Question
Wk 3 - NIST RMF Step 3: Implement Security Controls and Step 4: Assess Security Controls [due Mon]
Assignment Content
As the team leader for Phoenix Security Services' SureMarket account, you continue your SOX assessment of compliance using the NIST RMF as described in NIST SP 800-37:
Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
Review the security controls outlined in Step 2 of the SureMarket IT Systems Security Audit Results.
Your next task is to complete Steps 3 and 4 of the NIST RMF process by continuing to document information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.
Part A
To prepare your documentation for Step 3, create a 2- to 3-page table in Microsoft Word mapping each of the 5 vulnerabilities from the SureMarket IT Systems Security Audit Results document to the ineffective or non-existent security controls. The landscape table should include the following 5 columns:
IT System with the Vulnerability
Vulnerability Title
Vulnerability Description
Security Control that is Not Compliant
Type of Security Control (Technical or Non-technical)
Part B
To prepare your documentation for Step 4, use the information from Steps 1 through 3 to create a 10- to 11-slide Microsoft PowerPoint presentation documenting the risk assessment for the selected security controls for each IT system. You will present this to the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) prior to the presentation with the SureMarket leadership (prepared in your Week 4 assignment) to be sure the CIO and CISO approve the Phoenix Security Services contract work.
Your presentation should include the following:
A table for each IT System (1 slide per system) that shows:
IT System Categorization for confidentiality, integrity, and availability
Vulnerability Title
Vulnerability Description
Security Control Name (e.g., AC-2)
Likelihood Determination
Impact Determination
A 5 x 5 Risk Matrix for each IT System as derived from NIST SP 800-30 (1 slide per system) with the overall risk assessment identified
A table summarizing the overall risk for each IT system (on a single slide)
DETAILED SLIDE NOTES in the Notes section of each slide.
Note: You will use this week's assignments to help you complete the Week 4 assignment.
Submit your assignment.
Resources
Center for Writing Excellence
Reference and Citation Generator
Grammar and Writing Guides
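The Part B deliverable asks for a likelihood determination, an impact determination and a 5 x 5 risk matrix per IT system derived from NIST SP 800-30. The following is an added worked example, not part of the assignment text or any SureMarket audit material: it encodes the qualitative likelihood-by-impact lookup modelled on Table I-2 of NIST SP 800-30 Rev. 1 (verify the cells against the publication before using them in a submission), computes the risk level for each finding, rolls findings up to an overall risk per system, and renders the 5 x 5 grid as text for the slide. The IT systems, vulnerability titles, control identifiers, likelihood and impact values are constructed placeholders.

```python
"""Qualitative risk-level computation for an RMF Step 4 risk assessment.

Added example; the matrix is modelled on NIST SP 800-30 Rev. 1,
Appendix I, Table I-2 (assumption: check against the publication).
All findings below are constructed, not from the SureMarket audit.
"""
from dataclasses import dataclass

# Ordered qualitative scale shared by likelihood, impact and risk.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows indexed by likelihood (Very Low .. Very High), columns by impact
# (Very Low .. Very High). Each cell is the resulting level of risk.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # likelihood Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # likelihood Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood Very High
]


@dataclass(frozen=True)
class Finding:
    """One row of the per-system slide table (constructed data)."""
    system: str
    vulnerability: str
    control: str        # security control name, e.g. "AC-2"
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk for one likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


def overall_risk(findings) -> dict:
    """Overall risk per IT system: the highest risk among its findings.

    Taking the maximum is the conservative aggregation; if a different
    rule is used, justify it in the slide notes.
    """
    result = {}
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        current = result.get(f.system)
        if current is None or LEVELS.index(level) > LEVELS.index(current):
            result[f.system] = level
    return result


def render_matrix(findings, system: str) -> str:
    """Text rendering of the 5 x 5 grid for one system.

    Rows run from Very High likelihood (top) to Very Low (bottom), as in
    the NIST table; each cell shows the risk level and the control ids of
    the findings that land there.
    """
    cells = {}
    for f in findings:
        if f.system == system:
            cells.setdefault((f.likelihood, f.impact), []).append(f.control)
    width = 22
    header = "Likelihood \\ Impact".ljust(width) + "".join(i.ljust(width) for i in LEVELS)
    lines = [f"Risk matrix: {system}", header]
    for likelihood in reversed(LEVELS):
        row = likelihood.ljust(width)
        for impact in LEVELS:
            marks = cells.get((likelihood, impact), [])
            text = risk_level(likelihood, impact)
            if marks:
                text += " [" + ", ".join(marks) + "]"
            row += text.ljust(width)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample findings (placeholders, not audit results).
SAMPLE_FINDINGS = [
    Finding("POS System", "Default administrator accounts not removed", "AC-2", "High", "High"),
    Finding("POS System", "Audit logging disabled on terminals", "AU-2", "Moderate", "Low"),
    Finding("Inventory DB", "Database server missing vendor patches", "SI-2", "High", "Very High"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.system}: {f.control} -> {risk_level(f.likelihood, f.impact)}")
    print(overall_risk(SAMPLE_FINDINGS))
    print(render_matrix(SAMPLE_FINDINGS, "POS System"))
```

Each `Finding` carries the columns the slide table asks for (control name, likelihood, impact), so the same list feeds the per-system table, the per-system matrix and the single summary slide.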