
April 5, 2024

In this evaluation, you are tasked with crafting a comprehensive security strategy for the
organization depicted in the provided case study. Your approach should encompass a thorough
analysis of the organizational context, including the alignment of business objectives, an overview of
the prevailing threat landscape and associated risks, as well as a clear delineation of roles and
responsibilities integral to the cybersecurity framework. Your insights and strategic
recommendations should be meticulously documented and presented as a formal business report.
Case Study: EduTech Corp
Background:
EduTech Corp, a burgeoning educational technology firm, specializes in providing robust learning
management systems and comprehensive online course platforms tailored for higher education
institutions. Amidst the surging trend towards digital learning, EduTech Corp has experienced a
marked expansion. The company is responsible for safeguarding an extensive repository of
sensitive data encompassing student personal details, academic records, and financial transactions.
Current Situation:
In recent times, EduTech Corp has found itself besieged by an array of cyber threats, ranging from
sophisticated phishing schemes and ransomware attacks to a significant security breach that
compromised the personal data of over 100,000 students. These incidents have laid bare numerous
vulnerabilities within the company’s cybersecurity framework, notably the use of obsolete security
solutions, a deficiency in employee cybersecurity awareness, and the absence of a robust, well-defined
governance structure for cybersecurity. The board of directors, acutely aware of the potential legal
ramifications, financial fallout, and reputational damage stemming from these
breaches, has entrusted the recently appointed Chief Information Security Officer (CISO) with the
mission to architect and enforce a holistic cybersecurity governance and strategy framework aimed
at mitigating future threats.
Challenges:
A primary challenge confronting EduTech Corp is the misalignment between its cybersecurity
measures and its overarching business goals and expansion strategies. The recent series of
cyber-attacks has underscored this misalignment, spotlighting the pressing need for a cybersecurity
strategy that not only addresses immediate security concerns but is also intricately woven into the
company’s business fabric. Additionally, the company faces the challenge of clearly defining and
demarcating the roles and responsibilities across strategic, tactical, and operational tiers to ensure a
cohesive and coordinated approach to cybersecurity.
Marking criteria
This evaluation will rigorously assess your proficiency and depth of understanding in pivotal areas of
cybersecurity governance. The points allocated to each criterion are indicative of the relative weight
and importance of that competency:
▪ Introduction (5 pts):
o Organisational information and contexts
▪ Governance Mapping (12 pts):
o Evaluate your adeptness in applying the strategic alignment outcome and the COBIT
5 framework, ensuring seamless integration with the organization’s mission, strategic
goals, and overarching objectives. Your justification should reflect a profound
comprehension of how governance principles, outcomes, and frameworks
significantly enhance the organization’s cybersecurity posture.
▪ Development of a Comprehensive Cybersecurity Strategy (13 pts):
o Measure your proficiency in devising a cogent and robust cybersecurity strategy. This
entails a nuanced understanding of the organizational context, setting clear and
attainable goals, and proposing well-defined strategic objectives and initiatives. The
strategy should demonstrate a deep insight into cybersecurity governance outcomes
and exhibit a strategic congruence with the business environment.
Target audience
The target audience for this report is the board of directors for the selected organisation, therefore
this should be explained using formal business language that can be understood by people with
minimal technical knowledge. Technical terms should also be explained.
Recommended length and structure
Your report will be approximately 1500 words long (+/-10%), excluding tables, figures, appendices
and references. It should include the following sections:
• Introduction (approx. 150 words)
o Brief overview of the organization
o Mission and vision of the organization
o Current cybersecurity threat landscape, business needs, and other contexts.
• Cybersecurity Governance Mapping (750 words)
o Define 3-5 specific business goals of EduTech Corp to achieve its vision
o Map the Specific Goals to COBIT 5 Enterprise Goals
o Map the selected COBIT 5 Enterprise Goals to COBIT 5 Alignment Goals
o Map the selected COBIT 5 Alignment Goals to COBIT 5 Governance and
Management Objectives
• Cybersecurity Strategy (approx. 600 words)
o Cybersecurity Vision/Mission
o Roles and responsibilities
o Strategic objectives (redefine the COBIT 5 governance and management objectives
defined above)
o Strategic initiatives
• References
Required references
You should aim to cite at least 10 references from reputable sources (e.g., academic, industry body
publications, white papers).
Referencing guidelines
Use RMIT Harvard referencing style for this assessment. If you are using secondary sources,
include these as a reference list in your report.
You must acknowledge all the sources of information you have used in your assessments.
