Project #3: IT Security Controls Baseline for Red Clay Renovations


Description

Prepare a two-page briefing paper (5 to 7 paragraphs) for the senior leadership and corporate board of Red Clay Renovations which addresses planning (what do we need to do?), programming (how will we do it?), and budgeting (how will we pay for it?) processes for IT security program management.

1. Use the company profile and enterprise architecture diagrams to identify five or more risks which require a financial investment. Financial investments should be categorized as: people investments, process investments, and/or technology investments.

2. Choose one of the four strategies for reducing the costs associated with responding to cyberattacks from the RAND report (A Framework for Programming and Budgeting for Cybersecurity):

  • Minimize Exposure
  • Neutralize Attacks
  • Increase Resilience
  • Accelerate Recovery

3. Discuss how your selected strategy (make it clear which strategy you selected) can be used in the planning (what do we need to do?) and programming (how will we do it?) phases of budget preparation to identify less costly solutions for implementing technical, operational, and management controls.

Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the end of your posting.

Attachment preview

Project #3: IT Security Controls Baseline for Red Clay Renovations

To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security policies, plans, and procedures will continue to use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).

Security Controls Baseline

Red Clay Renovations Security Controls Baseline shall include the security controls listed below. Security control definitions and implementation guidance shall be obtained from the most recent version of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

Columns: control identifier, control name, selected control (control enhancement numbers in parentheses; "Not Selected" or "--" where the control is not part of the baseline).

1. AC: Access Controls (Technical Controls Category)
  AC-1   Access Control Policy and Procedures                         AC-1
  AC-2   Account Management                                           AC-2 (1) (2) (3) (4)
  AC-3   Access Enforcement                                           AC-3
  AC-4   Information Flow Enforcement                                 AC-4
  AC-5   Separation of Duties                                         AC-5
  AC-6   Least Privilege                                              AC-6 (1) (2) (5) (9) (10)
  AC-7   Unsuccessful Logon Attempts                                  AC-7
  AC-8   System Use Notification                                      AC-8
  AC-11  Session Lock                                                 AC-11 (1)
  AC-12  Session Termination                                          AC-12
  AC-14  Permitted Actions without Identification or Authentication   AC-14
  AC-17  Remote Access                                                AC-17 (1) (2) (3) (4)
  AC-18  Wireless Access                                              AC-18 (1)
  AC-19  Access Control for Mobile Devices                            AC-19 (5)
  AC-20  Use of External Information Systems                          AC-20 (1) (2)
  AC-21  Information Sharing                                          AC-21
  AC-22  Publicly Accessible Content                                  AC-22

2. AT: Awareness and Training (Operational Controls Category)
  AT-1   Security Awareness and Training Policy and Procedures        AT-1
  AT-2   Security Awareness Training                                  AT-2 (2)
  AT-3   Role-Based Security Training                                 AT-3
  AT-4   Security Training Records                                    AT-4

3. AU: Audit and Accountability (Technical Controls Category)
  AU-1   Audit and Accountability Policy and Procedures               AU-1
  AU-2   Audit Events                                                 AU-2 (3)
  AU-3   Content of Audit Records                                     AU-3 (1)
  AU-4   Audit Storage Capacity                                       AU-4
  AU-5   Response to Audit Processing Failures                        AU-5
  AU-6   Audit Review, Analysis, and Reporting                        AU-6 (1) (3)
  AU-7   Audit Reduction and Report Generation                        AU-7 (1)
  AU-8   Time Stamps                                                  AU-8 (1)
  AU-9   Protection of Audit Information                              AU-9 (4)
  AU-10  Non-repudiation                                              Not Selected
  AU-11  Audit Record Retention                                       AU-11
  AU-12  Audit Generation                                             AU-12

4. CA: Security Assessment and Authorization (Management Controls Category)
  CA-1   Security Assessment and Authorization Policies and Procedures  CA-1
  CA-2   Security Assessments                                         CA-2 (1)
  CA-3   System Interconnections                                      CA-3 (5)
  CA-5   Plan of Action and Milestones                                CA-5
  CA-6   Security Authorization                                       CA-6
  CA-7   Continuous Monitoring                                        CA-7 (1)
  CA-9   Internal System Connections                                  CA-9

5. CM: Configuration Management (Operational Controls Category)
  CM-1   Configuration Management Policy and Procedures               CM-1
  CM-2   Baseline Configuration                                       CM-2 (1) (3) (7)
  CM-3   Configuration Change Control                                 CM-3 (2)
  CM-4   Security Impact Analysis                                     CM-4
  CM-5   Access Restrictions for Change                               CM-5
  CM-6   Configuration Settings                                       CM-6
  CM-7   Least Functionality                                          CM-7 (1) (2) (4)
  CM-8   Information System Component Inventory                      CM-8 (1) (3) (5)
  CM-9   Configuration Management Plan                                CM-9
  CM-10  Software Usage Restrictions                                  CM-10
  CM-11  User-Installed Software                                      CM-11

6. CP: Contingency Planning (Operational Controls Category)
  CP-1   Contingency Planning Policy and Procedures                   CP-1
  CP-2   Contingency Plan                                             CP-2 (1) (3) (8)
  CP-3   Contingency Training                                         CP-3
  CP-4   Contingency Plan Testing                                     CP-4 (1)
  CP-5   Withdrawn                                                    --
  CP-6   Alternate Storage Site                                       CP-6 (1) (3)
  CP-7   Alternate Processing Site                                    CP-7 (1) (2) (3)
  CP-8   Telecommunications Services                                  CP-8 (1) (2)
  CP-9   Information System Backup                                    CP-9 (1)
  CP-10  Information System Recovery and Reconstitution               CP-10 (2)

7. IA: Identification and Authentication (Technical Controls Category)
  IA-1   Identification and Authentication Policy and Procedures      IA-1
  IA-2   Identification and Authentication (Organizational Users)     IA-2 (1) (2) (3) (8) (11) (12)
  IA-3   Device Identification and Authentication                     IA-3
  IA-4   Identifier Management                                        IA-4
  IA-5   Authenticator Management                                     IA-5 (1) (2) (3) (11)
  IA-6   Authenticator Feedback                                       IA-6
  IA-7   Cryptographic Module Authentication                          IA-7
  IA-8   Identification and Authentication (Non-Organizational Users) IA-8 (1) (2) (3) (4)

8. IR: Incident Response (Operational Controls Category)
  IR-1   Incident Response Policy and Procedures                      IR-1
  IR-2   Incident Response Training                                   IR-2
  IR-3   Incident Response Testing                                    IR-3 (2)
  IR-4   Incident Handling                                            IR-4 (1)
  IR-5   Incident Monitoring                                          IR-5
  IR-6   Incident Reporting                                           IR-6 (1)
  IR-7   Incident Response Assistance                                 IR-7 (1)
  IR-8   Incident Response Plan                                       IR-8

9. MA: Maintenance (Operational Controls Category)
  MA-1   System Maintenance Policy and Procedures                     MA-1
  MA-2   Controlled Maintenance                                       MA-2
  MA-3   Maintenance Tools                                            MA-3 (1) (2)
  MA-4   Nonlocal Maintenance                                         MA-4 (2)
  MA-5   Maintenance Personnel                                        MA-5

10. MP: Media Protection (Operational Controls Category)
  MP-1   Media Protection Policy and Procedures                       MP-1
  MP-2   Media Access                                                 MP-2
  MP-3   Media Marking                                                MP-3
  MP-4   Media Storage                                                MP-4
  MP-5   Media Transport                                              MP-5 (4)
  MP-6   Media Sanitization                                           MP-6
  MP-7   Media Use                                                    MP-7 (1)

11. PE: Physical and Environmental Protection (Operational Controls Category)
  PE-1   Physical and Environmental Protection Policy and Procedures  PE-1
  PE-2   Physical Access Authorizations                               PE-2
  PE-3   Physical Access Control                                      PE-3
  PE-4   Access Control for Transmission Medium                       PE-4
  PE-5   Access Control for Output Devices                            PE-5
  PE-6   Monitoring Physical Access                                   PE-6 (1)
  PE-8   Visitor Access Records                                       PE-8
  PE-9   Power Equipment and Cabling                                  PE-9
  PE-10  Emergency Shutoff                                            PE-10
  PE-11  Emergency Power                                              PE-11
  PE-12  Emergency Lighting                                           PE-12
  PE-13  Fire Protection                                              PE-13 (3)
  PE-14  Temperature and Humidity Controls                            PE-14
  PE-15  Water Damage Protection                                      PE-15
  PE-16  Delivery and Removal                                         PE-16
  PE-17  Alternate Work Site                                          PE-17

12. PL: Planning (Management Controls Category)
  PL-1   Security Planning Policy and Procedures                      PL-1
  PL-2   System Security Plan                                         PL-2 (3)
  PL-4   Rules of Behavior                                            PL-4 (1)
  PL-8   Information Security Architecture                            PL-8

13. PS: Personnel Security (Operational Controls Category)
  PS-1   Personnel Security Policy and Procedures                     PS-1
  PS-2   Position Risk Designation                                    PS-2
  PS-3   Personnel Screening                                          PS-3
  PS-4   Personnel Termination                                        PS-4
  PS-5   Personnel Transfer                                           PS-5
  PS-6   Access Agreements                                            PS-6
  PS-7   Third-Party Personnel Security                               PS-7
  PS-8   Personnel Sanctions                                          PS-8

14. RA: Risk Assessment (Management Controls Category)
  RA-1   Risk Assessment Policy and Procedures                        RA-1
  RA-2   Security Categorization                                      RA-2
  RA-3   Risk Assessment                                              RA-3
  RA-5   Vulnerability Scanning                                       RA-5 (1) (2) (5)

15. SA: System and Services Acquisition (Management Controls Category)
  SA-1   System and Services Acquisition Policy and Procedures        SA-1
  SA-2   Allocation of Resources                                      SA-2
  SA-3   System Development Life Cycle                                SA-3
  SA-4   Acquisition Process                                          SA-4 (1) (2) (9) (10)
  SA-5   Information System Documentation                             SA-5
  SA-8   Security Engineering Principles                              SA-8
  SA-9   External Information System Services                         SA-9 (2)
  SA-10  Developer Configuration Management                           SA-10
  SA-11  Developer Security Testing and Evaluation                    SA-11

16. SC: System and Communications Protection (Technical Controls Category)
  SC-1   System and Communications Protection Policy and Procedures   SC-1
  SC-5   Denial of Service Protection                                 SC-5
  SC-7   Boundary Protection                                          SC-7
  SC-8   Transmission Confidentiality                                 SC-8
  SC-18  Mobile Code                                                  SC-18
  SC-19  Voice Over Internet Protocol                                 SC-19
  SC-28  Protection of Information at Rest                            SC-28
  SC-39  Process Isolation                                            SC-39

17. SI: System and Information Integrity (Operational Controls Category)
  SI-1   System and Information Integrity Policy and Procedures       SI-1
  SI-2   Flaw Remediation                                             SI-2 (2)
  SI-3   Malicious Code Protection                                    SI-3 (1) (2)
  SI-4   Information System Monitoring                                SI-4 (2) (4) (5)
  SI-5   Security Alerts, Advisories, and Directives                  SI-5
  SI-7   Software, Firmware, and Information Integrity                SI-7 (1) (7)
  SI-8   Spam Protection                                              SI-8 (1) (2)
  SI-10  Information Input Validation                                 SI-10
  SI-11  Error Handling                                               SI-11
  SI-12  Information Handling and Retention                           SI-12
  SI-16  Memory Protection                                            SI-16

18. PM: Program Management (Management Controls Family)
  PM-1   Information Security Program Plan                            all
  PM-2   Senior Information Security Officer                          all
  PM-3   Information Security Resources                               all
  PM-4   Plan of Action and Milestones Process                        all
  PM-5   Information System Inventory                                 all
  PM-6   Information Security Measures of Performance                 all
  PM-7   Enterprise Architecture                                      all
  PM-8   Critical Infrastructure Plan                                 all
  PM-9   Risk Management Strategy                                     all
  PM-10  Security Authorization Process                               all
  PM-11  Mission/Business Process Definition                          all
  PM-12  Insider Threat Program                                       all
  PM-13  Information Security Workforce                               all
  PM-14  Testing, Training, and Monitoring                            all
  PM-15  Contacts with Security Groups and Associations               all
  PM-16  Threat Awareness Program                                     all

Explanation & Answer

Attached.

Running head: CYBERSECURITY BRIEFING

Cybersecurity Briefing
Name
Instructor
Institutional Affiliation
Date


Red Clay Renovation Company depends on Information Security management programs to aid in designing and implementing measures that will protect various entity processes and IT assets. The emergence of disruptive technologies in society today in social, mobile, and cloud systems has made IT security program management difficult (Andress, 2016). Thus, every strategy should adapt to attackers who are at the forefront of harming systems. Therefore, as the board and management of Red Clay Renovation (RCR) Company, it’s critical to devise policy and security measures to prepare for the ever-changing threats in businesses (Wheeler, 2011). For clear accountability and the establishment of risk-based controls, leaders will need to have an effective program that will ensure help the...

