Need help completing
Advanced Cybersecurity Risk Management Report
CYB-670
Student Name:
Instructor Name:
Section 1: RMF Preparation
1.1 Roles and Responsibilities
Authorizing Official:
Name:
Title:
Work Phone:
Responsibilities:
Chief Information Officer:
Name:
Title:
Work Phone:
Responsibilities:
System Owner:
Name:
Title:
Work Phone:
Responsibilities:
Information Systems Security Officer:
Name:
Title:
Work Phone:
Responsibilities:
System Administrator:
Name:
Title:
Work Phone:
Responsibilities:
Information Owner:
Name:
Title:
Work Phone:
Responsibilities:
System User:
Name:
Title:
Work Phone:
Responsibilities:
Control Assessor:
Name:
Title:
Work Phone:
Responsibilities:
Security Architect:
Name:
Title:
Work Phone:
Responsibilities:
1.2 Possible Risks for a Cloud-based Application
1.3 System Categorization
The categorization has already been determined by another team as:
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
This results in a high water mark of MODERATE.
Section 2: Selecting Security Controls
List the security controls that have been selected based on the system categorization, using FIPS 200 guidance and the NIST SP 800-53 baseline security controls for the MODERATE impact level.
Table 1. Selected Security Controls
ID
Control or Control Enhancement Name
Provide appropriate organization-assigned parameters for these specific controls.
Table 2. Security Control ID and organizational-controlled parameters to complete
Security Control ID
Organization-controlled Parameters
AT-1
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AU-4
Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
(1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE
Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.
CA-3
a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
c. Review and update the agreements [Assignment: organization-defined frequency].
CP-4
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests].
IR-4
Control Enhancements:
(1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
Support the incident handling process using [Assignment: organization-defined automated mechanisms].
(5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM
Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected.
(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period].
PE-2
(2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification].
(3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS
Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]].
PM-23
Control: Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities].
Section 3: Implement and Assess Security Controls
Using the templates provided in this attachment, complete the policies and documents for each of the following:
· Configuration Management Policy (CM-1)
· Maintenance Policy (MA-1)
· Acceptable Use Policy (PS-6)
· Contingency Planning Policy (CP-1)
· Identification and Authentication Policy (IA-1)
· Security Awareness Training Policy (PM-13)
Submit the completed templates as an upload with your submission for your instructor to review.
Describe the process associated with implementing and documenting security controls. Estimate the timeline and number of people you might need to complete all 238 controls.
Section 4: Assess Security Controls
A representative table of your results is shown below. For each control, record the assessment method(s) applied (examine, interview, test) and the result.

Security Control | Examine | Interview | Test
AC-1 | | |
AC-2 | | |
AC-3 | | |
AC-4 | | |
AC-5 | | |
AC-6 | | |
Section 5: Continuous Monitoring
Table X. Automation Tools and alignment with Security Controls
Functionality | Tool name and description | Main features | Security Control
Vulnerability Scanning | | |
Malware detection | | |
Security Information and Event Management (SIEM) | | |
Incident Management | | |
Certificate Management (e.g., TLS/SSL certificates) | | |
Patch Management | | |
Section 6: References