Spring2026_3

lisawatson842

Hi, please assist if possible 


Spring26.Part3.Assignment.docx.pdf

Project 3 – Risk Mitigation Strategy

Description

For this project, you will leverage your research from Project #1 and analysis from Project #2 to develop a risk mitigation strategy for your chosen company. If necessary, you can adjust your Information Usage Profile or your Risk Profile using feedback from your instructor and additional information from your readings and research. The deliverable for this project will be a Risk Mitigation Strategy that includes a Security Controls Profile based upon the security and privacy controls catalog from NIST SP 800-53 Revision 5 and the security functions and identifiers from the NIST Cybersecurity Framework (CSF) Version 1.1.

● NIST SP 800-53 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
● NIST CSF https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Note: Table 2 Framework Core in Appendix A of the NIST Cybersecurity Framework provides a cross-reference for each function/category/sub-category to the security and privacy controls from NIST SP 800-53.

Review Guidance for Information Security Functions & Controls

1. Review the NIST Cybersecurity Framework with a particular focus on the Functions, Categories, and Sub-Categories. Consider how these functions can be employed to mitigate the risks you identified and documented in Project #2.

2. Review Chapter 2 in Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53). Pay special attention to section 2.2 Control Structure and Organization.

3. Review Appendix A in the NIST CSF to identify security Functions/Categories/Sub-Categories which specify risk mitigations that could be implemented to reduce or eliminate each risk listed in your Risk Mitigation Strategy Controls Profile (Table 2).

Develop and Document Your Security Controls Profile

1. Review the sample security controls profile provided in Tables 1 & 2 at the end of this file. Use this sample to guide your security controls analysis and the formatting of your Risk Mitigation Strategy Security Controls Profile. The sample entry in Table 2 was derived from the entry shown below (source: NIST CSF Appendix A Table 2 Framework Core).

2. Copy your Risk Profile (Table 1) from Project #2 into a new file (for your assignment submission). Then copy the Risk Mitigation Strategy Security Controls Profile (Table #2) from this assignment file into your project submission file (place it after Table #1). Delete the sample text from Table #2.

3. Transfer the RISK ID and RISK TITLE columns from Table 1 into Table 2. This is how you will link your Risk Profile to your Risk Mitigation Strategy. You should have 15 or more risks related to the company’s business operations, use of the Internet, the company’s IT systems and infrastructures (including “technologies in use”), and the types and collections of information used by the company.

4. For each row in your Table 2 (Risk Mitigation Strategy Security Controls Profile), choose a security function from the NIST CSF which could be implemented to mitigate the identified risk. Then, review the Category and Sub-Category information for that function. Choose one or more sub-categories and enter those into your table in the CSF Category ID column.

5. Using the Informative References provided in the NIST CSF Appendix A Table 2: Framework Core, identify 2 or 3 security controls which, if implemented, will serve to mitigate the specific risk listed in your risk profile.

6. Write a brief narrative description of the risk mitigation strategy for your identified risk. This strategy should derive from your selected security function and controls. Use the ABC hallmark for writing for executive audiences: accuracy, brevity, and clarity.

Develop Your Risk Mitigation Strategy

1. Review Chapter 1: The Business Case for Decision Assurance and Information Security in the (ISC)2 SSCP Systems Security Certified Practitioner Official Study Guide (the course textbook). This resource will help you determine what information to include as part of your Risk Mitigation Strategy for your selected company. Another helpful resource for understanding what information should be included in your strategy is: https://www.workfront.com/project-management/life-cycle/initiation/business-case

Note: this assignment does not require a full business case. You are not required to provide financial information, implementation plans, etc. Your presentation of your strategy should focus on these sections of a business case:

o Business problem or opportunity
o Benefits
o Risk
o Technical Solutions
o Timescale
o Impact on Operations

2. Identify best practices for information security and reasons / justifications for allocating resources (people, money, technologies) to implement security controls. You will find relevant best practices and justifications listed in the Executive Summaries and opening chapters of NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, and the NIST Cybersecurity Framework. You may wish to discuss your recommendations in terms of timeframe for implementation: immediate, near-term (6 months?), medium term (12-18 months), within the next two years, etc. Keep in mind that there may need to be tradeoffs between time and money.

3. Organize your recommendations to formulate your Risk Mitigation Strategy. At a minimum, this section should include a summary of the business problem (reduce risks related to information and IT systems and infrastructures), the benefits of implementing security controls, the general types of risks to be mitigated (focus on the CIA triad), and the policy, processes, and technical solutions being recommended.

Write

1. An introduction section which provides a brief introduction to the company and the information / information technology risks that it faces (you may reuse some of your narrative from Project #1 and/or Project #2). Your introduction should include a brief overview of the company’s business operations. Follow this with a description of the purpose and contents of this Risk Mitigation Strategy deliverable.

2. A separate analysis section in which you present your Risk Profile. Start with a summary of your Risk Profile. You may reuse your introductory paragraph from Project #2 (revise if necessary) where you explained your risk profile (what information is contained in the table and what sources were used to obtain this information). Include a description of the process and documents used to construct the Risk Profile. Explain the benefits of using a risk profile to help manage risk. The citations and named documents in this paragraph will serve as citations and attributions for the contents of Table #1 (bring Table #1 Risk Profile forward from Project #2 and update if needed). Place Table #1 at the end of this section.

3. A separate analysis section (Security Controls Profile) in which you present your Security Controls Profile. Provide an introductory paragraph that explains the security controls profile, e.g., what information is contained in the table and what sources were used to obtain this information. Describe the process and documents used to construct the Security Controls Profile.

4. A separate section (Risk Mitigation Strategy) in which you present a high-level strategy for implementing the risk mitigations (security controls) presented earlier in this deliverable. This section should include a summary of the business problem (reduce risks related to information and IT systems and infrastructures), the general types of risks to be mitigated (focus on the CIA triad and summarize the risks you previously identified), the benefits of implementing security controls listed in your Security Controls Profile, and the policy, processes, and technical solutions being recommended for implementation (aligned to your Security Controls Profile).

5. A separate Recommendations and Conclusions section which provides a summary of the information contained in this deliverable and presents your concluding statements regarding the business need and business benefits which support implementing your Risk Mitigation Strategy and the allocation of resources by the company.

Submit Your Work for Grading and Feedback

Before you submit your work, check the rubric (displayed in the Assignment Folder entry) to make sure that you have covered all required content including citations and references.

Submit your work in MS Word format (.docx or .doc file) using the Project #3 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Your 8 to 10 page deliverable should be professional in appearance with consistent use of fonts, font sizes, colors, margins, etc. You should use headings and sub-headings to organize your paper. Use headings which correspond to the content rows in the rubric – this will make it easier for your instructor to find required content elements and will help you ensure that you have covered all required sections and content in your paper.

2. The stated page length is a recommendation based upon the content requirements of the assignment. All pages submitted will be graded but, for the highest grades, your work must be clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a higher grade. Shorter submissions may not fully meet the content requirements, resulting in a lower grade.

3. The INFA program requires that graduate students follow standard APA style guidance for both formatting and citing/referencing sources. Your file submission must be in MS Word format (.docx). PDF, ODF, and other types of files are not acceptable.

4. You must include a cover page with the course, the assignment title, your name, your instructor’s name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct, and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow APA Style guidance. Use of required readings from the course as sources is expected and encouraged. Where used, you must cite and provide references for these readings.

7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact numbering and names (titles) when referring to those controls. This information does not need to be treated as quotations. You may paraphrase or quote from the descriptions of the controls provided that you appropriately mark copied text (if any) and attach a citation for both quoted and paraphrased information.

8. Consult the grading rubric for specific content and formatting requirements for this assignment.

9. All work submitted to the Assignment Folder will be scanned by the Turn It In service. We use this service to help identify areas for improvement in student writing.

Table 1. Risk Profile for [company]

Columns: Risk ID, Risk Title, Description, Risk Category, Impact Level

Sample row (001):
  Risk ID: 001
  Risk Title: Unauthorized disclosure of customer information.
  Description: Disclosure of or access to customer information must be restricted to authorized individuals with a need to know. Unauthorized disclosure or access could result in harm to customers and financial liabilities for the company.
  Risk Category: People
  Impact Level: Medium

Rows 002 through 015: blank template rows to be completed.

Table 2. Risk Mitigation Strategy Security Controls Profile

Columns: Risk ID, Risk Title, Risk Mitigation Strategy, CSF Category ID, Security Controls

Sample row (001):
  Risk ID: 001
  Risk Title: Unauthorized disclosure of customer information.
  Risk Mitigation Strategy: Implementation of role-based access controls will reduce the risk of unauthorized access to customer information by controlling which individuals are granted access to the systems and software used to collect, process, transmit, and store this information.
  CSF Category ID: PR.AC Identity Management, Authentication, and Access Control: PR.AC-4
  Security Controls: AC-3 (7) Access Enforcement | Role Based Access Control; AC-3 (11) Access Enforcement | Restrict Access to Specific Information Types

Rows 002 through 015: blank template rows to be completed.
