Section 3: Cybersecurity Policy and Planning  As a small business owner with a mission of supporting services for the health, energy, and finance sectors, you want to begin a strategic plan that aligns the National

Section 3: Cybersecurity Policy and Planning 

As a small business owner with a mission of supporting services for the health, energy, and finance sectors, you want to begin a strategic plan that aligns the National Cybersecurity Strategic Plan and the CISA FY2024-2026 Cybersecurity Strategic Plan.

For the first phase of this plan, you need at least two goals with corresponding and appropriate objectives that will support your over mission. List and describe the goals and objectives. Also, describe how they align with National and CISA cybersecurity strategic plans.

Review existing policy templates from this content from this week and select at least 5 policies you would start to develop to support your business. Justify why you selected these policies and how they would help mitigate risks and possible threats.

Section 4: Security Control Assessment

Tabletop exercises  are often included as a critical part in preparing for cybersecurity incidents.

Security controls found in the NIST Special Publication 800-53r5 specifically discuss and recommend tabletop exercises to be included as part of testing incident response, contingency and other plans. For example, consider security control IR-3 INCIDENT RESPONSE TESTING:

Control: Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

Discussion: Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes. (CISA.gov)

Consider the following threat scenario found in CISA’s cyber insider threat situation manual.

“A disgruntled former employee takes advantage of their new position at one of your third-party vendors to exploit vulnerabilities in your systems created by a supply chain issue. An error by another employee discloses personally identifiable information (PII). “

Assume you are working as a cybersecurity manager for a medium-size company in the second year of a 50-million-dollar Department of Defense (DoD) contract award to support the Army. Your tasks are to support the growing cloud infrastructure program, but you also must support multiple off-site Windows and Linux server machines.

Using resources that include cybersecurity risk management best practices, and the implementation of appropriate security and privacy controls answer the following questions.

Note, since this is a fictional company, you will need to respond based on best practices and recommendations.  When responding, be sure to reference and/or justify your answer.

1. What are the greatest cybersecurity threats to your organization?
2. What cybersecurity threat information does your organization receive?
   1. What cyber threat information is most useful?
   2. How is information disseminated across your organization and by whom?
   3. What actions would your organization take following an alert like the one presented in the scenario?
3. Has your organization conducted a risk assessment to identify specific cyber threats, vulnerabilities, and critical assets?
   1. What information technology (IT) systems or processes are the most critical to your organization?
   2. Describe your organization’s asset management plan and how you prioritize critical assets.
   3. What improvements have been implemented to enhance cyber resilience following recent risk assessments?
   4. Does your organization have a vulnerability management program dedicated to mitigating known exploited vulnerabilities in internet-facing systems?
4. How does your organization mitigate insider threats? Does your organization have an insider threat management program?
   1. What are some behavioral indicators of an insider threat?
   2. What type of training do employees at your organization receive on identifying a potential insider threat?
5. Describe your organization’s cybersecurity training program for employees.
   1. How often are employees required to complete this training?
   2. Is training required during employee onboarding before granting system/network access?
   3. What additional training is required for employees who have system administrator-level privileges?
   4. What type of training methods or approaches have you found most beneficial?
6. How does your organization prevent the disclosure of PII?
7. What are your organization’s processes and procedures to revoke system access when an employee resigns or is terminated?
   1. Are there any additional processes implemented if the employee’s termination is contentious?
   2. Does your organization retrieve all information system-related property (e.g., authentication key, system administration’s handbook/manual, keys, identification cards, etc.) during the employment termination/off boarding process?
8. How often are your cybersecurity plans, policies, and procedures externally reviewed or audited?
   1. What were the most recent results and action items that followed?
9. What training does your cybersecurity incident response team undergo to detect, analyze, and report malicious activity?
10. As a leader in your organization what cybersecurity resilience goals have you set?
11. Be sure to list all references used and the website