the former CISO’s tenure, your new boss, the Chief Information Officer, commissioned an outside consulting firm to conduct a risk assessment of the hospital’s network. The consultant delivered the completed risk assessment that is the companion to this exam and after reading it, the CEO and the Board of Directors demanded answers from the CIO. The CIO explained that your predecessor, the CISO, was hired specifically to “take charge” of information assurance at the hospital and that he and he alone was responsible for the bad results of the outside consultant’s risk assessment. As a further demonstration to the Board of Directors and the CEO that he meant business, the CIO fired the CISO. After you were hired as the new CISO, the CIO directed you to implement its recommendations over the next three months.
Drawing from the textbooks and class discussions, please prepare a complete information security management plan to implement the risk assessment’s recommendations pursuant to the CIO’s directions. Your finished product may be in outline form, but must include sufficient narrative to explain the contents of your plan. You do not have to write policies, but you may make policy recommendations as part of your management plan.
If you decide to use materials published in other documents, please cite to your sources to avoid any implication of plagiarism.