Describe how the two controls you selected should be implemented

Assignment

In the last few months, the Acme Corporation has undergone an internal PCI DSS audit to assess the systems and processes associated with credit card processing. During the audit, critical vulnerabilities were discovered in Acme's account management process. For example, the Windows domain controller and user computers were discovered to contain multiple inactive user accounts. Ultimately, it was discovered that no individual or team is actively managing user accounts on Acme's information systems. Additionally, technical vulnerabilities were discovered in critical servers. Acme's management has realized they need a framework that can support Acme in managing information security risk. As a result, your manager has requested that you perform a pilot study where you will apply the NIST Risk Management Framework to the recently discovered instances of noncompliance and vulnerabilities and assess how the RMF could help mitigate these risks.

In this part of the lab, you will assume the role of the Information Security Manager at Acme. Your manager has requested that you analyze how RMF could help Acme in managing its risks. To accomplish this goal, you will identify mitigation actions corresponding to each step of the RMF. At the end of this lab, you will have completed the RMF cycle and defined a risk management plan for the Acme Corporation.

A. Select one task from RMF (Risk Management Framework) and describe how the task could help Acme achieve its goal of creating a robust risk management plan.

B. In the context of the recent PCI DSS audit findings at Acme Corporation, identify a clause that describes the assets requiring protection.

C. Describe the system at Acme Corporation that was audited recently.

D. Describe two controls that could help mitigate the findings in the PCI DSS audit. One control should be at the information system tier and one control should be at the organization or mission/business process tier.

E. Describe how the two controls you selected should be implemented.

F. Assume the role of a top-level manager. What authorization decision would you make and why?

G. Consider the vulnerability created by the lack of an account management procedure. Which tasks from the RMF Monitor step would you suggest for monitoring the implementation of this control and the authorization of that implementation? Who would be the responsible parties for these tasks?
