Project 1: Risk Management
Overview of project
Risk Management
After completing your master’s degree, you have been hired by a contracting company as an information systems security officer, or ISSO, supporting systems for federal clients. One morning, your boss asks you to come to her office. She tells you that you’ll be working on a network security audit. Network security audits, based on FISMA standards, are used annually to determine the effectiveness of our security controls. The boss explains: “Prior to the security audit, I will need you to test, execute, collect, and compile your results into a security assessment report, or SAR. Once you’re finished, you will submit the report to me and the executive leadership.”
Later, you receive a follow-up email from your boss with instructions. First you will conduct a risk and threat assessment of the enterprise network. Next, you will perform black box testing of the network using network analysis tools. After identifying any network vulnerabilities, you will lead efforts to remedy and mitigate those vulnerabilities using appropriate risk management controls. You will then perform a white box test, and compile the results in the final security assessment report. And provide this to leadership, along with an executive briefing in your lab analysis, so management has a baseline view of the security posture of the enterprise network, before the actual external IT audit. The email ends with this note: “Thank you for taking this on. Our executive leadership is excited to learn of your findings.”
Step 1: Conduct a Security Analysis Baseline
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
You will get your information from this data-flow diagram and report, which is generated by the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization.
Include the following areas in this portion of the SAR:
The overall SAR should detail the security measures needed, or implementation status of those in progress, to address the identified vulnerabilities. Include:
Through your research, provide the methods used to provide the protections and defenses.
From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53A and determine their applicability to the risks identified.
The baseline should make up at least three of the 12 pages of the overall report.
When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company’s overall network defense strategy.
Step 2: Determine a Network Defense Strategy
You’ve completed your initial assessment of the company’s security with your baseline analysis. Now it’s time to determine the best defenses for your network.
Start by reading a publication by the National Institute of Standards and Technology, Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, and outline how you would test violations. Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black, white, and gray box testing).
Include these test plans in the SAR. The strategy should take up at least two of the 12 pages of the overall report.
Click the following link to learn more about cybersecurity for process control systems.
After you’ve completed this step, it’s time to define the process of penetration testing. In the next step, you’ll develop rules of engagement (ROE).
Step 3: Plan the Penetration Testing Engagement
Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and time frame. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE). The process and any documents can be notional or can refer to actual use cases. If actual use cases are included, cite them using APA format.
This portion should be about two pages of the overall 12-page report.
After you have outlined the steps of a penetration testing process, in the next step you will perform penetration testing. During the testing, you will determine if the security components are updated and if the latest patches are implemented, and if not, determine where the security gaps are.
Step 4: Conduct a Network Penetration Test— ignore this step
You’ve defined the penetration testing process, and in this step, you will scan the network for vulnerabilities. Though you have some preliminary information about the network, you will perform a black box test to assess the current security posture. Black box testing is performed with little or no information about the network and organization.
To complete this step, you will use industry tools to carry out simulated attacks to test the weaknesses of the network.
Your assessments within the lab will be reported in the SAR.
Step 5: Complete a Risk Management Cost Benefit Analysis
You’ve completed the penetration testing, and now it’s time to complete your SAR with a risk management cost benefit analysis. Within this analysis, think about the cost of violations and other areas if you do not add the controls. Then add in the cost for implementing your controls.
When you have finished with the cost benefit analysis, which should be at least one page of your overall report, move to the final step, which is the completed SAR.
Step 6: Compile and Submit the SAR and Lab Report
You have completed comprehensive testing in preparation for this audit, provided recommended remediations, and developed a set of recommendations. Now you are ready to submit your SAR.
The requirements for Project 1 are as follows:
Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Lab report: A document sharing your lab experience and providing screenshots to demonstrate that you performed the lab. Attach it to the SAR as an artifact.