D486 GRC
School: Western Governors University
Course: D486
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 7
Uploaded by: HeyyyJordo
Jordan McCready
Student ID#: 010287766
D486 Governance, Risk, and Compliance
DFN1 Task 1
Security System Evaluation and Remediation
A. Gap Summary
The gaps that currently exist in Fielder Medical Center’s (FMC) security framework include the following:
- There are deficiencies in FMC’s security controls and policies. These deficiencies include the absence of access control and account management policies and procedures, as well as the lack of implementation of the least privilege principle and security attributes.
- FMC’s system design is insecure. Its System Security Plan (SSP) needs to be updated to address the gaps and comply with laws, regulations, and standards.
- Security and privacy plans that need to be updated include the information security program plan, system inventory/asset list, and risk assessment.
- Identification and authentication controls need to be addressed, as multi-factor authentication is not implemented to verify user access to the network and information systems.
B. Risk Rating and Justification
AC-6
The risk rating for the AC-6 Least Privilege control is high. Access to the network and systems should only be granted to users who are authorized to access them. Within the network and systems, a user should only be able to perform the functions that are necessary to complete their job responsibilities. This is how the principle of least privilege is incorporated. If this principle is not implemented, users could have access to parts of the network and systems they shouldn’t and perform actions, whether intentional or unintentional, that could be detrimental to the organization. The National Institute of Standards and Technology (NIST) model for role-based access control (RBAC) was published in 2000 and adopted as an ANSI/INCITS standard in 2004 (NIST, 2015).
CA-5
The risk rating for the CA-5 Plans of Action and Milestones (POAMs) control is moderate. FMC does not have a policy and procedure in place that documents the planned remediation actions for deficiencies that are present within its organization. Authorizing officials may want to see POAMs when deficiencies exist in order to maintain an authorization to operate status. The Federal Risk and Authorization Management Program (FedRAMP) provides POAM guidance to support the achievement and maintenance of a security authorization that meets FedRAMP requirements (FedRAMP, 2021).
CA-7
The risk rating for the CA-7 Continuous Monitoring control is high. Continuous monitoring can help organizations detect security threats, performance issues, and/or non-compliance problems in real time (Rahman, 2021). When an event arises through the use of continuous monitoring, the CA-5 POAMs control can be put into effect to remediate the issue. CrowdStrike, a cybersecurity industry leader, advocates for the use of continuous monitoring tools and describes how they provide value to IT operations (Sharif, 2022).
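To show what continuous monitoring adds in practice, here is an added example (not from the paper or any of its cited sources) of the kind of correlation rule a SIEM of the sort proposed in section C would run over centrally collected authentication logs: it flags a source address that fails to log in several times and then succeeds within a short window. The log format, hostnames, addresses, threshold and window are constructed assumptions, not FMC's or any vendor's.

```python
"""Added example: a small SIEM-style correlation rule over authentication
logs. Parses constructed syslog-like lines, groups events by source IP and
raises an alert when several failed logins are followed by a success from
the same source inside a time window. Format and thresholds are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <host> auth: <result> login user=<name> src=<ip>"
SAMPLE_LOGS = """\
2024-02-10T09:00:01 fmc-dc01 auth: FAILED login user=jsmith src=10.20.30.40
2024-02-10T09:00:04 fmc-dc01 auth: FAILED login user=jsmith src=10.20.30.40
2024-02-10T09:00:07 fmc-dc01 auth: FAILED login user=jsmith src=10.20.30.40
2024-02-10T09:00:09 fmc-dc01 auth: FAILED login user=jsmith src=10.20.30.40
2024-02-10T09:00:15 fmc-dc01 auth: FAILED login user=jsmith src=10.20.30.40
2024-02-10T09:00:21 fmc-dc01 auth: SUCCESS login user=jsmith src=10.20.30.40
2024-02-10T09:05:00 fmc-dc01 auth: FAILED login user=mlee src=10.20.30.77
2024-02-10T09:30:00 fmc-dc01 auth: SUCCESS login user=mlee src=10.20.30.77
2024-02-10T10:00:00 fmc-dc01 auth: SUCCESS login user=rkim src=10.20.31.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the assumed format
    are skipped (a real pipeline would count them as parse failures)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Rule: at least `threshold` FAILED logins from one source IP, each no
    older than `window` relative to the current event, followed by a SUCCESS
    from the same IP -> one alert. Returns a list of alert dicts (empty
    list means nothing fired)."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = []
        for ev in evs:
            # Drop failures that have aged out of the window.
            failures = [f for f in failures if ev["ts"] - f["ts"] <= window]
            if ev["result"] == "FAILED":
                failures.append(ev)
            elif len(failures) >= threshold:
                alerts.append({
                    "src": src,
                    "user": ev["user"],
                    "failures": len(failures),
                    "first_failure": failures[0]["ts"].isoformat(),
                    "success_at": ev["ts"].isoformat(),
                })
                failures = []  # one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_success(parse_events(SAMPLE_LOGS)):
        print("ALERT:", alert)
```

On the constructed sample, only the 10.20.30.40 burst fires; the single failure from 10.20.30.77 stays below the threshold, which is the point of correlating rather than alerting on every failed login.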
RA-3
The risk rating for the RA-3 Risk Assessment control is moderate. Without performing a risk assessment, an organization is operating blind. Therefore, it is crucial to perform risk assessments in order to introduce control measures to eliminate or reduce any potential risk-related consequences (Evrin, 2021). NIST SP 800-30 provides guidance for conducting risk assessments (NIST, 2012).
RA-7
The risk rating for the RA-7 Risk Response control is moderate. A response to risks that are present is essential in order to help control those risks. Accepting all risks is not the most effective way to respond, as this can yield detrimental results for an organization. Other risk response methods, such as the mitigation, transfer, or avoidance of risks, can provide more effective alternatives.
C. Remediation
AC-6
To address the risk associated with the AC-6 Least Privilege control, FMC should implement group policy objects (GPOs) and RBAC. GPOs and RBAC allow FMC to manage security settings and configurations for computers and users based on groups. Adding these two components to FMC’s operations can help ensure that users will only have the permissions necessary to carry out their jobs.
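As an added illustration of the least-privilege check this remediation aims at (example code written for this page, not FMC's configuration or any vendor's product), the following Python models RBAC with default-deny authorization and audits each user's effective permissions against a baseline for their job function. The role names, permission strings, users and the baseline table are all constructed assumptions.

```python
"""Added example: a minimal role-based access control (RBAC) model with
default-deny authorization, plus a least-privilege audit that reports the
permissions a user holds beyond what their job function needs. Roles,
users and permission names are constructed for illustration."""

from dataclasses import dataclass, field

# Role -> permissions it grants. Constructed sample roles for a hospital IT
# environment; real roles would be derived from job descriptions.
ROLE_PERMISSIONS = {
    "nurse":        {"ehr:read", "ehr:write_notes"},
    "billing":      {"ehr:read", "billing:read", "billing:write"},
    "it_helpdesk":  {"accounts:reset_password", "workstation:remote_assist"},
    "domain_admin": {"accounts:create", "accounts:delete", "gpo:edit",
                     "accounts:reset_password", "workstation:remote_assist"},
}

# Job function -> the permissions that function actually requires.
# This is the least-privilege baseline the audit compares against.
JOB_BASELINE = {
    "floor_nurse":   {"ehr:read", "ehr:write_notes"},
    "billing_clerk": {"ehr:read", "billing:read", "billing:write"},
    "helpdesk_tech": {"accounts:reset_password", "workstation:remote_assist"},
}


@dataclass
class User:
    name: str
    job: str
    roles: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Union of the permissions granted by every role assigned to the user."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Default deny: only an explicitly granted permission is allowed."""
    return permission in effective_permissions(user)


def audit_excess_privileges(users):
    """Return {username: sorted excess permissions} for every user whose
    effective permissions exceed the baseline for their job function."""
    findings = {}
    for u in users:
        baseline = JOB_BASELINE.get(u.job, set())
        excess = effective_permissions(u) - baseline
        if excess:
            findings[u.name] = sorted(excess)
    return findings


# Constructed users. carol is the deliberate violation: a helpdesk tech who
# was also placed in the domain_admin role.
SAMPLE_USERS = [
    User("alice", "floor_nurse", {"nurse"}),
    User("bob", "billing_clerk", {"billing"}),
    User("carol", "helpdesk_tech", {"it_helpdesk", "domain_admin"}),
]


if __name__ == "__main__":
    print(is_authorized(SAMPLE_USERS[0], "ehr:read"))       # True
    print(is_authorized(SAMPLE_USERS[0], "billing:write"))  # False
    for name, excess in audit_excess_privileges(SAMPLE_USERS).items():
        print(f"{name}: permissions beyond job baseline -> {excess}")
```

The audit is what turns the principle into something verifiable: a role can be correctly defined and a user can still hold too much if they accumulate roles, so the check compares what a person can actually do with what their job requires.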
CA-5
To address the risk associated with the CA-5 Plans of Action and Milestones control, FMC should document a policy and procedure for plans of action and milestones management. Following this policy and procedure should be mandated when deficiencies arise. This way, executives and officials can approve the plans of action and monitor the progress of the remediation of deficiencies. FMC can acquire Governance, Risk, and Compliance (GRC) software where this control can be incorporated.
CA-7
To address the risk associated with the CA-7 Continuous Monitoring control, FMC should implement a security information and event management (SIEM) tool that gathers data in one place, correlates that data, and gives awareness of network irregularities. This tool will help FMC comply with PCI DSS requirements with respect to security monitoring capabilities.
RA-3
To address the risk associated with the RA-3 Risk Assessment control, FMC should perform a risk assessment of the new system. This risk assessment should document the impact, risk, and likelihood of all vulnerabilities of the new system. The GRC software used for the CA-5 POAMs control can also be utilized for the RA-3 Risk Assessment control.
RA-7
To address the risk associated with the RA-7 Risk Response control, FMC should utilize the GRC software mentioned for controls CA-5 and RA-3. This GRC software can document risk-based decisions and house many other aspects of the risk management process. It would also be beneficial for FMC to document a risk management policy and procedure that applies to the RA-3 and RA-7 controls.
D. PCI DSS-Compliant Policy
FMC’s PCI DSS-compliant policy to address the firewall configuration and maintenance, removal of vendor-supplied defaults, and an antivirus solution includes the following:
- Firewall: The configuration and maintenance of the firewall will be the responsibility of IT Networking. The configuration of the firewall must comply with PCI DSS requirements. Any requested changes to the firewall will need to follow the firewall change management process.
- Vendor-supplied defaults: All vendor-supplied defaults are to be changed by IT Networking to secure infrastructure from publicly-accessible credentials. Testing is to be conducted to ensure vendor-supplied defaults no longer exist.
- Antivirus solution: All systems and network devices are to have antivirus (AV) solutions installed. IT Cybersecurity is to evaluate the current AV solution on a yearly basis to ensure its capabilities are on par with industry standards. Routine updates and subsequent testing of the AV solution must take place for quality assurance. The AV solution should be run, at a minimum, once every 24 hours.
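As an added example of how the firewall change management process in the policy above could be backed by a technical check before a change is approved (example code written for this page, not part of the paper's policy text or any product), the following Python reviews a proposed ruleset and flags allow rules that are broader than "only the traffic that is necessary" toward the cardholder data environment, plus rules submitted without a change ticket. The rule format, the 10.50.0.0/24 CDE range and the specific checks are assumptions chosen for illustration.

```python
"""Added example: a review check for firewall rule changes of the kind a
change management process would run before approval. Flags allow rules that
are over-permissive toward the cardholder data environment (CDE) and rules
with no change ticket. Rule format, CDE range and checks are assumptions."""

import ipaddress

# Assumed cardholder data environment network; constructed value.
CDE_NETWORK = ipaddress.ip_network("10.50.0.0/24")

# Constructed ruleset. Each rule: src and dst as CIDR or "any", port as an
# int or "any", an action, and an optional change ticket reference.
SAMPLE_RULES = [
    {"id": 10, "src": "10.20.0.0/16", "dst": "10.50.0.0/24", "port": 443,
     "action": "allow", "ticket": "CHG-0001"},
    {"id": 20, "src": "any", "dst": "10.50.0.0/24", "port": "any",
     "action": "allow", "ticket": "CHG-0002"},
    {"id": 30, "src": "10.60.0.0/24", "dst": "10.50.0.10/32", "port": 1433,
     "action": "allow", "ticket": None},
    {"id": 40, "src": "any", "dst": "any", "port": "any",
     "action": "deny", "ticket": "CHG-0000"},
]


def _touches_cde(cidr):
    """True if a rule endpoint ('any' or a CIDR) overlaps the CDE network."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr).overlaps(CDE_NETWORK)


def lint_rule(rule):
    """Return a list of finding strings for one rule (empty list = passes)."""
    findings = []
    if rule["action"] != "allow":
        return findings  # an explicit deny cannot be over-permissive
    if rule["src"] == "any" and _touches_cde(rule["dst"]):
        findings.append("allows any source into the CDE")
    if rule["port"] == "any":
        findings.append("allows all ports; restrict to required services")
    if rule["dst"] == "any":
        findings.append("allows traffic to any destination")
    if not rule.get("ticket"):
        findings.append("no change ticket; violates change management process")
    return findings


def lint_ruleset(rules):
    """Return {rule_id: [findings]} for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in lint_ruleset(SAMPLE_RULES).items():
        print(f"rule {rule_id}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed ruleset, rule 10 passes, rule 20 is reported for both the any-source and any-port conditions, rule 30 is reported only for the missing ticket, and the final explicit deny is ignored. Extending the checks (for example, requiring every allow rule into the CDE to name a business justification) is a matter of adding conditions to lint_rule.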
E. Sources
Evrin, V. “Risk Assessment and Analysis Methods: Qualitative and Quantitative.” isaca.org, 28 Apr. 2021, https://www.isaca.org/resources/isaca-journal/issues/2021/volume-2/risk-assessment-and-analysis-methods. Accessed 11 Feb. 2024.
FedRAMP. “FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide.” FedRAMP.gov, 23 Nov. 2021, https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf. Accessed 10 Feb. 2024.
NIST. “Guide for Conducting Risk Assessments NIST Special Publication 800-30 Revision 1 JOINT TASK FORCE TRANSFORMATION INITIATIVE.” nvlpubs.nist.gov, 2012, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf. Accessed 11 Feb. 2024.
NIST. “NIST Computer Security Division - Automated Combinatorial Testing for Software (ACTS).” csrc.nist.rip, 15 Jan. 2015, csrc.nist.rip/groups/SNS/rbac/. Accessed 10 Feb. 2024.
Rahman, M. “Essential Cybersecurity Components: Continuous Monitoring, Human Intelligence and Commitment.” isaca.org, 9 Feb. 2021, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/essential-cybersecurity-components-continuous-monitoring-human-intelligence-and-commitment. Accessed 11 Feb. 2024.
Sharif, A. “What Is Continuous Monitoring? Benefits & Best Practices - CrowdStrike.” Crowdstrike.com, 21 Dec. 2022, https://www.crowdstrike.com/cybersecurity-101/observability/continuous-monitoring/. Accessed 10 Feb. 2024.