System Management Act Case Study
Order ID 53563633773 Type Essay Writer Level Masters Style APA Sources/References 4 Perfect Number of Pages to Order 5-10 Pages Description/Paper Instructions
System Management Act Case Study
Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations. Federal IT systems follow Federal Information System Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, the Control Objective for Information Technology (COBIT) is a set of IT security guidelines that provides a framework for IT security for IT systems in the commercial sector.
These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports.
In this project, you will develop a 12-page written security assessment report and executive briefing (slide presentation) for a company and submit the report to the leadership of that company.
There are six steps to complete the project. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than three weeks to complete. Begin with the workplace scenario, and then continue to Step 1.
Deliverables
security assessment report (SAR), slides to support executive briefing, lab report
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
1.7: Create neat and professional looking documents appropriate for the project.
1.8: Create clear oral messages.
2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
2.4: Consider and analyze information in context to the issue or problem.
2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
5.2: Knowledge of architectural methodologies used in the design and development of information systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
7.2: Includes the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Vulnerability from the perspective of disaster management includes assessing the threats from potential hazards to the population & to infrastructure.
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
You will get your information from a data-flow diagram and report from the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization. Click the following to view the data-flow diagram: [diagram and report]
Include the following areas in this portion of the SAR:
Security requirements and goals for the preliminary security baseline activity.
Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization.
Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: LAN, MAN, WAN, enterprise. Use these questions to guide you:
What are the security risks and concerns?
What are ways to get real-time understanding of the security posture at any time?
How regularly should the security of the enterprise network be tested, and what type of tests should be used?
What are the processes in play, or to be established to respond to an incident?
Workforce skill is a critical success factor in any security program, and any security assessment must also review this component. Lack of a skilled workforce could also be a security vulnerability. Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?
Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
Describe the ways to detect these malicious code and what tactics bad actors use for evading detection.
Public and private access areas, web access points. Include in the network diagram the delineation of open and closed networks, where they co-exist. In the open network and closed network portion, show the connections to the Internet.
Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
Operating systems, servers, network management systems.
data in transit vulnerabilities
endpoint access vulnerabilities
external storage vulnerabilities
virtual private network vulnerabilities
media access control vulnerabilities
ethernet vulnerabilities
Possible applications. This network will incorporate a BYOD (bring your own device) policy in the near future. The IT auditing team and leadership need to understand current mobile applications and possible future applications and other wireless integrations. You will use some of this information in Project 2 and also in Project 5.
The overall SAR should detail the security measures needed, or implementations status of those in progress, to address the identified vulnerabilities. Include:
remediation
mitigation
countermeasure
recovery
Through your research, provide the methods used to provide the protections and defenses.
From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53A and determine their applicability to the risks identified.
The baseline should make up at least three of the 12 pages of the overall report.
When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company’s overall network defense strategy.
You’ve completed your initial assessment of the company’s security with your baseline analysis. Now it’s time to determine the best defenses for your network.
Start by reading a publication by the National Institute of Standards and Technology, NIST-SP-800-115 Technical Guide to Information Security Testing and Assessment, and outline how you would test violations. Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black box testing, white box testing).
Include these test plans in the SAR. The strategy should take up at least two of the 12 pages of the overall report.
Click the following link to learn more about cybersecurity for process control systems: Cybersecurity for Process Control Systems
After you’ve completed this step, it’s time to define the process of penetration testing. In the next step, you’ll develop rules of engagement (ROE).
Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and timeframe. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE). The process and any documents can be notional or can refer to actual use cases. If actual use cases are included, cite them using APA format.
This portion should be about two pages of the overall 12-page report.
After you have outlined the steps of a penetration testing process, in the next step you will perform penetration testing. During the testing, you will determine if the security components are updated and if the latest patches are implemented, and if not, determine where the security gaps are.
Step 4: Conduct a Network Penetration Test
You’ve defined the penetration testing process, and in this step, you will scan the network for vulnerabilities. Though you have some preliminary information about the network, you will perform a black box test to assess the current security posture. Black box testing is performed with little or no information about the network and organization.
To complete this step, you will use industry tools to carry out simulated attacks to test the weaknesses of the network. You will do this within your lab Workspace. The workspace instructions will provide many of the details, but in the simulation, you will launch a sandbox type of virtual machine (VM), report your findings and actual screen captures of the behaviors you see as a result of the tests, and include these in the SAR.
Your assessments within the lab will be reported in the SAR.
Note: You will use the tools in Workspace for this step. If you need help outside the classroom, you can register for the CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration information). Lab assistants are available to help.
Click here to access the instructions for Navigating the Workspace and the Lab Setup.
Click here to access the Project 1 Workspace Exercise Instructions. Explore the tutorials and user guides to learn more about the tools you will use. Then, enter Workspace.
After finding the security issues within the network, define which control families from the NIST 800-53 are violated by these issues. Explain in the SAR why each is a violation, support your arguments with a copy of your evidence, and then provide suggestions on improving the security posture of these violations.
This section should make up at least four of the 12 pages in the overall report.
After you’ve completed the penetration testing, move to the next step, where you will compile a risk management cost benefit analysis.
Step 5: Complete a Risk Management Cost Benefit Analysis
You’ve completed the penetration testing, and now it’s time to complete your SAR with a risk management cost benefit analysis. Within this analysis, think about the cost of violations and other areas if you do not add the controls. Then add in the cost for implementing your controls.
When you have finished with the cost benefit analysis, which should be at least one page of your overall report, move to the final step, which is the completed SAR. As part of the final assignment, remember that you will need to create a slide presentation as part of the executive briefing, and submit that along with the SAR.
Step 6: Compile the SAR, Executive Briefing, and Lab Report
You have completed comprehensive testing in preparation for this audit, provided recommended remediations, and developed a set of recommendations. Now you are ready to submit your SAR and executive briefing.
The requirements for Project 1 are as follows:
Executive briefing: A three- to five-slide visual presentation for business executives and board members.
Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables or citations.
Lab report: A document sharing your lab experience and providing screenshots to demonstrate that you performed the lab. Attach it to the SAR as an artifact.
Submit all three components to the assignment folder.
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
1.7: Create neat and professional looking documents appropriate for the project.
1.8: Create clear oral messages.
2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
2.4: Consider and analyze information in context to the issue or problem.
2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
5.2: Knowledge of architectural methodologies used in the design and development of information systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
5.3: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
7.2: Includes the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Vulnerability from the perspective of disaster management includes assessing the threats from potential hazards to the population & to infrastructure.
RUBRIC
QUALITY OF RESPONSE NO RESPONSE POOR / UNSATISFACTORY SATISFACTORY GOOD EXCELLENT Content (worth a maximum of 50% of the total points) Zero points: Student failed to submit the final paper. 20 points out of 50: The essay illustrates poor understanding of the relevant material by failing to address or incorrectly addressing the relevant content; failing to identify or inaccurately explaining/defining key concepts/ideas; ignoring or incorrectly explaining key points/claims and the reasoning behind them; and/or incorrectly or inappropriately using terminology; and elements of the response are lacking. 30 points out of 50: The essay illustrates a rudimentary understanding of the relevant material by mentioning but not full explaining the relevant content; identifying some of the key concepts/ideas though failing to fully or accurately explain many of them; using terminology, though sometimes inaccurately or inappropriately; and/or incorporating some key claims/points but failing to explain the reasoning behind them or doing so inaccurately. Elements of the required response may also be lacking. 40 points out of 50: The essay illustrates solid understanding of the relevant material by correctly addressing most of the relevant content; identifying and explaining most of the key concepts/ideas; using correct terminology; explaining the reasoning behind most of the key points/claims; and/or where necessary or useful, substantiating some points with accurate examples. The answer is complete. 50 points: The essay illustrates exemplary understanding of the relevant material by thoroughly and correctly addressing the relevant content; identifying and explaining all of the key concepts/ideas; using correct terminology explaining the reasoning behind key points/claims and substantiating, as necessary/useful, points with several accurate and illuminating examples. No aspects of the required answer are missing. Use of Sources (worth a maximum of 20% of the total points). Zero points: Student failed to include citations and/or references. Or the student failed to submit a final paper. 5 out 20 points: Sources are seldom cited to support statements and/or format of citations are not recognizable as APA 6th Edition format. There are major errors in the formation of the references and citations. And/or there is a major reliance on highly questionable. The Student fails to provide an adequate synthesis of research collected for the paper. 10 out 20 points: References to scholarly sources are occasionally given; many statements seem unsubstantiated. Frequent errors in APA 6th Edition format, leaving the reader confused about the source of the information. There are significant errors of the formation in the references and citations. And/or there is a significant use of highly questionable sources. 15 out 20 points: Credible Scholarly sources are used effectively support claims and are, for the most part, clear and fairly represented. APA 6th Edition is used with only a few minor errors. There are minor errors in reference and/or citations. And/or there is some use of questionable sources. 20 points: Credible scholarly sources are used to give compelling evidence to support claims and are clearly and fairly represented. APA 6th Edition format is used accurately and consistently. The student uses above the maximum required references in the development of the assignment. Grammar (worth maximum of 20% of total points) Zero points: Student failed to submit the final paper. 5 points out of 20: The paper does not communicate ideas/points clearly due to inappropriate use of terminology and vague language; thoughts and sentences are disjointed or incomprehensible; organization lacking; and/or numerous grammatical, spelling/punctuation errors 10 points out 20: The paper is often unclear and difficult to follow due to some inappropriate terminology and/or vague language; ideas may be fragmented, wandering and/or repetitive; poor organization; and/or some grammatical, spelling, punctuation errors 15 points out of 20: The paper is mostly clear as a result of appropriate use of terminology and minimal vagueness; no tangents and no repetition; fairly good organization; almost perfect grammar, spelling, punctuation, and word usage. 20 points: The paper is clear, concise, and a pleasure to read as a result of appropriate and precise use of terminology; total coherence of thoughts and presentation and logical organization; and the essay is error free. Structure of the Paper (worth 10% of total points) Zero points: Student failed to submit the final paper. 3 points out of 10: Student needs to develop better formatting skills. The paper omits significant structural elements required for and APA 6th edition paper. Formatting of the paper has major flaws. The paper does not conform to APA 6th edition requirements whatsoever. 5 points out of 10: Appearance of final paper demonstrates the student’s limited ability to format the paper. There are significant errors in formatting and/or the total omission of major components of an APA 6th edition paper. They can include the omission of the cover page, abstract, and page numbers. Additionally the page has major formatting issues with spacing or paragraph formation. Font size might not conform to size requirements. The student also significantly writes too large or too short of and paper 7 points out of 10: Research paper presents an above-average use of formatting skills. The paper has slight errors within the paper. This can include small errors or omissions with the cover page, abstract, page number, and headers. There could be also slight formatting issues with the document spacing or the font Additionally the paper might slightly exceed or undershoot the specific number of required written pages for the assignment. 10 points: Student provides a high-caliber, formatted paper. This includes an APA 6th edition cover page, abstract, page number, headers and is double spaced in 12’ Times Roman Font. Additionally, the paper conforms to the specific number of required written pages and neither goes over or under the specified length of the paper. GET THIS PROJECT NOW BY CLICKING ON THIS LINK TO PLACE THE ORDER
CLICK ON THE LINK HERE: https://www.perfectacademic.com/orders/ordernow
Also, you can place the order at www.collegepaper.us/orders/ordernow / www.phdwriters.us/orders/ordernow
Do You Have Any Other Essay/Assignment/Class Project/Homework Related to this? Click Here Now [CLICK ME]and Have It Done by Our PhD Qualified Writers!!