Final Project – Develop a Cyber Security Plan
Review the announcements on submission requirements and grading criteria.
Submit a simplified cyber security plan. Use the lessons learned from this course and any additional research of your own. You can write it using a fictitious organization, or an organization that you have studied, or learned from the course. Even if you have found partial information on an organization, you can make up the values/numbers using your judgment. I understand that you may not be able to find all the pieces of information, thus use your judgment. Please do not include any information that is confidential. In your answer, be specific with the names of the tool, technology, software, hardware, network, version, patch, name of the control/standard, as applicable.
By reading the paper, I will expect to get a good overview of the Information Technology (IT) landscape and cyber security practices of the organization with the names of the tools, technology, hardware, software, version, patch management policy, firewall policy, etc. that are applicable. In other words, name them with specifics. For example:
– Instead of just writing “software is used for a web application” name what software it is, version, etc.
– Instead of just writing “firewall is used”, state any specific configuration of the firewall, the name of the device, etc.
– Instead of just writing “security controls are in place”, state the name of the security control, what exact security policy, etc.
– Instead of just writing “database is used”, name the database, the volume of the data, any data backup policy, etc.
– Instead of just writing “hardware is up to date”, name the hardware components, any license renewal, etc.
Submit a well-written paper in MS Word/PDF format. The paper is double spaced, in 12-point font, with a standard margin. The paper should cover the following sections. Underline each section in your answer so that I can differentiate between the sections. You are welcome to add sections beyond the ones noted below.
Summary:
This is an executive summary of your project explaining briefly what you are accomplishing, what approaches are taken, what the final result and recommendation are.
This section in its entirety is roughly half a page but no more than 1 page.
Research Findings:
If you have researched from different resources (websites, company literature, particular course lesson, etc.), state those resources in the reference section (at the end of your submission), and in this section state what you have learned from those resources (also cite the resources inline within the body of the writing). If you chose to write on a fictitious organization, then clearly state in this section that it is a fictitious organization. Even if you choose a fictitious organization, you may benefit by researching other resources to see what kind of Information Technology (IT) infrastructure they have in place, its use, and its security controls. If you have learned from other resources that have helped with this project, state your findings in this section.
This section in its entirety could be as little as one or two sentences if you did not have a need to research but no more than 1 page.
Description of the Business and How it uses IT to Drive Business:
For the organization that you have chosen, state the nature of the business, products, and services they offer, their strategic directions, operational work, what was the reason to choose this organization in your project.
This section in its entirety is roughly half a page but no more than 1 page.
Identification of the IT Components and their Use:
For the organization that you have chosen, identify any three IT components and state what they are and their usage with specific names of the tools, technology, version, patch, etc. as applicable.
Number each component as i, ii, iii, etc., so that I can clearly identify them. A few examples of the components to assess are the following and you may choose the ones noted below or a different one of your own. The following are examples and hints, and you can come up with a different one.
– Network (Various networking components, firewall configuration, local area network, wireless network, VPN, router, server, etc., as applicable)
– Hardware (any appliance, device, type of computer, server with the operating system, etc., as applicable)
– Software (proprietary, open source, a third party, a software application created and how they are accessed, such as using the internet and if it requires secure access, how to keep its uptime high, maintenance schedule, etc.)
– Database (what database is in use, the volume of use, how to scale for a higher volume, etc.)
Other components of interest could be IoT, Cryptocurrency, Cloud, Tools, and products used by the organization, and any other component as you find applicable.
This section in its entirety is no less than half a page but no more than 2 pages.
Identification of Current Cyber Security Practices in Place and Map to NIST, CIS Top 18, OWASP 10:
For the IT components identified, state what security practices are already in place and map the security practice with the name of the specific NIST and/or CIS Top 18 and/or OWASP 10. Number the IT components as i, ii, iii, etc. so that I can clearly identify them.
For a given IT component (depending on what it is), a few of the security practices to consider (although they would vary from one type of component to another) are patch management and its frequency, ensuring redundancy and backup, virus protection, access control with password protection, browser security, phishing, privately identifiable data, data protection and encryption at rest and transit, firewall, etc.
An example of identifying an IT component, its security practice, and mapping to the name of NIST/CIS/OWASP is:
For the Oracle database used in the organization (database is an IT component), the data at rest is encrypted using Oracle’s Transparent Data Encryption, and it maps to CIS 03 control of data protection because (and elaborate in this manner by stating the technology and tools used).
This section in its entirety is no less than half a page but no more than 2 pages.
Analyze the Current Risk
Refer to the course lessons on:
Risk = Likelihood x Impact
Likelihood = Threats x Vulnerabilities
Impact = Time x Cost
Keep the above notion in mind but I suggest that you simplify it to Risk = Likelihood x Impact and only assign numeric values for Likelihood and Impact.
You may choose a percentage for Likelihood and a numeric value (e.g. 1 being lowest) for Impact or any other valuation and clearly state your approach.
Based on this, for each IT component that you have already identified, calculate the risk. Number each component as i, ii, iii, etc. so that I can clearly differentiate them. For each component, explain why a numeric value was chosen. An example is:
For IT component i,
Risk = 30% x1 = 0.33 x1 = 0.33
Explain the reason for choosing these values for IT component 1
For IT component ii,
Risk = 45% x2 = 0.45 x2 = 0.9
Explain the reason for choosing these values for IT component 2
Cost-Benefit of Cyber Security
For the IT components noted, analyze the total cost and its benefit. You can include any direct and indirect cost in terms of money and do your best to quantify the benefit in money. Also analyze how much time it takes to break even on the cost (investment made).
Number each IT component as i, ii, iii, etc. so that I can clearly differentiate. This gives the students an opportunity to analyze costs and benefit from different angles.
For example, for IT component i,
The cost of procuring the new software is $100,000, yearly support of $30,000, yearly training cost is $10,000.
If the software is not procured, the company will be charged $20,000 per month. As such, in 7 months, the cost of non-compliance would be $140,000.
In seven months, we will break even on the initial investment of $140,000.
Other reasons for new investment (incurring new cost) could be a new business contract, loss of a customer for not upgrading, merger with another company, and many more. Consider how to translate them to money.
It is hoped that the cost of security for an IT component is less than the benefit but that may not always be the case. If you find so, explain why. Often cost calculation is more complex and so is the benefit and the benefit could be realized over many years through goodwill etc. and you are not expected to delve that deep. Your analysis of the cost and benefit is a simplified one by covering the aspects that can be analyzed.
New Security Tools and Policies to Propose:
For the IT components noted, what additional cyber security tools and policies would you propose? Number the IT components as i, ii, iii so that I can clearly identify them. This section gives the students an opportunity to apply their learnings and lessons to recommend additional security measures with the current state and the future risks in mind.
For example, if the software application has a future need to be hosted in a cloud environment, propose additional security measures. If your assessment says that there is a security loophole existing in the current software, state what it is and what can be done to address it. For example, if a software version is out of support, then propose its upgrade.
Associate any new tool or policy with one or more of the NIST and/or CIS Top 18 and/or OWASP 10 and state it clearly so that I can understand which control/standard it matches with. If, for any reason, it does not match, clearly explain why.
An example is, for the Oracle database used in the organization (database is the IT component), it is proposed to have an additional Oracle Database Security Assessment Tool and it maps to CIS 03 (and elaborate accordingly).
This section in its entirety is no less than half a page but no more than 2 pages.
Cyber Security Response – An Email to Executive Committee
Write this section as if it is an email to the executive committee who will sponsor this project (e.g. approve this project, allocate time, resources, funding). You can just write the body of the email and there is no need to address anyone, nor to put any date and signature. Your email body (only include the email body in this section) should emphasize why it is important to implement your proposal (e.g. why should the company invest $x on a new tool y), what is the quantified benefit, what would happen if this investment is not made, what is the benefit (short term and long term) of making this investment. These are a few of the ideas. You are making a business case for your project and this investment. Focus on business and in this section write to capture the attention of the business (without overwhelming with technical jargon, as the business decision-makers may also come from the non-technical group).
This section in its entirety is no less than half a page but no more than 1 page.
Conclusion:
The conclusion is the concluding remarks.
Roughly half a page but no more than 1 page.
Your Opinion on any Certification Interest
As you understand, an industry certificate will require focused study using test preparation and test questions, and the intent is different from the broader learning objective of a college course, which is based on theory, practice, case study and many more. Share if you will be interested in doing focused study on any certificate such as SY0-601, or any other certificate, and any preparation plan, if you are interested in pursuing it.
References:
Include at least 5 references in the reference section and also cite them in-line within the body of the writing using the citation rule.
Pictorial Representations, if Used:
Any diagram, table, and chart included in the paper are exempt from the page limit, and they do not inflate the page limit suggested above. There is no requirement to do any additional work by including a cover page, or any special formatting – there is no need to do any extra work of this nature.
Requirements: APA format
CSM 601 – FINAL PROJECT
FINAL PROJECT WEEK 8
DEVELOP CYBER SECURITY PLAN
Summary:
This cyber security plan outlines key aspects of a comprehensive security strategy for a fictitious organization, XYZ Enterprises. The plan encompasses research findings, business description, identification of IT components, current cyber security practices mapped to NIST, CIS Top 18, and OWASP 10, risk analysis, cost-benefit assessment, proposed security tools and policies, and a persuasive email to the executive committee. The plan aims to enhance XYZ Enterprises’ cyber resilience and protect its assets while ensuring the best return on investment.
Research Findings:
For the purpose of this project, we have chosen to focus on XYZ Enterprises, a fictitious organization. While no external research was conducted due to the fictional nature of the organization, the plan draws on the knowledge acquired during the course to establish a robust security framework for XYZ Enterprises.
Description of the Business and IT Usage:
XYZ Enterprises is a medium-sized financial services company offering a range of banking and investment products to its customers. The organization’s strategic objectives include expanding its customer base, increasing revenue, and maintaining a competitive edge in the financial services sector.
The organization’s extensive use of IT is integral to its daily operations, including online banking, customer relationship management, data analytics, and regulatory compliance reporting.
Identification of IT Components and Their Use:
I. Network Infrastructure:
Local Area Network (LAN) with Cisco Catalyst switches.
Wireless network using Cisco Aironet access points.
VPN for secure remote access.
Cisco ASA firewall for perimeter security.
II. Hardware:
Dell PowerEdge servers running Windows Server 2019.
End-user workstations with Windows 10 Pro.
Cisco routers for network routing.
III. Software:
Proprietary online banking software developed in-house.
Microsoft Office 365 suite.
Symantec Endpoint Protection for antivirus.
Identification of Current Cyber Security Practices:
I. Network Infrastructure:
Regular patch management, following NIST guidelines.
Intrusion detection system (IDS) in place, mapped to CIS Control 5.
Firewall rules configured according to CIS Control 9.
II. Hardware:
Regular hardware maintenance and updates.
Strong access controls with password policies aligned to CIS Control 13.
III. Software:
Frequent software updates and security patches.
End-user security awareness training for phishing prevention (CIS Control 17).
Analyze the Current Risk:
For each IT component:
I. Network Infrastructure:
Risk = 25% (Likelihood) x 2 (Impact) = 50%
The high risk is attributed to the critical nature of network infrastructure.
II. Hardware:
Risk = 20% (Likelihood) x 1 (Impact) = 20%
Lower risk due to routine maintenance.
III. Software:
Risk = 15% (Likelihood) x 2 (Impact) = 30%
Moderate risk due to the potential impact of software vulnerabilities.
Cost-Benefit of Cyber Security:
I. Network Infrastructure:
Cost: Annual maintenance and IDS subscription costs – $50,000.
Benefit: Avoidance of a potential breach, estimated at $1 million.
Break-even in 20 months.
II. Hardware:
Cost: Annual hardware maintenance – $20,000.
Benefit: Prevention of hardware failures, saving $100,000 per failure.
Immediate return on investment.
III. Software:
Cost: Annual software maintenance and training – $40,000.
Benefit: Prevention of a major security incident, estimated at $500,000.
Break-even in 8 months.
New Security Tools and Policies to Propose:
I. Network Infrastructure:
Propose implementing a Security Information and Event Management (SIEM) system (CIS Control 6).
II. Hardware:
Suggest adopting a hardware asset management tool (CIS Control 2).
III. Software:
Recommend implementing a software vulnerability scanning tool (CIS Control 3).
Cyber Security Response – Email to Executive Committee:
Dear Members of the Executive Committee,
I would like to emphasize the critical importance of implementing the proposed cyber security enhancements for XYZ Enterprises. The investment required for these measures is justifiable, considering the potential consequences of neglecting them.
The cost-benefit analysis demonstrates that the cost of non-compliance or security incidents far outweighs the investments needed for improved security. Failing to act could result in substantial financial losses, damage to our reputation, and legal ramifications.
In addition to safeguarding our assets, these security enhancements will align us with industry standards and best practices, enhancing our competitiveness and demonstrating our commitment to data protection. Furthermore, they will ensure the continued trust of our customers and regulators.
The proposed security tools and policies are aligned with recognized security frameworks (NIST, CIS Top 18, and OWASP 10), providing a robust defense against evolving cyber threats.
I urge you to consider this investment as a necessary step to protect our organization’s future. Our cyber security measures are only as strong as our weakest link, and it is our responsibility to fortify that link. I am confident that these enhancements will yield significant benefits, both in the short and long term.
Thank you for your attention and consideration.
Sincerely,
[Your Name]
Conclusion:
In conclusion, this cyber security plan outlines a comprehensive strategy to protect XYZ Enterprises from cyber threats. By identifying key IT components, assessing risks, and proposing security enhancements, we aim to strengthen our organization’s security posture while ensuring a favorable return on investment.
Your Opinion on any Certification Interest:
As I consider the next steps in my cyber security career, I am indeed interested in pursuing industry certifications such as SY0-601. These certifications will provide me with a focused and structured approach to enhancing my skills and knowledge. I plan to dedicate time to study for these certifications and follow a rigorous preparation plan to achieve them. Certifications will not only bolster my professional profile but also equip me with the latest industry insights and best practices.
References:
NIST Cybersecurity Framework. Retrieved from [URL].
CIS Controls V8. Retrieved from [URL].
OWASP Top Ten Project. Retrieved from [URL].
XYZ Enterprises Internal Security Policy Document (2023).
Symantec Endpoint Protection Documentation (Version X.X).
