Project 4 Enterprise Cybersecurity Program Step 7 Compose The Framework Report see attachment Project 4: Enterprise Cybersecurity Program Step 6: Design a Framework
Using notes from previous steps, design and describe an enterprise cybersecurity framework specific to your organization. You should create a comprehensive framework covering all aspects of the previous steps in both technology and policy. Fully explain the baseline framework and why it was selected, demonstrate a thorough knowledge of cybersecurity vulnerability that the framework addresses, and use the rankings to explain recommended enhancements to the framework.
In the next step, you will begin to compose your report on the framework.
The NIST Cybersecurity Framework (NIST CSF), produced by the Department of Commerce’s National Institute of Standards and Technology (NIST), provides a policy framework for private sector computer security.
Version 1.0 was published in 2014, originally aimed at specific operators of critical infrastructure. The next version is in the draft stage, with operators encouraged to comment on the proposed policy framework, which also addresses increased privacy and civil liberty concerns.
The upcoming NIST CSF 2.0 executive summary notes that cybersecurity threats to infrastructure systems can put the economy, public safety, and health at risk, and can affect “a company’s bottom line … [cybersecurity risk] can harm an organization’s ability to innovate and to gain and maintain customers” (NIST, 2017). The framework’s “core” provides guidance in the form of cybersecurity activities, outcomes, and it references “common across critical infrastructure sectors” (NIST, 2017). The 2.0 version continues to offer advice and guidance, based on the collaboration between the government and private sector.
ISO/IEC 27001:2013 is an information security standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This information security standard is a specification for an information security management system (ISMS) with “requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” according to the ISO’s website. The standard also includes requirements for the assessment and treatment of information security risks (ISO, 2013). The goal is for organizations to meet this standard and securely pass a compliance “audit” by an independent accreditation body.
The standard places emphasis on organization “controls” to respond to security incidents. Such important controls include: information security policies; organization of information security; human resource security controls that are applied before, during, or after employment; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; information security incident management; and compliance with internal requirements, such as policies, and with external requirements, such as laws (ISO, 2013).
International Organization for Standardization (ISO). (2013).ISO/IEC 27001:2013. Information technology — security techniques — information security management systems — requirements. https://www.iso.org/standard/54534.html
National Institute of Standards and Technology (NIST). (2017, January 10). Framework for improving critical infrastructure cybersecurity, draft version 1.1. https://www.nist.gov/sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1.pdf
· ISO/IEC 27001:2013
· ISO/IEC 27004:2016
· Framework for Improving Critical Infrastructure Cybersecurity
An old adage goes: “The only computer that is not in danger is a computer that is turned off.” Cybersecurity professionals must identify and explain the main vulnerabilities against a company’s critical infrastructure.
A cybersecurity vulnerability is any weakness that may compromise the CIA triad (confidentiality, integrity, and availability) of a product. A cybersecurity vulnerability can never be completely eliminated; therefore, countermeasures must be in place to mitigate the potential disaster to a business’s ability to operate after a potential attack.
The confidentiality, integrity, and availability (CIA) triad is at the core of information system security. Information system security professionals use the CIA triad as a mechanism for quantifying the key security considerations of an information system. When a system is under development, each of the CIA concepts must be considered as part of the system’s design objectives. Below is a model of the CIA triad.
Confidentiality, Integrity, Availability (CIA)
Source: Janet Zimmer
Confidentiality refers to the methods used to protect information from unauthorized disclosure. Protecting the confidentiality of proprietary or sensitive information is of vital importance.
Integrity refers to the processes that ensure accuracy of information.
Availability addresses the need of a system to provide continued, reliable access to information while maintaining an acceptable level of performance. Consider organizations with technology and services that must be nearly 100 percent available 24 hours a day, 365 days a year, such as financial institutions, emergency service providers, power providers, and communication providers. Every moment that these organizations cannot exchange information, there is the potential for serious financial loss, injury, or even death.
· Protect Your Information From Physical Threats
· Vulnerability Scanning With Metasploit Using Nessus
Project 4: Enterprise Cybersecurity Program Step 7: Compose the Framework Report
The Framework Report should be two to three pages, explaining the enhanced cybersecurity framework that will serve as the foundation for the final Enterprise Cybersecurity Program Report. Include your proposal for framework improvements and solutions as an appendix. Submit the completed Defense Framework Report for feedback before moving to the next step, in which you will design a simulation for employees.
Submission for Project 4: Cybersecurity Framework Report