Assignment Details:

You have just been offered a well-paid and highly responsible job managing a national running organisation, called Run4Charities (R4C). R4C matches people wanting to run for a good cause with opportunities in various races around the country.

R4C has six offices in the country, with a head office based in a major city. They were originally formed by one person in their home, using ocial media platforms to advertise services and complete the matching of runners to events and opportunities to raise money. Within six months of starting the business demand had exceeded the capability of one person so an office space was set up and three part-time employees were found. Two years later it was clear that there was an opportunity to expand to other sites around the country and so as of today there are six offices and one head office. Each office has a manager and up to six staff. There are IT support teams (two people) in each office.

R4C currently uses their own server equipment to store all their data, which is backed up manually once a day. The offices open 9am-5pm Monday-Friday, and 10am-2pm on Saturdays, but IT support can be requested outside of these hours, serviced by a team based at the Head Office via telephone.

R4C administer their matching services via their website and mobile application (which currently links back to their website using a responsive user interface). Runners and charities can sign up online.

Charities register using their official registered charities number but there is currently no check as to whether they are genuine, and as such a disclaimer has been included on the sign up page for runners. Head Office are worried that there is the potential for someone posing as a charity to sign up and claim sponsorship money which was meant for the charity. R4C asks charities for a £3 payment each time someone signs up to their fundraising opportunity.

Runners register and are required to share personal details including medical information, next of kin, name, address, date of birth, affiliation with running clubs etc. Runners identify and select a fundraising opportunity and then R4C registers the runner on the event. The runner pays R4C the standard entry fee (which R4C pays to the event organisers), plus 10% to cover the administration costs.

The previous manager has just taken retirement and you have been offered the job based on your computing background, and knowledge of Data Governance and the ITIL framework. G4C are struggling to understand the complexities of implementing the GDPR adequately, and are subsequently at risk of fines, or worse. From regular staff meetings you are aware that there is a big demand for training of staff to ensure they understand GDPR and its implications. You will be leading on that training.

You are also keen to enhance the operational and environmental security of the organisation after undertaking initial discussions with local office managers. You have decided to implement the following consistently across all offices:

• A full risk assessment for IT services and related data.
  · A disaster management and recovery plan.
  · A set of enhanced IT policies to also include Data Protection/GDPR, a Whistle-blowing policy, Acceptable Use policy, Backup policy, Staff Training policy and a Password policy.

You are concerned by the vulnerability of the IT kit held in the centre, as the building is mostly glass on the ground floor, with very few internal lockable doors. As you have occasional visitors you need to be able to keep some areas of the building secure.

As R4C continues to grow in its day to day operations it needs a simple, reliable method for backing up the data it collects and manages on a daily basis. It keeps sensitive data on charities, runners, staff (including payroll, pensions, national insurance etc.), visitors accessing IT systems as well as important day-to-day operational data such as numbers of visitors, costs to heat the building etc. – all of which (when analysed) can contribute to reduced running costs. You have looked at the possibility of using cloud services more widely, but will need to convince the board of directors this is required.

You are also keen to expand into offering online training courses and IT support for staff, with live chat at key times. Part of your job will be to ensure that you can resource this without bringing in external help.

Your task is to put together the following items (in total around 4000 words):

1. A proposal to the board of directors for enhancing the operational and environmental security of R4C. This should include a full risk assessment relating to IT services and data security and your recommendations for systems/physical security/staff training/policy changes. Within this proposal you need to show that you have a Business Continuity Plan (how the business will continue to operate if something goes wrong). [40 marks]
2. A guide for all staff concerning ethical, legal and regulatory compliance pertaining to this scenario, to include clear information on all applicable laws and industry best practice (such as ISO27001). The guide should include clear details about the potential costs to the organisation should a breach occur (financial and reputational) and should indicate the responsibilities of everyone involved. You can also link back to any policies you plan to create for item 1. This guide will be used to supplement staff training days and will serve as a useful reminder to those who have attended the mandatory training. Finally, the guide should include a process explaining how staff can report any suspicious incident or suspected fraudulent activity. [40 marks]
3. An A4 electronic poster showing the steps to be taken for Disaster Recovery. It should indicate responsibilities and have a clear start and end. This poster is to be followed by your IT teams in the event of an IT related disaster. [20 marks]