Instructions
Cyber Security Framework
This assignment builds upon your previous two assignments, so the framework should be based on your choice of industries: aerospace, healthcare, or government agencies.
You must include the following information in your assignment:
- a title page containing the company name and your name;
- the contents of the security framework, which should include at least 12 control identifiers (ID) with family notation of your choice and should include whether the control identifier is of low risk, moderate risk, or high risk impact;
- a gap analysis including a minimum of three controls for ID; and
- a reference page that must contain at least three references.
Your security framework must be at least one page in length, not including the title page and references page. This security framework will be added to your outline to produce a completed project at the end of the course. (Hint: Be sure to read your Study Guide.) Adhere to APA Style when creating citations and references for this assignment. APA formatting, however, is not necessary.
Unit SEC 4320, IS Security Capstone 1 Course Learning Outcomes for Unit III Upon completion of this unit, students should be able to: 2. Create an IS Security Plan. 2.1 Examine control identifiers to develop a security framework for an organization. 5. Construct preventative measures to ensure critical assets are secure. 5.1 Classify control identifiers as either low, medium, or high impact for the assets at risk. Course/Unit Learning Outcomes Learning Activity 2.1 Unit Lesson eBook: Implementing the ISO/IEC 27001 ISMS Standard Report: Security and Privacy Controls for Federal Information Systems and Organizations Unit III Assignment 5.1 Unit Lesson Article: “The Cybersecurity 202: Lawmakers Slam State Department for Failing to Meet Basic Cybersecurity Standards” Report: Security and Privacy Controls for Federal Information Systems and Organizations Unit III Assignment Required Unit Resources In order to access the following resources, click the links below. Hawkins, D. (2018, September 12). The Cybersecurity 202: Lawmakers slam State Department for failing to meet basic cybersecurity standards. The Washington Post. https://link.gale.com/apps/doc/A554016570/GIC?u=oran95108&sid=GIC&xid=870e8ac9 Read pp. 1–9 and 45–59 of the e-book below. Humphreys, T. (2016). Implementing the ISO/IEC 27001 ISMS Standard (2nd ed.). https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direc t=true&db=e000xna&AN=1485197&site=ehost-live&scope=site Read pp. 24–29, 30–40, and 37–68 of the publication below. National Institute of Standards and Technology, Joint Taskforce Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations (Special Publication No. 800- 53). http://dx.doi.org/10.6028/NIST.SP.800-53r4 UNIT III STUDY GUIDE IT Security Policy Framework/Gap Analysis https://link.gale.com/apps/doc/A554016570/GIC?u=oran95108&sid=GIC&xid=870e8ac9 https://link.gale.com/apps/doc/A554016570/GIC?u=oran95108&sid=GIC&xid=870e8ac9 https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=e000xna&AN=1485197&site=ehost-live&scope=site http://dx.doi.org/10.6028/NIST.SP.800-53r4 http://dx.doi.org/10.6028/NIST.SP.800-53r4 SEC 4320, IS Security Capstone 2 UNIT x STUDY GUIDE Title Unit Lesson In today’s environment, we are surrounded by a plethora of technology that is controlled by standards, regulations, policies, procedures, and so on regarding proper usage. Without documentation of such standardization, no one technology will work in synchronization between systems. Why do we need standards? According to Humphreys (2016) in his book titled Implementing the ISO/IEC 27001 ISMS Standard, laws and regulations have a business impact on any organization. Organizations must comply and demonstrate their compliance with the laws and regulations governing them. One of many examples of not following standards was from the U.S. State Department in which the federal government failed to institute multi-factor authentication (passwords) to prevent phishing attacks from potential Russian hackers (Hawkins, 2018). Instead, the State Department opted to use low-security measures. Therefore, the organizations who decide not to use standards are easily subjected to risks that affect the business of the organization. These risks do not just harm the information technology of the organization but also the individual employees who work with these technologies on a daily basis. The question is: Where do security professionals begin looking for a standardized security policy framework that will fit the needs of the organization’s information technolog? They need not look any further than the National Institute of Standards and Technology (NIST). So, what or who is NIST? NIST falls under the U.S. Commerce Department and used to be known as the National Bureau of Standards. The main emphasis of NIST is to provide industries, governmental agencies, academics, and businesses with measurement standards. More importantly, NIST is in authority over the development of information security standards and guidelines for information systems. You can learn more about this organization at the NIST website. You can also view the video NIST Cyber Security Framework Explained WBW to learn more information about the NIST Cyber Security Framework. A transcript and closed captioning are available once you access the video. One of the many NIST documents that you must be very familiar with and that will help you develop a security framework for your organization is the NIST publication Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53) by the Joint Task Force Transformation Initiative Interagency Working Group (JTFTIIW). This document specifically details a process that can be used by any organization looking to develop a security framework. It is highly recommended that you read all three chapters of the NIST document as the bulk of the documentation contains appendices to which you will refer during your reading. How does a security professional develop a security framework using this document? One of the key areas for doing this is knowing what security control identifiers and family names are listed in Section 2.2 on page 9 of NIST SP 800-53 linked above. These codes are important as they are used in the different areas within the appendices when developing a security control framework for the organization. For example, under the ID “AC,” the family is “Access Control.” You can find a summary of the security controls that deals with access control on page D-2, Table D-2 Security Control Baselines, which is found in Appendix D of the NIST publication. Therefore, you must look through the different appendices for the ID and family to see what you need to add to your security framework. Hint: A security professional should always indicate the risk for each ID and family by identifying if each control is either low-impact, moderate impact, or high impact for information systems. Such information can be found in Appendix D of the NIST publication. There are times when a security control baseline is not enough and other security controls and/or control enhancements are needed to strengthen the initial security baselines. This additional supplement is known commonly as the gap analysis in which additional security augmentation is needed to reinforce the current security baseline. These additional security enhancements can be found in Appendix F of the NIST publication. You can also view the video What is a Cybersecurity Gap Analysis? I Banking Bits and Bytes with Brendan to learn more about gap analysis. A transcript and closed captioning are available once you access the video. https://www.nist.gov/ https://c24.page/bhue6t2jpct7fukfqx5bbn5u6j http://dx.doi.org/10.6028/NIST.SP.800-53r4 http://dx.doi.org/10.6028/NIST.SP.800-53r4 https://c24.page/psfazvtf65tbznxnj223pkru9f SEC 4320, IS Security Capstone 3 UNIT x STUDY GUIDE Title The NIST publication linked above might seem very large and exhaustive, but it contains important information already developed and categorized for the security professional to develop a security framework for his or her organization. Using this documentation will ensure that your organization has met all of the standards necessary to protect its information systems and personnel. References Hawkins, D. (2018, September 12). The Cybersecurity 202: Lawmakers slam State Department for failing to meet basic cybersecurity standards. The Washington Post. https://link.gale.com/apps/doc/A554016570/GIC?u=oran95108&sid=GIC&xid=870e8ac9 Humphreys, T. (2016). Implementing the ISO/IEC 27001 ISMS Standard (2nd ed.). https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direc t=true&db=e000xna&AN=1485197&site=ehost-live&scope=site Course Learning Outcomes for Unit III Required Unit Resources Unit Lesson References