Security Transport Professionals Incorporated (STP) has its home office located in
Lexington, Kentucky and in addition has more than 3,000 employees located in each of its branch offices located in Houston, Texas and San Diego, California.
STP is primarily a nationwide freight hauler. Its customers are comprised of major market
retailers, particularly in the medical and pharmaceutical industry, the federal government, and
several state governments. STP operates a fleet of trucks and private cargo planes that it uses to move “goods” belonging to its customers from one destination to another across the continental United States. Its fleet of truck carriers is located in Lexington, Kentucky with its planes located in Louisville, Kentucky.
STP carries and transports highly controlled narcotics and scheduled prescription drugs, and
toxic, radioactive, nuclear, and top secret materials from one facility belonging to its customer to another. The method of transport depends on the type of cargo being hauled. In addition to
hauling/forwarding its customers’ products/goods, STP is required from time to time to store its
customers’ goods for brief periods of time. Two years ago STP began contracting with a number of subcontractors, hereafter referred to as either “limited joint partners (LJPs)” or “independent
subcontractor alliances (ISAs)”, for the purpose of expanding its freight forwarding, storage, and
delivery service. Due to the confidential nature of the freight that it transports, STP vets its
employees, as well as any subcontractors (LJPs and ISAs) that it engages.
STP’s business objectives and goals include the confidential, safe and secure movement of
its customers’ goods, from the customer/distributor to its client, or from one of its customer’s
locations to another of the customer’s locations, in a timely and efficient manner using cost-effective methods. Alternatively, STP may transfer this responsibility to one of its limited joint partners (LJPs) or independent subcontractor alliances (ISAs), if it is more cost-effective and the income differential is within acceptable limits.
There are 3 LJPs with which STP had entered into contracts. LJPs are corporate organizations in the same industry that offer essentially the same services as STP, and who are generally competitors of STP. However, when the job requires resources that exceed those of STP or its competitor, the two will enter into an agreement to jointly undertake the contract together, and will together provide the same full range of services, with both entering into the same contract or joint venture with the customer.
Independent subcontractor alliances (ISAs) differ from Limited Joint Partners (LJPs) in that an ISA is not a direct competitor of STP. Rather, the ISA is a company that offers a subset of services to STP, or contracts with STP to provide it with necessary resources to perform the particular job at hand. For example, an ISA may be a warehousing company that provides only storage facilities for STP. Alternatively, an ISA may be a company that is engaged in service and repairs for STP’s trucks and planes, and/or provides sterilization and cleaning services for STP’s trucks and planes
upon completion of a job, where STP had transported hazardous or toxic materials, requiring
specific types of sterilization or cleaning services for its transport vehicles. There are other types of ISA that STP engages and contracts with. With regard to ISAs, STP is the only organization that will contract with its customer or who will be identified to the customer. It will then enter into its own separate subcontractor contract with its ISA, and the ISA is not identified to STP’s customer. There is no definitive number of ISAs that contract with STP. The specific ISAs used
(if any) will vary depending on the geographic location or area of the country involved and the
availability and cost of the ISA available to service the area.
STP is also under pressure from several of its competitors in the industry. The competitive market
is driving STP to improve its routes, delivery methods, fleet vehicles, and other facets of its
business to increase profits (a strategic goal) and to reduce costs. The company realizes that its
information technology infrastructure has been neglected for some time and that many operating
locations are running on outdated hardware and software. On several occasions last year, STP
suffered no fewer than four network compromises through one of its LJP Internet sites that led to the
disclosure of sensitive and strategic information on contracts and mergers.
The chief information officer (CIO) made a strategic presentation to the board of directors and
executive management to first assess the aging infrastructure and then develop a multi-year phased
approach to have all sites (except for LJP and ISA) on the same hardware and software platforms.
Information about the assessment indicates that the current state core infrastructure (switches,
routers, firewalls, servers, and so on) must be capable of withstanding 10-15% growth every year
for the next seven years with a three-to-four-year phased technology refresh cycle.
There is a hodgepodge of servers, switches, routers, and internal hardware firewalls. Nearly all of
the infrastructure is woefully out-of-date in terms of patches and upgrades. This operational neglect
has unduly increased the risk to the network, in terms of confidentiality, integrity, and availability.
Since this will be a multi-year technology upgrade project, something must be done to reduce
STP’s exposure to vulnerabilities to increase the overall security profile and reduce the risk profile.
Now that the funding has been approved for the infrastructure assessment, the CIO has decided
that it might be a good idea to implement an Information Governance Program in the
organization, assuming he can sell the corporation on its benefits. To that end, the CIO has hired
you as IG Project Manager to assist in the initial preparatory stages.
STP Job Roles: In addition to the CIO, below is a list of individuals at STP to whom you have
been introduced. The CIO has informed you that you can call upon any or all of the individuals
who hold these job roles/titles for assistance and may name any of them to be on your project team.
You may also call upon any of the heads of the various business units for assistance, as well as a
designated contact person for each of STP’s LJPs and ISAs.
Chief Executive Officer (CEO)*
Chief Information Officer (CIO)*
Chief Financial Officer (CFO)*
Executive VP of Marketing*
VP of Human Resources
In-house Counsel
In-house Financial Analyst and Risk Manager
Senior Records Manager
Senior IT Manager
IT Security Expert
Overland Transport Manager
Airway Transport Manager
Southern Region General Manager (Houston, Florida)
Western Region General Manager (San Diego, California)
Information Security Specialist
1. This phase will involve performing a records inventory. The organization is far too large to
undertake a records inventory for the entire company. You will need to determine which
program, division, or functional area to include in the records inventory: (a) the
narcotics/drugs that you ship/store, (b) the top secret materials that you ship/store, or (c) the
toxic or dangerous materials that you ship/store. Once
you have made that determination, decide which of the managers/personnel previously
identified that you will need to contact/interview and work with in order to complete the
records inventory for the functional area that your group has selected. It will most likely
include more than one of the personnel/departments listed above. As project manager you
have decided to collect information using a two-step approach where you first send out
survey questions and then once you have received the responses you will follow up by
conducting interviews.
(a) State whether you intend to focus on the narcotic/drug area, top secret materials for
the government, or toxic or dangerous materials/chemicals.
(b) Identify which of the above department(s)/areas/units that you will need to survey
and subsequently interview, depending on which one of the three functional areas you have
decided to focus your attention on.
(c) For the functional area that you have selected, you want to be able to speak
intelligently to the knowledgeable personnel within that department and ask appropriate and
relevant questions. Therefore, you need to do some preparation and brainstorming before
making contact with the departments/units that you have identified as essential. To that
end, identify (using diagram, table, hierarchy chart, taxonomy, or other form that is most
descriptive) the “record types” that you expect are created and maintained in each of the
departments/areas/units that you have decided to focus on. Use descriptive names for each
record type and tell the type of information that would be retained in each record type. This
can be as specific as creating a taxonomy for the record if you should decide to do so (see
Appendix A in your text book), or you may conduct research and determine what other
structure would be appropriate in order to convey this information. The most effective way
to convey this information to me would be in the form of a table that identifies the Record
Type, Responsible Department, and the Event that triggers the creation of each record type.
[For example, if we were dealing with a health care provider (WHICH WE ARE NOT, I
am only using this unrelated example to give you an idea of what I want you to do), an
example of a record type that your doctor’s office might keep would be an Insurance
Record that would include things like information about the Insurer, information about the
patient, information about the insured if different from the patient, information about the
plan options and conditions of coverage, information about the insured’s history of using
this insurance in the past and the prior payment record.] [Another example: You will find
a record type used on page 172 of your text book to describe a workers’ compensation
insurance company’s accident/injury report as part of its record retention schedule.]
(d) Develop a Records Inventory Survey Form that you are going to use in surveying
the departmental unit(s) you have identified above. The purpose for your survey is to be
able to identify the kinds of records (contracts, financial reports, memoranda, invoices,
etc.), which department owns the records, which departments access the records, what
application creates the record, where the record is stored physically and logically, date
created, last changed, whether it is a vital record, and whether there are other forms of the
record. You want to be able to use this information to make decisions related to retention
and disposal of the records. Explain who will receive the survey and why. The survey will
be sent about one month prior to the follow up interviews. This will allow for two (2) weeks
to complete and return the survey and two weeks to tabulate and review it, and to tweak
your interview questions, depending on the results of the survey. Explain the rationale for
the questions that you included in your survey.
(e) Develop an initial set of interview questions that you plan to use as a follow up to
the initial survey that you drafted in (d) above.
(f) Based upon the records you have identified above, develop a record retention
schedule for the record types. Include in this the method of destruction when the record
is marked for destruction. Explain whether you are going to use event-based retention for
any of your record types and if so why, and identify the triggering event. For this question,
you need to discuss the legal requirements and compliance considerations.
THE RESEARCH PAPER: While your research paper will undoubtedly include a number of
tables, diagrams, lists and other illustrations, the paper is to be written in narrative form. The
illustrations may be included in an appendix at the end of the paper, or may be embedded in the body.
But please don’t forget that the paper itself is written in narrative form. Include citations to your
research.
work should include no fewer than five (5) sources. under ten (10) pages, excluding illustrations.