CYB 207 All Discussions

$12.00
  • Description

CYB 207 Wk 1 Discussion

Post a total of 3 substantive responses over 2 separate days for full participation. This includes your initial post and 2 replies to classmates or your faculty member.

Read Faculty Note below, and review the Discussion Grading Rubric each week.

Option 1

Due Thursday 

The National Institute of Standards and Technology (NIST) publications and the International Organization for Standardization (ISO) 27000 series are the two most widely adopted frameworks for implementing security risk management. They share some commonalities and also differ in important ways.

Drawing on this week’s reading from the NIST and ISO 27000 series publications, describe two areas within each framework (NIST and ISO 27000). Compare and contrast how each relates to the other.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

Option 2

Due Thursday

The first major step in any risk management framework is to categorize information systems. An information security professional must understand the sensitivity of the data an information system processes and stores before categorizing that system. Understanding the impact level (Low, Moderate, High; FIPS 199 uses “Moderate” rather than “Medium”) of the organization’s data elements is what makes it possible to protect the confidentiality, integrity, and availability of the data appropriately.

For example, data categories that apply to a hospital environment include protected health information (PHI), personally identifiable information (PII), and payment card data governed by PCI DSS, to name a few. Each category contains data elements; patient name, surgical procedure, and prescription information, for instance, are elements of the PHI category.

List at least 2 data categories and at least three data elements within each category for a typical financial institution (e.g., bank, savings and loan, etc.).

Use this week’s reading “Minimum Security Requirements for Federal Information and Information Systems” (FIPS 200, which applies the FIPS 199 impact definitions) as a guide to map each element to an impact level (Low, Moderate, High) for Confidentiality, Integrity, and Availability.

Explain why this identification is important for the risk management framework.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

 

CYB 207 Wk 2 Discussion

Post a total of 3 substantive responses over 2 separate days for full participation. This includes your initial post and 2 replies to classmates or your faculty member.

Option 1

Due Thursday 

NOTE: This is a confusing and complex approach for assessing risk. I will give full credit for any attempt at this, but I recommend completing Option 2 instead.

Selecting controls is based on the categorization of an organization’s data. The higher the impact level (Low, Moderate, High) of the data, the more protection is required. CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, is a companion document to NIST SP 800-53, which is referenced in this week’s assignment. It describes the processes for data categorization and security control selection, and unlike the NIST SP 800-53 baselines it selects controls against each of confidentiality, integrity, and availability separately rather than against a single overall level.

 

Within the Risk Assessment (RA) family of security controls, as listed in Appendix D-1 table of CNSSI No. 1253, assign those specific security controls required to be assessed for two IT Systems, X and Y, with data categorized as follows:

  • IT System X:
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • IT System Y:
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

Discuss the control selection for each IT system.

  • Which IT system required more RA security controls for risk assessment?
  • Which RA security controls were selected for both IT systems?
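The Week 1 Option 2 categorization task and this control-selection task are two halves of one computation: first the FIPS 199 high-water mark across the data a system handles, then a per-objective control selection in the CNSSI 1253 style. The Python below is an added example and is not part of the course material or of any NIST or CNSS publication. The bank data types, their impact levels, and the control thresholds in RA_CONTROL_THRESHOLDS are constructed placeholders: the control IDs are real NIST SP 800-53 RA-family identifiers, but the levels assigned to them here only mirror the SP 800-53 Rev 4 baseline tiers and are not copied from CNSSI 1253 Appendix D-1, which remains the authoritative table for the assignment.

```python
"""FIPS 199 categorization and CNSSI 1253-style per-objective control selection.

Added example (not course material). All data values and control thresholds
below are constructed for illustration; consult CNSSI 1253 Appendix D-1 for
real selections.
"""
from __future__ import annotations

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")

# Constructed data types for a hypothetical retail bank, each with the
# impact level (Low/Moderate/High) an analyst assigned per objective.
BANK_DATA_TYPES = {
    "customer identity records": {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Low"},
    "account ledger":            {"Confidentiality": "Moderate", "Integrity": "High",     "Availability": "High"},
    "public rate sheet":         {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
}

# Constructed per-objective thresholds (NOT the real CNSSI 1253 values).
# A control is selected if, for ANY objective, the system's level meets the
# threshold. None means the control does not key off that objective; here
# RA-5(4) is keyed to confidentiality only to show the per-objective effect.
RA_CONTROL_THRESHOLDS = {
    "RA-1":    {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
    "RA-2":    {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
    "RA-3":    {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
    "RA-5":    {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
    "RA-5(1)": {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Moderate"},
    "RA-5(2)": {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Moderate"},
    "RA-5(5)": {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Moderate"},
    "RA-5(4)": {"Confidentiality": "High",     "Integrity": None,       "Availability": None},
}


def categorize_system(data_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """FIPS 199 high-water mark: per objective, take the max across all data types."""
    return {
        obj: NAMES[max(LEVELS[levels[obj]] for levels in data_types.values())]
        for obj in OBJECTIVES
    }


def overall_impact(categorization: dict[str, str]) -> str:
    """Single overall level (used by SP 800-53 baselines): max across C, I, A."""
    return NAMES[max(LEVELS[level] for level in categorization.values())]


def select_controls(categorization: dict[str, str], thresholds=RA_CONTROL_THRESHOLDS) -> list[str]:
    """CNSSI 1253 style: a control applies if any objective meets its threshold."""
    selected = []
    for control, marks in thresholds.items():
        for obj in OBJECTIVES:
            threshold = marks.get(obj)
            if threshold is not None and LEVELS[categorization[obj]] >= LEVELS[threshold]:
                selected.append(control)
                break
    return sorted(selected)


def select_by_high_water_mark(categorization: dict[str, str], thresholds=RA_CONTROL_THRESHOLDS) -> list[str]:
    """SP 800-53 baseline style: apply the single overall level to every objective."""
    level = overall_impact(categorization)
    return select_controls({obj: level for obj in OBJECTIVES}, thresholds)


def compare_selections(cat_a: dict[str, str], cat_b: dict[str, str], thresholds=RA_CONTROL_THRESHOLDS) -> dict[str, list[str]]:
    """Answer the discussion questions: which system needs more, and which controls are shared."""
    a, b = set(select_controls(cat_a, thresholds)), set(select_controls(cat_b, thresholds))
    return {"only_a": sorted(a - b), "only_b": sorted(b - a), "common": sorted(a & b)}


SYSTEM_X = {"Confidentiality": "High", "Integrity": "High", "Availability": "High"}
SYSTEM_Y = {"Confidentiality": "Low", "Integrity": "Low", "Availability": "Low"}

if __name__ == "__main__":
    bank = categorize_system(BANK_DATA_TYPES)
    print("Bank system categorization:", bank, "overall:", overall_impact(bank))
    print("System X RA controls:", select_controls(SYSTEM_X))
    print("System Y RA controls:", select_controls(SYSTEM_Y))
    print("X vs Y:", compare_selections(SYSTEM_X, SYSTEM_Y))
    # A system that is Low for confidentiality but High elsewhere shows why
    # per-objective selection differs from the high-water mark.
    mixed = {"Confidentiality": "Low", "Integrity": "High", "Availability": "High"}
    print("Mixed, per-objective:", select_controls(mixed))
    print("Mixed, high-water mark:", select_by_high_water_mark(mixed))
```

With these constructed thresholds System X picks up all eight RA controls and System Y the four Low-tier ones, which are also the four the two systems share; the mixed system illustrates the practical difference between the two selection methods, since a confidentiality-only control drops out when confidentiality is Low even though the system's overall level is High.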

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

Option 2

Due Thursday

Defense in Depth is a security concept that relies on multiple security controls to protect the confidentiality, integrity, and availability of a company’s assets and data.

Define the term “Defense in Depth.”

Describe an example where a mix of technical, administrative, and physical security controls are used to provide protection for your chosen example.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

 

CYB 207 Wk 3 Discussion

Post a total of 3 substantive responses over 2 separate days for full participation. This includes your initial post and 2 replies to classmates or your faculty member.

Option 1

Due Thursday

The NIST SP 800-37 defines two important roles within the RMF process, especially during the authorization steps: (1) information system owner and (2) information owner. During Step 1 of the NIST RMF process, the two roles work together to classify information and categorize the IT systems. The two roles also have a significant stake in the authorization of an IT system in order to conduct operations. In some cases, they may have differing objectives.

Research each role (information system owner and information owner) and describe how the authorization process must consider the perspectives of each role.

Provide an example where the roles may conflict.

Explain a situation where the authorizing official may need to resolve a decision based on the risks presented in the risk assessment report.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

Option 2

Due Thursday

Appendices D and E of the NIST SP 800-37 describe the roles and responsibilities involved in the RMF process.

Describe two of the roles, beyond the Information System Owner and Information Owner, which have a direct stake in the authorization process.

Explain how they would collaborate together during Step 5 of the NIST RMF process. Include their specific RMF tasks during Step 5, and explain any conflicts that may arise between the two roles.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

 

CYB 207 Wk 4 Discussion

Post a total of 3 substantive responses over 2 separate days for full participation. This includes your initial post and 2 replies to classmates or your faculty member.

Option 1

Due Thursday

The NIST SP 800-37 defines two important roles within the RMF process, especially during the authorization steps: (1) information system owner and (2) information owner. During Step 1 of the NIST RMF process, the two roles work together to classify information and categorize the IT systems. The two roles also have a significant stake in the authorization of an IT system in order to conduct operations. In some cases, they may have differing objectives.

Research each role (information system owner and information owner) and describe how the authorization process must consider the perspectives of each role.

Provide an example where the roles may conflict.

Explain a situation where the authorizing official may need to resolve a decision based on the risks presented in the risk assessment report.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

Option 2

Due Thursday

Appendices D and E of the NIST SP 800-37 describe the roles and responsibilities involved in the RMF process.

Describe two of the roles, beyond the Information System Owner and Information Owner, which have a direct stake in the authorization process.

Explain how they would collaborate together during Step 5 of the NIST RMF process. Include their specific RMF tasks during Step 5, and explain any conflicts that may arise between the two roles.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

 

CYB 207 Wk 5 Discussion

Post a total of 3 substantive responses over 2 separate days for full participation. This includes your initial post and 2 replies to classmates or your faculty member.

Option 1

Due Thursday

Penetration testing and vulnerability scanning are important technical mechanisms that support continuous monitoring and vulnerability management. However, the two terms are often used interchangeably even though they are different methods used for different purposes: a vulnerability scan enumerates known weaknesses, while a penetration test attempts to exploit weaknesses to demonstrate actual impact.

Compare and contrast the two different methods.

Explain how each is used for the following:

  • Identifying new vulnerabilities in IT systems
  • Justifying any changes in the security of the system that may need re-assessment and re-authorization

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.

Option 2

Due Thursday

Reauthorization (i.e., repeating all six steps of the NIST RMF process) is required after a specified period, typically two or three years, or whenever there has been a significant change to an IT system.

Research the decision process for reauthorization.

Explain the process and include the major stakeholders involved in deciding on reauthorization. Discuss how security metrics could trigger the need for reauthorization.

Due Monday

Post 2 replies to classmates or your faculty member. Be constructive and professional.