(Course-Key Assignment) Cyber Security Program Template For Student Use

School: Texas A&M University
Course: 514
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 14
Uploaded by CommodoreField12479
<COMPANY LOGO> Cyber Security Management Program STUDENT NAME:

Cyber Security Management Program
XYZ Organization

Contents
1. Purpose (p. 3)
2. Description of Organization (p. 3)
3. Cyber Security Management Program (CSMP) (p. 3)
   Description of overall Security Program (p. 3)
   Security Objectives (p. 3)
   Laws, regulations that apply (p. 3)
   Aligned Standards (p. 4)
   Security Team (p. 4)
4. Data Classification Levels (p. 4)
5. Information Assets and Information Systems that Require Protection (p. 5)
   Information Assets and Internal Systems (p. 5)
   Cloud Based Systems (p. 5)
6. Governance (p. 6)
   Policies (p. 6)
   ACCEPTABLE USE POLICY (p. 6)
   MOBILE DEVICE POLICY (p. 7)
   ACCESS AND AUTHENTICATION POLICY (p. 7)
   OTHER SUPPORTING POLICIES (p. 7)
7. Security Awareness Program (p. 8)
8. Security Controls Implemented (p. 8)
10. Risk Assessment Methodology (p. 11)

<This template has notes for the students completing it. Any text that is in YELLOW should ultimately be deleted when those sections are due. Reference notes are also provided for additional guidance. Again, those notes should be deleted when the corresponding sections are due.>

1. Purpose
<Organization Name> establishes the Information Security Management Program to manage information system risks. This program describes the personnel, tools, controls and technology deployed to protect <Organization Name> and client data.
<More here – additional paragraph>

2. Description of Organization
<What is the nature of the organization, their business, how many employees, and an overview of the technology that is in place.>

3. Cyber Security Management Program (CSMP)
The following is the System Security Plan for <Organization Name>, with included elements based on best practices and standards.

Description of overall Security Program
The <Organization Name> security program is based on best practices from <Standard>. This group establishes, maintains, and improves Information Security capabilities. The CSMP operates under the authority of senior management to ensure that business may be successfully executed without creating unacceptable harm through compromised information assets.
<More here – additional paragraph – what would you WANT the program to be like?>

Security Objectives
Maintain the confidentiality, integrity, and availability of <Organization Name> information based on data classification, business mission, and acceptable level of risk.
<More here – 5 more objectives as they align to your organization>
Laws, regulations that apply
<Define the laws that apply to the organization – name AT LEAST 1>
<Describe how they relate to your organization>

Aligned Standards
These are the standards that this program will be aligned to, or use requirements from:
<Example – NIST, ISO or another standard or standards you may be pulling information from – describe whether you will be fully following one standard, or pulling best practices from multiple standards.>

Security Team
<Name at least 5 roles, with a paragraph or 3 bullet points of key responsibilities>

Role | Key Responsibilities
Chief Information Security Officer | 1) 2) 3)

4. Data Classification Levels
<Identify the classification levels of data for the organization. The below are merely examples. Start with lists of what data is being protected, and categorize appropriately. Things to consider:
PII data – personnel data (employee SSN, etc.)
Payment card data
Internal finance reports
Client data
Data that all internal employees have access to
Data that only some internal employees have access to>

Data Classification | Definition | Examples
Public | Available to everyone. | Website, marketing materials.
Internal | | Private employee data, <ETC>
Confidential | |
<what other options> | |

5. Information Assets and Information Systems that Require Protection
This is what requires protection at <Organization Name>.

Information Assets and Internal Systems

Information or Information Asset (name) | How needed by business or mission | System Classification | Responsibility for <Organization Name> to protect
Email | For communication | "Confidential" |
ERP | | |
Intellectual Property | | |
Internal File Share | | |

Cloud Based Systems

Information or Information Asset (name) | How needed by business or mission | System Classification | Responsibility for <Organization Name> to protect
Payroll System | | | Cloud

6. Governance
This section will include the governance for the security program, as well as how risk is managed and how compliance is maintained.

Policies
There are many policies that are important to our organization; three of them are summarized within this document.
<These three policies are specifically identified for this assignment. The Acceptable Use Policy requires coordination and agreement with HR. The Mobile Device Policy requires IT to handle users' personal devices, and users need to sign agreements. The third one, regarding access control and authentication, is more IT related, but there is a process element to it regarding approvals.>
1. Acceptable Use Policy
2. Mobile Device Policy
3. Access and Authentication Policy

List 8 more policies that would be created. <Review your book, or a standard, to ensure that the 8 policies cover the areas of the organization and the controls required>

<YOU CAN ADD ADDITIONAL SECTIONS TO THE POLICIES BELOW – BUT THE BELOW SECTIONS, AT A MINIMUM, ARE REQUIRED>

ACCEPTABLE USE POLICY
Purpose of Policy: <3-4 sentences>
Scope of Policy: <Systems? Locations? Example text – "The scope of this policy applies to all Information Technology resources owned or operated by <Organization Name>, as well as any information that is stored or processed within those systems.">
Roles and Responsibilities: <Who has activities regarding this policy? Does IT have the responsibility to do XYZ? What responsibilities do the users have? Management?>
Policy Statements: <These are a series of statements that need to be abided by and ultimately implemented.>
Enforcement/Exceptions: <How is the policy enforced? What are the penalties if people break the policy statements on purpose or by accident? Who approves exceptions?>

MOBILE DEVICE POLICY
Purpose of Policy:
Scope of Policy:
Roles and Responsibilities:
Policy Statements:
Enforcement/Exceptions:

ACCESS AND AUTHENTICATION POLICY
Purpose of Policy:
Scope of Policy:
Roles and Responsibilities:
Policy Statements:
Enforcement/Exceptions:

OTHER SUPPORTING POLICIES
1.
2.
3.
4.
5.
6.
7.
8.

7. Security Awareness Program
<Describe the Security Awareness Program – copy from discussion board 5 and make it look nice.>

8. Security Controls Implemented
This section details the security controls that are implemented or planned to be implemented.

Reference Enterprise Cybersecurity Architecture Categories
1. System Administration
2. Network Security
3. Application Security
4. Endpoint, Server, and Device Security
5. Identity, Authentication and Access Management
6. Data Protection and Cryptography
7. Monitoring, Vulnerability and Patch Management
8. High Availability, Disaster Recovery, and Physical Protection
9. Incident Response
10. Asset Management and Supply Chain
11. Policy, Audit, E-Discovery and Training

In addition to the requirements and data that have been indicated above, these are additional requirements that have been derived to better protect the data described above.

Information or System that is being protected – From Section 5 – ALL systems hosted internally or in the cloud need to be listed, to show what security is in place to protect those assets.
Security Requirement – What is the requirement? It can be as simple as "Confidentiality, Integrity, or Availability", multiple of those, or others.
System or Security Control Implemented (category) – From the list of 11 areas above, include the 1 or 2 key architecture implementations that will provide the security control (or more if applicable).
Tool or Technology – Can be a name-brand tool or a generic technology approach. These can be re-used for multiple information system assets, where the same tool will protect multiple assets.

Information or System that is being protected | Security Requirement | System or Security Control Implemented (category) | Tool or Technology
Email | Confidentiality, Integrity | 1. Identity, Authentication and Access Management 2. Data Protection and Cryptography | 1. Password Authentication 2. Encrypted session to email when using Web
ERP | Confidentiality, Integrity, Availability | |
Intellectual Property | | |
Internal File Share | | |

9. Incident Response Management
This section will document key items regarding incident management preparation and response.

Preparation
In some level of detail, describe 5 key things that absolutely need to be in place to prepare for an incident. Each should be 2-3 sentences. You can re-use 2 of the non-plan related items you created in the discussion board.
1.
2.
3.
4.
5.

High Level Incident Response Plan
Research incident response plans within the text or other sources (hint – NIST 800-61). Each Incident Response Plan is different, but they should all have some key phases, such as Detection, Analysis, Containment, Eradication, Recovery – plus some others perhaps, or the ones above with perhaps different names. Create a high-level IR Plan for your organization by selecting the phases that work best for your organization, as well as at least 2 or more activities per phase. The activities should include the action and the outcome of the action (i.e. a complete sentence or two, not a 2-word activity). Be sure to include activities such as communication to internal as well as external parties.

Incident Lifecycle | Key Activities
Detection | 1. 2. 3.
Analysis | 1. 2. 3.
<continue>

10. Risk Assessment Methodology

10.1 - Risk assessment definitions

Impact Defined
1 – Low <define, based on your organization>
2 – Medium <define, based on your organization>
3 – High <define, based on your organization>
Example – Financial impact between X and Y % above expectations. Systems not available for XYZ amount of time beyond established SLAs. ABC number of users impacted.

Likelihood Defined
1 – Unlikely <define, based on your organization>
2 – Probable <define, based on your organization>
3 – Certain <define, based on your organization>
10.2 - Risk Assessment Approach
Based on the Standard your organization is following, review that standard and describe the risk assessment steps. While you can repeat some of the material that is in the standard, the assessment step details and Organizational Considerations should be somewhat unique material that you create, or adjust to work for your organization. There should be at least 8 main steps to your methodology.

Assessment Step | Inputs | Assessment Step Details | Outputs | Organizational Considerations
Step Name | One or more things that are needed to perform the step. | 2-3 sentences describing the assessment step details. | The outcome of the assessment step, a list of outputs. Needs to be at least one. | 2-3 sentences describing something specific about the organization and the assessment step.

Assessment Step | Inputs | Assessment Step Details | Outputs | Organizational Considerations
System Characterization | Hardware, Software, System Interfaces, Data and Information, People, System Mission | Review inputs and ensure that all are properly characterized based on the data criticality and sensitivity. | System Boundary, System Functions, System and Data Criticality, System and Data Sensitivity |

Assessment Step | Inputs | Assessment Step Details | Outputs | Organizational Considerations
| | | |

END OF DOCUMENT