Describe assessment of security measures currently in place


Assignment:

Project Description

The objective of this assignment is to apply what you have learned in this course by carrying out a simple assessment of the cybersecurity measures in place at a fictitious business organization. Since this is a paper-based exercise, you can assume the organization to be any business entity, such as a college bookstore that accepts online textbook purchases, a pharmacy store that maintains a database of customer prescriptions, an auto-insurance agency that maintains customer data, a car rental business, a travel agency that handles flight and hotel reservations for clients, etc.

You can imagine yourself being hired as an Info Security consultant to perform a security audit of the fictitious company's IT infrastructure. Assume that some rudimentary security measures are currently in place, but there is much room for improvement. For your project report, describe your assessment of the security measures currently in place and recommend any needed improvements to ensure better IT security in the organization.

For the project, you can do a security assessment on either a single IT system or the entire IT infrastructure of an organization, whichever you think is feasible and manageable.

You may use any NIST Special Publications (e.g. SP800-171, SP1800), or any other national framework as a guide to assist in your report.

Deliverables: A project report describing your security assessment, as a single Word document

You can use the following general guidelines for your project report:

Your project report just needs to be a general assessment of the cybersecurity posture of a business entity. It should be 6 to 8 pages long (not including the cover page), 12 point character size, 1.15 line spacing, and have 1" margins on all sides. Your report should include a description of the organization, nature of its business, analysis of the results, and recommendations for improvement in the form of an action plan.

The project report should broadly cover the following areas:

1) Description of the organization - core operational area, corporation mission & vision, role of information security in the organization.

2) An assessment of the organization's documented security policies (Assume that you have been provided access to its EISP and ISSP documents outlining its various policies. You can look at some sample EISPs and ISSPs on the internet for ideas of what would be appropriate for the organization.)

3) The management controls that are currently in place to secure their IT systems

4) The operational controls that are currently in place to secure their IT systems

5) The technical controls that are currently in place to secure their IT systems

6) Results of security assessment - strengths of existing security posture and identification of weaknesses that need to be addressed. Include a prioritized list of vulnerabilities that need attention.

7) Recommendations for improvement and an action plan detailing steps for implementing them.

Remember, the main purpose of this project is only to give you an idea of how such assessments are carried out in practice.
