Please Complete 7 & 8. 7 is partially completed.
Introduction:
Organizations commit to cybersecurity by way of a policy – this is how the organization describes the “law” of the organization. Policies generally do not include “how” something should be implemented, just the overall commitment (the Acceptable Use is an exception to this overall rule). In later assignments, we will be describing internal standards, which would indeed describe the details of “how.”
[AC-7] Unsuccessful Login Attempts: must enforce a limit on consecutive unsuccessful login attempts, and automatically lock the user account for a period of time until it is unlocked via established authentication methods, detailed in the internal standard.
or
[AC-11] Device Lock: must prevent further access to the system by initiating a device lock after a period of inactivity and retain the device lock until the user reestablishes access using established identification and authentication procedures, detailed in the internal standard.
Note that the lockout timings and the number of permitted unsuccessful login attempts are not listed in a policy – these would be detailed in the internal standard.
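To make the policy/standard split concrete, here is an added example (not part of the assignment text) in which the AC-7 and AC-11 clauses above are fixed logic, while every number (attempt limit, lockout duration, idle timeout) lives in a separate Standard object whose values are assumed, exactly as they would live in the internal standard rather than the policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Standard:
    # Internal-standard parameters: assumed values, not stated by the policy.
    max_failed_attempts: int = 5      # AC-7: consecutive failures before lock
    lockout_seconds: int = 900        # AC-7: lock duration before auto-unlock
    idle_lock_seconds: int = 600      # AC-11: inactivity before device lock

@dataclass
class Session:
    failed_attempts: int = 0          # consecutive failures so far
    locked_until: float = 0.0         # AC-7 lock expiry (epoch seconds)
    last_activity: float = 0.0        # AC-11 time of last user action
    device_locked: bool = False

def attempt_login(session, std, password_ok, now):
    """AC-7: count consecutive failures and lock when the limit is reached.
    Returns 'locked', 'failed' or 'ok'."""
    if now < session.locked_until:
        return "locked"                 # still inside the lockout window
    if not password_ok:
        session.failed_attempts += 1
        if session.failed_attempts >= std.max_failed_attempts:
            session.locked_until = now + std.lockout_seconds
            session.failed_attempts = 0  # counter restarts after the lock
            return "locked"
        return "failed"
    session.failed_attempts = 0         # a success resets the consecutive count
    session.last_activity = now
    return "ok"

def check_idle(session, std, now):
    """AC-11: lock the device once the inactivity period has elapsed."""
    if now - session.last_activity >= std.idle_lock_seconds:
        session.device_locked = True
    return session.device_locked

def touch(session, now):
    """Record user activity; a locked device ignores activity until re-authentication."""
    if not session.device_locked:
        session.last_activity = now

def unlock_device(session, std, password_ok, now):
    """AC-11: access is re-established only through the AC-7 authentication path."""
    if attempt_login(session, std, password_ok, now) == "ok":
        session.device_locked = False
    return session.device_locked
```

Changing the Standard values alters behaviour without touching the functions, which is the same relationship a policy clause has to its internal standard.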
Completion Instructions:
Section 7 of the Cyber Security Program document will contain 4 policies.
7) Policies – complete this section by providing 4 complete policies, using the template you created for the DB in this module.
Policies
Acceptable Use Policy (use what you did for the DB – and put it in the template format – you will have to add to it as the DB did not include all sections of the template). (Already Complete!!)
Asset Management Policy – This is mostly provided for you by way of an example. You should complete the blank sections.
Access Control Policy – leverage NIST 800-53r5, the Access Control family, for inspiration. There should be at least 8 policy clauses included (the 2 examples provided above may be used).
Risk Management Policy – leverage NIST 800-53r5, the Risk Assessment family, for inspiration. There should be at least 5 policy clauses included
Additional Policies
NAME at least 8 additional policies that should be created to support the organization.
Note – this is just the NAME of the policy – you do not have to create these policies.
You can list policies based on the aligned standard, such as from NIST. You may choose policies such as “Audit and Accountability” – or, if you want to be more direct, a policy like “Password Policy” is fine as well, or a combination of both. Ensure that your policies cover most, if not all, of the landscape of the common security control areas.
Completion
Each week more content will be added to the document; you will always turn in the entire document each time. There are additional notes and comments on the template; remove them as you move through the completion of the template. For example, for the sections due this week, all of the comments, notes, and suggested text should be removed from those sections.
Introduction:
Determining the controls that are to be implemented is an important step to ensure that data is secure.
Completion Instructions:
There are 2 sections to complete in your program document for this module. The first is a table that reflects the information assets that need to be secured, and the second is to describe the controls that should be implemented.
8. Security Controls
Information Assets that Require Protection: There is a table within the program document that requires completion. The table is driven by the Information Assets that are within the Bank. The asset needs to be described, and the system classification identified. The information assets are already provided for you based on the initial given material, but you can add to them as you wish.
Information or Information Asset (name) | How needed by business or mission | System Classification
Email | For communication… | “Confidential”
Bank Office ERP | |
MYBANK Platform | |
Security Controls Aligned to Information Assets:
This section details the security controls that are implemented or planned to be implemented. We do this by starting with a category of control, and then identifying what should be put into place to protect the information asset.
Reference Enterprise Cybersecurity Architecture Categories
System Administration
Network Security
Application Security
Endpoint, Server, and Device Security
Identity, Authentication and Access Management
Data Protection and Cryptography
Monitoring, Vulnerability and Patch Management
High Availability, Disaster Recovery, and Physical Protection
Incident Response
Asset Management and Supply Chain
Policy, Audit and Training
In addition to the requirements and data that have been indicated above, these are additional requirements that have been derived to better protect the data described above.
Security Requirement: What the requirement is; it can be as simple as “Confidentiality, Integrity, or Availability”, several of those, or others.
System or Security Control Implemented (category) – From the list of 11 areas above, include the 1 or 2 key architecture implementations that will provide security control (or more if applicable).
Control, Tool or Technology – Can be a description of a control, a name-brand tool or a generic technology approach. These can be re-used for multiple information system assets where the same tool will protect multiple assets. It is OK to leverage what you put in the DB.
Information or System that is being protected | Security Requirement | System or Security Control Implemented (category) | Control, Tool or Technology
Email | Confidentiality; Integrity | 1. Identity, Authentication and Access Management; 2. Data Protection and Cryptography | 1. Password Authentication; 2. Encrypted session to email when using Web; 3. Multi-factor authentication
Bank Office ERP | Confidentiality; Integrity; Availability | |
MYBANK Platform | | |
LEGACY BANK Application | | |
Submission Instructions:
Each week more content will be added to the document; you will always turn in the entire document each time. There are additional notes and comments on the template; remove them as you move through the completion of the template. For example, for the sections due this week, all of the comments, notes, and suggested text should be removed from those sections.