Special Note: Throughout the course, students will work on applying a cybersecurity framework to a small-to-medium-sized business. Each assignment will build upon the next, and will be compiled into a Cybersecurity Risk Report that helps their proposed business identify, assess, and manage cybersecurity risk. Refer to the “Framework Compliance Assessment Report Guide,” located within the Course Materials, for full instructions.
Organizations need to clearly identify risks before they become relative issues. Therefore, it is important for security professionals to understand how to construct proactive strategies for analyzing and assessing cybersecurity threats before they become active issues.
Select an area of industry that you are interested in and create a hypothetical business. Refer to the “Business Profile Template” when completing this portion of the assignment. Define the business environment by making sure to:
Describe the organization’s mission, objectives, stakeholders, and how it fits into the industry.
Describe the main product, service offerings, and consumer base.
Describe the main departments and their roles, including all major stakeholders.
Describe the company’s information technology infrastructure to include hardware, software, networks, data centers, facilities, and related equipment used to develop, test, operate, monitor, manage, and/or support information technology services.
Describe a common flow of information and decisions at the following levels within the organization: Executive, Business/Process, Implementation/Operations.
Then, in a Word document, begin implementing a cybersecurity framework. Refer to the “Framework for Improving Critical Infrastructure Cybersecurity,” located within the Course Materials, focusing specifically on “Table 2: Framework Core.” Make sure to:
Align the hypothetical business to the ISO/IEC 27001 Cybersecurity Framework.
Prioritize organizational efforts and business needs.
Identify individual elements of cybersecurity risk (threats to and vulnerabilities of) and how to manage them.
Describe how the organization incorporates privacy principles in relation to data collection, disclosure, and retention.