Module 01 Content
- For the first part of your project, you have been given a partial audit, performed by a NASA Blue Team. This audit was part of their Certification and Authorization (C&A) process to ensure Country Roads Space Systems (CRSS) has authorization to operate as a 3rd party entity to NASA and allowed to work with NASA assets. The C&A process includes a line-by-line review of all security controls identified within NIST 800-53b documentation, and their sub-sections. During the initial review process, NASA reviewed the existing security controls employed by CRSS and evaluated their compliance to the identified security controls. All items that were found to be non-compliant are documented for review, and a Plan of Action & Milestones (POAM) document was generated as a guideline to correct or evaluate any exemptions found in the initial C&A audit.
CRSS_InitialPOAM.xlsx
You will be responsible for reviewing the POAM and familiarizing yourself with the findings. However, you will only be responsible for auditing two security controls that are found to be non-compliant for the audit that you will perform during this course. Please be aware that once you choose your two specific security controls in this Module, you will continue to build on your analysis of these two controls throughout this course. Therefore, you should take time to consider which controls you choose. In addition, for your two choices, you must choose:
- One security control from the group of IA-2, IA-3 or IA-5. (NOTE: IA-5 is a common control that often requires remediation in actual security settings. Students who choose IA-5 will be presented with a challenge, but will also find greater documentation when researching remediation.)
- One other security control from the group of AC-5, PE-13, RA-5.
- For your Module One Project, start by taking the time to familiarize yourself with the POAM and understand how various systems are evaluated against a common set of compliance frameworks. Study the controls in the POAM and review them against the NIST and COBIT frameworks for similar types of controls. In addition, review these security controls against the standards in ISO 27000. Take note of how security controls can be met in diverse ways and still meet overall compliance. With your review of these controls and standards complete, you should feel confident in picking two security controls identified in the POAM listed as being compliant. As part of your audit, you should also review the company's network. Please review the CRSS Network Diagram.
CRSS Network Diagram.pptx
NOTE: The various frameworks are usually very similar, though differences exist relevant to their industry focus. ISO 27000 and COBIT are meant to focus on private sector compliance, while NIST is focused on public sector.
You can review each framework at:
- NIST
- COBIT
- ISO 27000

For this week, you will use the IA security control you chose and, in a brief report, address the following:
- Explain the significance of this control and, in your own words, how it protects CRSS and NASA assets. Do you agree with the assessment of the vulnerability described in Column E “Weakness Description”?
- Next, look up your IA security control in NIST and summarize the NIST standard for one of your controls.
- Now find the similar standards in ISO27000 and COBIT. Once you find references to security controls that are closest to the security controls you chose in ISO27000 and COBIT, write a brief explaining the similarities and/or differences between the three standards with regard to one of your security controls.
- Highlight whether you think NIST is the most appropriate set of regulations for CRSS when compared to the other standards. Which do you think is the most appropriate standard?
- Do you agree with how the control is remediated in Column K “Overall Remediation Plan”? If so, explain why. If not, please provide an alternative to the Overall Remediation Plan.
- Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.
Closed POA&M Items

FedRAMP Plan of Action and Milestones (POA&M) Template

| CSP | System Name | Impact Level | POAM Date |
| --- | --- | --- | --- |
| Text | Text | Low, Moderate, High | Date |

The CSP, System Name, Impact Level and POAM Date fields contain only the template placeholders. For every item below, Weakness Source Identifier, Planned Milestones, Milestone Changes, Status Date, Vendor Dependency, Last Vendor Check-in Date, Vendor Dependent Product Name and Deviation Rationale are N/A; Supporting Documents and Comments are None; False Positive and Operational Requirement are No.

V-001 (Control IA-2)
- Weakness Name: Authentication only takes place by a single mechanism
- Weakness Description: Users are only required to enter a password for access to domain assets.
- Weakness Detector Source: Interviews and policy investigations.
- Asset Identifier: Domain Wide
- Point of Contact: Director of Systems and Architecture
- Resources Required: Domain modifications and group policy edits
- Overall Remediation Plan: Implemented a two-factor authentication system. Users were enrolled in the new two-factor system and issued RSA token devices that auto-generate a number to append to their password.
- Original Detection Date: 20160821; Scheduled Completion Date: 20170324
- Original Risk Rating: Moderate; Adjusted Risk Rating: Moderate; Risk Adjustment: No

V-002 (Control IA-3)
- Weakness Name: Rogue devices are allowed access to the network
- Weakness Description: This weakness can be exploited on the wired network via physical access (plugging in) and on the wireless network if the wifi password is known.
- Weakness Detector Source: Testing, wireless scans and physically plugging into the wired network.
- Asset Identifier: Entire CRSS network, administrative and secure networks.
- Point of Contact: Sr. Network Administrator
- Resources Required: None
- Overall Remediation Plan: It has been found that the border firewall meets NIST standards, physical access to the CRSS campus is limited by guards and NIST-approved physical access controls, and wifi logon is controlled by Domain Authentication, which is now two-factor.
- Original Detection Date: 20160821; Scheduled Completion Date: 20170511
- Original Risk Rating: Moderate; Adjusted Risk Rating: Low; Risk Adjustment: Yes

V-003 (Control IA-5)
- Weakness Name: Lack of Authentication Management
- Weakness Description: CRSS only utilizes single-factor authentication, and the Help Desk has a process for resetting a user's password. The user is given a temporary password (over the phone, via email, or in person).
- Weakness Detector Source: Interviews and policy review
- Asset Identifier: Entire Domain
- Point of Contact: Director of Systems and Architecture
- Resources Required: None
- Overall Remediation Plan: A web portal has been established for password changes, and all password requests will be directed to this portal. With the new two-factor authentication and issuance of RSA token devices, a procedure has been established to decommission lost and stolen devices and issue a new device.
- Original Detection Date: 20160821; Scheduled Completion Date: 20170502
- Original Risk Rating: Low; Adjusted Risk Rating: Moderate; Risk Adjustment: Yes

V-004 (Control AC-5)
- Weakness Name: Domain Administrator accounts have full domain access
- Weakness Description: Systems Administrators have full Domain access, including access to local logs, account modifications, and domain configurations.
- Weakness Detector Source: Interviews, which led to investigations on the Primary Domain Controller.
- Asset Identifier: Domain Wide
- Point of Contact: Director of Systems and Architecture
- Resources Required: Nothing beyond existing
- Overall Remediation Plan: Created multiple accounts with various levels of access, which are logged in the local domain event logs. The Domain Administrator account has a random password that has been secured in a safe. No account belongs to the Domain or Enterprise Administrator group. Specialized security groups have been created for varying levels of access.
- Original Detection Date: 20160821; Scheduled Completion Date: 20170211
- Original Risk Rating: High; Adjusted Risk Rating: High; Risk Adjustment: No

V-005 (Control PE-13)
- Weakness Name: Halon 1301 is currently deployed in the main data center as the fire suppression system
- Weakness Description: Halon was identified as an ozone-depleting substance in 1994 and new production has been banned by the EPA. The current supply cannot be replenished from new sources, only from recycled methods.
- Weakness Detector Source: Physical inspection of data center
- Asset Identifier: Data Center fire suppression system
- Point of Contact: Director of Systems and Architecture
- Resources Required: None
- Overall Remediation Plan: This weakness has been accepted, since Halon is safe for electrical equipment and has low toxicity for humans. It has been determined to keep the existing system in place and find spare Halon from recycled systems.
- Original Detection Date: 20160821; Scheduled Completion Date: 20160923
- Original Risk Rating: Low; Adjusted Risk Rating: Low; Risk Adjustment: No

V-006 (Control RA-5)
- Weakness Name: Lack of strong scans being performed.
- Weakness Description: (blank)
- Weakness Detector Source: Interviews, inspection of reports
- Asset Identifier: Nessus server
- Point of Contact: Information Security Officer
- Resources Required: SIEM, Splunk licensing and hardware
- Overall Remediation Plan: The Nessus server has been moved to a secure portion of the network and access has been limited to a specific security group. The Nessus server can reach hosts via specialized firewall rules into the Administration and Classified Networks. An information security analyst has been tasked to monitor scan reports for bad data. Credentialed scans have not been implemented due to security concerns raised by data stakeholders.
- Original Detection Date: 20160821; Scheduled Completion Date: 20170612
- Original Risk Rating: Moderate; Adjusted Risk Rating: Moderate; Risk Adjustment: No
CRSS Network Diagram
Copyright Rasmussen, Inc. 2013. Proprietary and Confidential.