CYB 207 Wk 1 – NIST RMF Step 1 Categorize Information Systems


Your company, Phoenix Security Services, is a managed security services contractor that consults with U.S. businesses that require assistance in complying with the Sarbanes-Oxley Act (SOX). Your company has a proven track record in providing information security program management, information security governance programs, risk management programs, and regulatory and compliance recommendations. Phoenix Security Services’ newest client, a national grocery company called SureMarket, must report to the Securities and Exchange Commission (SEC) with proof of its compliance with the Sarbanes-Oxley Act of 2002 (SOX).


You are appointed to lead the security team assigned to the SureMarket account. You must conduct a SOX compliance assessment of SureMarket using the NIST Risk Management Framework (RMF) as described in NIST Special Publication 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37). Revision 2 adds an organization-level Prepare step ahead of the six system-level steps; this assignment numbers those six steps as follows:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls


Review the Grading Rubric at the right.


Review the SureMarket IT Systems Profile to become familiar with the SureMarket business and IT systems relevant to a Sarbanes-Oxley Act (SOX) audit.


Your first task is to complete Step 1 of the NIST RMF process by documenting the information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.


To prepare your documentation, create a 3- to 5-page Microsoft® Word document with the following sections of lists and tables:

  • IT Systems Descriptions (List): Describes each of SureMarket’s primary IT systems subject to a SOX assessment:
      • Point of Sale (POS) Check System
      • Self-checkout POS
      • Cash Management (CashMan) System
      • Accounting & Finance Management System (AFMS)
      • Audit Trail Management System (ATMS)
  • Data Mapped to IT Systems (Table): Maps the seventeen security requirement areas defined in this week’s reading, FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” to the same five SureMarket IT systems:
      • Point of Sale (POS) Check System
      • Self-checkout POS
      • Cash Management (CashMan) System
      • Accounting & Finance Management System (AFMS)
      • Audit Trail Management System (ATMS)
  • Protection of Data (List): Describes the data stored, processed, and exchanged by these systems that must be adequately protected to meet SOX regulatory requirements (for SOX, the integrity of financial reporting data and of the audit trail is the central concern)
  • Categorization of Data (Table): Categorizes the data handled by each IT system as low, moderate, or high impact (the FIPS 199 impact levels) for each of confidentiality, integrity, and availability
  • Categorization of IT Systems (Table): Categorizes each IT system based on the data elements it processes, stores, and exchanges; under FIPS 199 a system’s category for each security objective is the highest impact level of any data type it handles (the high-water mark), and the highest of the three objectives is the overall system impact level used in Step 2 to select a control baseline
  • Top 5 Prioritized Security Family Areas Applicable to Each SureMarket IT System for SOX Assessment (Table): Illustrates, in a table, the security control families (the FIPS 200 areas as implemented by the NIST SP 800-53 control families) correlated with specific SOX IT system validation requirements (Note: the Access Control (AC) family should be in the top 5 prioritized list based on information security fundamentals.)
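The two categorization tables above are produced by the FIPS 199 high-water-mark rule: each system inherits, per security objective, the highest impact level of any information type it handles, and the overall system level is the highest of the three objectives. The following Python is an added worked example of that rule; it is not part of the assignment or the SureMarket IT Systems Profile. The information types, their impact levels, and their assignment to the five named systems are constructed for illustration only and are not the profile’s actual data; substitute the values from the profile when filling in the tables.

```python
# Added example: FIPS 199 security categorization of information types and systems.
# All information types, impact levels and system assignments below are CONSTRUCTED
# for illustration; they are not taken from the SureMarket IT Systems Profile.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, ascending order
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective):
        return getattr(self, objective)


def rank(level):
    """Numeric rank of an impact level; rejects non-FIPS 199 words such as 'medium'."""
    if level not in LEVELS:
        raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return LEVELS.index(level)


def high_water_mark(levels):
    """Highest impact level in a collection (the FIPS 199 'high water mark')."""
    return max(levels, key=rank)


def categorize_system(info_types):
    """Security category of a system: per-objective high-water mark across every
    information type the system stores, processes or exchanges."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    return {obj: high_water_mark(t.impact(obj) for t in info_types) for obj in OBJECTIVES}


def overall_level(category):
    """Overall system impact level: the highest of the three objectives. This is the
    level that drives SP 800-53 baseline selection in RMF Step 2 (Select)."""
    return high_water_mark(category.values())


def format_sc(name, category):
    """Render in the FIPS 199 notation SC system = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({obj}, {lvl.upper()})" for obj, lvl in category.items())
    return f"SC {name} = {{{parts}}}"


# Constructed sample information types (illustrative impact levels, not the profile's).
SALES_TXN = InfoType("sales transaction records", "moderate", "moderate", "moderate")
CARDHOLDER = InfoType("payment card data", "high", "high", "moderate")
GL_ENTRIES = InfoType("general ledger entries", "moderate", "high", "moderate")
AUDIT_LOGS = InfoType("audit trail records", "moderate", "high", "low")
CASH_COUNTS = InfoType("cash drawer counts", "low", "moderate", "low")

# Constructed assignment of information types to the five systems named above.
SYSTEMS = {
    "POS Check System": [SALES_TXN, CARDHOLDER],
    "Self-checkout POS": [SALES_TXN, CARDHOLDER],
    "CashMan": [CASH_COUNTS, SALES_TXN],
    "AFMS": [GL_ENTRIES, SALES_TXN],
    "ATMS": [AUDIT_LOGS],
}


def categorize_all(systems=SYSTEMS):
    """Categorize every system in the map; this is the 'Categorization of IT Systems' table."""
    return {name: categorize_system(types) for name, types in systems.items()}


if __name__ == "__main__":
    for name, cat in categorize_all().items():
        print(format_sc(name, cat), "->", overall_level(cat).upper())
```

With the constructed values, CashMan comes out moderate on every objective while the other four systems are high overall, each because a single high-integrity information type (card data, ledger entries, or audit records) lifts the whole system. That is the practical point of the high-water mark: one high-impact data element anywhere in a system sets the system’s category, so the data-to-system mapping table must be complete before the system table can be trusted.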


Note: You will use this week’s assignment to help you complete your Week 2 assignment.


Submit your assignment.