Writer did an excellent job on completing the discussion board assignment questions in a timely manner and the revising. I will be hiring this writer for future assignments.
You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As a member of IT security consultant team, one of your responsibilities is to ensure the security of assets as well as provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy in organizations.
A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats.
In a series of New York Times articles, BRI was exposed as being the victim of several security breaches. As a follow up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency’s information security controls and identified numerous issues.
The head of the agency has contracted your company to conduct an IT security risk assessment on its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.
This learning activity focuses on IT security which is an overarching concern that involves practically all facets of an organization’s activities. You will learn about the key steps of preparing for and conducting a security risk assessment and how to present the findings to leaders and convince them into taking appropriate action.
Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern among every organization and it may spell success or failure of its mission. Effective IT professionals are expected to be up-to-date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (oral and written) to executive level management in a non-jargon, executive level manner that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by IT professionals.
3. Steps to Completion
Your instructor will form the teams. Each member is expected to contribute to the team agreement which documents the members’ contact information and sets goals and expectations for the team.
1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats.
The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing and therefore new types of security opportunities and threats are emerging which may impact the agency.
Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary for this environment.
The following incidents involving BRI’s systems occurred and reported in the New York Times and other media outlets:
These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI’s information security posture. Using standards and guidance provided by the National Institute of Standards and Technology and other parties, they had the following findings:
Identification and Authentication Controls
• User account passwords had no expiration dates.
• Passwords are the sole means for authentication.
End User Security
An internal audit report indicated that the organization needed several security programs including a security awareness and training program, a privacy protection program and a business continuity/disaster recovery programs. These programs will need special attention.
2) Examine Background Resources
This learning demonstration focuses on the National Institute of Standards and Technology’s (NIST) “Guide for Conducting Risk Assessments”
(http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf). See Pg. 23 to view the description of the risk management process.
Throughout this learning activity, feel free to use other references such as:
Other NIST publications (http://csrc.nist.gov/publications/PubsSPs.html),
SANS Reading Room (http://www.sans.org/reading-room/),
CSO Magazine (http://www.csoonline.com/),
Information Security Magazine (http://www.infosecurity-magazine.com/white-papers/),
Homeland Security News Wire (http://www.homelandsecuritynewswire.com/topics/cybersecurity)
Other useful references on security risk management include: https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
3) Prepare the Risk Assessment Plan
Using the NIST report as your guide, address the following items:
Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim report will be consolidated to a final deliverable in a later step.)
All interim reports should be at least 500 words long and include at least five references for each report. These reports will eventually be presented to management for their review.
4) Conduct the Assessment
Again, use the NIST report to address the following:
1) Identify threat sources and events 2) Identify vulnerabilities and predisposing conditions 3) Determine likelihood of occurrence 4) Determine magnitude of impact 5) Determine risk
You are free to make assumptions but be sure to state them in your findings.
In determining risk, include the assessment tables reflect BRI’s risk levels. Refer to Appendix I. on risk determination in Special Publication 800-30.
Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be sure to include the final risk evaluations in this report.
5) Identify Needed Controls and Programs
Research and specify security controls needed to close the security gaps in BRI.
Also, be sure to include a description of the following programs for securing BRI:
You should justify the need for the agency to invest in your recommendations.
Document your findings and recommendations from this step in the “Interim Security Recommendations Report.”
6) Communicate the Overall Findings and Recommendations
Integrate of your earlier interim reports into a final management report. Be sure to address:
Also provide a presentation to management. The presentation should consist of 15-20 slides. It should include audio narration (directions are found at: https://support.office.com/en-au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The narration should also be captured in the slide notes.
Prepare a peer evaluation report.
Except for the presentation, combine all of the files into one Word document. Provide an abstract, introduction, table of contents and conclusion in this one document.
Title your files using this protocol: GroupNumber_G-2_AssignmentName_Date.
In lieu of submitting the presentation, the team leader may provide a link to the presentation file.
NOTE: At the end of the project, each member of the team should email a completed Peer Evaluation form to your instructor.
Ross, R. (2014). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-53r4
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. & Thomas, R. (2002). Contingency planning guide for information technology systems. NIST Special Publication 800-34. Retrieved from http://ithandbook.ffiec.gov/media/22151/ex_nist_sp_800_34.pdf
Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.Read more
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.Read more
Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.Read more
By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.Read more