Enterprise Cybersecurity Program


Project 4 is a culmination of the research and reports delivered in the previous three projects. It is the creation of a strategic policy framework the CEO references as the Enterprise Cybersecurity Program.

After you earn a Master’s in Cybersecurity, you will likely have the opportunity to sit at the management table. As the chief information security officer in this scenario, your opinion and recent education will bring value. However, it will be critical that you possess above-average skills in presenting your material.

Based on this expectation, the final assignment will include a 12- to 15-page Enterprise Cybersecurity Program Report as well as a five- to 10-minute audio presentation for the senior leadership team. Any questions should be directed to your boss, the CIO (course instructor). With 19 steps and five assignments to deliver in the next 19 days, it is time to start on Step 1.

Step 1: Select a Framework

The first order of business in designing an enterprise cybersecurity program is to make a list of what you need to know, an inventory of the key elements to a cybersecurity framework. You will have to assess the cybersecurity posture currently taken at your financial institution. Select the framework you feel your organization is currently using.

Make notes, a paragraph or two, on the specifics of the framework to use in the next step of identifying any vulnerabilities.

Cybersecurity Frameworks


The NIST Cybersecurity Framework (NIST CSF), produced by the Department of Commerce’s National Institute of Standards and Technology (NIST), provides a policy framework for private sector computer security.

Version 1.0 was published in 2014, originally aimed at specific operators of critical infrastructure. The next version is in the draft stage, with operators encouraged to comment on the proposed policy framework, which also addresses increased privacy and civil liberty concerns.

The upcoming NIST CSF 2.0 executive summary notes that cybersecurity threats to infrastructure systems can put the economy, public safety, and health at risk, and can affect “a company’s bottom line … [cybersecurity risk] can harm an organization’s ability to innovate and to gain and maintain customers” (NIST, 2017). The framework’s “core” provides guidance in the form of cybersecurity activities, outcomes, and informative references that are “common across critical infrastructure sectors” (NIST, 2017). The 2.0 version continues to offer advice and guidance based on collaboration between the government and the private sector.

ISO/IEC 27001:2013 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies an information security management system (ISMS) with “requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” according to the ISO’s website. The standard also includes requirements for the assessment and treatment of information security risks (ISO, 2013). The goal is for an organization to meet the standard and pass a compliance audit conducted by an independent accreditation body.

The standard places emphasis on organizational “controls” for responding to security incidents. Its control areas include: information security policies; organization of information security; human resource security controls applied before, during, and after employment; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; information security incident management; and compliance with internal requirements, such as policies, and with external requirements, such as laws (ISO, 2013).

References

International Organization for Standardization (ISO). (2013). ISO/IEC 27001:2013. Information technology — security techniques — information security management systems — requirements. https://www.iso.org/standard/54534.html

National Institute of Standards and Technology (NIST). (2017, January 10). Framework for improving critical infrastructure cybersecurity, draft version 1.1. https://www.nist.gov/sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1.pdf

Step 2: Identify Current Vulnerabilities

The cybersecurity framework selected in the previous step is only a structure or blueprint of possible solutions. Specific solutions, their application, and their implementation within a given framework are industry-driven. For example, in response to credit card fraud in the retail industry, the bank card industry adopted the chip-and-PIN standard for credit cards.

Based on your knowledge of the current state of cyber attack vectors and the notes made in the previous step, create a list of vulnerabilities and how to address them within the chosen framework. Identify both technical and policy options to improve the defense posture of the institution. Add this list to your notes from the previous step. You will use this work in the next step of the project.

Attack Vectors


Attack vectors are paths by which malicious actors gain unauthorized access to computer systems or data. These vectors can be existing avenues that are not adequately protected and are therefore used for unintended purposes, or they can be paths intentionally established for malicious activity. Attacks can come from internal or external sources.

Attack vectors generally exist because of vulnerabilities in hardware or software, or because of human factors (e.g., insider threats). Understanding the characteristics and behaviors associated with attack vectors makes it possible to identify threats. That identification in turn enables the development of mitigations and informs risk management and resource allocation plans.

There are active attacks and passive attacks. Passive attacks are stealthy and usually not detectable to the untrained eye. Network sniffers, brute-force attacks, and keystroke loggers are good examples of passive attacks. Active attacks are likely to modify systems or data, often using social engineering, such as phishing, to gain access to systems and networks. Spoofed email attacks are active.

You should be familiar with common attack types such as brute force, SQL injection, Trojan horses, phishing variations, password cracking, buffer overflows, cross-site scripting, smurf attacks, wireless attacks, and logic bombs. Injection attacks are common: script or commands are introduced in place of expected user input during login, while using a web application, or during database entry. Attack vector lists can be found online (e.g., www.tecapi.com).

Enumerated attack vectors are used to formulate attack patterns, which identify and characterize threats in order to guide risk management and development practices for software assurance. One schema for attack pattern enumeration is the Common Attack Pattern Enumeration and Classification, or CAPEC (MITRE, n.d.). The attack pattern CAPEC-100 Overflow Buffers, for instance, describes a buffer overflow attack in accordance with the CAPEC schema. Here, the attack vector is the buffer overflow, and the attack pattern is the way the overflow is enabled by a vulnerability and carried out by an attacker to affect the information system.

Best practices in software assurance and, more generally, in risk management include the use of industry-wide schemas and frameworks. CAPEC is part of a family of schemas developed in association with the Open Web Application Security Project (OWASP, n.d.), and is independent of any specific commercial interest. The Vocabulary for Event Recording and Incident Sharing, or VERIS (Verizon, n.d.), is another important schema for enumerating threat incidents and breaches; it is developed by Verizon Communications Inc. Further, as a service to the community, Verizon annually publishes the Data Breach Investigations Report (Verizon, 2016).

Public sharing of incident and breach data using VERIS supports software assurance through threat identification, for instance by describing attack vectors in a common language and posting the information in the publicly accessible VERIS Community Database.

References

MITRE Corporation. (n.d.). About CAPEC. In Common attack pattern enumeration and classification: A community resource for identifying and understanding attacks. https://capec.mitre.org/about/

Open Web Application Security Project (OWASP). (n.d.). Welcome to OWASP. https://www.owasp.org/index.php/Main_Page

Verizon. (n.d.). The Veris Community Database (VCDB). http://veriscommunity.net/vcdb.html

Verizon. (2016). 2016 Data breach investigations report.

Step 3: Prioritize the Vulnerabilities

Now that you have selected a defense framework and identified the types of cyber attack vectors to which your organization may be vulnerable, rank the cybersecurity vulnerabilities by both probability of occurrence and financial impact on operations. As you rank the vulnerabilities, make notes on your decision process. These notes will come in handy in the next step, where you will design a specific defense for your enterprise.

Step 4: Evaluate the Framework

Review the notes taken regarding which framework should be used and the prioritized vulnerabilities. Thoroughly describe the existing framework being applied by your organization. Break down both the technology and policy components of the framework and explain how they complement each other to produce the optimum framework. Consider what works well, what could be improved, and which vulnerabilities are not currently being addressed.

You will build upon this evaluation in the next step.

Step 5: Propose a Framework

Using the framework evaluation from the previous step, identify potential improvements or solutions to missing elements for your financial services organization. The improvements or solutions you identify in this step will be used to design your organization’s framework in a future step.

Submit your Framework Enhancement Proposal for evaluation.

Step 6: Design a Framework

Using notes from previous steps, design and describe an enterprise cybersecurity framework specific to your organization. You should create a comprehensive framework covering all aspects of the previous steps in both technology and policy. Fully explain the baseline framework and why it was selected, demonstrate a thorough knowledge of the cybersecurity vulnerabilities that the framework addresses, and use the rankings to explain recommended enhancements to the framework.

In the next step, you will begin to compose your report on the framework.

Step 7: Compose the Framework Report

The Framework Report should be two to three pages, explaining the enhanced cybersecurity framework that will serve as the foundation for the final Enterprise Cybersecurity Program Report. Include your proposal for framework improvements and solutions as an appendix. Submit the completed Framework Report for feedback before moving to the next step, in which you will design a simulation for employees.

Step 8: Design a Simulation Experience

Now that the design of the cybersecurity framework for your organization is complete, it’s time to develop the specific elements needed for the enterprise cybersecurity program. The best plan is one that can reveal points of possible failure, providing an opportunity for adjustment ahead of time. It is also beneficial for the enterprise to practice implementing the framework so that its response is timely and has minimal error.

Using the Cybersecurity Framework Report and the feedback received, design a cybersecurity simulation program for key employees to hone their responses to potential cyberattacks. The design of any training program should consider the following elements:

· training objectives

· audience

· scenario types

· simulation types

· timeframe

· cost

· evaluation

Compile your ideas from this step to create a simulation program design document in the next step.

Cybersecurity Simulation Program

Students are often called to develop competencies in a variety of disciplines. The purpose of learning and training is to allow students to gain this competence in an environment which exposes them to the issues within a discipline, to be able to ask questions and solve challenges, and to produce predictable results in the future. The purpose of modeling or engaging in fact-based scenarios, or “simulations,” is to allow for as close to real-world responses as possible.

Research indicates that the use of simulations is generally more cost-effective, safer, and more efficient than conducting real-world experiments. Variables, such as the simulation environment, teaching style, and emphasis, can be controlled to produce uniform testing. Simulations can also be even more realistic because they can combine a variety of facts and factors to produce the best possible crisis scenario for students to resolve. “The hallmark of a good candidate for simulation is an activity that is complex, dangerous, and/or expensive” (Fite, 2014).

The use of scenarios also permits consistent repetition and, much like other private industry approaches, the ability to discount variables or testing data that were inconsistent or contaminated. One of the world’s largest proponents of simulations is the US Department of Defense. Throughout the many branches and departments of the US military, simulations are a cost-effective tool for engaging service members without placing them in harm’s way or compromising critical systems or equipment.

Simulations are used in cybersecurity programs because they are effective for understanding the complexity of the issues faced by cybersecurity professionals. Whether it is the critical thinking that goes into creating adequate policies and procedures to combat problems (as in the NIST Framework) or the implementation of defined institutional goals, it is important to gain from the experience of tackling these issues. Institutional responses require individual initiative and a solid foundation for any such action. Participants have to know what they need to know, know how to answer the questions they are likely to face, and then find answers to questions they have never encountered before. This is the reason for simulations: to test knowledge and assess performance.

References

Fite, B. (2014, February 11). Simulating cyber operations: A cyber security training framework. https://www.sans.org/reading-room/whitepapers/bestprac/simulating-cyber-operations-cyber-security-training-framework-34510

Step 9: Compose the Simulation Program Design

The Simulation Design Template will assist you in molding your ideas from the last step into a Simulation Program Design. Follow the instructions on the template and submit it for feedback.

Simulation Design Template

As in other instances, the best plan is one that has been executed to find points of possible failure and adjust them if necessary. Simulations are used to improve and support procedures and institutional defense postures. The US Department of Defense designs and runs its simulations in accordance with best practices defined by scholars and acquisition professionals. Before you can create a simulation, however, you must consider and identify the components of a successful design plan.

This is also an opportunity for you to think creatively. Begin by asking the following questions:

· What could you learn from a simulation?

· Could you measure response times?

· Could you find gaps in the process?

· Are there potential communication break points from one organization to the other in executing a timely response?

· How would you implement such a simulation?

Then, use the following format to guide you in creating your simulation design.

I. Training objectives: Include three to five objectives that simulation program participants should meet through the training. Each objective should be a preferred behavior or outcome that a participant in the simulation will demonstrate. For example: The participant will recognize and respond appropriately to a cyberattack within the given amount of time.

II. Audience: Define the key stakeholders of the simulation(s). This should include any role within or attached to the organization that will benefit from participants completing the simulation. Some general examples might include shareholders, customers, and coworkers.

III. Scenario types: Define the types of scenario or scenarios that will be addressed in the simulation program. A scenario should be simple enough to carry out within the constraints of the resources provided by the simulation, yet realistic enough to mimic a real-life event.

IV. Simulation types: Identify and briefly describe the types of simulations that will be included in the program. Simulations could encompass any type of practice necessary to protect the organization. Depending on the chosen scenario, a simulation could use only technical tools, or could be a combination of practice running physical processes and procedures and using technical tools.

V. Timeframe: Define the timeframe for each identified simulation. Will your simulation run for an hour, a day, or a series of days?

VI. Cost: Identify each element of the simulation that will require budget considerations. This should not require a great deal of research, but should be a basic estimate. The goal is to be aware of the costs involved in running a simulation.

VII. Evaluation: Briefly describe how simulation participants will be evaluated and how the simulation program will be evaluated. Evaluations could include paper assessments, trainer observations, or automated computer assessments.

Reference

Johns Hopkins University – Applied Physics Laboratory. (2010). Best practices for the development of models and simulations. https://docs.google.com/viewer?url=https%3A%2F%2Fwww.msco.mil%2FDocumentLibrary%2FMSReferences%2FMSDevelopment%2F10-S-2_26_952%2520-%2520SIW10F%2520-%2520MS%2520Development%2520Best%2520Practices%2520Final%2520Report%2520-%2520Diem%2520-%252020100812%2520-%2520Dist%2520A%2520(3).pdf

Step 10: Evaluate for Policy Improvements

The previous steps dealt with the element of practice in an enterprise cybersecurity program. In this step, turn your attention to policy. Using notes taken in earlier steps as well as the Defense Framework Enhancement Proposal and the Cybersecurity Framework Report, compile a list of the policies that will best support the cybersecurity framework.

As the CISO, you will be expected to consider both strategic foresight leadership and strategic alignment to core business functions when reviewing cybersecurity policies. Include potential policy improvements or solutions to missing elements for your financial services organization. Note the positives and negatives of each policy. The next step will build upon this work.

Step 11: Compose the Cybersecurity Policy Report

Using the evaluation of policy improvements in the previous step, as well as the Defense Framework Enhancement Proposal and the Cybersecurity Framework Report, create a brief, one- to two-page description of how these policy solutions should be incorporated into the given framework. The description should thoroughly analyze the positives and negatives of all policy aspects of the foundational framework.

Submit the Cybersecurity Policy Report for feedback before moving onto the next step. Integrate feedback into this report to be used in the development of the final Enterprise Cybersecurity Program Report.

Step 12: Evaluate Current Cybersecurity Technologies

You have incorporated both simulation and policy into the design of the enhanced enterprise cybersecurity program. The final element is to consider the NIST Cybersecurity Framework. Using the Defense Framework Enhancement Proposal and the Defense Framework Report, compile a list of cybersecurity technologies suggested for various cyber attack vectors. Look at whether these technologies are appropriate and current. The next step will build upon this work.

Step 13: Compose the Cybersecurity Technology Report

Using the evaluation of current technologies in the previous step, as well as the Defense Framework Enhancement Proposal and the Cybersecurity Framework Report, create a brief, one- to two-page description of how these technologies should be incorporated into the given defense framework.

Submit the Cybersecurity Technology Report for feedback before moving to the next step. Integrate feedback into this report to be used in the development of the final Enterprise Cybersecurity Program Report.

Step 14: Design the Enterprise Cybersecurity Program

Based upon all of the reports submitted thus far, as well as feedback received, design the enterprise cybersecurity program. Begin with the enhanced defense framework as a foundation to your cybersecurity program design. Included in the design should be the three program components of simulation, policy, and technology. Finally, the program design should incorporate strategic foresight leadership and strategic alignment to core business functions.

You will include the cybersecurity program design as a section in the final Enterprise Cybersecurity Program Report to the board of directors.

In the next step, you will check the credibility of your resources.

Step 15: Incorporate Credible Support

In order to thoroughly explain why each concept is important, you may need to support your statements with scholarly references. A large part of the final result should focus on the policies and procedures that should be implemented to leverage the technology, rather than depending on the technology alone to provide maximum cybersecurity defense capabilities. Scan and make note of resources to support the statements in your report. In the next step, you will compile the report.

Step 16: Compile the Enterprise Cybersecurity Program Report

Throughout this project, you have completed all of the pieces critical to an enterprise cybersecurity program. Use the Enterprise Cybersecurity Program Report Instructions to help compile the work into a comprehensive report. This report will document and explain the components of the new cybersecurity program you have designed for the organization. The report will also support your program design. This report will accompany your oral presentation to the board of directors. Use this report in the next several steps to prepare the presentation.

Enterprise Cybersecurity Program Report Instructions

Assignment: Enterprise Cybersecurity Program Report and Presentation

All of the work that has been done up to this point within this project has prepared you to present the Enterprise Cybersecurity Program. You will create and submit a five- to 10-minute audio presentation accompanied by a 15- to 20-page report documenting the results of your work. The CEO knows you are the best person to put the report together, but wants to hear the presentation to provide any fine-tuning for the formal verbal presentation that is delivered to the board of directors.

The written portion of the Enterprise Cybersecurity Program Report should be in a formal format and include supplemental items that unify it for the board of directors. The items listed below should be included, and any supporting documentation that helped you reach your conclusions can be included as addendums.

· Table of Contents

· Executive Overview (introduction and purpose)

· Framework Enhancement Proposal (brief two- to three-page description, from Steps 1-5). Include:

    · identification of the vulnerabilities of the current enterprise defense framework

    · proposed policy and technology solutions to counter such vulnerabilities

· Cybersecurity Framework Report (brief two- to three-page description, from Steps 6-7). Include:

    · the designed cybersecurity defense framework from the initial proposed outline

· Simulation Program Design (brief two- to three-page description, from Steps 8-9). Include practice processes and procedures to:

    · communicate the plan for the vulnerabilities

    · carry out counterattack initiatives

· Cybersecurity Policy Report (brief two- to three-page description, from Steps 10-11). Include:

    · policies that support the proposed cybersecurity defense framework

· Cybersecurity Technology Report (brief two- to three-page description, from Steps 12-13). Include:

    · the cybersecurity defense framework implementation plan from the initial proposed outline

· Enterprise Cybersecurity Program Report (comprehensive 15-20 page enterprise cybersecurity plan and audio presentation of recommendations)

Step 17: Write Presentation Script

Use the Enterprise Cybersecurity Program Report completed in the previous step to prepare your oral presentation to the board of directors. Write the presentation by first outlining the key points to be covered during the presentation.

Remember that there will be nontechnical executives in the audience to whom you will have to sell your program. You will have five to 10 minutes to present your findings and to help the executive leaders understand why the program will work and why it is a good investment for the institution. You will practice and record the presentation in the next step.

Step 18: Record the Presentation

Now that you have written your presentation script, you will need to prepare for the presentation through review and practice. Review your presentation for clarity, making sure the board of directors will understand your proposed cybersecurity program, why it will work, and why it is a good investment for the institution.

Once you are satisfied with the script, practice reading through it two or three times, timing yourself to make sure you are within the five- to 10-minute range. After you are satisfied with your delivery, record the presentation. The device you use will determine how you record the audio file; refer to the documentation for your specific device for more information. Once you are ready to move forward, record your oral presentation in MP3 format.

Step 19: Submit the Enterprise Cybersecurity Program Report and Oral Presentation

Congratulations on designing a solid enterprise cybersecurity program for your organization! Submit your Enterprise Cybersecurity Program Report and Oral Presentation files to the CIO.
