Project 4: Enterprise Cybersecurity Program Step 5: Propose A Framework (see attachment) Enterprise Cybersecurity Program

“Excellent work!” says the CEO as he starts the meeting, holding up the Virtual Currency Applicability Report from your last project.

The senior leaders at the meeting, including the CIO, give you a well-deserved round of applause.

“Thanks. I enjoy my work,” is your polite response.

“I am really glad to hear that,” adds the CEO, “because we aren’t finished just yet. As proposed several weeks ago, you have one last project. I would like you to provide a roadmap, a comprehensive, corporate-wide strategic cybersecurity program.”

“Work closely with the CIO to design this program. The program should incorporate simulation, policy, and technology components. It will also need to be strategically aligned to our corporate mission, not overlooking the unique challenges we have as a global, financial institution.”

“You will need to present and defend your program to the board of directors. We look forward to your results.”

You leave the meeting and return to your office, pleased with the feedback that you have received. As you are thinking about the size and complexity of your new Enterprise Cybersecurity project, the CIO politely taps on the door.

“Got a minute?” he asks.

After congratulating you on the fine work so far, he provides a few details for the new assignment. First, the presentation for the board of directors will be in three weeks. Second, he would like you to record a five- to 10-minute oral presentation of your report to review before the full presentation to the board of directors.

That’s a quick turnaround, but you realize that your other assignments have prepared you for this latest challenge. Time to get to work.

Project 4: Enterprise Cybersecurity Program Start Here


This is the final project in the course. Project 4 is a culmination of the research and reports delivered in the previous three projects. It is the creation of a strategic policy framework the CEO references as the Enterprise Cybersecurity Program.

After you earn a Master’s in Cybersecurity, you will likely have the opportunity to sit at the management table. As the chief information security officer in this scenario, your opinion and recent education will bring value. However, it will be critical that you possess above-average skills in presenting your material.

Based on this expectation, the final assignment will include a 12- to 15-page Enterprise Cybersecurity Program Report as well as a five- to 10-minute audio presentation for the senior leadership team. Any questions should be directed to your boss, the CIO (course instructor). With 19 steps and five assignments to deliver in the next 19 days, it is time to start on Step 1.

Competencies

Your work will be evaluated using the competencies listed below.

· 1.8: Create clear oral messages.

· 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.

· 8.3: Design a cybersecurity defense framework composed of technologies and policies.


Project 4: Enterprise Cybersecurity Program Step 1: Select a Framework

The first order of business in designing an enterprise cybersecurity program is to make a list of what you need to know, an inventory of the key elements to a cybersecurity framework. You will have to assess the cybersecurity posture currently taken at your financial institution. Select the framework you feel your organization is currently using.

Make notes, a paragraph or two, on the specifics of the framework to use in the next step of identifying any vulnerabilities.

Cybersecurity Frameworks


The NIST Cybersecurity Framework (NIST CSF), produced by the Department of Commerce’s National Institute of Standards and Technology (NIST), provides a voluntary, risk-based policy framework for private sector cybersecurity.

Version 1.0 was published in 2014, originally aimed at operators of critical infrastructure. The next version, draft 1.1, is in the comment stage, with operators encouraged to comment on the proposed changes, which also address privacy and civil liberties concerns.

The draft version 1.1 executive summary notes that cybersecurity threats to infrastructure systems can put the economy, public safety, and health at risk, and can affect “a company’s bottom line … [cybersecurity risk] can harm an organization’s ability to innovate and to gain and maintain customers” (NIST, 2017). The Framework Core provides guidance in the form of cybersecurity activities, desired outcomes, and informative references that are “common across critical infrastructure sectors” (NIST, 2017), organized under the five functions Identify, Protect, Detect, Respond, and Recover. Version 1.1 continues to offer guidance based on collaboration between government and the private sector.

ISO/IEC 27001:2013 is an information security standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a specification for an information security management system (ISMS) with “requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” according to the ISO’s website. The standard also includes requirements for the assessment and treatment of information security risks (ISO, 2013). The goal is for organizations to implement the standard and pass a certification audit by an independent, accredited certification body.

Annex A of the standard lists the control objectives and controls an organization selects from to treat the risks it has identified. The control domains are: information security policies; organization of information security; human resource security (controls applied before, during, and after employment); asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance with internal requirements, such as policies, and with external requirements, such as laws (ISO, 2013).

References

International Organization for Standardization (ISO). (2013). ISO/IEC 27001:2013. Information technology — security techniques — information security management systems — requirements. https://www.iso.org/standard/54534.html

National Institute of Standards and Technology (NIST). (2017, January 10). Framework for improving critical infrastructure cybersecurity, draft version 1.1. https://www.nist.gov/sites/default/files/documents/2017/01/30/draft-cybersecurity-framework-v1.1.pdf

Resources

· ISO/IEC 27001:2013

· ISO/IEC 27004:2016

· Framework for Improving Critical Infrastructure Cybersecurity

Project 4: Enterprise Cybersecurity Program Step 2: Identify Current Vulnerabilities

The cybersecurity framework selected in the previous step is only a structure or blueprint of possible solutions. Specific solutions, application, and implementation within a given framework are industry-driven. For example, in response to the credit card fraud in the retail industry, the bank card industry adopted the chip-and-PIN standard for credit cards.

Based on your knowledge of the current state of cyber attack vectors and the notes made in the previous step, create a list of vulnerabilities and how to address them within the chosen framework. Identify both technical and policy options to improve the defense posture of the institution. Add this list to your notes from the previous step. You will use this work in the next step of the project.

Attack Vectors


Attack vectors are paths by which malicious actors gain unauthorized access to computer systems or data. These vectors can be existing avenues that are not adequately protected and hence used for unintended purposes, or they can be paths which are intentionally established for malicious activities. Attacks can come from internal or external sources.

Attack vectors generally exist because of vulnerabilities in hardware or software, or because of human factors (e.g., insider threats). Understanding the characteristics and behaviors related to attack vectors provides the potential to identify threats. Such identification then enables the development of mitigations as well as informing risk management and resource allocation plans.

Attacks are classified as active or passive. A passive attack observes systems or traffic without altering them, so it leaves little trace and is usually not detectable to the untrained eye; network sniffing and traffic analysis are the classic examples. An active attack sends traffic to, or modifies, systems or data; brute-force password guessing is active, because every attempt reaches the target and can be logged. A keystroke logger captures data passively once in place, but installing it requires an active compromise of the host. Active attacks often use social engineering, such as phishing, to gain access to systems and networks; spoofed email attacks are active.

You should be familiar with common attack types such as brute force, SQL injection, Trojan horses, phishing variations, password cracking, buffer overflows, cross-site scripting, smurf attacks, wireless attacks, and logic bombs. Injection attacks are common: the attacker supplies crafted input (a SQL fragment, a script, a shell command) where the application expects plain data, such as a log-in form, a web application parameter, or a database field, and the application hands it to an interpreter that executes it as code. Attack vector lists can be found online (e.g., www.tecapi.com).
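As an added example, not part of the original reading, the log-in injection just described, in Python with the standard sqlite3 module. The vulnerable function concatenates the user's input into the SQL text, so the input is parsed as SQL; the hardened function binds the input as a parameter, so it is only ever treated as data. The table, the account and the two payloads are constructed for the demonstration, and the plaintext password column is a simplification (a real system stores a password hash).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: whatever the user types
    becomes part of the SQL statement and is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    statement text, so a quote or keyword in the input is just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Constructed payloads. The first turns the WHERE clause into
#   ... AND password = '' OR '1'='1'   (always true),
# the second closes the string and comments out the password check:
#   ... WHERE username = 'alice' --' AND password = '...'
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_COMMENT = "alice' --"


def demo():
    """Run both payloads against both implementations; returns the results."""
    conn = make_db()
    return {
        "vulnerable_or": login_vulnerable(conn, "alice", PAYLOAD_OR),
        "vulnerable_comment": login_vulnerable(conn, PAYLOAD_COMMENT, "x"),
        "hardened_or": login_hardened(conn, "alice", PAYLOAD_OR),
        "hardened_comment": login_hardened(conn, PAYLOAD_COMMENT, "x"),
        "hardened_correct": login_hardened(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: login {'succeeded' if ok else 'failed'}")
```

The policy counterpart of this technical fix is a secure-coding standard that forbids string-built queries and a code review or static-analysis gate that enforces it; the parameterized form is the control that maps to the "system acquisition, development and maintenance" domain of the framework reading above.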

Enumerated attack vectors are used in formulating attack patterns, which identify and characterize threats to guide risk management and development practices for software assurance. A schema for attack pattern enumeration is Common Attack Pattern Enumeration and Classification, or CAPEC (MITRE, n.d.). The attack pattern CAPEC-100 Overflow Buffers, for instance, describes a buffer overflow attack in accordance with the CAPEC schema: the attack vector is input that overflows a fixed-size buffer, and the attack pattern is the way the overflow is enabled by a vulnerability in the software and carried out by an attacker to affect the information system.

Good software assurance and, more generally, risk management practices include use of industry-wide schemas and frameworks. CAPEC belongs to a family of community schemas maintained by MITRE (alongside CWE and CVE), is referenced by community projects such as the Open Web Application Security Project (OWASP, n.d.), and is independent of any specific commercial interest. The Vocabulary for Event Recording and Incident Sharing, or VERIS (Verizon, n.d.), is another important schema, used for enumerating threat incidents and breaches, and is maintained by Verizon Communications Inc. As a service to the community, Verizon also publishes the annual Data Breach Investigations Report (Verizon, 2016).

Public sharing of incident and breach data using VERIS supports software assurance through threat identification: describing attack vectors in a common language and posting the records to the publicly accessible VERIS Community Database (VCDB) lets an organization compare its own exposure against incidents others have actually experienced.
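As an added example, not part of the original reading, the kind of tally a CISO would run over VERIS-style records to feed the vulnerability list in Step 2: each incident names its actions and vectors in the shared vocabulary, so counting vectors across many incidents shows which paths recur. The four records below are constructed, not real VCDB entries, and the field layout (action.<category>.variety and action.<category>.vector) is my reading of the VERIS schema; confirm the field names against the published schema before using this on real VCDB data.

```python
from collections import Counter

# Constructed VERIS-style incident records (sample data, not from VCDB).
# Assumed layout: action -> category -> {"variety": [...], "vector": [...]}.
INCIDENTS = [
    {"incident_id": "c-1",
     "action": {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}}},
    {"incident_id": "c-2",
     "action": {"hacking": {"variety": ["Brute force"], "vector": ["Web application"]}}},
    {"incident_id": "c-3",
     "action": {"social": {"variety": ["Phishing"], "vector": ["Email"]},
                "malware": {"variety": ["Backdoor"], "vector": ["Email attachment"]}}},
    {"incident_id": "c-4",
     "action": {"error": {"variety": ["Misconfiguration"], "vector": ["Carelessness"]}}},
]


def enumerate_vectors(incidents):
    """Count (action category, vector) pairs across all incidents.

    An incident with several actions (c-3 above) contributes one count per
    action, so the total can exceed the number of incidents. A record
    without a vector is counted under "Unknown" rather than dropped.
    """
    tally = Counter()
    for inc in incidents:
        for category, detail in inc.get("action", {}).items():
            for vector in detail.get("vector") or ["Unknown"]:
                tally[(category, vector)] += 1
    return tally


def top_vectors(incidents, n=3):
    """The n most frequent (category, vector) pairs, most common first."""
    return enumerate_vectors(incidents).most_common(n)


def incidents_with_vector(incidents, category, vector):
    """Incident ids that used the given vector, for pivoting back to detail."""
    return [
        inc["incident_id"]
        for inc in incidents
        if vector in inc.get("action", {}).get(category, {}).get("vector", [])
    ]


if __name__ == "__main__":
    for (category, vector), count in top_vectors(INCIDENTS):
        print(f"{count:>3}  {category:<8} {vector}")
    print(incidents_with_vector(INCIDENTS, "hacking", "Web application"))
```

The same loop runs unchanged over the public VCDB JSON, which is the point of a shared schema: the vectors it surfaces can be mapped directly onto the framework's control domains when ranking vulnerabilities in Step 3.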

References

MITRE Corporation. (n.d.). About CAPEC. In Common attack pattern enumeration and classification: A community resource for identifying and understanding attacks. https://capec.mitre.org/about/

Open Web Application Security Project (OWASP). (n.d.). Welcome to OWASP. https://www.owasp.org/index.php/Main_Page

Verizon. (n.d.). The Veris Community Database (VCDB). http://veriscommunity.net/vcdb.html

Verizon. (2016). 2016 Data breach investigations report.

Project 4: Enterprise Cybersecurity Program Step 3: Prioritize the Vulnerabilities

Now that you have selected a defense framework and identified the type of cyber attack vectors to which your organization may be vulnerable, rank the cybersecurity vulnerability from both a probability of occurrence and financial impact on operations perspective. As you are ranking the vulnerabilities, make notes on your decision process. These notes will come in handy in the next step, where you will design a specific defense for your enterprise.

Project 4: Enterprise Cybersecurity Program Step 4: Evaluate the Framework

Review the notes taken regarding which framework should be used and the prioritized vulnerabilities. Thoroughly state the existing framework being applied by your organization. Break down both technology and policy components of the framework and how they complement each other to produce the optimum framework. Consider what works well, what could be improved, and vulnerabilities that are not currently being addressed.

You will build upon this evaluation in the next step.
