CS465

You will be taking on the role of Chief Information Assurance Officer (CIAO) in a small manufacturing company, ABC Inc. Recently ABC’s internal network was compromised, and administrative and financial operations were curtailed for a few weeks. You have been tasked with creating a set of information assurance (IA) policies and procedures to reduce the risk of company disruption and of internal proprietary information being compromised again. Your initial deliverable will be a report about what happened, some of the apparent consequences of the breach, and policies and procedures to be put in place to reduce the likelihood of future incidents.

As the incoming CIAO, you are tasked with writing a detailed report about the incident, its consequences,
and detailed measures to prevent a recurrence. With that in mind:
1. Assume that this report will be submitted to your new boss. Your continued employment depends on the objectivity and thoroughness of your investigation.
2. With self-preservation in mind, there should be:
(a) A summary of what happened.
(b) A background section outlining ABC’s commercial responsibilities, intellectual properties, strategic and corporate alliances, and a discussion of the strengths and weaknesses of the network infrastructure.
(c) What were the consequences of what happened?
(d) A vulnerability assessment of the company’s assets and ability to function (i.e., perform services, charge for services, receive payment for services, and pay for services). Label each as critical, essential, or ancillary to the company’s operation. Remember the goal of IA is the assurance of services, including integrity, availability, confidentiality, and non-repudiation.
(e) A risk-based threat matrix derived from your vulnerability assessment (see Figure 1).
(f) A recommended company communications plan (make sure to address both internal and external communications).
(g) How will you ensure that it won’t happen again?