Follow the attach information to complete this work. Make sure it aligns with the Rubric.
Unit 2 Assignment Directions:
Risk-Assessment Strategy
Purpose
In this assignment, you will detail the risk-assessment plan and strategy for your organization that you described in your discussion post. You have demonstrated that you understand their core business functions and mission. Your risk assessment should be tailored to that understanding. If you implement the risk-management controls recommended by NIST, another standards body, or a trade association for your industry, you will be demonstrating compliance with government requirements. This means that if there is a breach, your legal office can provide a written justification that maps your compliance to your direct business services. This will also support any insurance claims and help to maintain your business reputation.
Directions
Write a detailed overview and analysis of the fundamentals of risk management in cybersecurity for your organization that you described in your discussion post. You may choose one of the following two options for formatting your response (see details below):
· Option A: A 4- to 6-page paper
OR
· Option B: A matrix (sample provided below) and a 2- to 3-page narrative
Regardless of which format you choose, be sure to address all the following elements:
1.
Write a substantive executive summary that includes the following:
a. A brief statement on the purpose and scope of the RA
b. Your focus on the current organizational assessment
c. Your risk-mitigation and management strategy
d. Cited references to authorities that show the organization’s compliance with government requirements, industry best practices (NIST), or other standards
2.
Assess the cybersecurity posture of your chosen organization. Be sure to include the following:
a. Describe your organization’s business goals, mission, objectives, and how the requirements would support them.
b. Use the implementation tiers in NIST to assess your organization’s current situation.
c. List vulnerabilities, countermeasures, and recommendations for improvement.
3.
Apply the NIST RMF framework:
a. Explain in more detail how to use NIST 800-53 (rev.5), NIST 800-30, and the new NIST 2.0 to create a comprehensive strategy.
b. Explain what actions you would take to align your business strategy with the recommended NIST best practices.
c. Clearly map the business objectives and goals to a cybersecurity plan. Include all the following key measures:
i. Prepare the organization.
ii. Categorize system and information.
iii. Select a range of 4–6 NIST SP 800-53 controls.
iv. Implement the controls and document how controls were deployed.
v. Assess whether the controls are in place, operating as intended, and producing the desired outcomes.
vi. Authorize risk-based decision-making.
vii. Continuously monitor implementation and risks to the system.
4.
Evidence of skills: Demonstrate your knowledge of risk-assessment protocols as well as legal and regulatory compliance.
5.
Write the paper with an organized, logical flow of information. Cite authoritative sources sufficiently to show that your analysis is based on the resources provided or other documents you find through your research. Please use a consistent citation style.
Executive Summary Features
Here are some ideas for what to include in your executive summary. A CEO should be able to use your summary for decision-making purposes. An executive summary includes a brief statement of the issue, which helps the executive understand the topic (risk mitigation and management).
As stated in the directions, cite the authorities you are using to show compliance with government requirements, industry best practices (e.g., NIST), or other standards. To analyze the importance of these requirements and best practices, one approach would be to follow the suggestions below.
Explain briefly how the templates and their rationale provide assurances to the CEO that these requirements reduce the organization’s cybersecurity risk. One way to do this is to cite a specific requirement as an example and explain how it is applied. Then you may also want to talk briefly about a technological solution you are using to assist you in this effort. You can then list some of the vulnerabilities your organization has in the system and explain how you will address them, Finally, you could discuss how you will make sure that you are ensuring compliance (e.g., continuous monitoring, establishing a training program that requires quarterly testing, or some other methods that demonstrate active participation).
To remind yourself how to cite references, visit the Library’s
APA Document Formatting (7th Edition) and
APA 7th Edition Citation Examples.
Format
Click the “+” to expand each section below.
Suggested Outline for Option A: Paper
Suggested Outline for Option B: Narrative and Matrix
Submission
· Review the Unit 2 Risk-Assessment Strategy Rubric to understand how you will be assessed on this assignment.
