Regional Bank has been growing rapidly. In the past two years, it has acquired six smaller financial institutions. The long-term strategic plan is for the bank to keep growing and to “go public” within the next three to five years. FDIC regulators have told management that they will not approve any additional acquisitions until the bank strengthens its information security program. The regulators commented that Regional Bank’s information security policy is confusing, lacking in structure, and filled with discrepancies.

Should the bank work toward ISO certification?

Which ISO 27002:2013 domains and sections should be included?

Would you use NIST’s Cybersecurity Framework (CIA security model) and related tools?

Which methods of communication would be best for sending the policy?

What other criteria should be considered?

Which methods of communication would be best for sending the policy?

What other criteria should be considered?