Homework #2
CKD
CKD is a virtual reality application maker that specializes in the advanced VR technologies often used by government agencies as training simulators and by gamers who seek cutting-edge gaming technology. When it comes to advances in application technology, no one beats CKD.
CKD's business strategy focuses on forward-thinking research and development (R&D) and very high-end VR systems. They have built a niche market catering to those who want advanced VR capabilities. As such, their rivals (both foreign and domestic) would love to get their hands on CKD's research data and design specifications. That threat is second only to CKD having its production line shut down. CKD is a small start-up company with about 100 employees selling high-end products. They carry no inventory and must keep up with government contracts, not to mention gaming customer demand. If their production line goes down for any length of time, they are out of business.
Because CKD relies heavily on its information and information systems, having a solid information security program is imperative. Loss of R&D data would wipe them out. However, because CKD is a start-up, funds for information security are limited and the accounting officer keeps a tight hold on spending; and because production cannot be interrupted, the operations officer doesn't want anything fouling up product output, even if it is essential to information security.
Major decisions at CKD are made by the executive council (EC), which consists of the Chief Executive Officer (CEO), Chief Operations Officer (COO), Chief Financial Officer (CFO), Chief Legal Officer (CLO) and Chief Information Officer (CIO). You have been hired to fill the role of Chief Information Security Officer (CISO). In that capacity you and your staff of six are responsible for developing cyber security policies, securing CKD's information infrastructure and performing IT audits for security and compliance.
Homework #2 – Audit!!!
Because CKD has a contract with the military, they are subject to an audit under FISMA. The CIO has turned to you, the CISO, to conduct a complete security (risk) assessment of CKD's information security posture. You have a staff of 5 to help you. This is your time to shine. Explain to the CIO in detail how you intend to go about conducting the assessment. You recall that in your system certification course you learned the steps required for conducting a risk assessment (NIST SP 800-30R1). You decide to start there. You also remember that FISMA requires government agencies and third-party contractors like CKD to have C&As (NIST SP 800-37R1) for all their systems, and that all organization employees must have annual information security assurance training. You use that to help scope your assessment.
Please explain how you would conduct the risk assessment.