CYB 260 Project Three Guidelines and Rubric
Service Level Agreement Requirement Recommendations
Overview
Once security requirements have been defined, an organization must have a way to ensure that these requirements are satisfied. Security controls are safeguards or countermeasures that organizations implement to protect all types of assets (data, physical, personnel, and so on) from threats to confidentiality, integrity, or availability. Organizations such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute of Standards and Technology (NIST) publish collections of security controls intended to address critical areas of cybersecurity concern. However, these guidelines provide different levels of detail, vary in prescriptiveness, and apply to different industries and organizational structures. Ultimately, each organization must determine how best to implement security controls to meet its expectations for asset protection. As such, the security practitioner must select, design, implement, and manage the policies, procedures, standards, and guidelines designed to implement these controls.
In the milestone assignment for this project, you examined employee training as a control measure to reduce the incidence and effects of social engineering. As you saw, training is a key method for incorporating security best practices. However, it is not the only type of control measure that cybersecurity professionals rely on. Incorporate the instructor feedback you received on the milestone as you envision a more comprehensive approach to security controls at an organization.
In this project, you will analyze requirements, select appropriate security controls, and specify methods to implement your selected controls to satisfy the requirements. You will demonstrate
your mastery of the following course competency:
Design security controls and practices for humans in the system
Scenario
Use the Project Three Scenario to complete this assignment. This scenario places you in the role of a security consultant for an organization. The scenario includes additional requirements
related to the proposal you addressed in Projects One and Two.
To complete this project, review the following documents:
Service Level Agreement
CIS Controls, Version 8
To complete this task, you will prepare service level agreement requirement recommendations for the internal stakeholder board identifying an approach to meeting the requirements in the
scenario.
2/18/25, 12:56 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1831858/viewContent/38649355/View 1/3
Prompt
Prepare a brief that outlines the requirement recommendations for the service level agreement and describes your approach to meeting the requirements of the scenario. You must address
the following critical elements:
I. Select two controls that address the requirements of the scenario.
A. Control One: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the requirements.
B. Control Two: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the requirements.
II. Describe the necessity for a training program to address a specific social engineering threat.
III. Describe the expected outcomes of a training program that addresses the social engineering threat you identified in the previous critical element.
What to Submit
Your submission should be 1 to 3 pages in length and use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to APA style. Use a file
name that includes the course code, the assignment title, and your name—for example, CYB_260_Project_One_Neo_Anderson.docx.
Project Three Rubric
Each criterion is scored at four levels: Exemplary (100%), Proficient (85%), Needs Improvement (55%), and Not Evident (0%). The value is the criterion's weight toward the total.

Control One (value: 23)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Justifies how the selected control type and implementation will meet the requirements
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Control Two (value: 23)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Justifies how the selected control type and implementation will meet the requirements
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Necessity for a Training Program (value: 23)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Describes the necessity for a training program to address a specific social engineering threat
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant
Expected Outcomes of a Training Program (value: 23)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Describes the expected outcomes of a training program that addresses the identified social engineering threat
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Articulation of Response (value: 8)
Exemplary (100%): Submission is free of errors related to grammar, spelling, and organization and is presented in a professional and easy-to-read format
Proficient (85%): Submission has no major errors related to grammar, spelling, or organization
Needs Improvement (55%): Submission has some errors related to grammar, spelling, or organization that negatively impact readability and articulation of main ideas
Not Evident (0%): Submission has critical errors related to grammar, spelling, or organization that prevent understanding of ideas

Total: 100%
2/18/25, 12:56 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1831858/viewContent/38649355/View 3/3
CYB 260 Project Three Scenario
An initial agreement has been made, and Helios Health Insurance has provided a service level agreement (SLA) that defines the relationship between Fit-vantage and Helios. You have been tasked with recommending the implementation of the controls detailed in the SLA. Now that the partnership is in place, the insurance company’s SLA contains the terms and conditions that require evidence of how Fit-vantage will address three critical controls—specifically, how the organization will use awareness training to defend against social engineering attacks. The SLA covers several of the CIS Controls. Provide the steps needed to ensure that the following critical controls have been implemented:
• Control 5: Account Management
• Control 6: Access Control Management
• Control 14: Security Awareness and Skills Training
To complete this project, review the following documents:
• Service Level Agreement
• CIS Controls, Version 8
Links to these documents are on the Project Three Guidelines and Rubric page in the course’s Assignment Information area.
CYB 260 Service Level Agreement Version 1.1
Agreement Overview
This Agreement represents a Service Level Agreement (“SLA” or “Agreement”) between Helios Health Insurance (“COMPANY”) and Fit-vantage Technologies (“CLIENT”) for the provisioning of hosting services required to support and sustain product or custom software development. This Agreement remains valid until superseded by a revised agreement mutually endorsed by the stakeholders.
Goals and Objectives
The purpose of this Agreement is to ensure that the proper elements and commitments are in place to provide consistent IT service support and delivery to the CLIENT by the COMPANY. The objectives of this Agreement are to:
• Provide clear reference to service ownership, accountability, roles, and/or responsibilities
• Present a clear, concise, and measurable description of service provision to the CLIENT
• Match perceptions of expected service provision with actual service support and delivery
Service Agreement
The following detailed service parameters are the responsibility of the COMPANY in the ongoing support of this Agreement.
Service Scope
The following Services are included in this Agreement:
• Manned telephone support
• Monitored email support
• Support desk / ticket system
CLIENT Requirements
CLIENT responsibilities and/or requirements in support of this Agreement include:
• Payment for all support and maintenance costs according to the contracted service contract or hourly rate in CLIENT’s agreement/contract with COMPANY
• Reasonable availability of CLIENT representative(s) when resolving a service-related incident or request
COMPANY Requirements
COMPANY responsibilities and/or requirements in support of this Agreement include:
• Best effort for availability outside of office hours
• Meeting response times associated with service-related incidents
• Appropriate notification to CLIENT for all scheduled maintenance
• Best effort in diagnosis and repair of incident(s), including critical decision making in emergency situations
CIS Controls
COMPANY responsibilities and/or requirements in support of this Agreement include:
• Control 1: Inventory and Control of Hardware Assets
• Control 2: Inventory and Control of Software Assets
• Control 5: Account Management
• Control 6: Access Control Management
• Control 10: Malware Defenses
• Control 14: Security Awareness and Skills Training
Audit
COMPANY responsibilities and/or requirements in support of this Agreement include:
• The Audit will be performed at least once a year.
• The Audit will detail how the CLIENT covers the CIS critical controls.
• The Audit will be in a short report to senior management.
Exceptions
CLIENT shall not receive any credit under the SLA in connection with any failure or deficiency of website or email availability caused by or associated with:
1. Circumstances beyond COMPANY’s reasonable control, including, without limitation, acts of any governmental body, war, insurrection, sabotage, armed conflict, embargo, fire, flood, strike or other labor disturbance, interruption of or delay in transportation, unavailability of or interruption or delay in telecommunications or third-party services, virus attacks or hackers, failure of third-party software (including, without limitation, e-commerce software, payment gateways, chat, statistics, or free scripts) or inability to obtain raw materials, supplies, or power used in or equipment needed for provision of this SLA;
2. Scheduled maintenance and emergency maintenance and upgrades (Note: Every effort will be made to keep downtime to a minimum during maintenance periods, and when possible, COMPANY will notify CLIENT in advance of the expected downtime. CLIENT will not be billed hourly for these maintenance periods, but these maintenance periods are not eligible for SLA credits);
3. DNS issues outside the direct control of COMPANY;
4. CLIENT’s acts or omissions (including acts or omissions of others engaged or authorized by the CLIENT), including, without limitation, custom scripting or coding (e.g., CGI, Perl, HTML, ASP, etc.), any negligence, willful misconduct, or use of the Services in breach of this Agreement;
5. DNS (Domain Name System) propagation;
6. Outages elsewhere on the Internet that hinder access to your account. COMPANY is not responsible for browser or DNS caching that may make your site appear inaccessible when others can still access it. COMPANY will guarantee only those areas considered under the control of COMPANY.
7. Issues with email client configuration or performance
Service Management
Effective support of in-scope services is a result of maintaining consistent service levels. The following sections provide relevant details on service availability, monitoring of in-scope services, and related components.
Service Availability
• Regular business hours are considered to be from 9.00 a.m. until 5.00 p.m. Eastern Standard Time, Monday to Friday, except federal U.S. holidays and observances as defined by the U.S. government.
• Telephone support: Will be conducted during business hours.
• Email support: Will be monitored during business hours. Any email received outside office hours will be collected, and best efforts will be made to respond to CLIENT’s request. However, no action will be guaranteed until the next working day.
• Support desk / ticket system: Customers provided this option are encouraged to submit a ticket, whether during or after office hours, via the support desk.
Emergency Situation
1. Any work performed or calls handled outside regular business hours will be considered an emergency and billed accordingly.
2. Services that need an immediate resolution, including but not limited to server failure, software failure, or e-PHI risk, that are not related to an existing project or approved work/change order may be completed without CLIENT’s approval.
3. CLIENT will be provided with an emergency email address and phone number, which will be forwarded to multiple parties in COMPANY’s organization.
CLIENT will be promptly notified in the event of such a situation, and COMPANY will make the best effort to identify such circumstances in order to ensure the best possible service.
COMPANY guarantees 99.8% uptime (over a 1-month period) for systems under COMPANY’s exclusive control and hosted in COMPANY’s cloud HIPAA hosting environment, protecting the system from downtime as a result of poor server configuration or poor application performance. On simple HIPAA hosting, if the server or failure point is not hosted in COMPANY’s network, COMPANY cannot be held responsible for downtime as a result of network outages, hardware failure, and other issues outside of COMPANY’s control. COMPANY expects remote access to be maintained and direct contact to individuals physically present at the server hosting company.
Customer Requesting Reimbursement
If there is a server outage or other problem that causes CLIENT’s environment to go offline and the problem is in-scope of the responsibility of COMPANY, CLIENT will be entitled to the following:
• Credit of 2% of the monthly bill (applicable hosting, support, and maintenance fees only) for each 30 minutes of downtime beyond the guaranteed uptime, up to a maximum of 100% of their monthly bill.
To receive a credit, CLIENT must make a request by sending an e-mail message to COMPANY. If the outage is confirmed by COMPANY, credits will be applied within two billing cycles after receipt of CLIENT’s credit request. Credits are not refundable and can be used only toward future billing charges.
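Added worked example, not part of the SLA or the course materials. The 99.8% monthly uptime guarantee and the 2%-per-30-minutes credit are the only measurable figures in this SLA, and checking them against an outage record is less trivial than it reads: overlapping alerts for one incident must not be counted twice, an outage that straddles the billing month must be clipped, and the text does not say whether a started but incomplete 30-minute block earns a credit. The Python below computes measured availability and the credit owed; the outage list is constructed sample data, and the partial-block rule is an assumption exposed as a parameter.

```python
"""Availability and SLA-credit calculator (added example; not the SLA's own tooling).

Encodes the SLA's stated figures: 99.8% uptime over a one-month period, a credit of
2% of the monthly bill per 30 minutes of downtime beyond that guarantee, capped at
100%. How outages are recorded and whether a partial 30-minute block counts are
assumptions and are flagged in the comments.
"""
from datetime import datetime, timedelta
from math import ceil
from typing import Iterable, List, Tuple

Outage = Tuple[datetime, datetime]  # (start, end), end exclusive

GUARANTEED_UPTIME = 0.998        # SLA: 99.8% over a 1-month period
CREDIT_PER_BLOCK = 0.02          # SLA: 2% of the monthly bill per block
CREDIT_CAP = 1.0                 # SLA: up to a maximum of 100% of the bill
BLOCK = timedelta(minutes=30)    # SLA: "each 30 minutes of downtime"


def month_bounds(year: int, month: int) -> Tuple[datetime, datetime]:
    """Return [first instant of the month, first instant of the next month)."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def merge_outages(outages: Iterable[Outage]) -> List[Outage]:
    """Merge overlapping or touching windows so two alerts for one incident are
    not double counted."""
    merged: List[Outage] = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_month(outages: Iterable[Outage], year: int, month: int) -> timedelta:
    """Total downtime inside the billing month; outages are clipped at its edges."""
    m_start, m_end = month_bounds(year, month)
    total = timedelta()
    for start, end in merge_outages(outages):
        start, end = max(start, m_start), min(end, m_end)
        if end > start:
            total += end - start
    return total


def availability(outages: Iterable[Outage], year: int, month: int) -> float:
    """Measured availability for the month as a fraction in [0, 1]."""
    m_start, m_end = month_bounds(year, month)
    return 1.0 - downtime_in_month(outages, year, month) / (m_end - m_start)


def sla_credit(outages: Iterable[Outage], year: int, month: int,
               count_partial_block: bool = False) -> float:
    """Fraction of the monthly bill owed as credit under the SLA.

    count_partial_block is an assumption: the SLA says "each 30 minutes" without
    stating whether a started-but-incomplete block counts.
    """
    m_start, m_end = month_bounds(year, month)
    allowed = (m_end - m_start) * (1.0 - GUARANTEED_UPTIME)   # 0.2% of the month
    excess = downtime_in_month(outages, year, month) - allowed
    if excess <= timedelta(0):
        return 0.0
    blocks = ceil(excess / BLOCK) if count_partial_block else int(excess // BLOCK)
    return min(CREDIT_CAP, blocks * CREDIT_PER_BLOCK)


# Constructed sample data (not real incidents): three alerts in January 2025,
# two of which overlap, plus one outage that straddles the month boundary.
SAMPLE_OUTAGES: List[Outage] = [
    (datetime(2025, 1, 10, 2, 0), datetime(2025, 1, 10, 3, 30)),    # 90 min
    (datetime(2025, 1, 20, 12, 0), datetime(2025, 1, 20, 12, 45)),  # overlaps next
    (datetime(2025, 1, 20, 12, 30), datetime(2025, 1, 20, 13, 0)),  # merged: 60 min
    (datetime(2025, 1, 31, 23, 0), datetime(2025, 2, 1, 1, 0)),     # 60 min in Jan
]


def january_2025_report() -> Tuple[float, float, float]:
    """(availability, credit with full blocks only, credit counting partial blocks)."""
    return (availability(SAMPLE_OUTAGES, 2025, 1),
            sla_credit(SAMPLE_OUTAGES, 2025, 1),
            sla_credit(SAMPLE_OUTAGES, 2025, 1, count_partial_block=True))


if __name__ == "__main__":
    avail, credit, credit_partial = january_2025_report()
    print(f"availability {avail:.4%}, credit {credit:.0%} "
          f"(or {credit_partial:.0%} if partial blocks count)")
```

For the sample month the allowed downtime is 0.2% of 31 days (89.28 minutes), the merged and clipped downtime is 210 minutes, so 120.72 minutes are in excess: four full blocks (8% credit), or five if a started block counts (10%). The two readings differ by a whole block, which is the kind of ambiguity worth resolving in the SLA text before an audit rather than after an outage.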
CIS Critical Security Controls® Version 8
Acknowledgments CIS would like to thank the many security experts who volunteer their time and talent to support the CIS Critical Security Controls® (CIS Controls®) and other CIS work. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).
To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of the Center for Internet Security, Inc. (CIS®).
May 2021
CIS Controls v8 i Contents
Contents
Glossary (p. iii)
Acronyms and Abbreviations (p. vi)
Overview
  Introduction (p. 1): Evolution of the CIS Controls; This Version of the CIS Controls; The CIS Controls Ecosystem (“It’s not about the list”); How to Get Started; Using or Transitioning from Prior Versions of the CIS Controls; Structure of the CIS Controls; Implementation Groups
CIS Critical Security Controls (each Control section covers: Why is this Control critical?, Procedures and tools, Safeguards)
  Control 01 Inventory and Control of Enterprise Assets (p. 7)
  Control 02 Inventory and Control of Software Assets (p. 10)
  Control 03 Data Protection (p. 13)
  Control 04 Secure Configuration of Enterprise Assets and Software (p. 16)
  Control 05 Account Management (p. 19)
  Control 06 Access Control Management (p. 21)
  Control 07 Continuous Vulnerability Management (p. 23)
  Control 08 Audit Log Management (p. 26)
  Control 09 Email and Web Browser Protections (p. 28)
  Control 10 Malware Defenses (p. 30)
  Control 11 Data Recovery (p. 32)
  Control 12 Network Infrastructure Management (p. 34)
  Control 13 Network Monitoring and Defense (p. 36)
  Control 14 Security Awareness and Skills Training (p. 39)
  Control 15 Service Provider Management (p. 42)
  Control 16 Application Software Security (p. 45)
  Control 17 Incident Response Management (p. 50)
  Control 18 Penetration Testing (p. 53)
Appendix
  Resources and References (p. A2)
  Controls and Safeguards Index (p. A4)
Glossary
Administrator accounts: Dedicated accounts with escalated privileges and used for managing aspects of a computer, domain, or the whole enterprise information technology infrastructure. Common administrator account subtypes include root accounts, local administrator and domain administrator accounts, and network or security appliance administrator accounts.
Application: A program, or group of programs, hosted on enterprise assets and designed for end-users. Applications are considered a software asset in this document. Examples include web, database, cloud-based, and mobile applications.
Authentication systems: A system or mechanism used to identify a user through associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on file in a database of the authorized user’s information on a local operating system, user directory service, or within an authentication server. Examples of authentication systems can include Active Directory, Multi-Factor Authentication (MFA), biometrics, and tokens.
Authorization systems: A system or mechanism used to determine access levels or user/client privileges related to system resources including files, services, computer programs, data, and application features. An authorization system grants or denies access to a resource based on the user’s identity. Examples of authorization systems can include Active Directory, access control lists, and role-based access control lists.
Cloud environment: A virtualized environment that provides convenient, on-demand network access to a shared pool of configurable resources such as network, computing, storage, applications, and services. There are five essential characteristics of a cloud environment: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Some services offered through cloud environments include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Database: Organized collection of data, generally stored and accessed electronically from a computer system. Databases can reside remotely or on-site. Database Management Systems (DMSs) are used to administer databases, and are not considered part of a database for this document.
End-user devices: Information technology (IT) assets used among members of an enterprise during work, off-hours, or any other purpose. End-user devices include mobile and portable devices such as laptops, smartphones and tablets, as well as desktops and workstations. For the purpose of this document, end-user devices are a subset of enterprise assets.
Enterprise assets: Assets with the potential to store or process data. For the purpose of this document, enterprise assets include end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in virtual, cloud-based, and physical environments.
Externally-exposed enterprise assets: Refers to enterprise assets that are public facing and discoverable through domain name system reconnaissance and network scanning from the public internet outside of the enterprise’s network.
Internal enterprise assets: Refers to non-public facing enterprise