Assignment Content
As the team leader for the Phoenix Security Services SureMarket account, you completed your SOX assessment of compliance. Now your company is being retained to monitor the status of SureMarket's security posture, including maintaining compliance with the Sarbanes-Oxley (SOX) Act, using the NIST RMF as described in NIST SP :
Step 1: Categorize Information Systems
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls
Review the security controls implemented and assessed during Steps 3 and 4.
Your next task as team leader is to complete Step 6 of the NIST RMF process by specifying the monitoring methods to be used, including security metrics and vulnerability management.
Security metrics are used to gain a holistic view of the effectiveness of the overall security program, while vulnerability management continuously monitors for new vulnerabilities and applies mitigation actions to reduce the risk they introduce. In some cases, a newly identified vulnerability will send the process back to Step 1 of the NIST RMF.
Part A: Metrics Plan
To prepare a metrics plan for the SureMarket information security department, create a to page Microsoft Word document that includes the following:
Describe the security strategy for measuring the effectiveness of the security controls and risk mitigations implemented during Step 3 of the NIST RMF process. For each of the vulnerabilities identified in the SureMarket IT systems, include the following:
How to measure mitigated risk
How to identify new vulnerabilities
How to measure SOX compliance
Describe the tools that you would use to measure and track trends, including key performance indicators and thresholds.
Illustrate how you would present metrics to senior leadership, including the requirement for reauthorization.
Part B: Vulnerability Management Plan
To prepare a vulnerability management plan for the SureMarket information security department, create a to page Microsoft Word document that includes the following:
Describe the strategy for continuously monitoring the SureMarket network and IT systems for new vulnerabilities. Include the methods and frequency for conducting the following:
Vulnerability scanning
Penetration testing
Describe a decision tree for mitigating newly identified vulnerabilities.
Format your citations according to APA guidelines.