For each RMF task, answer the following: If the task is done, is it complete, and on which page of the risk assessment report is it referenced? If not done, what are the recommendations for completing it, referring to ISO 27002, COBIT, NIST or ITIL, and where should the results be saved? Which external documents are needed for the task?

RMF Step 1: Categorize Information Systems

1.1 Security Categorization
Question: Using either FIPS 199 or CNSS 1253, categorise the information system. Is the completed categorization in the security plan?
Status: Not done.
Findings and recommendations: As highlighted in the risk assessment, there is no security plan (p. 18). Add the security categorization information to the security plan. The security categorization already completed in the risk assessment can form part of the security plan; the full categorization is on pp. 14-16 and is based on FIPS 199.
External documents: FIPS 199 for non-national security systems; CNSS 1253 for national security systems.
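The FIPS 199 categorization that task 1.1 asks for follows a fixed rule: rate each information type the system handles for confidentiality, integrity and availability as LOW, MODERATE or HIGH, take the highest rating per objective across all information types (the "high water mark"), and take the highest of those three as the overall system category. The following Python script is an added illustration of that rule and is not code from the essay or from the risk assessment report it reviews; the information types and impact levels it uses are constructed for the example and are not the actual SHGTS ratings.

```python
"""FIPS 199 security categorization using the high-water-mark rule (added example)."""

IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def high_water_mark(levels):
    """Return the highest impact level in `levels`; reject unknown values."""
    levels = list(levels)
    for level in levels:
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(information_types):
    """information_types maps a type name to {objective: impact level}.

    Returns (per-objective categorization, overall system category).
    The per-objective value is the high water mark over all information
    types; the overall category is the high water mark over the three
    objectives, exactly as FIPS 199 section 3 prescribes.
    """
    sc = {}
    for objective in OBJECTIVES:
        sc[objective] = high_water_mark(
            ratings[objective] for ratings in information_types.values()
        )
    overall = high_water_mark(sc.values())
    return sc, overall


def format_fips199(sc):
    """Render the categorization in the SC = {(objective, impact), ...} notation."""
    inner = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: hypothetical information types for a grants-tracking
# system. These are NOT the ratings of the system discussed on the page.
SAMPLE_TYPES = {
    "grant application records": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public programme information": {
        "confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
    "internal audit trail": {
        "confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
}


if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_TYPES)
    print(format_fips199(per_objective))
    print("Overall system category:", overall)
```

The per-objective line is what belongs in the security plan for task 1.1; the overall category is what drives the baseline control selection in step 2, which is why the essay treats the missing categorization as the root cause of the missing control documentation.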
1.2 Information System Description
Question: Is a description of the information system included in the security plan?
Status: Done.
Findings and recommendations: As evident from page 11 of the risk assessment report, the first step of the risk assessment approach is the determination of the system boundary, which provides the description of the information system. The information system is also described in the explanation of HBWC's information system criticality. The report covers the task.
External documents: None needed.

1.3 Information System Registration
Question: Identify the offices, organisational or management, with which the information system should be registered.
Status: Not done.
Findings and recommendations: As evident from the report findings on pages 19-21, there is no registration of information with any copyright or patent office as ISO/IEC 27002:2005 demands (ISO/IEC 27002:2005, 2005). There is also no information management registration for certification.
External documents: NIST SP 800-53A and ISO/IEC 27002:2005, which will facilitate registration of the information system.
RMF Step 2: Select Security Controls

2.1 Common Control Identification
Question: Describe the common security controls in place in the organisation. Are the controls included in the security plan?
Status: Not done.
Findings and recommendations: The report only mentions the need for security controls; the description is insufficient. As the risk assessment report indicates on page 7, operational security controls are identified among the strategies put in place to protect the integrity, availability and confidentiality of SHGTS. Additionally, the organisation needs to create technical controls to ensure proper security checks, as the NIST and COBIT guidelines suggest.
External documents: COBIT 4.1 and NIST SP 800-53A.

2.2 Security Control Selection
Question: Are the security controls selected for the information system documented in the security plan?
Status: Not done.
Findings and recommendations: Despite the report mentioning operational security controls, there is no documentation of the specific security checks (pp. 7, 40). Because there is no security categorization, which is the initial step in documenting security controls, it follows that OGG has failed to document security controls in its ISMS plan.
External documents: FIPS 199 and NIST SP 800-53A, which facilitate security control assessment and the documentation of the results of individual security control assessments.

2.3 Monitoring Strategy
Question: What security control monitoring procedures should be used to protect the information system and its environment of operation?
Status: Not done.
Findings and recommendations: Since the report does not identify, categorise or select security controls, there are no strategies for security control monitoring. Monitoring is essential for evaluating the effectiveness of security controls and documenting any changes to the security systems put in place.
External documents: FISMA and NIST publications such as NIST SP 800-30 and NIST SP 800-53A.

2.4 Security Plan Approval
Question: Has the security plan been reviewed and approved?
Status: Not done.
Findings and recommendations: The plan has no approval sheet at the end (p. 44). The lack of authorization and review documentation is probably due to the absence of an explicit security policy, which should name the individuals accountable for approving the security plan.
External documents: ISO/IEC 27002:2005, for guidelines on approval of the security plan.
RMF Step 3: Implement Security Controls

3.1 Security Control Implementation
Question: Have the security controls specified in the security plan been implemented?
Status: Not done.
Findings and recommendations: The security plan only mentions and documents security controls that would aid the company in monitoring, reviewing and improving operational controls for the protection of information systems.
External documents: FIPS publications and COBIT 4.1.

3.2 Security Control Documentation
Question: Has the security control implementation been documented?
Status: Not done.
Findings and recommendations: The risk assessment report's risk assessment matrix does not document the strategies for implementing the recommendations outlined (p. 25). In practice, the security controls and applications need to be listed and the implementation plans recorded.
External documents: FIPS publications (FIPS 200) and COBIT 4.1.
RMF Step 4: Assess Security Controls

4.1 Assessment Preparation
Question: Has a plan to assess the security controls been developed?
Status: Not done.
Findings and recommendations: Other than mentioning operational security controls, there is no documentation of specific security controls, hence there is no plan to assess them.
External documents: NIST SP 800-53A is the preferred external document; it assists in establishing a roadmap for assessing security controls.

4.2 Security Control Assessment
Question: Have the security controls defined in the security assessment plan been evaluated?
Status: Not done.
Findings and recommendations: The report has no security assessment section; there is a risk assessment, but it does not provide any explanation of security controls (p. 11). The ITIL framework is needed to assess the security controls by checking the achievement of business objectives against the needs of the security control resources.
External documents: ITIL framework.

4.3 Security Assessment Report
Question: Has the security assessment report from the security control assessment been completed?
Status: Not completed.
Findings and recommendations: There is no security assessment because the report has neither adequately identified the security controls nor provided a security control policy. The ITIL framework stipulates the use of security controls as a way of ensuring efficient delivery of IT services.
External documents: The guidelines in the ITIL V3 framework and the COBIT 4.1 standards.

4.4 Remediation Actions
Question: What remediation efforts on security controls need to be taken based on the findings and recommendations of the security assessment report?
Status: No remediation actions on security controls.
Findings and recommendations: The only cleanup measures present in the report are those in the risk assessment, documented in the threat actions section (p. 17). There is therefore no remediation for security controls, because the report lists neither the security checks nor the security policy. As ISO/IEC 27002:2005 suggests, there should be proper documentation of the corrective actions for every security threat identified (ISO/IEC 27002:2005, 2005).
External documents: ISO/IEC 27002:2005.
RMF Step 5: Authorise Information System

5.1 Plan of Action and Milestones
Question: Is there a completed plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions already taken?
Status: Not done.
Findings and recommendations: There is no completed plan of action and milestones in the report because there is no comprehensive security assessment. The only available measure is the threat response, which outlines countermeasures for foreseeable risks such as malware and vulnerabilities such as unauthorised workers accessing the OGG workstations. According to the NIST framework, corrective measures should follow the security assessment and serve as a roadmap for planning the remediation process.
External documents: NIST SP 800-53A.

5.2 Security Authorization Package
Question: Has the security package been authorised and submitted to the authorising official?
Status: Not done.
Findings and recommendations: There is no precise identification of the individuals in OGG who will receive the security package. The NIST framework suggests that the people responsible for making informed security control decisions should have the documented security report, assess it, and collaborate with others in planning the recommended actions. Managers are always the authorising officials.
External documents: NIST SP 800-53A publications.

5.3 Risk Determination
Question: What is the risk to organisational operations, organisational assets, individuals, and other organisations?
Status: Done.
Findings and recommendations: The report has a risk determination section which contains vulnerability and risk assessment, potential impact, likelihood estimation and appropriate recommendations (p. 20). For operational safety, the risk determination shows that the SHGTS risk of data manipulation by former users has a medium likelihood of occurrence, medium risk and a medium impact on continuity of operations. The task is accomplished.
External documents: None needed.

5.4 Risk Acceptance
Question: Is the risk to organisational operations, corporate assets, individuals, and other organisations acceptable with respect to avoidance, transference, and acceptance?
Status: Not acceptable.
Findings and recommendations: There is no section in the risk assessment report where OGG determines acceptable levels of risk. ITIL frameworks seek to align business goals with IT resource objectives, hence the need to determine the company's level of risk acceptance, transference and avoidance depending on the ISMS data classification and the effects of the risks on business objectives.
External documents: ITIL standards documentation and ISO/IEC 27002:2005.
RMF Step 6: Monitor Security Controls

6.1 Information System and Environment Changes
Question: What is the security impact of changes to the information system and its environment of operation?
Status: Done, but with insufficient information.
Findings and recommendations: In the findings section of the report (pp. 19-24), security impacts are identified for the primary areas (management, operational and technical elements) of the SHGTS system and its operating environment. For example, SHGTS does not have a system security plan, and the foreseeable security impact of that vulnerability is medium. However, the explanation of the security consequences is insufficient considering the series of threats that the SHGTS system faces.
External documents: NIST SP 800-53A information security documentation.

6.2 Ongoing Security Control Assessments
Question: Which security controls from the subset of technical, management, and operational security controls should be assessed?
Status: Not done.
Findings and recommendations: The report only documents risk assessment from the managerial, technical and operational security perspectives. The recommendation for OGG is to develop a security policy addressing all subsets of security controls: operational, managerial and technical.
External documents: NIST SP 800-53A.

6.3 Ongoing Remediation Actions
Question: What remediation measures need to be taken based on the results of monitoring activities?
Status: Not done.
Findings and recommendations: There are no results of SHGTS information system monitoring. The recommendation for SHGTS improvement is that continuous assessment should identify flaws and suggest corrective remediation measures throughout the evaluation cycle.
External documents: ITIL V3 flaw remediation documentation.

6.4 Key Updates
Question: Have the security plan, assessment report, and plan of action been updated based on the continuous monitoring process?
Status: Not done.
Findings and recommendations: The report does not have a section explaining the concept of continuous system security monitoring. It is recommended that security policies should be up-to-date so that se...