Risk Mitigation Strategy
Project 3 – Risk Mitigation Strategy
Description
For this project, you will leverage your research from Project #1 and analysis from Project #2 to develop a risk mitigation strategy for your chosen company. If necessary, you can adjust your Information Usage Profile or your Risk Profile using feedback from your instructor and additional information from your readings and research. The deliverable for this project will be a Risk Mitigation Strategy that includes a Security Controls Profile based upon the security and privacy controls catalog from NIST SP 800-53 Revision 5 and the security functions and identifiers from the NIST Cybersecurity Framework (CSF) Version 1.1.
• NIST SP 800-53 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
• NIST CSF https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Note: Table 2 Framework Core in Appendix A of the NIST Cybersecurity Framework provides a cross-reference for each function/category/sub-category to the security and privacy controls from NIST SP 800-53.
Review Guidance for Information Security Functions & Controls
1. Review the NIST Cybersecurity Framework with a particular focus on the Functions, Categories, and Sub-Categories. Consider how these functions can be employed to mitigate the risks you identified and documented in Project #2.
2. Review Chapter 2 in Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53). Pay special attention to section 2.2 Control Structure and Organization.
3. Review Appendix A in the NIST CSF to identify the security Functions, Categories, and Sub-Categories that specify risk mitigations which could be implemented to reduce or eliminate each risk listed in your Risk Mitigation Strategy Security Controls Profile (Table 2).
Develop and Document Your Security Controls Profile
1. Review the sample security controls profile provided in Tables 1 & 2 at the end of this file. Use this sample to guide your security controls analysis and the formatting of your Risk Mitigation Strategy Security Controls Profile. The sample entry in Table 2 was derived from the entry shown below (source: NIST CSF Appendix A Table 2 Framework Core).
2. Copy your Risk Profile (Table 1) from Project #2 into a new file (for your assignment submission). Then copy the Risk Mitigation Strategy Security Controls Profile (Table 2) from this assignment file into your project submission file (place it after Table 1). Delete the sample text from Table 2.
3. Transfer the RISK ID and RISK TITLE columns from Table 1 into Table 2. This is how you will link your Risk Profile to your Risk Mitigation Strategy. You should have 15 or more risks related to the company’s business operations, use of the Internet, the company’s IT systems and infrastructures (including “technologies in use”), and the types and collections of information used by the company.
4. For each row in your Table 2 (Risk Mitigation Strategy Security Controls Profile), choose a security function from the NIST CSF which could be implemented to mitigate the identified risk. Then, review the Category and Sub-Category information for that function. Choose one or more sub-categories and enter those into your table in the CSF Category ID column.
5. Using the Informative References provided in the NIST CSF Appendix A Table 2: Framework Core, identify 2 or 3 security controls which, if implemented, will serve to mitigate the specific risk listed in your risk profile. Note that the CSF Version 1.1 Informative References cite NIST SP 800-53 Revision 4; confirm each control number and title against the Revision 5 catalog before entering it in your table, because some controls and control enhancements were renumbered, merged, or withdrawn between the two revisions.
6. Write a brief narrative description of the risk mitigation strategy for your identified risk. This strategy should derive from your selected security function and controls. Use the ABC hallmark for writing for executive audiences: accuracy, brevity, and clarity.
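The linking procedure above (risk to CSF sub-category to SP 800-53 controls) can be sanity-checked mechanically before the table goes into the paper. The script below is an added example, written for this page and not part of the assignment or of any NIST publication. It validates identifier syntax, the two-to-three-control rule, the fifteen-row minimum, and that each control traces back to the Informative References of the chosen sub-category. The profile rows are constructed; the PR.AC-4 reference set is transcribed from CSF 1.1 Appendix A and should be verified against the published table before you rely on it.

```python
"""Sanity-check a Risk Mitigation Strategy Security Controls Profile (Table 2).

Added example, not part of the assignment text. The rows below are constructed
and the PR.AC-4 informative-reference set is transcribed from NIST CSF 1.1
Appendix A; re-check it against the published document before use.
"""
import re
from dataclasses import dataclass

# CSF 1.1 sub-category identifier, e.g. PR.AC-4
CSF_SUBCATEGORY = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")
# SP 800-53 control identifier with optional enhancement, e.g. AC-3 or AC-3(7)
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

# SP 800-53 informative references per sub-category (CSF 1.1 cites Rev. 4 numbering).
CSF_INFORMATIVE_REFERENCES = {
    "PR.AC-4": {"AC-1", "AC-2", "AC-3", "AC-5", "AC-6", "AC-14", "AC-16", "AC-24"},
}


@dataclass
class ProfileRow:
    risk_id: str
    risk_title: str
    strategy: str
    csf_subcategories: list
    controls: list


def base_control(control_id: str) -> str:
    """Strip the enhancement suffix so AC-3(7) can be matched against AC-3."""
    m = CONTROL_ID.match(control_id)
    if not m:
        raise ValueError(f"malformed control identifier: {control_id}")
    return f"{m.group(1)}-{m.group(2)}"


def check_row(row: ProfileRow, min_controls: int = 2, max_controls: int = 3) -> list:
    """Return findings for one row; an empty list means the row passes."""
    findings = []
    if not row.csf_subcategories:
        findings.append("no CSF sub-category selected")
    referenced = set()
    for sub in row.csf_subcategories:
        if not CSF_SUBCATEGORY.match(sub):
            findings.append(f"malformed CSF sub-category identifier: {sub}")
            continue
        referenced |= CSF_INFORMATIVE_REFERENCES.get(sub, set())
    if not min_controls <= len(row.controls) <= max_controls:
        findings.append(f"expected {min_controls} to {max_controls} controls, found {len(row.controls)}")
    for cid in row.controls:
        try:
            base = base_control(cid)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        # Traceability is only enforced for sub-categories whose reference list we hold.
        if referenced and base not in referenced:
            findings.append(f"{cid} is not an informative reference for {row.csf_subcategories}")
    return findings


def check_profile(rows: list, min_rows: int = 15) -> dict:
    """Map risk_id -> findings; the key '_profile' holds table-level findings."""
    findings, profile_findings, seen = {}, [], set()
    if len(rows) < min_rows:
        profile_findings.append(f"profile has {len(rows)} rows; at least {min_rows} required")
    for row in rows:
        if row.risk_id in seen:
            profile_findings.append(f"duplicate risk id {row.risk_id}")
        seen.add(row.risk_id)
        row_findings = check_row(row)
        if row_findings:
            findings[row.risk_id] = row_findings
    if profile_findings:
        findings["_profile"] = profile_findings
    return findings


# Sample row from the assignment's Table 2, plus a constructed row with defects.
SAMPLE_ROW = ProfileRow(
    "001", "Unauthorized disclosure of customer information.",
    "Role-based access controls limit who can reach systems handling customer information.",
    ["PR.AC-4"], ["AC-3(7)", "AC-3(11)"],
)
BAD_ROW = ProfileRow(
    "002", "Constructed example with defects.", "Placeholder strategy.",
    ["PR.AC4", "PR.AC-4"], ["SC-7"],
)

if __name__ == "__main__":
    for risk_id, issues in check_profile([SAMPLE_ROW, BAD_ROW]).items():
        print(risk_id, issues)
```

Run it after filling in your rows: the sample row passes cleanly, while the constructed row 002 is flagged for a malformed sub-category identifier, for carrying only one control, and for naming SC-7, which PR.AC-4 does not reference. Extend CSF_INFORMATIVE_REFERENCES with the sub-categories you actually use so that the traceability check covers every row.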
Develop Your Risk Mitigation Strategy
1. Review Chapter 1: The Business Case for Decision Assurance and Information Security in the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide (the course textbook). This resource will help you determine what information to include as part of your Risk Mitigation Strategy for your selected company. Another helpful resource for understanding what information should be included in your strategy is: https://www.workfront.com/project-management/life-cycle/initiation/business-case
Note: this assignment does not require a full business case. You are not required to provide financial information, implementation plans, etc. Your presentation of your strategy should focus on these sections of a business case:
o Business problem or opportunity
o Benefits
o Risk
o Technical Solutions
o Timescale
o Impact on Operations
2. Identify best practices for information security and reasons / justifications for allocating resources (people, money, technologies) to implement security controls. You will find relevant best practices and justifications listed in the Executive Summaries and opening chapters of NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, and the NIST Cybersecurity Framework. You may wish to discuss your recommendations in terms of timeframe for implementation: immediate, near-term (about 6 months), medium term (12-18 months), within the next two years, etc. Keep in mind that there may need to be tradeoffs between time and money.
3. Organize your recommendations to formulate your Risk Mitigation Strategy. At a minimum, this section should include a summary of the business problem (reduce risks related to information and IT systems and infrastructures), the benefits of implementing security controls, the general types of risks to be mitigated (focus on the CIA triad), and the policy, processes, and technical solutions being recommended.
Write
1. An introduction section which provides a brief introduction to the company and the information / information technology risks that it faces (you may reuse some of your narrative from Project #1 and/or Project #2). Your introduction should include a brief overview of the company’s business operations. Follow this with a description of the purpose and contents of this Risk Mitigation Strategy deliverable.
2. A separate analysis section in which you present your Risk Profile. Start with a summary of your Risk Profile. You may reuse your introductory paragraph from Project #2 (revise if necessary) where you explained your risk profile (what information is contained in the table and what sources were used to obtain this information). Include a description of the process and documents used to construct the Risk Profile. Explain the benefits of using a risk profile to help manage risk. The citations and named documents in this paragraph will serve as citations and attributions for the contents of Table 1 (bring Table 1 Risk Profile forward from Project #2 and update if needed). Place Table 1 at the end of this section.
3. A separate analysis section (Security Controls Profile) in which you present your Security Controls Profile. Provide an introductory paragraph that explains the security controls profile, e.g., what information is contained in the table and what sources were used to obtain this information. Describe the process and documents used to construct the Security Controls Profile.
4. A separate section (Risk Mitigation Strategy) in which you present a high-level strategy for implementing the risk mitigations (security controls) presented earlier in this deliverable. This section should include a summary of the business problem (reduce risks related to information and IT systems and infrastructures), the general types of risks to be mitigated (focus on the CIA triad and summarize the risks you previously identified), the benefits of implementing security controls listed in your Security Controls Profile, and the policy, processes, and technical solutions being recommended for implementation (aligned to your Security Controls Profile).
5. A separate Recommendations and Conclusions section which provides a summary of the information contained in this deliverable and presents your concluding statements regarding the business need and business benefits which support implementing your Risk Mitigation Strategy and the allocation of resources by the company.
Submit Your Work for Grading and Feedback
Before you submit your work, check the rubric (displayed in the Assignment Folder entry) to make sure that you have covered all required content including citations and references.
Submit your work in MS Word format (.docx or .doc file) using the Project #3 Assignment in your assignment folder. (Attach the file.)
Additional Information
1. Your 8 to 10 page deliverable should be professional in appearance with consistent use of fonts, font sizes, colors, margins, etc. You should use headings and sub-headings to organize your paper. Use headings which correspond to the content rows in the rubric – this will make it easier for your instructor to find required content elements and will help you ensure that you have covered all required sections and content in your paper.
2. The stated page length is a recommendation based upon the content requirements of the assignment. All pages submitted will be graded but, for the highest grades, your work must be clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a higher grade. Shorter submissions may not fully meet the content requirements resulting in a lower grade.
3. The INFA program requires that graduate students follow standard APA style guidance for both formatting and citing/referencing sources. Your file submission must be in MS Word format (.docx). PDF, ODF, and other types of files are not acceptable.
4. You must include a cover page with the course, the assignment title, your name, your instructor’s name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count.
5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow APA Style guidance. Use of required readings from the course as sources is expected and encouraged. Where used, you must cite and provide references for these readings.
7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact numbering and names (titles) when referring to those controls. This information does not need to be treated as quotations. You may paraphrase or quote from the descriptions of the controls provided that you appropriately mark copied text (if any) and attach a citation for both quoted and paraphrased information.
8. Consult the grading rubric for specific content and formatting requirements for this assignment.
9. All work submitted to the Assignment Folder will be scanned by the Turnitin service. We use this service to help identify areas for improvement in student writing.
Table 1. Risk Profile for [company]

| Risk ID | Risk Title | Description | Risk Category | Impact Level |
|---|---|---|---|---|
| 001 | Unauthorized disclosure of customer information. | Disclosure of or access to customer information must be restricted to authorized individuals with a need to know. Unauthorized disclosure or access could result in harm to customers and financial liabilities for the company. | People | Medium |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |
| 011 | | | | |
| 012 | | | | |
| 013 | | | | |
| 014 | | | | |
| 015 | | | | |
Table 2. Risk Mitigation Strategy Security Controls Profile

| Risk ID | Risk Title | Risk Mitigation Strategy | CSF Category ID | Security Controls |
|---|---|---|---|---|
| 001 | Unauthorized disclosure of customer information. | Implementation of role-based access controls will reduce the risk of unauthorized access to customer information by controlling which individuals are granted access to the systems and software used to collect, process, transmit, and store this information. | PR.AC Identity Management, Authentication, and Access Control: PR.AC-4 | AC-3(7) Access Enforcement \| Role-based Access Control; AC-3(11) Access Enforcement \| Restrict Access to Specific Information Types |
| 002 | | | | |
| 003 | | | | |
| 004 | | | | |
| 005 | | | | |
| 006 | | | | |
| 007 | | | | |
| 008 | | | | |
| 009 | | | | |
| 010 | | | | |
| 011 | | | | |
| 012 | | | | |
| 013 | | | | |
| 014 | | | | |
| 015 | | | | |
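The sample row above names AC-3(7) and AC-3(11) as the controls behind a role-based access strategy for customer information. The code below is an added example, written for this page rather than taken from the assignment or from NIST, showing what those two controls look like when enforced in software: a default-deny decision keyed on role and information type, separation-of-duties enforcement at the moment a role is assigned (the least-privilege intent of PR.AC-4), and an audit trail from which denied attempts can be pulled for review. The roles, information types and user names are constructed for illustration.

```python
"""Role-based access enforcement restricted by information type.

Added example, not taken from the assignment or from NIST. It demonstrates
the behaviour behind AC-3(7) (role-based access control) and AC-3(11)
(restrict access to specific information types). Roles, information types
and users below are constructed for illustration.
"""
from dataclasses import dataclass

# Information types the company processes (constructed).
CUSTOMER_PII = "customer_pii"
CUSTOMER_PAYMENT = "customer_payment"
PRODUCT_CATALOG = "product_catalog"

# role -> information type -> permitted operations. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "support_agent": {CUSTOMER_PII: {"read"}, PRODUCT_CATALOG: {"read"}},
    "billing_clerk": {CUSTOMER_PAYMENT: {"read", "update"}, CUSTOMER_PII: {"read"}},
    "billing_approver": {CUSTOMER_PAYMENT: {"read", "approve"}},
    "marketing": {PRODUCT_CATALOG: {"read", "update"}},
}

# Role pairs one person must never hold at the same time (separation of duties).
SEPARATION_OF_DUTIES = {frozenset({"billing_clerk", "billing_approver"})}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# (user, information type, operation, allowed) tuples kept for later review.
AUDIT_LOG = []


def assign_role(subject: Subject, role: str) -> Subject:
    """Return a new Subject with the role added; refuse unknown or conflicting roles."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    new_roles = frozenset(subject.roles | {role})
    for pair in SEPARATION_OF_DUTIES:
        if pair <= new_roles:
            others = ", ".join(sorted(pair - {role}))
            raise ValueError(f"{role} conflicts with {others} for {subject.user}")
    return Subject(subject.user, new_roles)


def authorize(subject: Subject, info_type: str, operation: str) -> Decision:
    """Default deny: allow only when an assigned role grants the operation on the type."""
    decision = Decision(False, f"no role of {subject.user} permits {operation} on {info_type}")
    for role in sorted(subject.roles):
        if operation in ROLE_PERMISSIONS.get(role, {}).get(info_type, set()):
            decision = Decision(True, f"role {role} permits {operation} on {info_type}")
            break
    AUDIT_LOG.append((subject.user, info_type, operation, decision.allowed))
    return decision


def denied_attempts(log=None) -> list:
    """Denied accesses are the events to review for misuse or for missing role grants."""
    return [entry for entry in (AUDIT_LOG if log is None else log) if not entry[3]]


if __name__ == "__main__":
    agent = assign_role(Subject("alice", frozenset()), "support_agent")
    print(authorize(agent, CUSTOMER_PII, "read"))       # allowed by support_agent
    print(authorize(agent, CUSTOMER_PAYMENT, "read"))   # denied: no role grants it
    print(denied_attempts())
```

The policy table is the artifact an auditor will ask for when you claim AC-3(7) and AC-3(11) are implemented: it states, per role, exactly which information types and operations are reachable, and everything else falls to the default deny. Keeping the separation-of-duties check at assignment time, rather than at access time, prevents the conflicting combination from ever existing in the directory.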