CYB 207 Entire Course

$39.00
Description

CYB 207 Wk 1 – NIST RMF Step 1 Categorize Information Systems

Your company, Phoenix Security Services, is a managed security services contractor that consults with U.S. businesses that need help complying with the Sarbanes-Oxley Act of 2002 (SOX). Your company has a proven track record in information security program management, information security governance, risk management, and regulatory and compliance recommendations. Phoenix Security Services’ newest client, a national grocery company called SureMarket, must report to the Securities and Exchange Commission (SEC) with proof of its compliance with SOX.

 

You are appointed to lead the security team assigned to the SureMarket account. You must conduct a SOX compliance assessment of SureMarket using the NIST Risk Management Framework (RMF) as described in NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37). Revision 2 also adds a preliminary Prepare step; this course works through the six steps below:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls

 

Review the Grading Rubric at the right.

 

Review the SureMarket IT Systems Profile to become familiar with the SureMarket business and IT systems relevant to a Sarbanes-Oxley Act (SOX) audit.

 

Your first task is to complete Step 1 of the NIST RMF process by documenting the information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.

 

To prepare your documentation, create a 3-5-page Microsoft® Word document with the following sections of lists and tables:

  • IT Systems Descriptions (List): Describes each of SureMarket’s primary IT systems subject to a SOX assessment:
    • Point of Sale (POS) Check System
    • Self-checkout POS
    • Cash Management (CashMan) System
    • Accounting & Finance Management System (AFMS)
    • Audit Trail Management System (ATMS)
  • Data Mapped to IT Systems (Table): Maps the security requirements outlined in this week’s reading, “Minimum Security Requirements for Federal Information and Information Systems” (FIPS 200), to the same five SureMarket IT systems:
    • Point of Sale (POS) Check System
    • Self-checkout POS
    • Cash Management (CashMan) System
    • Accounting & Finance Management System (AFMS)
    • Audit Trail Management System (ATMS)
  • Protection of Data (List): Describes the data stored, processed, and exchanged by each system that must be adequately protected to meet SOX regulatory requirements
  • Categorization of Data (Table): Categorizes the data for each IT system as high, medium, or low sensitivity for each of confidentiality, integrity, and availability (FIPS 199 uses the terms low, moderate, and high for the same levels)
  • Categorization of IT Systems (Table): Categorizes each IT system based on the data elements it processes, stores, and exchanges; a system takes the highest categorization of any data element it handles
  • Top 5 Prioritized Security Family Areas Applicable to Each SureMarket IT System for SOX Assessment (Table): Correlates the NIST SP 800-53 control families with the specific SOX IT system validation requirements (Note: The Access Control (AC) family should be in the top 5 prioritized list based on information security fundamentals.)

 

Note: You will use this week’s assignment to help you complete your Week 2 assignment.

 

Submit your assignment.

 

CYB 207 Wk 2 – NIST RMF Step 2: Select Security Controls

As the team leader for Phoenix Security Services’ SureMarket account, you continue your SOX compliance assessment using the NIST RMF as described in NIST SP 800-37:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls

 

Review each security family you identified in Step 1. Use NIST SP 800-53 (the security and privacy control catalog; its companion, NIST SP 800-53A, contains the assessment procedures you will use in Step 4) to determine the specific security controls in each family that apply to the SureMarket Sarbanes-Oxley Act (SOX) assessment.

 

Your next task is to complete Step 2 of the NIST RMF process by continuing to document information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.

 

To prepare your documentation, create a 5- to 6-page table in Microsoft Word mapping each security family to the specific security controls contained in NIST SP 800-53. Each security family will have more than one security control. Organize your information in a table with the following columns:

  • Security Family Area
  • Specific Security Controls Within Each Family Area
  • Description of Each Security Control

 

Note: You will use this week’s assignment to help you complete your Week 3 assignment.

 

Submit your assignment.

 

CYB 207 Wk 3 – NIST RMF Step 3: Implement Security Controls and Step 4: Assess Security Controls

As the team leader for Phoenix Security Services’ SureMarket account, you continue your SOX compliance assessment using the NIST RMF as described in NIST SP 800-37:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls

 

Review the security controls outlined in Step 2 of the SureMarket IT Systems Security Audit Results.

 

Your next task is to complete Steps 3 and 4 of the NIST RMF process by continuing to document the information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.

 

Part A

To prepare your documentation for Step 3, create a 2- to 3-page table in Microsoft Word mapping each of the 5 vulnerabilities from the SureMarket IT Systems Security Audit Results document to the ineffective or non-existent security controls. The landscape table should include the following 5 columns:

  • IT System with the Vulnerability
  • Vulnerability Title
  • Vulnerability Description
  • Security Control that is Not Compliant
  • Type of Security Control (Technical or Non-technical)

 

Part B

To prepare your documentation for Step 4, use the information from Steps 1 through 3 to create a 10- to 11-slide Microsoft PowerPoint® presentation documenting the risk assessment for the selected security controls for each IT system. You will present this to the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) before the presentation to SureMarket leadership (prepared in your Week 4 assignment), so that the CIO and CISO can approve the Phoenix Security Services contract work.

 

Your presentation should include the following:

  • A table for each IT System (1 slide per system) that shows:
    • IT System Categorization for confidentiality, integrity, and availability
    • Vulnerability Title
    • Vulnerability Description
    • Security Control Name (e.g., AC-2)
    • Likelihood Determination
    • Impact Determination
  • A 5 x 5 Risk Matrix for each IT System, built from the likelihood and impact scales in NIST SP 800-30 (1 slide per system), with the overall risk assessment identified
  • A table summarizing the overall risk for each IT system (on a single slide)
  • DETAILED SLIDE NOTES in the Notes section of each slide
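The likelihood-by-impact lookup and per-system roll-up behind these slides, as an added example in Python (it is not part of the course materials or of the SureMarket audit documents). The 5 x 5 matrix cell values are my assumption, patterned on the semi-quantitative scale in NIST SP 800-30 Rev. 1, Appendix I; the five findings are constructed placeholders with assumed likelihood, impact, and control IDs, not the actual SureMarket audit results. The overall risk per system uses the high-water mark (the system's worst finding), and the sorted output is the priority order a mitigation plan would follow.

```python
"""Added example: 5 x 5 risk matrix lookup and per-system risk roll-up.

Not part of the CYB 207 course materials. The matrix cells are an ASSUMPTION
patterned on NIST SP 800-30 Rev. 1, Appendix I (check them against the
published table before reuse), and the findings below are constructed
placeholders, not the SureMarket audit results.
"""
from dataclasses import dataclass

# Qualitative scale used for likelihood, impact and risk, lowest first.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: likelihood; columns: impact in LEVELS order (lowest first).
# ASSUMED cell values in the style of SP 800-30 Rev. 1 Table I-2.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}


@dataclass(frozen=True)
class Finding:
    """One row of the per-system slide table (constructed placeholder data)."""
    system: str       # IT system the vulnerability belongs to
    title: str        # vulnerability title
    control: str      # NIST SP 800-53 control that is not compliant, e.g. "AC-2"
    likelihood: str   # one of LEVELS
    impact: str       # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair; reject unknown levels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: likelihood={likelihood!r} impact={impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def finding_risk(f: Finding) -> str:
    return risk_level(f.likelihood, f.impact)


def overall_system_risk(findings: list[Finding]) -> dict[str, str]:
    """Overall risk per system: the high-water mark of that system's findings."""
    overall: dict[str, str] = {}
    for f in findings:
        level = finding_risk(f)
        current = overall.get(f.system)
        if current is None or LEVELS.index(level) > LEVELS.index(current):
            overall[f.system] = level
    return overall


def prioritized(findings: list[Finding]) -> list[Finding]:
    """Mitigation order: highest risk first, ties broken by the higher impact."""
    return sorted(
        findings,
        key=lambda f: (LEVELS.index(finding_risk(f)), LEVELS.index(f.impact)),
        reverse=True,
    )


def matrix_table() -> str:
    """Render the 5 x 5 matrix as text, highest likelihood on top as on a slide."""
    width = max(len(lvl) for lvl in LEVELS) + 2
    header = "Likelihood \\ Impact".ljust(20) + "".join(lvl.rjust(width) for lvl in LEVELS)
    rows = [header]
    for lk in reversed(LEVELS):
        rows.append(lk.ljust(20) + "".join(c.rjust(width) for c in RISK_MATRIX[lk]))
    return "\n".join(rows)


# Constructed placeholder findings (assumed values; not the SureMarket audit results).
SAMPLE_FINDINGS = [
    Finding("Point of Sale (POS) Check System", "Placeholder finding 1", "AC-2", "High", "High"),
    Finding("Point of Sale (POS) Check System", "Placeholder finding 2", "AU-2", "Low", "Moderate"),
    Finding("Accounting & Finance Management System (AFMS)", "Placeholder finding 3", "AC-6", "Moderate", "Very High"),
    Finding("Audit Trail Management System (ATMS)", "Placeholder finding 4", "AU-9", "Very High", "Very High"),
    Finding("Cash Management (CashMan) System", "Placeholder finding 5", "CM-2", "Low", "Low"),
]

if __name__ == "__main__":
    print(matrix_table())
    for f in prioritized(SAMPLE_FINDINGS):
        print(f"{finding_risk(f):9s} {f.system}: {f.title} ({f.control})")
    for system, level in overall_system_risk(SAMPLE_FINDINGS).items():
        print(f"Overall risk for {system}: {level}")
```

Two design points matter for the slides: the per-system roll-up is a high-water mark rather than an average, because a single Very High finding on the ATMS is not offset by several Low ones; and the lookup rejects any level outside the five-point scale, so a finding rated with an ad-hoc term such as "Critical" fails loudly instead of silently landing in the wrong cell.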

 

Note: You will use this week’s assignments to help you complete the Week 4 assignment.

 

Submit your assignment.

 

CYB 207 Wk 4 – NIST RMF Step 5: Authorize Information System

As the team leader for Phoenix Security Services’ SureMarket account, you continue your SOX compliance assessment using the NIST RMF as described in NIST SP 800-37:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls

 

Review your documentation for Steps 1 through 4.

 

Your next task is to complete Step 5 of the NIST RMF process by developing a risk mitigation plan and presenting your assessments to the SureMarket senior leadership in order to gain authorization for continuing operations of the 5 SureMarket IT Systems.

 

Part A

To prepare your risk mitigation plan, complete the 2- to 3-page SureMarket Risk Mitigation Plan template using the results from Steps 3 and 4 of the NIST RMF process, along with your recommended mitigation actions, estimated completion dates, and milestones. This information will be summarized in your presentation to senior leadership for approval of the mitigation plan in Part B.

 

Part B

Create a media-rich, 10- to 12-slide Microsoft PowerPoint presentation, or an infographic using an infographic maker such as Piktochart™, Venngage™, or Canva®, for the SureMarket senior leadership that includes the following:

  • Summarize the 5 IT systems, including their respective categorization (Low, Medium, High)
  • Summarize each IT system’s vulnerabilities
  • Summarize each IT system’s risks using the 5 x 5 Risk Matrix from NIST SP 800-30
  • Summarize how each risk can affect SureMarket business objectives and SOX compliance if it is not mitigated
  • Document your recommended mitigation plan in priority order
  • Include DETAILED SLIDE NOTES in the notes section of each slide

 

Note: You will use this week’s assignment to help you complete the Week 5 assignment.

 

Submit your completed template and presentation or infographic (if you made one) saved as a PDF.

 

CYB 207 Wk 5 – NIST RMF Step 6: Monitor Security Controls

As the team leader for Phoenix Security Services’ SureMarket account, you have completed your SOX compliance assessment. Now your company is being retained to monitor SureMarket’s security posture, including its continued compliance with the Sarbanes-Oxley Act (SOX), using the NIST RMF as described in NIST SP 800-37:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls

 

Review the security controls implemented and assessed during Steps 3 and 4.

 

Your next task as team leader is to complete Step 6 of the NIST RMF process by defining the monitoring methods SureMarket will use, including security metrics and vulnerability management.

 

Security metrics give a holistic view of the effectiveness of the overall security program, while vulnerability management continuously watches for new vulnerabilities and applies mitigation actions to reduce the risk they introduce. When a new vulnerability or a system change alters a system’s categorization or the controls it requires, the process starts over at Step 1 of the NIST RMF.

 

Part A: Metrics Plan

To prepare a metrics plan for the SureMarket information security department, create a 3- to 4-page Microsoft Word document that includes the following:

  • Describe the security strategy for measuring the effectiveness of the implemented security controls and risk mitigation put into place during Step 5 of the NIST RMF process. Include the following for each of the vulnerabilities with respect to the SureMarket IT systems:
    • How to measure mitigated risk
    • How to identify new vulnerabilities
    • How to measure SOX compliance
  • Describe the tools that you would use to measure and track trends, including key performance indicators and thresholds.
  • Illustrate how you would present metrics to senior leadership, including the requirement for reauthorization.

 

Part B: Vulnerability Management Plan

To prepare a vulnerability management plan for the SureMarket information security department, create a 2- to 3-page Microsoft Word document that includes the following:

  • Describe the strategy for continuously monitoring the SureMarket network and IT systems for new vulnerabilities. Include the methods and frequency for conducting the following:
    • Vulnerability scanning
    • Penetration testing
  • Describe a decision tree for mitigating newly identified vulnerabilities.

 

Format your citations according to APA guidelines.