CYB 207 Wk 3 – NIST RMF Step 3: Implement Security Controls and Step 4: Assess Security Controls

$9.00

As the team leader for Phoenix Security Services’ SureMarket account, you continue your SOX compliance assessment using the NIST Risk Management Framework (RMF) as described in NIST SP 800-37. The course uses the six-step RMF of SP 800-37 Revision 1; Revision 2 (2018) adds a preceding Prepare step, but the six steps below are unchanged in substance:

  • Step 1: Categorize Information Systems
  • Step 2: Select Security Controls
  • Step 3: Implement Security Controls
  • Step 4: Assess Security Controls
  • Step 5: Authorize Information System
  • Step 6: Monitor Security Controls


Review the security controls outlined in Step 2 of the SureMarket IT Systems Security Audit Results.


Your next task is to complete Steps 3 and 4 of the NIST RMF process, continuing to document the information you will need for your presentation to SureMarket leadership in Part B of the Week 4 assignment.


Part A

To prepare your documentation for Step 3, create a 2- to 3-page table in Microsoft Word that maps each of the 5 vulnerabilities from the SureMarket IT Systems Security Audit Results document to the security control that is ineffective or missing. The table should be in landscape orientation and include the following 5 columns:

  • IT System with the Vulnerability
  • Vulnerability Title
  • Vulnerability Description
  • Security Control that is Not Compliant
  • Type of Security Control (Technical or Non-technical)


Part B

To prepare your documentation for Step 4, use the information from Steps 1 through 3 to create a 10- to 11-slide Microsoft PowerPoint® presentation documenting the risk assessment for the selected security controls of each IT system. You will present it to the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) before the presentation to SureMarket leadership (prepared in your Week 4 assignment), so that the CIO and CISO can approve the Phoenix Security Services contract work.


Your presentation should include the following:

  • A table for each IT system (1 slide per system) that shows:
      ◦ IT system categorization for confidentiality, integrity, and availability
      ◦ Vulnerability title
      ◦ Vulnerability description
      ◦ Security control name (e.g., AC-2)
      ◦ Likelihood determination
      ◦ Impact determination
  • A 5 x 5 risk matrix for each IT system (1 slide per system), derived from the likelihood and impact scales in NIST SP 800-30, with the overall risk level identified
  • A table summarizing the overall risk for each IT system (on a single slide)
  • Detailed slide notes in the Notes section of each slide


Note: You will use this week’s assignments to help you complete the Week 4 assignment.


Submit your assignment.