Organization Enterprise Plan and Security Policy, Computer Science Assignment Homework Help

Question description

Organization Enterprise Plan and Security Policy

Prepare a security plan for your chosen organization that provides a security awareness policy, using the security policy framework outline prepared in Project 1 and following the Critical Infrastructure document, which concentrates on the following integral keywords to cover the necessary elements of an organization’s security plan: Identify, Protect, Detect, Respond, and Recover. The plan is a capstone of the work that you have accomplished in this course. You will use your outline, in addition to the keywords, to guide the outcome of the plan. The plan is an enterprise plan and security policy that includes the following considerations, analysis approach, and protections for the enterprise:

· Identify threats and vulnerabilities.
· Assign appropriate security controls to protect the infrastructure of the organization.
· Identify vulnerability scans and effective risk management protocols to ensure protections remain current and effective and detect any issues.
· Initiate an incident response plan for responding to problems.
· Develop a business continuity and disaster recovery plan to recover from interruptions in business whether manmade or geographical.

This plan must be completed and submitted in MS Word format. Use your chosen organization from Project 1 and the outline as a resource.

Align your organizational plan with the intent of the Critical Infrastructure document, as reflected in the following excerpt taken from it, and ensure you read the document in its entirety:
“The Framework complements, and does not replace, an organization’s risk management and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.

Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines, and practices that it provides also is not country-specific. Organizations outside the United States may also use the Framework to strengthen their own cybersecurity efforts, and the Framework can contribute to developing a common language for international cooperation on critical infrastructure cybersecurity.

1.1 Overview of the Framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. These components are explained below.

· The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.
· Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
· A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

1.2 Risk Management and the Cybersecurity Framework

Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance.

With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures. Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.”

Format: Provide a security policy and plan that will include the framework, essential plans for inclusion in the enterprise, risk management strategies, and recommended solutions for a baseline security control assessment. Refer to NIST 800-39 and FIPS 200 plus NIST 800-53-4. Double-space the document. Use APA. Complete with in-text citations and add a reference page. Write DRAFT in the upper right-hand corner. Include your name and Project Name on a cover sheet.

The post Organization Enterprise Plan and Security Policy, Computer Science Assignment Homework Help appeared first on Homeworkacetutors.


