Assessment Answers | Enterprise Risk Management: ISYS1003

Running head: CYBERSECURITY MANAGEMENT
CYBERSECURITY MANAGEMENT
Name of the Student
Name of the University
Author Note
Table of Contents
Task 1
Task 2
Task 4
Task 5
References
Task 1:
Enterprise risk management (ERM) is designed to manage all the risks present in a firm. ERM provides an enterprise-specific strategic direction for identifying the potential events that might affect the business entities (Sax and Andersen 2019). ERM manages risk within its environment, assuring achievement of the business objectives. ERM frameworks establish a consistent risk management culture regardless of the organisation's posture and industry standard.

The NIST Risk Management Framework (RMF) facilitates the management of information privacy and security through a seven-step procedure that helps systems and organizations implement risk management programs meeting the standards of the Federal Information Security Modernization Act (FISMA) (Force 2018).

The steps of the RMF by NIST are as follows:
Preparation: The most vital activities are adopted to prepare the organisation to manage privacy and security issues.
Categorization: An impact analysis categorises the information stored, processed or transmitted.
Selection: NIST SP 800-53 controls are selected to protect the systems based on the risk assessments (Ross 2018).
Implementation: The selected controls are implemented, and the deployment steps are properly documented.
Assessment: Assessments are done to determine whether the controls are operating as intended, are securely in place and are producing the desired output.
Authorization: The system can then be authorized for operation by senior officials making a risk-based decision.
Monitoring: Monitoring is done continuously to check the control implementations and identify risks to the system.
Task 2:
Advanced Medicos Limited is a new company growing rapidly as a private healthcare provider. The company manages a large amount of sensitive and personal client information and sells its products online. The company has realized that the level of security on its poorly built network is low. This significant lack of security measures might lead to serious financial disasters and breaches of personal information privacy and security.

The minimum security requirements for access control management are:
Unique identification of the individual users of the system, granting users the minimum access they need (Lopez and Rubio 2018)
Managing passwords and processing them securely
Meeting contractual and regulatory obligations
Revoking access on breach of contract

The network and data security requirements are:
Least-privilege and default-deny policies on the firewalls on the network (Venugopal, Alves-Foss and Ravindrababu 2019)
Securely configuring the network infrastructure components
Maintaining documentation on information
The NIST framework for identity and access management helps research emerging technologies and implement identity and access solutions. The framework allows the creation of an enhanced suite of interoperable, privacy-enhancing and secure solutions for authentication and authorization. The framework can address specific cybersecurity issues in the business, meeting organizational needs.

The NIST framework for network security allows identifying the organizational risks that might affect the network, systems and assets. Protection is facilitated by developing and implementing appropriate measures and safeguards to ensure critical service delivery (Kure, Islam and Mouratidis 2022). Measures are developed to detect an incident once it occurs through active monitoring. The framework responds to the incident by taking action on it. Finally, plans are developed to quickly recover lost files and restore the business capabilities affected during the incident.
Task 4:
THE INFORMATION SECURITY POLICY
Policy: The policy is made adhering to the NIST Cybersecurity Framework as offered by the Multi-State Information Sharing & Analysis Center (MS-ISAC), which provides a guide for Nationwide Cybersecurity Review (NCSR) and MS-ISAC members and is a resource of assistance for applying and advancing current cybersecurity policies (Wolff and Lehr 2018).
Objectives:
The objective of the policy is to:
Use a privacy- and risk-based approach to protect the integrity, confidentiality and availability of information assets by monitoring, assessing and mitigating information security risks and improving controls, while protecting customers and employees from real incidents.
IDENTIFICATION PHASE:
Asset Management:
Physical devices and the various systems inside the organization are listed and inventoried.
Software applications and platforms are identified and inventoried.
External devices and information systems are listed.
Hardware, software and data are prioritized according to their criticality classification and value to the business.
Roles are established for all organizational employees and stakeholders.
Risk Management Strategy:
Risk management processes are developed, managed and accepted by the key stakeholders.
Supply Chain Risk Management:
A cyber risk assessment is conducted to identify, assess and prioritize suppliers and partners of services, components and information systems.
Suppliers and partners are actively assessed using audits and tests to confirm that they meet their contractual obligations.
Recovery and response planning and testing are introduced to suppliers and partners.
PROTECTION PHASE:
Identity and Access Management:
Identities and appropriate credentials are created, issued, verified and managed, with audits, for authorized devices, processes and users.
Remote access functionality is managed.
Access authorizations and permissions are managed and built on the separation of duties and least privilege principles.
Network integrity is protected by segmentation and segregation.
Training and Awareness:
Users are trained and informed.
Data at rest is protected.
Data in transit is protected.
Assets are managed through transfers, removals and disposition.
An integrity checking approach allows verification of hardware integrity.
Information protection:
A baseline configuration for IT and control systems is created and maintained, incorporating security principles.
Backups are conducted regularly, tested and maintained.
Unused data is destroyed accordingly.
Response and recovery plans are in place, managed and tested continuously.
Maintenance:
Remote maintenance of the organization's assets is approved, logged and conducted in a manner that prevents unauthorized access.
Protective Technologies:
Audit logs are defined, documented, implemented and reviewed according to the policy.
Removable media are protected and their use restricted according to the policies.
Control and communication networks are secured and protected.
DETECTION:
Events and Anomalies:
Incident data is collected and correlated from multiple sensors and sources (NIST Cybersecurity Framework Policy Template Guide 2022).
Security Monitoring:
The network is monitored to detect cybersecurity incidents.
Malicious code is detected.
Monitoring is performed for unauthorized connections, devices and users.
Detection Processes:
Roles and responsibilities for detection are well defined to ensure accountability.
Detection information is communicated.
RESPONSE PHASE:
Response Planning:
The response plan is executed during or after the incident.
Communication:
Employees must know their roles and the operations to be performed when a response is required.
Incidents are reported consistently with the criteria established earlier.
Information is shared consistently throughout the organization.
Task 5:
Information security governance can provide massive help to Advanced Medicos Limited in protecting the life cycle of the information critical to the company's success. Threats to the data can come from hackers, vendors and employees. Information security governance is termed a subset of enterprise governance that provides strategic direction, ensures that objectives are achieved by managing all risks with appropriate measures, utilizes the organization's resources according to best practices, and monitors the success and failure of the security program (Moss Adams 2021).

Information security governance can be vital for Advanced Medicos Limited because the framework allows preparation for incidents by continuously re-evaluating IT and business factors. Governance allows the integration of risk management functions: threats and vulnerabilities are identified and analysed, data is governed along with threat protection, and IT and business strategy are aligned (AlGhamdi, Win and Vlahu-Gjorgievska 2020). The main components of the information security governance framework are the alignment of business and IT strategies, the implementation of appropriate regulations and policies, the alignment of operations with business objectives, and the monitoring of the effectiveness of the program conducted.
References:
Sax, J. and Andersen, T.J., 2019. Making risk management strategic: Integrating enterprise risk management with strategic planning. European Management Review, 16(3), pp.719-740.
Force, J.T., 2018. Risk management framework for information systems and organizations. NIST Special Publication, 800, p.37.
Ross, R.S., 2018. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
Lopez, J. and Rubio, J.E., 2018. Access control for cyber-physical systems interconnected to the cloud. Computer Networks, 134, pp.46-54.
Venugopal, V., Alves-Foss, J. and Ravindrababu, S.G., 2019, December. Use of an SDN Switch in Support of NIST ICS Security Recommendations and Least Privilege Networking. In Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop (pp. 11-20).
Kure, H.I., Islam, S. and Mouratidis, H., 2022. An integrated cyber security risk management framework and risk predication for the critical infrastructure protection. Neural Computing and Applications, pp.1-31.
Wolff, J. and Lehr, W., 2018. When cyber threats loom, what can state and local governments do. Geo. J. Int'l Aff., 19, p.67.
NIST Cybersecurity Framework Policy Template Guide, 2022. Available at: https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2021/11/NIST-Cybersecurity-Framework-Policy-Template-Guide-v2111Online.pdf [Accessed May 13, 2022].
Moss Adams, 2021. How security governance can help protect you from cyberthreats. Information Security Governance and Risk Management | Moss Adams. Available at: https://www.mossadams.com/articles/2021/08/information-security-governance-framework#:~:text=Information%20security%20governance%20is%20defined,security%20program%2C%E2%80%9D%20according%20to%20the [Accessed May 13, 2022].
AlGhamdi, S., Win, K.T. and Vlahu-Gjorgievska, E., 2020. Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, p.102030.
