CYB670 - Advanced Cybersecurity Risk Management Report

Section 1: RMF Preparation
1.1 Roles and Responsibilities
Authorizing Official:
Name:
Title:
Work Phone:
Responsibilities:

Chief Information Officer:
Name:
Title:
Work Phone:
Responsibilities:

System Owner:
Name:
Title:
Work Phone:
Responsibilities:

Information Systems Security Officer:
Name:
Title:
Work Phone:
Responsibilities:

System Administrator:
Name:
Title:
Work Phone:
Responsibilities:

Information Owner:
Name:
Title:
Work Phone:
Responsibilities:

System User:
Name:
Title:
Work Phone:
Responsibilities:

Control Assessor:
Name:
Title:
Work Phone:
Responsibilities:

Security Architect:
Name:
Title:
Work Phone:
Responsibilities:
1.2 Possible Risks for a Cloud-based Application
List and describe risks associated with a cloud-based application. Be sure to include references for your sources of information.
1.3 System Categorization
The categorization has already been determined by another team as:
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
This results in a high water mark of MODERATE.
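To show how that high-water mark is derived from the stated categorization, here is an added Python example (not part of the report template) that parses the FIPS 199 notation above, validates that all three security objectives are present with known impact levels, and returns the maximum level, which is the level that drives baseline selection in Section 2:

```python
import re

# Ordered impact levels from FIPS 199; the high-water mark is the highest
# level present across the three security objectives.
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Matches each "(objective, LEVEL)" pair inside the curly braces.
_PAIR_RE = re.compile(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)")


def parse_categorization(sc_line: str) -> dict:
    """Parse a FIPS 199 line such as
    'SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}'
    into {'confidentiality': 'LOW', ...}.
    Raises ValueError on unknown, duplicate or missing objectives/levels."""
    levels = {}
    for objective, level in _PAIR_RE.findall(sc_line):
        objective, level = objective.lower(), level.upper()
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {level}")
        if objective in levels:
            raise ValueError(f"duplicate objective: {objective}")
        levels[objective] = level
    missing = [o for o in OBJECTIVES if o not in levels]
    if missing:
        raise ValueError(f"categorization missing objectives: {missing}")
    return levels


def high_water_mark(levels: dict) -> str:
    """Overall system impact level: the maximum over the three objectives."""
    return max(levels.values(), key=IMPACT_ORDER.__getitem__)


# Constructed input: the categorization stated in this report.
STATED_SC = ("SC information system = {(confidentiality, LOW), "
             "(integrity, MODERATE), (availability, LOW)}")

if __name__ == "__main__":
    parsed = parse_categorization(STATED_SC)
    print(parsed, "->", high_water_mark(parsed))  # -> MODERATE
```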
Section 2: Selecting Security Controls
List the security controls that have been selected based on the system categorization, using FIPS 200 guidance and the NIST SP 800-53 baseline security controls.
Table 1. Selected Security Controls
ID | Control or Control Enhancement Name
Provide appropriate organization-assigned parameters for these specific controls.
Table 2. Security Control ID and organizational-controlled parameters to complete
Security Control ID | Organization-controlled Parameters

AT-1:
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

AU-4:
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE: Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.

CA-3:
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]].
c. Review and update the agreements [Assignment: organization-defined frequency].

CP-4:
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].

IR-4:
Control Enhancements:
(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES: Support the incident handling process using [Assignment: organization-defined automated mechanisms].
(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM: Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM: Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].

PE-2:
(2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION: Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
(3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS: Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].

PM-23:
Control: Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
Section 3: Implement and Assess Security Controls
Using the templates provided in this attachment, complete the policies and documents for each of the following:
· Configuration Management Policy (CM-1)
· Maintenance Policy (MA-1)
· Acceptable Use Policy (PS-6)
· Contingency Planning Policy (CP-1)
· Identification and Authentication Policy (IA-1)
· Security Awareness Training Policy (PM-13)
In your submission, include the completed templates as an upload for your instructor to review.
Describe the process associated with implementing and documenting security controls. Estimate the timeline and number of people you might need to complete all 238 controls.
Section 4: Assess Security Controls
A representative table of your results is shown below.
Security Control | Examine | Interview | Test
AC-1 | | |
AC-2 | | |
AC-3 | | |
AC-4 | | |
AC-5 | | |
AC-6 | | |
Section 5: Continuous Monitoring
Table X. Automation Tools and alignment with Security Controls
Functionality | Tool name and description | Main features | Security Control
Vulnerability Scanning | | |
Malware detection | | |
Security Information and Event Management (SIEM) | | |
Incident Management | | |
Certificate Management (e.g. SSL) | | |
Patch Management | | |
Section 6: References
