1) Structure & Frameworks for Establishing and Managing the Internal IT Security Program
This week, our focus is upon the structures and frameworks used to establish and manage a business’s internal cybersecurity or IT security program. Most businesses do not attempt to create their own structure from the ground up. Instead, they adopt and adapt one or more governance frameworks developed by an industry standards setting body, e.g. ISACA, a national standards body (e.g. NIST or the British Standards Organization), or an international body such as the International Standards Organization (ISO). Specific IT governance frameworks and standards for information security management include:

COBIT® 4.1
ISO/IEC 27001/27002
ITIL® v. 3

These frameworks and standards set forth recommended organization structures for information security functions within a business and recommend policies, procedures, activities, and best practices which should be adapted and adopted by a business.
Businesses also need to adopt a standard set of IT security controls which will be used to mitigate and manage risk (see http://www.praxiom.com/iso-27000-definitions.htm#Control). IT security controls are also used to establish the performance standards used to evaluate the effectiveness (functioning) of the IT security program. There are three primary categories (“classes”) of security controls:

Management Controls
Operational Controls
Technical Controls

The National Institute of Standards and Technology (NIST) publishes a catalog of recommended security controls for information, information technology, and related management functions (NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. http://dx.doi.org/10.6028/NIST.SP.800-53r4). Originally developed for federal government organizations, this controls catalog is widely used by businesses and includes 18 families of controls. The table below is from Revision 3 of NIST SP 800-53 and shows the mapping of security control families to the three categories (“Classes”): management, operational, and technical.

Security controls are integrated with and serve as the basis for the audit and compliance elements of the organization’s IT governance program. Compliance audits serve as a means for determining the effectiveness of the IT security program with respect to implementing controls.
Many businesses use COBIT and/or ITIL as their governance frameworks for managing the delivery of IT services. In this debate, you are asked to take a position as to which framework is a better fit for managing IT SECURITY services.
Write a 3 to 5 paragraph position statement in which you identify and describe 3 to 5 contributions that your chosen framework will make to “good governance” and “good management” for a company’s IT Security Management Program.
Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the end of your posting.
If you need help getting started, review chapter 1 in Aligning CobiT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit: http://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002-for-Business-Benefit_res_Eng_1108.pdf
You can also search this document for “information security” to find processes (ITIL) or control objectives (COBIT) that are specific to the management and delivery of IT security services.
Timeliness of Initial Posting
Rating levels: On Time, Late, Very Late, No Submission
Timeliness of Briefing Statement or Paper
2) Corporate Profile Part 2: Cybersecurity Risk Profile
For this paper, you will construct a cybersecurity risk profile for the company that you wrote about in Part 1 of the Corporate Profile project. Your risk profile, which includes an Executive Summary, Risk Register, and Risk Mitigation Recommendations (Approach & Security Controls by family), will be developed from information provided by the company in its Form 10-K filing (Annual Report to Investors) retrieved from the U.S. Securities and Exchange Commission (SEC) Edgar database. You will also need to do additional research to identify security controls, products, and services which could be included in the company’s risk response (actions it will take to manage cybersecurity related risk).
Research
1. Review the Risk section of the company’s SEC Form 10-K. Develop a list of 5 or more specific cyberspace or cybersecurity related risks which the company included in its report to investors. Your list should include the source(s) of the risks and the potential impacts as identified by the company.
2.  For each risk, identify the risk management or mitigation strategies which the company has implemented or plans to implement.
3. Next, use the control families listed in the NIST Special Publication 800-53 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf) to identify general categories of controls which could be used or added to the company’s risk management strategy for each risk in your list.
4.  For each control family, develop a description of how the company should implement these controls (“implementation approach”) as part of its risk management strategy.
Write
1. Develop a 2 to 3 page Executive Summary from your Corporate Profile Part 1 (reuse and/or improve upon the business profile). Your Executive Summary should provide an overview of the company, summarize its business operations, and discuss the sources, potential impacts, and mitigation approach/strategy for cybersecurity related risks identified in the company’s annual report. The Executive Summary should appear at the beginning of your submission file.
2.  Copy the Risk Register & Security Control Recommendations table (see template at the end of this assignment) to the end of the file that contains your Executive Summary.
3.  Using the information you collected during your research, complete the table. Make sure that you include a name and description for each risk. For the security controls, make sure that you include the family name and a description of how each recommended control should be implemented (implementation approach). Include the control family only. Do not include individual security controls from NIST SP 800-53.
Your Risk Profile is to be prepared using basic APA formatting (including title page and reference list) and submitted as an MS Word attachment to the Corporate Profile Part 2 entry in your assignments folder. See the sample paper and paper template provided in Course Resources > APA Resources for formatting examples. Consult the grading rubric for specific content and formatting requirements for this assignment.
Table 1. Risk Register & Risk Mitigation Approach with Recommended Security Controls

Column 1: Risk Identifier. Sequence # or brief title (<50 characters).
Column 2: Description of the Risk & Current Risk Management Strategy. Must be from Form 10-K. Split complex risk statements into multiple individual risks.
Column 3: Risk Mitigation Approach with Recommended Security Controls (by NIST SP 800-53 family). Must list the NIST Control Family (two character ID) as part of the recommended mitigation.
Rubrics for both questions.

Criteria and rating levels: Excellent, Outstanding, Acceptable, Needs Improvement, Needs Significant Improvement, Missing or Unacceptable

Executive Summary: Introduction to the Company
20 points
Provided an excellent introduction which identified the company being profiled and included a brief overview of the company (may reuse narrative from Part 1 of this assignment). Appropriately used information from 3 or more authoritative sources.
18 points
Provided an outstanding introduction which identified the company being profiled and included a brief overview of the company (may reuse narrative from Part 1 of this assignment). Appropriately used information from 2 or more authoritative sources.
16 points
Provided an introduction which identified the company being profiled and included a brief overview of the company (may reuse narrative from Part 1 of this assignment). Appropriately used information from authoritative sources.
14 points
Provided an introduction to the company but the section lacked some required details. Information from authoritative sources was cited and used in the overview.
9 points
Attempted to provide an introduction to the company but this section lacked detail and/or was not well supported by information drawn from authoritative sources. 
0 points
The introduction section was missing or did not clearly identify the company.
Executive Summary: Sources of Cybersecurity Risk
20 points
Provided an excellent summary of the sources, potential impacts, and planned mitigation approach/strategy for cyberspace and/or cybersecurity related risks as identified in the Risk Section of the company’s annual report.
18 points
Provided an outstanding summary of the sources, potential impacts, and planned mitigation approach/strategy for cyberspace and/or cybersecurity related risks as identified in the Risk Section of the company’s annual report. Appropriately used and cited information from 3 or more authoritative sources.
16 points
Provided a summary of the sources, potential impacts, and planned mitigation approach/strategy for cyberspace and/or cybersecurity related risks as identified in the Risk Section of the company’s annual report. Appropriately used and cited information from 2 or more authoritative sources.
14 points
Provided a summary of the sources, potential impacts, and planned mitigation approach/strategy for cyberspace and/or cybersecurity related risks as identified in the Risk Section of the company’s annual report. Appropriately used and cited information from authoritative sources.
9 points
Provided a discussion of the cybersecurity risks that the company faces. The discussion lacked detail and/or was not well supported by information drawn from authoritative sources.
0 points
Risk discussion was missing or off topic.
Table: Risk Register
15 points
Provided a complete, concise, and thorough Risk Register (columns 1 and 2 of table) for 10 or more cyberspace or cybersecurity related risks as identified in the company’s annual report. (Risk ID was numeric sequence # or short title suitable for cross-referencing.)
14 points
Provided a complete, concise, and thorough Risk Register (columns 1 and 2 of table) for 8 or more cyberspace or cybersecurity related risks as identified in the company’s annual report. (Risk ID was numeric sequence # or short title suitable for cross-referencing.)
13 points
Provided a completed Risk Register (columns 1 and 2 of table) for 5 or more cyberspace or cybersecurity related risks as identified in the company’s annual report. (Risk ID was numeric sequence # or short title suitable for cross-referencing.)
11 points
Provided a completed Risk Register (columns 1 and 2 of table) for at least three cyberspace or cybersecurity related risks which the company faces.
9 points
Attempted to complete the Risk Register (columns 1 and 2 of table) for 3 or more entries but information about the risks was lacking details.
0 points
Did not complete 3 or more entries in the Risk Register.
Table: Risk Mitigation Approach
15 points
Provided a complete, concise, and thorough Risk Mitigation Approach with Recommended Security Controls by family (column 3 of table) for 10 or more cyberspace or cybersecurity related risks as identified in the company’s annual report.
14 points
Provided a complete, concise, and thorough Risk Mitigation Approach with Recommended Security Controls by family (column 3 of table) for 8 or more cyberspace or cybersecurity related risks as identified in the company’s annual report.
13 points
Provided a completed Risk Mitigation Approach with Recommended Security Controls by family (column 3 of table) for 5 or more cyberspace or cybersecurity related risks as identified in the company’s annual report.
11 points
Provided a completed Risk Mitigation Approach with Recommended Security Controls by family (column 3 of table) for at least three cyberspace or cybersecurity related risks which the company faces.
9 points
Attempted to complete the Risk Mitigation Approach with Recommended Security Controls by family (column 3 of table) for 3 or more entries but information about risk mitigation was lacking details.
0 points
Did not complete 3 or more entries in the Risk Mitigation Approach column of the table.
Addressed security issues using standard cybersecurity terminology
5 points
Demonstrated excellence in the integration of standard cybersecurity terminology into the case study.
4 points
Provided an outstanding integration of standard cybersecurity terminology into the case study.
3 points
Integrated standard cybersecurity terminology into the case study.
2 points
Used standard cybersecurity terminology but this usage was not well integrated with the discussion.
1 point
Misused standard cybersecurity terminology.
0 points
Did not integrate standard cybersecurity terminology into the discussion.
APA Formatting for Citations and Reference List
5 points
Work contains a reference list containing entries for all cited resources. Reference list entries and in-text citations are correctly formatted using the appropriate APA style for each type of resource.
4 points
Work contains a reference list containing entries for all cited resources. One or two minor errors in APA format for in-text citations and/or reference list entries.
3 points
Work contains a reference list containing entries for all cited resources. No more than 3 minor errors in APA format for in-text citations and/or reference list entries.
2 points
Work has no more than three paragraphs with omissions of citations crediting sources for facts and information. Work contains a reference list containing entries for cited resources. Work contains no more than 5 minor errors in APA format for in-text citations and/or reference list entries.
1 point
Work attempts to credit sources but demonstrates a fundamental failure to understand and apply the APA formatting standard as defined in the Publication Manual of the American Psychological Association (6th ed.).
0 points
Reference list is missing. Work demonstrates an overall failure to incorporate and/or credit authoritative sources for information used in the paper.
Professionalism Part I: Organization & Appearance
5 points
Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
4 points
Submitted work has minor style or formatting flaws but still presents a professional appearance. Submitted work is well organized and appropriately uses color, fonts, and section headings (per the assignment’s directions).
3 points
Organization and/or appearance of submitted work could be improved through better use of fonts, color, titles, headings, etc. OR Submitted work has multiple style or formatting errors. Professional appearance could be improved.
2 points
Submitted work has multiple style or formatting errors. Organization and professional appearance need substantial improvement.
1 point
Submitted work meets minimum requirements but has major style and formatting errors. Work is disorganized and needs to be rewritten for readability and professional appearance.
0 points
Submitted work is poorly organized and formatted. Writing and presentation are lacking in professional style and appearance. Work does not reflect college level writing skills.
Professionalism Part II: Execution
15 points
No formatting, grammar, spelling, or punctuation errors.
14 points
Work contains minor errors in formatting, grammar, spelling or punctuation which do not significantly impact professional appearance.
13 points
Errors in formatting, spelling, grammar, or punctuation which detract from professional appearance of the submitted work.
11 points
Submitted work has numerous errors in formatting, spelling, grammar, or punctuation. Work is unprofessional in appearance.
4 points
Submitted work is difficult to read / understand and has significant errors in formatting, spelling, grammar, punctuation, or word usage.
0 points
Submitted work is poorly executed OR does not reflect college level work.
Overall Score
Excellent: 90 or more points
Outstanding: 80 or more points
Acceptable: 70 or more points
Needs Improvement: 56 or more points
Needs Significant Improvement: 36 or more points
Missing or Unacceptable: 0 or more points
Posted briefing statement or paper before 11:59 PM ET on Friday.
10 points
Posted briefing statement or paper before 11:59 PM ET on Saturday.
5 points
Posted briefing statement or paper before 11:59 PM ET on Sunday.
0 points
Did not post a briefing statement or paper before 11:59 PM ET on Sunday.
Briefing Statement or Paper
Rating levels: Excellent, Outstanding, Acceptable, Needs Improvement, Needs Significant Improvement, Missing or No Work Submitted

Introduction to Briefing Statement or Paper
10 points
Provided an excellent introduction to the deliverable which clearly, concisely, and accurately addressed the topic of the briefing statement or paper. Appropriately paraphrased information from authoritative sources.
8.5 points
Provided an outstanding introduction to the deliverable which clearly and accurately addressed the topic of the briefing statement or paper. Appropriately paraphrased information from authoritative sources.
7 points
Provided an acceptable introduction to the deliverable which addressed the topic of the briefing statement or paper. Appropriately paraphrased information from authoritative sources.
6 points
Provided an introduction to the deliverable but the section lacked some required details. Information from authoritative sources was mentioned.
4 points
Attempted to provide an introduction to the deliverable but this section lacked detail and/or was not well supported by information drawn from authoritative sources (too many quotations or improper paraphrasing).
0 points
Introduction was missing or no work submitted.
Analysis
15 points
Provided an excellent analysis of the issues for the required briefing topic. Addressed at least three separate issues and provided appropriate examples for each. Appropriately used and cited information from authoritative sources.
13.5 points
Provided an outstanding analysis of the issues for the required briefing topic. Addressed at least two separate issues and provided appropriate examples for each. Appropriately used and cited information from authoritative sources.
12 points
Provided an acceptable analysis of the issues for the required briefing topic. Addressed at least one specific issue and provided an appropriate example. Appropriately used and cited information from authoritative sources.
11 points
Addressed the required briefing topic but the analysis lacked details or was somewhat disorganized. Appropriately used and cited information from authoritative sources.
8 points
Mentioned the required briefing topic but the analysis was very disorganized or off topic. OR, the analysis did not appropriately use information from authoritative sources (too many quotations or improper paraphrasing).
0 points
Analysis was missing or no work was submitted.
Summary
10 points
Included an excellent summary section for the briefing statement or paper which was on topic, well organized, and covered at least 3 key points. The summary contained at least one full paragraph.
8.5 points
Included an outstanding summary paragraph for the briefing statement or paper which was on topic and covered at least 3 key points.
7 points
Included a summary paragraph for the briefing statement or paper which was on topic and provided an appropriate closing.
6 points
Included a summary paragraph but this section lacked content or was disorganized.
4 points
Included a few summary sentences for the briefing statement or paper.
0 points
Did not include a summary for the briefing statement or paper.
Use of Authoritative Sources
5 points
Included and properly cited three or more authoritative sources (no errors).
4 points
Included and properly cited three or more authoritative sources (minor errors allowable).
3 points
Included and cited two or more authoritative sources (minor errors allowable). Reference list entries contain sufficient information to enable the reader to find and retrieve the cited sources.
2 points
Included and cited at least one authoritative source (errors allowable in citations or reference entries). Reference list entries contain sufficient information to enable the reader to find and retrieve the cited sources.
1 point
Mentioned at least one authoritative source but the citations and/or reference list entries lacked required information (not sufficient to retrieve the correct resource).
0 points
References and citations were missing. Or, no work submitted.
Professionalism
10 points
No formatting, grammar, spelling, or punctuation errors. Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
8.5 points
Work contains minor errors in formatting, grammar, spelling or punctuation which do not significantly impact professional appearance. Work needs some polishing to improve professional appearance.
7 points
Errors in formatting, spelling, grammar, or punctuation which need attention / editing to improve professional appearance of the work.
6 points
Submitted work has numerous errors in formatting, spelling, grammar, or punctuation. Substantial polishing / editing is required.
4 points
Submitted work is difficult to read and/or understand. OR, work has significant errors in formatting, spelling, grammar, punctuation, or word usage which detract from the overall professional appearance of the work.
0 points
No submission.
Timeliness of Postings
Rating levels: On Time, Late, Very Late

First Critique for Another Student
2 points
Posted a critique of another student’s briefing statement or paper before 11:59 pm ET on Saturday.
1 point
Posted a critique of another student’s briefing statement or paper before 11:59 pm ET on Sunday.
0 points
Did not post a critique of another student’s briefing statement or paper before 11:59 PM ET on Sunday.
Second Critique for Another Student
2 points
Posted a second critique of another student’s briefing statement or paper before 11:59 pm ET on Saturday.
1 point
Posted a second critique of another student’s briefing statement or paper before 11:59 pm ET on Sunday.
0 points
Did not post a second critique of another student’s briefing statement or paper before 11:59 PM ET on Sunday.
Follow-Up Reply or Discussion Participation
2 points
Posted a follow-up reply or discussion posting before 11:59 pm ET on Sunday.
0 points
Posted a follow-up reply or discussion posting after 11:59 pm ET on Sunday.
0 points
Did not post a follow-up reply in the week’s topic.
Second Follow-Up Reply or Discussion Posting
2 points
Posted a second follow-up reply or discussion posting before 11:59 pm ET on Sunday.
0 points
Posted a second follow-up reply or discussion posting after 11:59 pm ET on Sunday.
0 points
Did not post a second follow-up reply in the week’s topic.
Quality of Discussion Postings
Rating levels: Excellent, Acceptable, Needs Improvement, Low-Quality or No Work Submitted

Critique #1 for Another Student’s Briefing Statement or Paper
10 points
Posted an excellent critique for another student’s briefing statement or paper. Critique focused on ways in which the content could be improved and/or better organized. Provided 3 or more specific examples and added value to the discussion.
8.5 points
Posted an acceptable critique for another student’s briefing statement or paper. Critique focused on ways in which the content could be improved and/or better organized. Provided at least one specific example and added value to the discussion.
7 points
Posted a critique of another student’s briefing statement or paper. Critique provided at least one suggestion for improvement.
0 points
Posting was missing or did not contain a critique of the briefing statement or paper.
Critique #2 for Another Student’s Briefing Statement or Paper
10 points
Posted an excellent critique for another student’s briefing statement or paper. Critique focused on ways in which the content could be improved and/or better organized. Provided 3 or more specific examples and added value to the discussion.
8.5 points
Posted an acceptable critique for another student’s briefing statement or paper. Critique focused on ways in which the content could be improved and/or better organized. Provided at least one specific example and added value to the discussion.
7 points
Posted a critique of a second student’s briefing statement or paper. Critique provided at least one suggestion for improvement.
0 points
Posting was missing or did not contain a critique of the briefing statement or paper.
Follow-up Reply or Comment #1
5 points
Posted a follow-up reply or comment which added value to the discussion.
4 points
Posted an acceptable follow-up reply or comment which added some value to the discussion.
3 points
Posted a follow-up reply or comment but added little value to the discussion.
0 points
Posting was missing or did not add value to the discussion.
Follow-up Reply or Comment #2
5 points
Posted a follow-up reply or comment which added value to the discussion.
4 points
Posted an acceptable follow-up reply or comment which added some value to the discussion.
3 points
Posted a follow-up reply or comment but added little value to the discussion.
0 points
Posting was missing or did not add value to the discussion.
Overall Score
Excellent: 100 or more points
Outstanding: 85 or more points
Acceptable: 75 or more points
Needs Improvement: 65 or more points
Needs Significant Improvement: 1 or more points
No Work Submitted: 0 or more points