In the book, we saw a number of ways to treat unacceptable risk in an organization. One approach for risk treatment is the NIST Risk Management Framework (RMF) outlined in SP 800-30, 37, and 39. The purpose of this assignment is to apply the NIST RMF to a specific situation to see how it fits in an organization.
Before You Get Started
Use the following resources to complete the assignment:
- NIST SP 800-30: Guide for Conducting Risk Assessments
- NIST SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Instructions
Scenario
Our organization, Nadir Tools Inc., makes power tools. Although security is usually vigilant, the Sales team managed to bypass the normal purchasing process to buy a large screen for a special presentation to potential customers. As a result, neither IT nor Security personnel were aware that a Wi-Fi-enabled screen had been sitting in the Sales Demo area for the last week until a member of the networking team detected unusual network traffic coming from the screen.
You have been tasked with applying the NIST Risk Management Framework to the whole situation. The CISO wants to figure out how to mitigate the current situation and also how the entire situation could have been avoided in the first place.
Please do the following:
- Considering the mitigation process in the above scenario, pick the most relevant task from each of the Tables E-1 to E-7 on pages 145-138 of the NIST SP 800-37 document, and explain why the task you picked was the most relevant one from each table. You can make reasonable assumptions about the organizational structure of Nadir Tools Inc. and about its current security arrangements as long as you spell out your assumptions.
- Explain which two tasks from these tables will be the most important as you come up with a plan for avoiding a repeat of the scenario in the future. What did you take into account when selecting these two tasks?
TIP: The various steps of the NIST RMF are summarized in Tables E-1 to E-7 on pages 145-138 of the NIST SP 800-37 document. There are links that take you back to earlier parts of the document where the specific tasks are spelled out.
For example, on page 131 we see Table E-3, and when we click on the "Task S-1" link, we are taken to page 50, where this task is described in more detail. Clicking on the "Task S-2" link in Table E-3 on page 131 takes us to the description starting on page 51, and so on.
Additional Details
- Format: Microsoft Word (or compatible)
- Font: Arial, 12-point
- Citation style: APA
- Suggested length: At least 3 pages, which can vary depending on your presentation of the content
Evaluation
TIP: Refer to the grading rubric attached to this assignment for further details.
Submit your work by the due date in the course calendar.
Rubric
Assignment: Risk Treatment
Criteria | Ratings | Pts
---|---|---
Apply components of the NIST RMF to the mitigation process for an event. | | 15 pts
Apply components of the NIST RMF to prevent a repeat of the event. | | 15 pts
Total Points: 30