Control Family Per Risk Corporate Profile Part 2
Corporate Profile Part 2: Security Controls & Risk Mitigation Recommendations
In part 1 of this project, you were asked to provide the following information.
- Company’s needs or requirements for cybersecurity. What information and/or business operations need to be protected? What are the likely sources of threats or attacks for each type of information or business operation? (e.g. Protect customer information from disclosure or theft during online purchase transactions.)
- “Buying Forecast” section in which you discuss the company’s likely future purchases for cybersecurity products and services. In this section, you should identify and discuss three or more categories of cybersecurity products or services which this company is likely to purchase.
For this assignment, you will use your analysis from Part 1 to develop a set of recommended security controls and risk mitigation strategies which, if adopted, would help your selected company reduce and control the cyber risk that you previously identified. You will present your recommendations in table form.
| Risk ID | Risk | 800-53 Control Family | 800-53 Security Controls | Risk Mitigation Strategy | Required Products or Services |
|---|---|---|---|---|---|
| 001 | Theft of customer information from online transactions | SC System and Communications Protection | SC-8 Transmission Confidentiality and Integrity | Encrypt all communications between customers and the company’s online ordering system. | Server certificates to be used to encrypt communications between the online purchasing system and customers’ browsers. |
You will need to do additional research to identify security controls, products, and services which could be included in the company’s risk response (the actions it will take to manage cybersecurity-related risk).
Research
- Review the Risk section of the company’s SEC Form 10-K. Develop a list of 5 or more specific cyberspace- or cybersecurity-related risks which the company included in its report to investors. Your list should include the source(s) of the risks and the potential impacts as identified by the company.
- For each risk, identify the risk management or mitigation strategies which the company has implemented or plans to implement. (Use the example format provided above.)
- Next, consult the control families listed in the NIST Special Publication 800-53 rev 4 (or higher) http://dx.doi.org/10.6028/NIST.SP.800-53r4 to identify general categories of controls which could be used or added to the company’s risk management strategy for each risk in your list. Identify specific controls as appropriate (be concise – you will usually only use one or two specific controls from the control family per risk mitigation).
- For each control family, develop a description of how the company should implement these controls (“implementation approach”) as part of its risk management strategy. What commercial products or services will be needed to implement your recommended strategy?
Write
- Download and open the Table 1 file attached to the assignment entry in LEO.
- Write an introductory paragraph for your Security Controls and Risk Mitigation Recommendations (summarize information about your company using narrative from your submission for part 1). Remember to include citations to the original sources of information used in your introduction.
- Using the information from your research and analysis, complete Table 1.
- For an “A” on this assignment, you must provide recommended security controls and mitigations for 10 or more unique risks.
- Copy the security control family names and control names EXACTLY as provided in NIST SP 800-53. This usage does not require citations.
- Paraphrase the information used in your risk mitigation recommendations. Do NOT paste in copied narrative. Citations are not normally required for Table 1 since this table should predominantly consist of your own work.
Additional Information
- Table 1 should be professional in appearance with consistent use of fonts, font sizes, margins, etc.
- Your submission should use standard terms and definitions for cybersecurity. See Course Resources for recommended glossaries and other sources of standard terminology.
- USE THE TEMPLATE FILE. This file contains the required cover page, an “introduction section,” template for Table 1, and the references page. Make sure that you complete each of these sections of this assignment. Do not delete the section breaks!
- For the introduction, you are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
- You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
- Consult the grading rubric for specific content and formatting requirements for this assignment.
Table 1. Recommended Security Controls and Risk Mitigations

| Risk ID | Risk | 800-53 Control Family | 800-53 Security Controls | Risk Mitigation Strategy | Required Products or Services |
|---|---|---|---|---|---|
| 001 | Theft of customer information from online transactions | SC System and Communications Protection | SC-8 Transmission Confidentiality and Integrity | Encrypt all communications between customers and the company’s online ordering system. | Server certificates to be used to encrypt communications between the online purchasing system and customers’ browsers. |