Capstone - Information Systems
Table of Contents
COMPETENCIES
INTRODUCTION
REQUIREMENTS
RUBRIC
COMPETENCIES
981.1.1: Capstone
The graduate integrates and synthesizes competencies from across the degree program, thereby demonstrating the ability to participate in and contribute value to the chosen professional field.
INTRODUCTION
In this task, you will design, develop, and implement the capstone project approved by your course instructor.
You will compile the information for your solution into a report based on the prompts below.
Your work for this task will not be evaluated until the appropriate forms from Task 1 have been submitted and evaluated.
REQUIREMENTS
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. An originality report is provided when you submit your task that can be used as a guide.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
Tasks may not be submitted as cloud links, such as links to Google Docs, Google Slides, OneDrive, etc., unless specified in the task requirements. All other submissions must be file types that are uploaded and submitted as attachments (e.g., .docx, .pdf, .ppt).
A. Write an executive report that includes the following requirements:
• the security problem under investigation
• background information about the problem
• a root cause analysis of the problem
• a description of the stakeholders
• an analysis of systems, processes, or both
• a description of the project requirements
• the data available or the data that needs to be collected to support the project
• the industry-standard methodology you used to guide and support the solution’s design and development
• deliverables associated with the design and development of the technology solution
• the strategy for implementing the solution and anticipated outcomes from the project, including phases of the rollout, details of project launch, and training plan for users
• the quality assurance plan for the solution, including formative and summative evaluation plans and plans for revision
• assessment of risks associated with the implementation
• the technology environments, tools, and any related costs, as well as the human resources, that are necessary to execute each project phase
• a projected timeline, including milestones, start and end dates, duration for each milestone, dependencies, and resources assigned to each task
• the framework that will be used to assess the success of the project and assess whether the security solution meets stakeholders' needs, including test cases and acceptance criteria
B. Design and develop a technology-supported security solution that addresses your identified business problem or organizational need.
1. Your solution must contribute to at least one of the following major security areas:
Cyberlaw, Regulations, and Compliance
Leadership and Professionalism
Security Planning and Management
Systems Security
2. Provide a summary that explains how your solution meets the following criteria:
• facilitates the development of consensus-based codes of conduct
• promotes the adoption of standards and practices
• promotes automation in cybersecurity
• improves and modernizes security assurance
• implements industry-standard security tools and infrastructure or environment
• collects digital evidence, including data for analysis or forensics
• provides cybersecurity plans, strategies, and policies
• implements confidentiality, integrity, and availability
• mitigates cybersecurity threats
• investigates cybersecurity incidents or crimes
• includes decision-support functionality
• provides a training plan for users
C. Create each of the following forms of documentation for the solution you have developed:
• a subset of comprehensive elements of cybersecurity plans, policies, standards, or procedures
• analysis of the alignment of the solution with organizational cybersecurity initiative or regulatory compliance
• assessment of the solution’s implementation, including testing results and implemented revisions
• applications, tools, installation, and user guides for any other environment used
• assessment of the efficiency of the solution
• post-implementation systems and process analysis, including diagrams or descriptions of the environment
• post-implementation risk assessment
• analysis of collected data
• analysis of the final output
• stakeholder impact analysis
• post-implementation and maintenance plans for the solution, including supporting resources
• the results from the solution testing and revisions
• training plan for users
• control deficiencies analysis that includes a plan of action and milestones
• source code and executable files, with installation and user guides, if applicable
• artifacts from the domain your solution addresses (listed below)
Domain: Cyber Risk Management and Oversight
- organization chart
- cybersecurity-related policies and procedures
- strategic plans
- cybersecurity job descriptions
- cybersecurity personnel qualifications
- risk assessments
- data loss prevention analysis
- IT audit schedule
- IT audit reports and correspondence
- audit exception tracking
- risk management reports
- cybersecurity training policies and procedures
- cybersecurity training and awareness materials
Domain: Cybersecurity Controls
- list of physical access controls (e.g., key cards, biometric controls, video cameras)
- baseline security configuration standards
- vulnerability or patch management policies and procedures
- patch management reports
- penetration test results and reports
- vulnerability assessments
- continuous monitoring strategy
Domain: External Dependency Management
- list of third parties and subcontractors
- contracts governing all third-party relationships
- inventory of all third-party connections
- network topology/diagram
- independent reports on the service provider’s security controls
- remote access logs
- third-party employee access reviews
- vendor management policies and procedures
Domain: Threat Intelligence and Collaboration
- list of threat intelligence resources (e.g., industry groups, consortiums, threat and vulnerability reporting services)
- management reports on cyber intelligence
Domain: Cyber Resilience
- cybersecurity event log and reports on cyber incidents
- business impact analysis
- business or corporate continuity plan
- results of resilience testing
- resilience testing reports
- cyber incident response plans
- crisis management plans
- data loss prevention analysis
- continuous monitoring strategy
D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
E. Demonstrate professional communication in the content and presentation of your submission.
RUBRIC
PROGRAM OUTCOME 1: THE GRADUATE DEVELOPS CYBERSECURITY PLANS, STRATEGIES, AND POLICIES TO SUPPORT AND ALIGN WITH ORGANIZATIONAL CYBERSECURITY INITIATIVES AND REGULATORY COMPLIANCE:
COMPETENT: The submission develops cybersecurity plans, strategies, and policies that support and align with organizational cybersecurity initiatives and regulatory compliance.
PROGRAM OUTCOME 2: THE GRADUATE PROVISIONS INFORMATION TECHNOLOGY INFRASTRUCTURE TO ENSURE THAT IT PROVIDES CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY:
COMPETENT: The submission provisions information technology infrastructure to ensure it provides confidentiality, integrity, and availability.
PROGRAM OUTCOME 3: THE GRADUATE OPERATES HARDWARE, SOFTWARE, AND VIRTUAL ENVIRONMENTS TO ENSURE EFFECTIVE AND EFFICIENT INFORMATION TECHNOLOGY SYSTEM PERFORMANCE AND SECURITY:
COMPETENT: The submission demonstrates the ability to operate hardware, software, and virtual environments to ensure effective and efficient information technology system performance and security.
PROGRAM OUTCOME 4: THE GRADUATE DEFENDS INFORMATION TECHNOLOGY INFRASTRUCTURE BY ANALYZING AND MITIGATING CYBERSECURITY THREATS:
COMPETENT: The submission demonstrates the ability to defend information technology infrastructure by analyzing and mitigating cybersecurity threats.
PROGRAM OUTCOME 5: THE GRADUATE INVESTIGATES CYBERSECURITY INCIDENTS OR CRIMES RELATED TO INFORMATION TECHNOLOGY AND DIGITAL EVIDENCE BY COLLECTING AND ANALYZING CYBERSECURITY INFORMATION:
COMPETENT: The submission demonstrates the ability to investigate cybersecurity incidents or crimes related to information technology and digital evidence by collecting and analyzing cybersecurity information.
D: Sources
COMPETENT: The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available, or the candidate does not use sources.
E: PROFESSIONAL COMMUNICATION
COMPETENT: Content reflects attention to detail, is organized, and focuses on the main ideas as prescribed in the task or chosen by the candidate. Terminology is pertinent, is used correctly, and effectively conveys the intended meaning. Mechanics, usage, and grammar promote accurate interpretation and understanding.
Cybersecurity Graduate Capstone Topic Approval Form
The purpose of this approval form is to help you clearly state your research question for this capstone project, as well as your project's scope and timeline, to ensure that these align with your degree emphasis. You will not have a complete and realistic overview of your project, and the acceptability of your project for the purposes of this course cannot be accurately assessed without clearly defining each of these areas. Many students use a project they have already completed within the past two years. If you choose a finished project, you will write the proposal as if the project is not yet complete. Then, when you report on your project, use your complete after-implementation report.
If you have not yet started your project, this document can help make sure the scope is in the acceptable range for this capstone. A course instructor must approve this form before you submit your capstone for evaluation. The task will not be evaluated without a course instructor's signature. The course instructor may ask for additional information before approving the form.
Student Name: Stanley Wilson
Student ID: 001476606
Capstone Project Name: The NIST 800-53 Control Framework: A Path to a Secure and Compliance System
☒ This project does not involve human subjects research and is exempt from WGU IRB review.
Project Topic: Cybersecurity Risk Management.
Summary of the problem: As technology continues to advance, organizations regardless of size and sector face cybersecurity and regulatory compliance risks. Cyberattacks are becoming more common and frequent, affecting organizations around the globe (Benz & Chatterjee, 2020). Benz and Chatterjee also add that some of the damages caused by cyberattacks involve monetary loss, loss of reputation, compliance risks, and potential loss of business.
Outline of technology-supported security solution: The proposed security solution will involve utilizing a cybersecurity or control framework to develop a cybersecurity program that addresses cybersecurity and regulatory compliance risks (Selig, 2016). NIST 800-53 is a control framework that can be used to develop a cybersecurity control program which addresses various technological and security concerns, and to ensure that security is incorporated throughout the system development life cycle (SDLC) (NIST, 2020).
Context: Explain why the situation or question would benefit from your security solution. The benefit would be to develop and implement a comprehensive, flexible, and risk-based approach that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle (SDLC). The proposed security solution can be applied to new and legacy systems, whether acquired or developed in-house. The NIST 800-53 control framework would enable organizations to comply with privacy laws and regulations. In addition, it will help organizations mitigate the risks of cyberattacks (NIST, 2020).
Stakeholders: Identify the project stakeholders. Authorizing Official (AO), usually the Chief Information Officer (CIO) or Associate CIO (ACIO); Chief Information Security Officer (CISO); Information System Owner (ISO); Business Owner (BO); Information Systems Security Manager (ISSM); Information Systems Security Officer (ISSO); Security Control Assessor; System Administrators; Developers; and System Users (employees).
Project Plan: Describe the project plan, scope, goals, and objectives. The project plan is to implement the NIST 800-53 control framework, which provides security controls that address cybersecurity risks based on business needs and objectives. The three control baselines in NIST 800-53 allow organizations to implement security in a cost-effective way that aligns technology and business goals. The goal is to implement the NIST 800-53 control framework in the organization and to ensure that all information systems comply with it, thereby protecting the confidentiality, integrity, and availability of information and information systems. The scope includes all systems used to support mission and business processes for both public and private organizations, as well as best practices and regulatory requirements. A further goal is to apply the NIST 800-53 control framework through a risk-based approach and to integrate security, privacy, and cyber supply chain risk management activities into the system development life cycle (SDLC). Finally, the project aims to develop an effective information security and privacy program that provides protection commensurate with the risk from unauthorized access, use, disclosure, disruption, modification, or destruction of an information system, bringing that risk to a level acceptable to the organization.
Methodology: Outline the project approach. The approach will involve identifying all organizational information systems and categorizing them based on business and security needs; identifying all stakeholders and their roles and responsibilities; utilizing research gathered on implementing the NIST 800-53 control framework to secure systems currently in operation or under development, together with best practices, standards, and guidelines regarding their secure use; and, finally, implementing the NIST 800-53 control framework and monitoring the security program for compliance.
Implementation Plan: Identify the project phases. The phases are as follows: introducing the framework to the CIO and other executive stakeholders; incorporating the framework into the organization's IT strategies; identifying the stakeholders; implementing the framework; and incorporating the framework into current technological and security solutions, policies, standards, and best practices. Lastly, the framework will be monitored for success.
Project Outcomes: List the key anticipated project outcomes and deliverables in 500 words or less. The key deliverable for the project is an effective information security and privacy program that minimizes threats from both internal users and external malicious individuals. The outcomes involve ensuring that a NIST 800-53 control framework program is implemented to provide security for the organization's information systems, while also applying administrative, operational, and technical control solutions to successfully mitigate risk throughout the risk management process. The other outcome is to ensure that a continuous monitoring program is implemented so that systems are monitored on an ongoing basis.
Projected Project End Date: 8/31/2021
Sources: Include an APA-style list for all references and citations that support the summaries above and are used in-text and as outside sources.
Benz, M., & Chatterjee, D. (2020). Calculated risk? A cybersecurity evaluation tool for SMEs. Business Horizons, 63(4), 531-540. https://www.sciencedirect.com/science/article/abs/pii/S0007681320300392?via%3Dihub
National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Federal Information Systems and Organizations. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Selig, G. J. (2016). IT governance: An integrated framework and roadmap: How to plan, deploy and sustain for improved effectiveness. Journal of International Technology and Information Management, 25(1), 55-76. https://scholarworks.lib.csusb.edu/cgi/viewcontent.cgi?article=1252&context=jitim&httpsredir=1&referer
Course Instructor Signature/Date: 08/12/2021
Implementation of Risk Management Framework under Federally Compliant Standards 1
Implementation of Risk Management Framework under Federally Compliant Standards
Adam Hooper
A Prospectus Presented to the Information Technology College Faculty
of Western Governors University
in Partial Fulfillment of the Requirements for the Degree
Master of Science in Information Security and Assurance
Date of Submission April 30, 2016
A1. Abstract
The Risk Management Framework (RMF) is a system developed by the National Institute of Standards and Technology (NIST) intended to address security within an organization with a risk-based approach. With today's climate of increased cyber security risk, a heightened awareness of information security is prevalent among corporate and government organizations around the world. Applying the RMF designed by NIST to any organization using publicly available, federally compliant standards can effectively mitigate or reduce risk to an acceptable level. The plan to implement RMF was to leverage the structured lifecycle as designed by NIST and apply the various controls, countermeasures, and methodologies used by federal entities to an organization that was previously non-compliant. Research included accessing only information that was publicly releasable and available to the general population. This included the NIST SP 800 series documents as they pertain to federal systems. Implementation occurred on a simulated organization and included the full system security plan. This hypothetical organization was designed from real-world examples to streamline the implementation of RMF. The proposed time to complete the implementation was a few weeks, which is considerably less than if an actual organization were utilized, as all facets of the business would have to be involved. The actual outcome of this implementation yielded baseline documents that can be applied to many other organizations and leveraged to expedite the RMF process as a whole.
Table of Contents
B1. Capstone Summary ..... 4
C1. Systems and Process Audit ..... 7
D1. Detailed and Functional Requirements ..... 11
E1. Project Design ..... 14
F1. Methodology Approach Explanation ..... 19
F2. Methodology Approach Defense ..... 20
G1. Project Development ..... 21
G2. Resources Used ..... 22
G3. Final Output ..... 22
H1. Quality Assurance Approach ..... 24
H2. Solution Testing ..... 24
I1. Implementation Plan ..... 25
J1. Risk Assessment ..... 28
J2. Cost/Benefit Analysis ..... 29
J3. Risk Mitigation ..... 30
K1. Post Implementation Support ..... 31
K2. Post Implementation Support Resources ..... 31
K3. Maintenance Plan ..... 32
L1. Project Summary ..... 33
L1a. Deliverables ..... 33
L1b. Outcomes ..... 34
L2. Reflection ..... 35
M. References ..... 36
B1. Capstone Summary
Project scope
The scope of this project included the entire RMF lifecycle. According to the NIST SP 800-37 document, six steps make up the process. The first step was categorize, which entailed determining the authorization boundary of the information system and what impact the three components of the CIA triad (confidentiality, integrity, and availability) had on the system. Next, the select step was the process of defining and selecting the baseline controls to be applied to the environment based on the categorization. The implement step followed, and was the process of applying the controls. After implement, the security controls were evaluated in the assess step to determine the validity and operation of the implementation, as well as whether they produced the desired outcome. Subsequently, the authorize step provided the system authorization to operate based on the level of acceptable risk. Finally, the monitor step is an ongoing assessment of the security posture. As a result of these six steps, the scope was defined as identifying the system and applicable controls, implementing and assessing the controls, and authorizing and monitoring the environment's operation.
Defense of the Solution
The implementation of RMF was important to address the ever-changing world of information technology security. The old model, DIACAP, was proven to leave information systems stagnant and without review for years at a time. The implementation of RMF enforced the use of continuous monitoring over the lifecycle of the system. Additionally, mandates defined by government agencies require all systems to adopt the new model. In a regulated DOD environment, rewritten policies require the change. For the case of this implementation, a DOD environment could not be used for demonstration purposes, as the details of a DOD information system may have been considered sensitive or classified information. A model network was used for the study to demonstrate the process without affecting a production environment or risking the dissemination of sensitive data. Additionally, the positive benefits of a risk management framework implementation were realized in a private sector organization from the enhanced security requirements of national security systems.
Methodology Justification
In an attempt to familiarize the audience with RMF, a typical infrastructure design was created from industry standards as the approach for implementation. Using a fictitious information system, the intricacies of the vulnerabilities and the controls applied could be described in detail without breaching potentially sensitive information about an actual organization. Rather than utilizing a production network for a business or a system used by a government agency, a mock network was utilized. This network represented the standard configuration of a system that meets federal compliance standards. If an actual business network had been utilized, the application of security controls could have taken the system offline. A test network and lab environment was used to reduce these potential negative effects. However, some effects from the application of security controls were not realized until a much later time. Additionally, a legitimate national security system would not have been available for public release. Using industry standard designs, the potential disruption to business practices was avoided, as was the unnecessary release of sensitive information.
Organization of the Capstone Report
The remainder of the capstone report is broken into sections covering the systems and process audit, detailed and functional requirements, project design, methodology, project development, quality assurance, implementation plan, risk assessment, post implementation support and issues, and the conclusion, outcomes, and reflection.
First comes the background information, which summarizes the history of DIACAP and the transition to RMF, including the difficulties entities face during the transition. The next section summarizes the requirements and mandates to implement RMF. The following section details the consequences of implementing RMF on an infrastructure. Next, the cost analysis summarizes the fiscal impact of reasonably implementing the framework. Following the cost analysis, the risk analysis details the likelihood and consequence of implementing RMF, including controls across the organization. The next section addresses the level of understanding that is applied uniformly throughout the process, including the boundaries defined during the process. The final section addresses what may be faced, and the circumstances under which risk is accepted rather than mitigated.
C1. Systems and Process Audit
Audit Details
The scope of the audit was the implementation of a risk management framework under federally compliant standards, a topic chosen because of the heavy focus on cyber security over the past few years. Attacks on business and government entities have grown exponentially and captured the public eye. Additionally, recent mandates require transition from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the NIST Special Publication based Risk Management Framework (RMF) for all DOD information systems. Implementation of the RMF enabled a lifecycle approach to risk management rather than a multi-year iterative approach.
Problem Statement
Based on the results of the audit, the security problem addressed was the lack of large-scale implementation. Until recently, all federally compliant systems conformed to DIACAP. The recent requirement to implement RMF has occurred within the three-year cycle under which most agencies are currently accredited. As these accreditations expire, the entities will be required to reauthorize their systems under a completely new set of procedures.
Problem Causes
The significant factor contributing to the problem was the change from DIACAP to RMF. As previously stated, DIACAP was acknowledged to be the de facto standard for many years. RMF, as defined by NIST in Special Publication 800-37, is now considered to be the accepted standard. The new mandate required transition from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the NIST Special Publication based Risk Management Framework (RMF) for national security systems. However, RMF is not widely deployed and deviates from previous practices to such an extent that responsible parties find the task of converting overwhelming. According to the National Institute of Standards and Technology (2012), the transition from DIACAP to RMF will provide a standardized language, efficient enterprise management, and potential cost savings by integrating with the SDLC process. These beneficial changes in themselves present a challenge for the implementation. Standard nomenclature will be modified across the board, which presents a learning curve to those used to the older process. The addition of enterprise management may be a new hurdle for information assurance professionals to adopt, since a more manual process was required under DIACAP. Finally, the change from the previous process to applying entirely new controls will require gathering new artifacts that were not available before. The three-year accreditation process of DIACAP allowed the organization to incorporate new changes incrementally. The overhaul with RMF will require a full review and rework of the accreditation package.
Business Impacts
In this case scenario, the possible operational and business impact of the lack of an RMF, as it applies to the fictitious organization, cannot be fully realized. The intent was to demonstrate the purpose and process of implementing an RMF solution. It was assumed, however, that the impacts from a realized threat would mimic the impact to a real business. Loss or disruption of any aspect of the confidentiality, integrity, and availability (CIA) triad can result in impacts on business functions including finances, reputation, or even the ability to deliver goods or protect the public. Data loss containing potentially sensitive information about customers is unfortunately a common occurrence in our culture. The loss of personal information can result in legal ramifications including fines or court-ordered settlements.
Cost Analysis
The cost to implement a reasonable solution such as a risk management framework is greatly outweighed by the potential loss incurred from an information security breach. It would be difficult to assign a dollar figure to the actual process of implementing RMF. However, the harm to an organization from a cyber-attack has the potential to result in losses greater than the entity may be able to recover from. According to Corbin (2013), cyber security personnel average $116,000 in salary per year. Assuming a standard work week, this breaks down to approximately $55 per hour. The duration to fully implement an RMF solution is indefinite, because the last phase of RMF is continuous monitoring: the staff hired for the implementation will be retained to continue sustaining compliance. As stated by the National Initiative for Cybersecurity Careers and Studies (2015), over 20 different roles for cybersecurity professionals are listed. In a smaller environment such as this, multiple roles can be assumed by individuals. A team of 2-3 professionals should be adequate to perform the implementation and maintenance of RMF. The combination of two to three average salaries comes to approximately $230,000 to $350,000 per year.
Risk Analysis
According to Verizon (2014), breaches resulting in the disclosure of data have been
steadily increasing every year. In 2004 a total of fewer than 100 breaches
occurred. Ten years later, in 2014, over 1000 incidents occurred. This demonstrates that
cybercrime is steadily rising every year.
Information security is the protection of information from disruption of the
confidentiality, integrity, and availability (CIA) of that data. The increased adoption of
technology within our global civilization has brought information security into the focus of
public attention. Cybercrime and terrorism have become increasing threats to individuals and
organizations due to this widespread acceptance of technology within our modern lives. The
realization of these threats constitutes the risk to be mitigated through the use of a risk management
framework. It is evident from the common reports of businesses around the world becoming
victims of corporate espionage or hacking of information systems that a greater sense of urgency
is required to protect these organizations.
D1. Detailed and Functional Requirements
Requirements
The requirement for implementing a risk management framework is to ensure the
continuation of operations with minimal disruption. Every business faces some form of risk, and it
is essential to have a system in place to minimize potential risk, deal with new threats, and abate
the realization of these risks. Additionally, an important business factor may be the requirement
to substantiate the management of information security to members of the board or a group of
investors. Having a presentable and actionable plan in place to address risk is relevant, as it may
be required to bring additional investors on board or satisfy other requirements. Additional
requirements may include legal responsibilities, contractual requirements, or regulatory
obligations.
The importance of these business drivers should be considered as the implementation of
RMF is executed. Having a plan for continuation of operations in the event of a disruption will
enable the business to function in the face of disaster. Every business has a conceivable limit
on the duration of downtime it can sustain before it is no longer feasible for the business to
endure. Having an established business continuity plan (BCP) and disaster recovery plan (DRP)
will enable the stakeholders of the organization to deal efficiently with potential disaster
scenarios, as these events generally strike at unforeseen times.
Minimizing the potential risk within tolerable limits will enable the business to speak to
its preparation. As new threats arise, a risk management framework will contain aspects that
enable the organization to deal with them as they come, since the realization of these risks is
inevitable. The ability to substantiate the management of information security in the climate of
our current state of technological advancement will be at the forefront of any board member's
mind. Additionally, current investors will have a vested interest in the organization's
survivability as well as in the potential to bring additional investors on board.
Finally, all businesses face some form of regulatory obligation. These may include
regulations set forth by the industry or government, or by other organizations that offer a level of
certification that will enable the business to grow and achieve a new level of desirability.
Furthermore, each industry will face some form of legal responsibility. This may be realized
during normal operation, before bringing on a new line of business, or in the event that a threat is
recognized. Lastly, during the normal course of business there will be some form of contractual
requirement. This may include new acquisitions or maintaining a service level agreement
(SLA).
Existing Gaps
Risk is the potential loss faced by an organization due to the realization of a threat. From
an information security perspective this loss can include personally identifiable information
(PII), protected health information (PHI), or business-sensitive information, resulting in a
financial loss. Implementing risk management can assist with identifying, assessing, and
prioritizing these risks. An accepted solution to this implementation is to leverage the risk
management framework (RMF) as defined by NIST. RMF replaces the deprecated certification
and accreditation (C&A) process developed by the Joint Task Force Transformation Initiative
Working Group.
To summarize, the existing gap of the problem in a business sense is the potential loss
that can occur if risks are not dealt with. Managing risks enables the organization to prepare for
incidents that can damage its reputation, profitability, or marketability. The lack of a risk
management framework could result in the loss of financial, customer, or proprietary
information. The leak of this type of data can put off potential investors and customers alike.
Additionally, an organization may not be compliant with regulations or laws that require a
risk management plan. Without this compliance, the business may be shut down until the issue is
resolved, or potentially permanently.
E1. Project Design
Scope
The scope of the project in this organization was to ensure compliance with RMF as well
as a hardened security posture. Following the processes laid out by NIST, implementing a risk
management framework helped the organization to reduce its overall risk. From a technology
perspective, default configurations provided by manufacturers are generally insecure. When
these technologies are designed and deployed in an organization, they are configured for
compatibility and interoperability. The disregard for secure implementation opened the
organization up to potential risks. Utilizing the technology currently in place and applying the
prescribed controls will close the gaps exploited by persistent threats within the organization. Additionally,
by achieving compliance with the NIST RMF standard, the organization's technology met the
requirements set forth by various industry and government standards. The solution in this case is
the reconfiguration and restriction of default manufacturer settings. Finally, enforcement of
compliance assists with the recovery and continuance of operations for the organization when the
inevitable risk of disaster or data breach occurs.
Assumptions
The assumptions made regarding the problem included details on the RMF standards
and the networks they were applied to. First, it was assumed that the most current baseline would be
used for RMF. For example, NIST SP 800-37 is currently at revision 1 and the controls
document, NIST SP 800-53, is currently at revision 4. Once the actual implementation began, the
current revisions of all applicable documents were observed and recorded. These versions
remained the locked-in baseline to be used throughout the entire implementation. Next, it was
assumed that no current security strategy existed for the network to be managed. Using the RMF
lifecycle approach, a complete strategy was developed for the system. Finally, it was assumed
that information security was of the utmost importance to the network. In a production
environment, due care must be taken to limit the implementation of some controls to meet business
requirements. As these changes do not affect a real-world organization, the strictest controls were
applied as reasonably fit.
Project Phases (Timeline, Dependencies, & Requirements)
The document NIST Special Publication 800-37 Revision 1 (2010) has a well-defined
process consisting of six phases to be completed by designated individuals. The first phase was
categorization of the information system. This phase is to be completed by the information
owner and is a conceptualized process that defines requirements of information security in the
system. The timeline of this step can vary based on the information system. If the system is
operational with current documentation, then the categorization can be completed once all of the
stakeholders are available. Otherwise, the dependencies include information that must be
gathered to determine the system boundaries, requirements, and functions so the authorized
individual may review the CIA triad requirements. This phase may take a few days to a week to
complete. Resources required include mainly the documentation mentioned above and the
individuals to review.
The second phase was to select security controls. A designated representative or
authorizing official will take the categorization of the system and select an overlay of controls to
be applied. The timeline for this phase is relatively short as well: within a week, the organization
should be able to gather the control documents and select the controls. The dependencies include
the previous phase of system categorization and the preparation of the control documents to be
obtained. The resources for this phase are the same as for the previous phase. It is possible that,
immediately following the system categorization phase, requirements for the resources may
be laid out for immediate action.
The third phase is implementation of the controls. An information security engineer is
selected to apply the controls as designated by the authorizing official. The timeline for this phase
will vary based on the size and scope of the information system. If the system contains hundreds
of workstations, servers, and networking devices, the resources required may include a large staff
and possibly supplemental contractor assistance to apply the controls. The phase itself may take
weeks, months, or years based on the uptime requirements of the systems.
The fourth phase is assessing the security controls. An information security officer will
review the controls applied by the engineer to validate their application and effectiveness.
Additional resources may include scanning software and hardware such as a vulnerability
scanner, or may include a manual review process. The main dependency of this phase is the
complete implementation of the control phase for the system to be assessed. The timeline for this
phase can be a few days if the automated tools are able to detect all of the controls, or it may take
weeks per subsystem to complete if a manual review is required.
The fifth phase is the authorization of the information system. The information system
owner will review the plan of action and milestones along with the validated controls to approve
the function of the system in an operational status. Dependencies of this phase are the completed
assessment and validation of controls and the plan to mitigate any unresolved findings. The
timeline for authorization depends on the backlog of the authorization authority. Generally, the
approval process can be lengthy, on the order of months, as the authorizer must dive deep into the
configuration of many systems under their authority.
The sixth and final phase is the continuous monitoring of the security controls. This
phase falls under the onus of all of the previously mentioned stakeholders. As a team, a strategy has
to be developed to maintain the heightened security posture that was achieved. The timeline for this phase
is ongoing. The dependencies for this phase are the completion of the prior 6 steps. The
resources include the continual interaction of all the involved parties to review the system
security posture and revisit each phase each time a new vulnerability, control, or system change
arises.
Risk Factors
One risk factor is that the lack of a solution to address risks in an organization could result in
loss of business. The potential threats to an organization would present issues such as the inability to
maintain business productivity. Inability to prevent attacks against the information systems will in
essence make the organization an easily identified target. Additionally, the impending
realization of a disaster scenario would leave the organization crippled without the proper
preparation to weather the storm.
Finally, there are possible implications from more of an organizational standpoint.
Stakeholders within the business may be forced to make unhealthy business decisions without an
appropriate risk management framework. Also, legal and regulatory ramifications may be
possible should the organization undergo an audit or review.
Important Milestones
The most measurable and most significant point in the project is the authorization
phase. This phase represents the initial completion …