Risk evaluation matrix


Description

Identify risks to your project and their impacts, and develop actions that can be taken should they actually occur. You will use qualitative methods to perform this process. Attached are the WBS, the scope statement and a sample.

Unformatted Attachment Preview

Work Breakdown Structure: USPS Security Control Assessment

  #  Deliverable/Task                                                                   Duration (days)  Level of Effort (hrs)
  1  Identify all system stakeholders (system owner, system administrators, etc.)              10                 80
  2  Schedule Security Control Assessment kick-off meeting and invite all stakeholders           1                  8
  3  Develop artifacts collection spreadsheet                                                    1                  8
  4  Develop Security Control Assessment Plan (SAP)                                              7                 56
  5  Conduct Security Control Assessment kick-off meeting                                        0.5                4
  6  Collect evidence/artifacts and clarification                                                3                 24
  7  Conduct Security Control Assessment                                                        25                200
  8  Develop Security Assessment Report                                                         10                 80
     Total days of work                                                                         57.5              460
     Total work weeks                                                                            7.2

Project Scope Statement Template

PROJECT SCOPE STATEMENT
Note: Any work not explicitly included in the Project Scope Statement is implicitly excluded from the project.

Project Name: Security Control Assessment
Prepared by:
Date (MM/DD/YYYY): 03/23/2018

Version History
  Version  Date (MM/DD/YYYY)  Comments
  1.0      03/23/2018

United States Postal Service

1. Executive Summary
This project is expected to take place within eight weeks (May 7th to July 2nd, 2018). The main purpose of this security control assessment is to establish the security posture of the information systems in the USPS: to find out whether the security controls were implemented correctly, are working as intended and meet the USPS security requirements, using NIST's (National Institute of Standards and Technology) RMF (Risk Management Framework) as the procedure for assessing security controls; to analyze the risks and discover the inherent vulnerabilities; and to formulate strategies to mitigate the identified risks and vulnerabilities.

2. Business Objectives
2.1 Product Description (Solution): Assessing the security controls of the information systems will help to discover inherent vulnerabilities in the systems.
2.2 Business Objectives: Strategies to mitigate identified risks and vulnerabilities will be formulated to ensure the availability, confidentiality and integrity of information and information systems.

3. Project Description
For each area below, provide sufficient detail to define this project adequately:
- Includes (list deliverables): Security authorization packages such as the system security plan (SSP), security assessment plan (SAP) and security assessment report (SAR), among others, will be reviewed and updated in accordance with NIST's guidelines. The Security Assessment Plan (SAP), developed using NIST SP 800-37, Guidelines for Applying the Risk Management Framework to Federal Information Systems, and incorporating policy from the USPS Policy Guide documentation, will be used by the authorizing officials in support of the security assessment and authorization efforts for the USPS Employee Self Service System. This SAP calls for system security test and evaluation (ST&E) to exercise the security features and procedures of NIST SP 800-53 Rev. 4 against all applicable security requirements of USPS. Vulnerabilities identified by the assessors will be documented in the Plan of Action and Milestones (POA&M) for remediation.
- Does Not Include: The scope of this system security test and evaluation (ST&E) does not include penetration (intrusion) testing.

3.2 Project Completion Criteria:
- Additional tests will be devised as needed to assess vulnerabilities newly identified during the security assessment. Elements to be tested are defined within the authorization boundary of the system.
- Reports detailing the identified vulnerabilities will be created in the Security Assessment Report (SAR), and the steps taken to remediate them in the Plan of Action and Milestones (POA&M).
- Remediated controls will be re-assessed for effectiveness.

3.3 External Dependencies: No external dependency has been identified, as this system is located in the server room at the USPS facility. The contract with the organization developing the application forbids any delay to completion, and no other part of the system is to be developed or maintained outside of the restricted location onsite.

3.4 Assumptions:
- The assessment is expected to ensure the security of information systems in the organization.
- The security assessment team will have access to all relevant documentation for the systems.
- Both the hardware and software are configured for operational use throughout the duration of the testing.
- The security assessment will be conducted in a controlled development/test environment.

3.5 Constraints:
- Not all System Owners (SOs) have technical competence.
- Security authorization packages such as the Security Assessment Report (SAR) and the Plan of Action and Milestones (POA&M) are not constantly updated.
- Security tool agents may not be installed on all USPS network systems.

Risk Evaluation Grid (sample)

Project Name: Implementing server network infrastructure in a bank
Prepared by:
Date:

Note: For additional rows, highlight the entire Risk Evaluation worksheet (click the upper left corner of the worksheet). Then, on the Format menu, point to Row, and then click Unhide. This will unhide an additional 8 rows. If more rows are needed, select the last row, then on the Insert menu, point to Row to insert the additional row. This will insert the row before the selected row. It is necessary to insert any additional rows before the last row to retain any format/formulas.

Columns: Identified Risk | Impact on Project | Impact rating (A) | Probability of occurring (B) | Risk priority number (A x B) | Mitigation action

Risk 1
  Identified risk: Misconfiguration of firewall rules, misconfiguration of routing protocols on the router, and misconfiguration of VLANs on the switch.
  Impact on project: Creates security loopholes and makes the network vulnerable to external threats; creates network slowdown and reduced bandwidth, resulting in unresponsive applications. Increases costs, loses customers and damages reputation, thereby affecting the whole business.
  Impact rating (A): 5
  Probability of occurring (B): 0.4
  Risk priority number (A x B): 2
  Mitigation action: To prevent this from occurring there should be an efficient network design; the steps required to configure the network need to be documented; the configuration document should be followed at the time of deployment; and the steps and commands used during deployment should be documented. If any such issue arises after implementation, the senior network engineer should consult the configuration document, review the configuration steps, identify the misconfiguration and resolve it at the earliest.

Risk 2
  Identified risk: Losing a highly valuable resource: the network architect or a senior network engineer switches job or even project.
  Impact on project: The project comes to an outright halt if the network architect switches project or job in the design phase. A network engineer leaving the job results in delay of deployment.
  Impact rating (A): 4
  Probability of occurring (B): 0.3
  Risk priority number (A x B): 1.2
  Mitigation action: There is high demand for valuable resources; to retain them in the project or job, these resources should be kept satisfied and contented at all times by offering them good perks, incentives and benefits and by lauding their performance. If they work on multiple projects, a feasible schedule should be worked out for their availability. Planning to have multiple resources or hiring new resources is the solution if any valuable resource leaves the project or organization.

Risk 3
  Identified risk: Procurement of hardware: the hardware vendor delays the delivery of hardware such as cables, routers, switches, firewalls and computer hardware, or the delivered hardware is faulty.
  Impact on project: Delay in procurement of cables delays the testing phase, and delay in procurement of network hardware delays the implementation phase, thereby affecting overall project completion time.
  Impact rating (A): 3
  Probability of occurring (B): 0.3
  Risk priority number (A x B): 0.9
  Mitigation action: Having service level agreements with the hardware vendors, having contracts with multiple vendors, and an agreement for testing the hardware before delivery.

Risk 4
  Identified risk: Facility unavailability: the site is not available on time, there are issues with the power supply, power boards are not adequate, or the site is still under maintenance.
  Impact on project: Delays the project, resulting in loss of customers and also an increase in costs.
  Impact rating (A): 3
  Probability of occurring (B): 0.4
  Risk priority number (A x B): 1.2
  Mitigation action: Communicate with the administrative staff; ensure all facilities are available at the site; ensure there are adequate power outlets, adequate power supply and backup power supply; and ensure the necessary equipment is available on time. This should be taken care of in the planning phase so that there are no hassles at the time of implementation. Coordinate with the administrative staff until the problem is resolved.

Risk 5
  Identified risk: Security issues: some employees, third parties or vendors may compromise security by leaking the network design and sensitive network configuration documents.
  Impact on project: Creates security gaps and may lead to compromise of highly valuable information.
  Impact rating (A): 4
  Probability of occurring (B): 0.1
  Risk priority number (A x B): 0.4
  Mitigation action: Network design, configuration details and protocol documentation should be kept highly confidential among the top brass. Access to these documents should be restricted for subordinates, third-party vendors, technicians and workers. There should be physical security in place, and only authorized personnel should have access to the site.

Completing the Risk Analysis and Mitigation Matrix

The Matrix
- Open the matrix
- Review the contents:
  - Identified risk
  - Impact on the project
  - Impact rating
  - Probability rating
  - Risk priority
  - Mitigation action
- Review the PowerPoint on Risk (also contained within this assignment)

The Heading
- Place the contents asked for at the top of the form:
  - Project name (from your Scope Statement)
  - Prepared by (place your name here)
  - Date (place the date you complete the form here)

Identified Risk
- In each cell under this column, identify a risk to your project (not the business)
- It should be specific and complete
- Review the sample also included with this assignment

Impact on the Project
- In the cell next to each risk, describe the impact the risk would have on your project should it occur
- Be specific and complete
- Do not be satisfied with short terms like "budget" and "schedule"

Impact and Probability Ratings
- In the cells next to the impact statement for each risk, place a number that identifies the impact and probability ratings for each risk
- The risk priority number column contains a formula that will identify the priority
- Review the risk PowerPoint for these numbers
- A summary is on the next slide

Probability ratings: Very low = 0.1, Low = 0.3, Moderate = 0.5, High = 0.7, Very High = 0.9
Impact ratings: Very low = 1, Low = 2, Moderate = 3, High = 4, Very High = 5

Risk Score for a Specific Risk (Risk Score = P x I)

  Probability   Impact on an Objective (e.g., cost, time, or scope)
                   1      2      3      4      5
  0.9             0.90   1.80   2.70   3.60   4.50
  0.7             0.70   1.40   2.10   2.80   3.50
  0.5             0.50   1.00   1.50   2.00   2.50
  0.3             0.30   0.60   0.90   1.20   1.50
  0.1             0.10   0.20   0.30   0.40   0.50

Mitigation Action
- In the cell next to the priority number for each risk, identify the action you will take at the time of the risk should it occur
- Be specific and complete

You're finished! Submit your completed matrix for a grade.
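The scoring rule behind the matrix (risk priority number = probability rating x impact rating, on the scales from the slides) is small enough to compute rather than read off a table. The script below is an added example written for this page; it is not the assignment's spreadsheet or any code from the course. The class and function names (Risk, priority_from_levels, risk_score_grid, rank_risks) are this example's own, and the five SAMPLE_RISKS rows are constructed from the bank network-infrastructure sample grid above, with its ratings copied as given there. It rebuilds the P x I lookup table, scores each sample risk, ranks them by priority number, and rejects ratings that fall outside the scales.

```python
"""Qualitative risk scoring for a risk evaluation grid (Risk Score = P x I).

Added example for this page; the class and function names are this
example's own, not part of the assignment's spreadsheet. The rating
scales are the ones listed on the slides, and the sample risks are the
five rows of the page's bank network-infrastructure sample grid.
"""
from dataclasses import dataclass

# Rating scales from the assignment slides.
PROBABILITY_RATINGS = {"very low": 0.1, "low": 0.3, "moderate": 0.5,
                       "high": 0.7, "very high": 0.9}
IMPACT_RATINGS = {"very low": 1, "low": 2, "moderate": 3,
                  "high": 4, "very high": 5}


@dataclass
class Risk:
    """One row of the grid: columns A (impact) and B (probability) plus text."""
    name: str
    impact: int            # column A, 1..5
    probability: float     # column B, 0 < B <= 1
    mitigation: str = ""

    def priority(self) -> float:
        """Risk priority number, the spreadsheet's A x B formula."""
        if not 1 <= self.impact <= 5:
            raise ValueError(f"impact rating out of range: {self.impact}")
        if not 0.0 < self.probability <= 1.0:
            raise ValueError(f"probability out of range: {self.probability}")
        return round(self.impact * self.probability, 2)


def priority_from_levels(probability_level: str, impact_level: str) -> float:
    """Score a risk from the named levels on the slides, e.g. ('high', 'moderate')."""
    try:
        p = PROBABILITY_RATINGS[probability_level.lower()]
        i = IMPACT_RATINGS[impact_level.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating level: {exc.args[0]!r}") from None
    return round(p * i, 2)


def risk_score_grid() -> dict:
    """Rebuild the slide's P x I table: rows keyed by probability (highest
    first), each row listing the scores for impact 1..5."""
    return {p: [round(p * i, 2) for i in IMPACT_RATINGS.values()]
            for p in sorted(PROBABILITY_RATINGS.values(), reverse=True)}


def rank_risks(risks):
    """Order risks by priority number, highest first; ties keep grid order."""
    return sorted(risks, key=lambda r: r.priority(), reverse=True)


# Constructed from the sample grid on the page (ratings copied from there; the
# sample's 0.4 probability is not one of the five named levels on the slides,
# but it is still a valid column-B value).
SAMPLE_RISKS = [
    Risk("Misconfiguration of firewall rules, routing protocols and VLANs", 5, 0.4),
    Risk("Loss of network architect or senior network engineer", 4, 0.3),
    Risk("Hardware procurement delay or faulty hardware", 3, 0.3),
    Risk("Facility unavailability", 3, 0.4),
    Risk("Leak of network design and configuration documents", 4, 0.1),
]


def render_grid() -> str:
    """Text rendering of the P x I table in the slide's layout."""
    lines = ["P \\ I " + "".join(f"{i:>6}" for i in IMPACT_RATINGS.values())]
    for p, row in risk_score_grid().items():
        lines.append(f"{p:<6}" + "".join(f"{s:>6.2f}" for s in row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_grid())
    print()
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.priority():<5} {r.name}")
```

Running it prints the 5x5 score table followed by the sample risks in priority order: the firewall/routing/VLAN misconfiguration (2.0) first, then the two 1.2 risks in their grid order, then 0.9 and 0.4. The range checks in priority() are the piece the spreadsheet formula does not give you: a typo such as an impact of 6 or a probability of 3 would silently produce a large priority number in the sheet, whereas here it raises.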