Wk2_415

Assignment Content

1.

Top of Form

As the CISO for a health care organization, you are tasked with the following:

· Analyze an information system for determining the selection of security control objectives in order to manage information security risk and apply that gained knowledge to build a security assessment plan.

· Assess information security controls to mitigate risks and secure operations for a specified industry organization.

 

Read the NewTab Project Profile document and refer to FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems .

Part A: Security Assessment Plan

Create a 3- to 4-page security assessment plan (SAP) in Microsoft® Word that includes the following:

· Short summary of the NewTab project

· Description of each of the 11 security control families as documented in FIPS Publication 200 and listed in the NewTab Project Profile

· Priority list of the top 5 security control families of concern, based on their applicability to the NewTab project

· Explanation of your rationale for the top 5 security control families that must be analyzed and assessed in order to determine any vulnerabilities that the NewTab solution may have

 

Part B: Build the POA&M

Based on the list of 7 vulnerabilities provided in the NewTab Project Profile and the information from the SAP you wrote in Part A, complete a 3- to 4-page POA&M using the Plan of Action and Milestones (POA&M) Worksheet.

Cite any references according to APA guidelines.

CYB/415 v2

Plan of Action and Milestones (POA&M) Worksheet

CYB/415 v2

Page 2 of 2

Plan of Action and Milestones (POA&M) Worksheet

Complete the table below to include the following for each of the 7 vulnerabilities listed in the NewTab Project Profile:

· Description of Vulnerability: Describe the vulnerability.

· Security Control Family: Identify the security control family attributed to the vulnerability.

· Recommended Mitigation: Include the applicable NIST SP 800-53a security controls as described by IT security management.

· Scheduled Completion Date: Estimate the completion date based on the complexity of the vulnerability.

· Required Resources: Estimate the monetary cost of correcting the vulnerability.

· Organizational Department: Identify the department(s) responsible for tasks such as resourcing and implementing solutions to correct the vulnerability.

· Milestones: Identify several specific requirements to correct the vulnerability.

Description of Vulnerability	Security Control Family	Recommended Mitigation	Scheduled Completion Date	Required Resources	Organizational Department	Milestones

Copyright 2020 by University of Phoenix. All rights reserved.

Copyright 2020 by University of Phoenix. All rights reserved.

CYB/415 v2

NewTab Project Profile

CYB/415 v2

Page 2 of 2

NewTab Project Profile

Refer to this project profile as you complete the Wk 2 – Security Assessment Plan, the Wk 4 – Incident Response Plan and Penetration Testing Agreement, and the Wk 5 – Strategic Plan assignments.

Scenario

The health care organization is adding a tablet (iPad® 2, iOS 8.0.1) to its personnel reporting information system, called HI-PHI. It will be attached to the health care organization ’s secured network infrastructure.

NewTab provides the health care organization with the capability to view and modify Protected Health Information (PHI) from the master registration database on a mobile device (i.e., iPad®). The PHI is transmitted wirelessly to the iPad® into HI-PHI.

User Community: 25 users (doctors)

Data: HI-PHI includes protected health information (PHI)

NewTab Suite

· iPads®:

· Model: iPad® 2, iOS 8.0.1

· Pre-loaded with standard iOS apps

· Use standard 6-number passcode to access iPad®

· Use VPN client to remotely access health care organization network with user’s network account login

· Within the network, the iPad® automatically connects to health care organization ’s wireless network

· HI-PHI Application:

· Uses single sign-on (from network account) to log into HI-PHI

· Accesses PHI from the PHI database

· PHI Database (protected health information)

Architecture

Security Requirement Control Families

Note: A detailed description of these families can be found in FIPS Publication 200.

1. AC Access Control

2. AT Awareness and Training

3. AU Audit and Accountability

4. CP Contingency Planning

5. IA Identification and Authentication

6. IR Incident Response

7. MP Media Protection

8. PE Physical and Environmental Protection

9. PS Personnel Security

10. SC System and Communications Protection

11. SI System and Information Integrity

List of Vulnerabilities Discovered From a Security Test and Evaluation

Vulnerability #1: Tools for the review of audit records and the reports generated from audit records are not available. Audit records do not include some or all of the mandatory data. The contents of audit trails are not protected against unauthorized access, modification, or deletion.

Vulnerability #2: The authentication required to access the iPads®, once screen-locks are activated, are not unique to each device. Non-unique authentication for screen unlock is utilized throughout system. All iPads® are set to the same screensaver unlock password.

Vulnerability #3: No information security personnel training plan has been developed that identifies initial and refresher training and familiarization requirements for assigned information security roles.

Vulnerability #4: iPads® are not configured to enforce the password stringency required by NIST Policy. The iPads® are not configured to enforce the required password strength, complexity, and aging. The health care organization senior leadership has specified that passwords will have a minimum of 12 characters using at least one upper case character, one lower case character, a number, and a special character. The policy will also enforce mandatory changing of passwords after every 90 days.

Vulnerability #5: The iPads® are not stored and locked in a secured location when employees are not using them. There is no policy for employees to sign out iPads®.

Vulnerability #6: There is no set of Employee Rules of Behaviors for users to sign holding them accountable for their actions.

Vulnerability #7: There is no mobile device management capability.

Financial Plan for Implementation of the Information Security Organization

1. Total Annual Infrastructure Budget: $1.2 million (hardware, software, licenses, spares, etc.)

2. Total Annual Supplies Budget: $0.2 million (user computers, batteries, etc.)

3. Total Annual Personnel Budget: TBD (will be determined in Week 5 financial plan)

4. Total Training Budget: TBD (will be determined in Week 5 financial plan)

The Total Annual Operating Budget will be the sum of the 4 areas above.

The Infrastructure Budget includes SOC equipment which is to include SIEM servers and software (e.g., vulnerability scanners, log correlation, event monitoring).

Information Security Personnel Resources

Position	Level	Certification	Salary and Benefits Cost Per Year Note: This is not the individual salary per year; this includes the complete cost to the company, factoring in vacation, health insurance, 401K, etc.	Training Costs Per Year
CISO	Senior	CISSP, CCISO	$300,000	$15,000
Senior Information Security Manager	Senior	CISSP, CISM	$250,000	$15,000
Senior Security Architect	Senior	CISSP, CISM	$200,000	$5,000
Security Architect	Mid-Level	CISSP, Sec+, SSCP	$150,000	$5,000
Senior Security Engineer	Senior	CISSP, CISM	$200,000	$5,000
Security Engineer	Mid-Level	CISSP, Sec+, SSCP	$150,000	$5,000
Senior Security Risk Analyst	Senior	CISSP, CISM	$200,000	$2,000
Security Risk Analyst	Mid-Level	CISSP, Sec+, SSCP	$150,000	$2,000
Junior Security Risk Analyst	Entry Level	Sec+, SSCP	$100,000	$2,000
Security Incident Responder	Mid-Level	CISSP, Sec+, SSCP	$125,000	$2,000

Copyright 2020 by University of Phoenix. All rights reserved.

Copyright 2020 by University of Phoenix. All rights reserved.