V

qbe89

see attached.


I.docx

You are the security manager for a newly established organization. The chief executive officer (CEO) knows about the six basic CIS controls and wants to know which of the six controls you would establish first. Discuss which of these basic controls you would implement first and why.

UnitV.pdf

SEC 4320, IS Security Capstone 1

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

1. Compile a vulnerability assessment using the current security posture.

1.1 Integrate the critical security controls into an organization assessment.

4. Propose a security plan for a project solution.

4.1 Prioritize the critical security controls according to the needs of the organization.

5. Construct preventative measures to ensure critical assets are secure.

5.1 Classify the critical security controls utilizing a risk assessment matrix.

Required Unit Resources

In order to access the following resources, click the links below.

Allodi, L., & Massacci, F. (2017, August). Security events and vulnerability data for cybersecurity risk estimation. Risk Analysis, 37(8), 1606–1627. https://libraryresources.columbiasouthern.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bsu&AN=124586639&site=ehost-live&scope=site

Woods, D., Agrafiotis, I., Nurse, J. R., & Creese, S. (2017). Mapping the coverage of security controls in cyber insurance proposal forms. Journal of Internet Services and Applications. https://jisajournal.springeropen.com/articles/10.1186/s13174-017-0059-y#Abs1

A transcript and closed captioning are available for both videos below once you access them.

CPNI UK. (2012, April 3). 20 critical security controls for cyber defense [Video]. YouTube. https://c24.page/5ws89v9fdbr4q9pjyk6s4t8wsr

MIS Training Institute. (2018, March 26). The benefits of leveraging the CIS critical security controls [Video]. YouTube. https://c24.page/26cy2qmjqgfzdqwf998mbf4ssx

Unit Lesson

In Unit III, you developed a security framework using the National Institute of Standards and Technology (NIST) SP 800-53. You also identified the security controls that should be used as a baseline for the organization's security framework. In Unit IV, it was briefly mentioned that critical security controls are vulnerable to potential threats, and a risk assessment was done based on the results from an assessment tool (Microsoft Baseline Security Analyzer). A few of the security controls were scanned and analyzed to generate a vulnerability matrix assessment.

In this unit, we will take an in-depth look at the Center for Internet Security (CIS) Critical Security Controls (CSC). According to the Center for Internet Security (CIS, n.d.), there are 20 security controls that are critical to protect and safeguard the critical assets within the information technology infrastructure. Please review the video Prioritizing the Top 20 Critical Security Controls for more information. A transcript and closed captioning are available once you access the video. These 20 critical security controls fall into three categories: basic CIS controls, foundational CIS controls, and organizational CIS controls, as shown below (CIS, n.d.):

UNIT V STUDY GUIDE IT Tool and Control Assessment


Basic CIS controls

  • Inventory and control of hardware assets
  • Inventory and control of software assets
  • Continuous vulnerability management
  • Controlled use of administrative privileges
  • Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
  • Maintenance, monitoring, and analysis of audit logs

Foundational CIS controls

  • Email and web browser protections
  • Malware defense
  • Limitation and control of network ports, protocols, and services
  • Data recovery capabilities
  • Secure configuration for network devices, such as firewalls, routers, and switches
  • Boundary defense
  • Data protection
  • Controlled access based on the need to know
  • Wireless access control
  • Account monitoring and control

Organizational CIS controls

  • Implementation of a security awareness and training program
  • Application software security
  • Incident response and management
  • Penetration tests and red team exercises
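The first basic control in the list above, inventory and control of hardware assets, comes down to one recurring check: does every device seen on the network appear in the authorized inventory, and does every inventory entry still correspond to a live device? The script below is an added example of that reconciliation and is not code from the course material or from CIS. The inventory and the DHCP log excerpt are constructed, and the dnsmasq-style log syntax is an assumption; adjust ACK_RE to match your own DHCP server's log format.

```python
"""Reconcile observed network devices against the authorized hardware inventory.

Added example for the first basic CIS control (inventory and control of
hardware assets); it is not code from the course material. The inventory
and the DHCP log lines are constructed, and the dnsmasq-style log format is
an assumption, so adjust ACK_RE for your own DHCP server."""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC address -> (expected hostname, owning unit)
AUTHORIZED_ASSETS = {
    "aa:bb:cc:dd:ee:01": ("ws-shipping-01", "shipping"),
    "aa:bb:cc:dd:ee:02": ("ws-billing-01", "billing"),
    "aa:bb:cc:dd:ee:03": ("srv-inventory-db", "it"),
}

# Constructed DHCP server log excerpt (assumed dnsmasq syntax).
DHCP_LOG = """\
Apr  3 09:12:01 gw dnsmasq-dhcp[512]: DHCPACK(eth0) 10.0.0.12 aa:bb:cc:dd:ee:01 ws-shipping-01
Apr  3 09:14:22 gw dnsmasq-dhcp[512]: DHCPACK(eth0) 10.0.0.13 aa:bb:cc:dd:ee:02 DESKTOP-7Q2
Apr  3 09:20:05 gw dnsmasq-dhcp[512]: DHCPDISCOVER(eth0) de:ad:be:ef:00:01
Apr  3 09:20:06 gw dnsmasq-dhcp[512]: DHCPACK(eth0) 10.0.0.57 de:ad:be:ef:00:01 android-7f3a
"""

# Only completed leases (DHCPACK) prove a device is actually on the network;
# a DHCPDISCOVER alone is ignored.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Return {mac: Lease} for every DHCPACK line; later leases overwrite earlier ones."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m is None:
            continue
        mac = m.group("mac").lower()
        leases[mac] = Lease(m.group("ip"), mac, m.group("host") or "")
    return leases


def reconcile(leases, inventory):
    """Compare observed devices with the inventory and return the three findings
    a security manager acts on: devices missing from the inventory, inventory
    entries never seen on the wire, and devices whose hostname drifted."""
    observed, known = set(leases), set(inventory)
    unauthorized = sorted(observed - known)
    unseen = sorted(known - observed)
    mismatched = sorted(
        mac for mac in observed & known
        if leases[mac].hostname and leases[mac].hostname != inventory[mac][0]
    )
    return {"unauthorized": unauthorized, "unseen": unseen, "mismatched": mismatched}


if __name__ == "__main__":
    report = reconcile(parse_leases(DHCP_LOG), AUTHORIZED_ASSETS)
    for finding, macs in report.items():
        print(f"{finding}: {', '.join(macs) or 'none'}")
```

Run against the constructed log, the report flags the Android device as unauthorized, the inventory database server as unseen (worth checking whether it was retired without updating the inventory), and the billing workstation as mismatched because its observed hostname no longer matches the record. Each of those is a follow-up task for the asset owner rather than an automatic block; MAC addresses are easy to spoof, so this check is a first-pass detection, not an enforcement mechanism.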

The critical security controls shown above support the security professional in designing policies, procedures, and documentation that will protect the organization in compliance with the CIS. Which of the critical security controls should you, as a security professional, implement first in your organization? One look at the CIS critical security control categories should provide the hint of which controls you should start with. To establish a baseline security framework, you should begin by implementing the basic CIS controls that secure the assets and people in the organization.

Many of you have seen some of these controls already implemented when you were hired to work for an organization. Examples of such controls that you may have seen are the company's standard operating procedures (SOP), which provide a step-by-step set of instructions about the company and have a section on information technology (IT) security measures. The authorized use policy (AUP) contains specific rules about what can and cannot be done using organizational equipment, including the use of the Internet.

Depending on your job within the organization, there will be controlled administrative access governing the equipment and/or applications that an employee is allowed to access. As an example, if you work in shipping and handling, you will not be granted access to customer billing information. Another example involves whether or not you have access to the company's inventory database. If you are the systems administrator, you will have access to hardware as well as software applications. How much access you will have is determined by the policy set forth by the organization's upper management. At no time should one individual within the organization have access to all hardware and applications. The security professional's main job is to ensure the protection of all hardware and applications from potential security threats.

Therefore, an organization's network, documents, and people will be monitored for security compliance, and vulnerability scans will continuously take place within the organization. The remediation or fixes to vulnerabilities will be done by security and IT personnel within the organization. As you can see, the basic CIS controls are important to setting the security baseline and framework for the organization to build upon.

Without a solid foundation, the organization will be susceptible to the easiest threats to the IT infrastructure. As always, there are risks with all the controls used. How much of a risk impact—whether it be low, medium, or high—will be tolerated is determined by the organization's upper management. However, you must first set the baseline of what risk is acceptable based on the controls implemented in the organization. Once the basic controls are implemented, then the security posture can evolve with the foundational CIS controls and then the organizational CIS controls. Please know that if the organization already has a strong basic security framework in place, then the organization can start with the foundational CIS controls and/or organizational CIS controls.
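The lesson's access examples (shipping staff cannot see billing data, the systems administrator reaches hardware and software, and no single person holds access to everything) are the controlled-use-of-administrative-privileges control expressed as policy. The script below is an added example of how a security manager can audit account grants against that policy; it is not code from the course material. The systems, the role policy, and the account records are all constructed to mirror the lesson's cases, and the names are hypothetical.

```python
"""Audit account access against role policy (controlled use of administrative
privileges and need-to-know). Added example, not course material; the systems,
role policy and accounts are constructed to mirror the lesson's shipping,
billing and systems-administrator cases."""

# Constructed set of systems and applications in the organization.
SYSTEMS = {"shipping-app", "customer-billing", "inventory-db", "hw-admin", "sw-admin"}

# Constructed role policy: what upper management permits each role to reach.
ROLE_POLICY = {
    "shipping": {"shipping-app"},
    "billing": {"customer-billing"},
    "sysadmin": {"hw-admin", "sw-admin", "inventory-db"},
}

# Constructed account records: username -> (role, systems actually granted).
# "mlee" has drifted beyond the shipping role, "root-ops" holds everything,
# and "tempcontractor" has a role no policy entry covers.
ACCOUNTS = {
    "jsmith": ("shipping", {"shipping-app"}),
    "mlee": ("shipping", {"shipping-app", "customer-billing"}),
    "root-ops": ("sysadmin", SYSTEMS.copy()),
    "tempcontractor": ("contractor", {"inventory-db"}),
}


def excess_grants(accounts, policy):
    """Return {user: [systems]} for every grant the user's role does not permit.
    An account whose role has no policy entry gets every grant flagged, since
    nothing authorizes it."""
    findings = {}
    for user, (role, granted) in accounts.items():
        extra = granted - policy.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def all_access_accounts(accounts, systems):
    """Accounts that can reach every system: the lesson's rule that no one
    individual should have access to all hardware and applications."""
    return sorted(user for user, (_, granted) in accounts.items() if systems <= granted)


def unknown_role_accounts(accounts, policy):
    """Accounts whose role is not defined in the policy at all."""
    return sorted(user for user, (role, _) in accounts.items() if role not in policy)


if __name__ == "__main__":
    print("excess grants:", excess_grants(ACCOUNTS, ROLE_POLICY))
    print("all-access accounts:", all_access_accounts(ACCOUNTS, SYSTEMS))
    print("accounts with no role policy:", unknown_role_accounts(ACCOUNTS, ROLE_POLICY))
```

The three checks map to three remediation conversations: excess grants go back to the account's manager to revoke or to justify with a role change, an all-access account is split into separate administrative identities, and an account with an undefined role needs a policy entry before it keeps any access at all. In practice the account records would be exported from the directory or identity provider rather than typed in, but the comparison logic stays the same.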


So, we come back to the same question. Which of the critical security controls should you, as a security professional, implement first in your organization? That will depend on the current security climate of the organization. Even if the organization is well established in its security framework, there is always a chance of complacency in the security culture. Therefore, there is nothing wrong with going back over the basic CIS controls to see if the organization has captured all the security controls.

Reference

Center for Internet Security. (n.d.). The 20 CIS controls & resources. https://www.cisecurity.org/controls/cis-controls-list/
