SWEET 2


DUE SUNDAY OCTOBER 9TH 2022

QUESTION 1
----------
Suppose you accidentally started a fire at your company. A while back, you brought in an extension cord and noticed it was becoming pretty frayed. You kept forgetting to replace it. In this case, are you held responsible for the damage caused to your company? What if no one knew it started at your cubicle? Would it be unethical for you to deny that there was anything in your cubicle that caused the fire if someone asked you?

QUESTION 2
----------
From the internet, find out what laws Maryland has passed to prosecute computer crimes. List a minimum of two methods for preventing illegal or unethical behavior in an organization and justify your rationale.

QUESTION 3
==========
When planning, it is important to consider crucial elements such as explicitly stating the ethical, entrepreneurial, and philosophical perspectives. Omitting any one of these perspectives might cause your strategic plan to become unmanageable. In recent years the ethical perspective has come into focus, and companies such as IBM, HP, Enron, and WorldCom have had ethical lapses in their business operations widely publicized. Pick one of these companies and discuss how it failed to operate ethically. Make sure to provide supporting evidence for your answer.

QUESTION 4
==========
What is InfoSec governance? What are the five basic outcomes that must be achieved through InfoSec governance? Why? Research and explain the role of the Information Technology Governance Institute (ITGI) in InfoSec governance.

QUESTION 5
==========
To make sound decisions about information security, a proper plan must be in place. Planning is defined as the process of developing, creating, and implementing strategies for the accomplishment of goals and objectives. Levels of planning include strategic, tactical, and operational.

Scenario: You and your security team have been tasked with creating a 3- to 5-minute presentation for the board in which you demonstrate your team's plan to secure the organization's assets over the next three to five years. You will create an 8-page PowerPoint document to accompany the 3- to 5-minute video. Using the company from the SWEET 1 task, create a high-level (general) strategy that lets management make informed decisions about their investments in security. In the 3- to 5-minute video/screencast, you must address the criteria below.

Identify the business goals for the organization. Make sure they align with the organization's mission and vision statements. Note: These goals are usually created by the CEO of the company and then translated into more specific goals for the levels below.

Then define and map the individual responsibilities for your division, and respond to the CEO's general strategy with an IT-focused statement of strategy and supporting goals. These goals must be specific, measurable, achievable, and time-bound. For each goal, make sure to address:
- Specific security functions, processes, and people/roles.
- Compliance standards, governing rules, regulations, etc. (international, federal, state, local, and industry-specific legislation).
- Applicable security policies.
- Potential impacts to the organization should the security fail.

Next, translate the plans and goals you created into a division-specific tactical plan, outlining the following:
- How to achieve the high-level strategic plan.
- What actions are required to achieve short-term goals.
- Who has responsibility for implementation.

Lastly, translate the plans and goals you created into a division-specific operational plan, outlining the following:
- How resources will be allocated to achieve short-term goals.
- What the desired outcome will be.
- How progress will be monitored.

Within the screencast, make sure to reference a variety of visuals that contribute to the audience's understanding of the technical aspects, recommendations, and overall objective of the plan.

QUESTION 6
==========
Research each of the following standards for implementing risk management models: NIST SP 800-39, NIST SP 800-37, and ISO 27005:2011. Recommend a model for organizations that do not have a risk management program in place. Explain why risk identification, through a listing of assets and their vulnerabilities, is so important to the risk management process.

QUESTION 7
==========
Once the InfoSec team in an organization identifies its risks and evaluates the values of its information assets, the team will have to decide whether the current level of risk is acceptable or not. What are some of the factors that make this decision challenging? Justify your rationale.

QUESTION 8
==========
Once the InfoSec team has identified assets with an unacceptable level of risk, the team must choose one of the five basic strategies to treat the risks for those assets. Review all five strategies and discuss the following: What conditions must be met to ensure that risk acceptance has been used properly? What must be considered in a mitigation plan? Can outsourcing be used for risk transference? Explain.

QUESTION 9
==========
How should a risk management framework and process be communicated to an organization's stakeholders? What best practices would you recommend?

QUESTION 10
===========
Each member of an organization is held accountable for managing risks. Therefore, it is essential to establish the context for a risk framework and risk process. Using your company from SWEET 1, establish a risk management framework using industry standards for compliance.

Part 1
Create a Risk Management Framework.

Part 2
In 500–750 words, discuss various risk assessment models, methodologies, and processes that can be used to perform a risk assessment of a particular system. Make sure to:
- Describe how risk relates to a system security policy.
- Describe various risk analysis methodologies.
- Considering your framework from Part 1, explain why it is important to evaluate and categorize risk (a) with respect to technology, (b) with respect to individuals, and (c) in the enterprise.
- Compare the advantages and disadvantages of various risk assessment methodologies.
- Explain how one would select the optimal methodology based on needs, advantages, and disadvantages.