- Description
CYB 207 Wk 1 – NIST RMF Step 1 Categorize Information Systems
Your company, Phoenix Security Services, is a managed security services contractor that consults with U.S. businesses that need help complying with the Sarbanes-Oxley Act of 2002 (SOX). Your company has a proven track record in information security program management, information security governance, risk management programs, and regulatory and compliance recommendations. Phoenix Security Services’ newest client, a national grocery company called SureMarket, must provide the Securities and Exchange Commission (SEC) with evidence of its compliance with SOX.
You are appointed to lead the security team assigned to the SureMarket account. You must conduct a SOX compliance assessment of SureMarket using the NIST Risk Management Framework (RMF) as described in NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37). Note that Revision 2 adds an initial Prepare step ahead of Categorize; this assignment works through the six steps below:
- Step 1: Categorize Information Systems
- Step 2: Select Security Controls
- Step 3: Implement Security Controls
- Step 4: Assess Security Controls
- Step 5: Authorize Information System
- Step 6: Monitor Security Controls
Review the Grading Rubric for this assignment.
Review the SureMarket IT Systems Profile to become familiar with the SureMarket business and IT systems relevant to a Sarbanes-Oxley Act (SOX) audit.
Your first task is to complete Step 1 of the NIST RMF process by documenting the information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.
To prepare your documentation, create a 3- to 5-page Microsoft® Word document containing the following sections, each a list or a table:
- IT Systems Descriptions (List): Describes each of the following SureMarket IT systems, which are in scope for the SOX assessment:
- Point of Sale (POS) Check System
- Self-checkout POS
- Cash Management (CashMan) System
- Accounting & Finance Management System (AFMS)
- Audit Trail Management System (ATMS)
- Data Mapped to IT Systems (Table): Maps the minimum security requirements outlined in this week’s reading, “Minimum Security Requirements for Federal Information and Information Systems” (FIPS Publication 200), to each of these SureMarket IT systems:
- Point of Sale (POS) Check System
- Self-checkout POS
- Cash Management (CashMan) System
- Accounting & Finance Management System (AFMS)
- Audit Trail Management System (ATMS)
- Protection of Data (List): Describes the data stored, processed, and exchanged by these systems that must be adequately protected to meet SOX regulatory requirements
- Categorization of Data (Table): Categorizes the data handled by each IT system as low, moderate, or high impact (the FIPS 199 impact levels) for each of the three security objectives: confidentiality, integrity, and availability
- Categorization of IT Systems (Table): Categorizes each IT system based on the data elements it processes, stores, and exchanges; per FIPS 199, a system’s impact level for each security objective is the highest impact level of any data type it handles (the high-water mark), and its overall category is the highest of the three
- Top 5 Prioritized Security Family Areas Applicable to Each SureMarket IT System for SOX Assessment (Table): Lists, for each IT system, the five highest-priority security family areas from the reading, correlated with the specific SOX validation requirements that apply to that system (Note: the Access Control (AC) family should appear in each top-5 list, based on information security fundamentals.)
Note: You will use this week’s assignment to help you complete your Week 2 assignment.
Submit your assignment.