Question: Before submitting your completed templates, work with other students to review their documents, provide feedback, and apply recommendations as appropriate. In your document, mention the recommendations from your group and how you specifically applied them.
Section 1: RMF Preparation
1.1 Roles and Responsibilities
Authorizing Official:
| Name: | Dr. Mariam Awuni |
| Title: | Authorizing Official (AO) |
| Work Phone: | (555) 123-4567 |
| Responsibilities: | The Authorizing Official is responsible for formally approving the system's use, based on a thorough risk assessment. They ensure that the system operates within acceptable risk levels and are accountable for ensuring compliance with relevant security policies. |
Chief Information Officer:
| Name: | Mark Thompson |
| Title: | Chief Information Officer (CIO) |
| Work Phone: | (555) 234-5678 |
| Responsibilities: | The CIO oversees the organization's IT strategy and ensures alignment with business objectives. They ensure that the system's infrastructure supports its strategic goals while maintaining security, integrity, and availability of the system. |
System Owner:
| Name: | Sarah Klein |
| Title: | System Owner |
| Work Phone: | (555) 345-6789 |
| Responsibilities: | The System Owner is responsible for the overall procurement, development, and maintenance of the system. They ensure that the system operates effectively and is compliant with organizational policies and security controls. |
Information Systems Security Officer:
| Name: | Fawzia Agandin |
| Title: | Information Systems Security Officer (ISSO) |
| Work Phone: | (555) 456-7890 |
| Responsibilities: | The ISSO manages the security of the system, ensuring it complies with the organization's security policies and protocols. They conduct regular risk assessments and are involved in security incident response activities. |
System Administrator:
| Name: | Adam Bukari |
| Title: | System Administrator |
| Work Phone: | (555) 567-8901 |
| Responsibilities: | The System Administrator is responsible for the day-to-day operation of the system, including configuration management, user account management, and monitoring system performance. They also ensure that security patches and updates are applied promptly. |
Information Owner:
| Name: | Daniel Lee |
| Title: | Data Governance Manager |
| Work Phone: | (555) 678-9012 |
| Responsibilities: | The Information Owner is responsible for ensuring the accuracy, integrity, and availability of the data within the system. They establish data access policies and ensure compliance with privacy regulations and internal policies. |
System User:
| Name: | Lisa Martinez |
| Title: | Financial Analyst |
| Work Phone: | (555) 789-0123 |
| Responsibilities: | System Users are individuals who use the system for its intended purpose. They are responsible for adhering to security policies and reporting any suspicious activity. |
Control Assessor:
| Name: | Kevin Roberts |
| Title: | IT Auditor |
| Work Phone: | (555) 890-1234 |
| Responsibilities: | The Control Assessor evaluates the security controls implemented within the system and ensures they meet required standards. They may perform audits and assessments to ensure ongoing compliance. |
Security Architect:
| Name: | Rachel Brooks |
| Title: | Senior Security Architect |
| Work Phone: | (555) 901-2345 |
| Responsibilities: | The Security Architect designs the security infrastructure for the system, ensuring that the design adheres to best practices for security and is aligned with the organization's risk management framework. |
1.2 Possible Risks for a Cloud-based Application
List and describe risks associated with a cloud-based application. Be sure to include references for your sources of information.
- Data Breaches: Unauthorized access to sensitive information stored in the cloud can lead to a data breach, exposing personally identifiable information (PII) or financial records.
- Reference: Jansen, W., & Grance, T. (2011). Special publication 800-144 guidelines on security and privacy in public cloud computing. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
- Insecure APIs: Application Programming Interfaces (APIs) are commonly used for cloud services. Poorly secured APIs can be exploited to access the underlying infrastructure and sensitive data.
- Reference: OWASP. (2019). OWASP API security - top 10 | OWASP. Owasp.org. https://owasp.org/www-project-api-security/
- Insider Threats: Employees or third-party service providers with access to cloud systems may intentionally or unintentionally compromise security.
- Reference: CISA. (2023). Defining insider threats. Cybersecurity and Infrastructure Security Agency CISA; CISA. https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
- Account Hijacking: Attackers can gain control over cloud accounts through weak passwords or social engineering, leading to unauthorized access to cloud resources.
- Reference: Ugochukwu, B. (2024, September 20). How to prevent cloud computing attacks. DevOps Blog. https://kodekloud.com/blog/how-to-prevent-cloud-computing-attacks/
- Data Loss: A cloud provider may experience outages or data loss, which can affect the availability of critical systems and data.
- Reference: Parashar, P. (2024, July 25). Understanding cloud outages: Causes, consequences and mitigation strategies | hcltech. Hcltech.com. https://www.hcltech.com/trends-and-insights/understanding-cloud-outages-causes-consequences-and-mitigation-strategies
1.3 System Categorization
The categorization has already been determined by another team as:
SC information system = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}
This results in a high-water mark of MODERATE.
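The high-water mark above is one instance of the FIPS 199 categorization rule. The following added example (not part of the original submission) parses the SC notation used on this page, aggregates several information types per objective, and returns the high-water mark that drives baseline selection; the second information type and the function names are assumptions for illustration.

```python
import re
from typing import Dict, Iterable

# FIPS 199 impact levels in ascending order; the high-water mark is the
# highest level reached by any of the three security objectives.
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Matches each "(objective, LEVEL)" pair in the SC notation used on this page.
_PAIR_RE = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(LOW|MODERATE|HIGH)\s*\)",
    re.IGNORECASE,
)

# The categorization stated on this page, copied verbatim as sample input.
PAGE_SC = ("SC information system = {(confidentiality, LOW), "
           "(integrity, MODERATE), (availability, LOW)}")


def parse_sc(notation: str) -> Dict[str, str]:
    """Parse an SC string into {objective: LEVEL}. Rejects a categorization
    that omits or repeats an objective instead of silently accepting it."""
    found: Dict[str, str] = {}
    for obj, level in _PAIR_RE.findall(notation):
        obj, level = obj.lower(), level.upper()
        if obj in found:
            raise ValueError(f"objective {obj!r} listed twice")
        found[obj] = level
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    return found


def aggregate(info_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """System categorization: for each objective, keep the highest impact
    level across every information type the system processes."""
    system = {o: "LOW" for o in OBJECTIVES}
    for sc in info_types:
        for obj in OBJECTIVES:
            if LEVELS.index(sc[obj]) > LEVELS.index(system[obj]):
                system[obj] = sc[obj]
    return system


def high_water_mark(sc: Dict[str, str]) -> str:
    """Overall system impact level = highest level among the objectives."""
    return max((sc[o] for o in OBJECTIVES), key=LEVELS.index)


if __name__ == "__main__":
    print(high_water_mark(parse_sc(PAGE_SC)))  # MODERATE
```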
Section 2: Selecting Security Controls
List the security controls that have been selected based on the system categorization using FIPS 200 guidance and the NIST SP 800-53 baseline security controls.
Table 1. Selected Security Controls
| ID | Control or Control Enhancement Name |
| AT-1 | Security Awareness and Training Policy |
| AU-4 | Audit Log Storage Capacity |
| CA-3 | Information Exchange Agreements |
| CP-4 | Contingency Plan Testing |
| IR-4 | Incident Handling with Automated Processes |
| PE-2 | Physical Access Authorizations |
| PM-23 | Establish Data Governance Body |
Provide appropriate organization-assigned parameters for these specific controls.
Table 2. Security Control ID and organizational-controlled parameters to complete
| Security Control ID | Organization-controlled Parameters |
| AT-1 | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles] c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
| AU-4 | Control: Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. (1) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. |
| CA-3 | a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; c. Review and update the agreements [Assignment: organization-defined frequency]. |
| CP-4 | a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. |
| IR-4 | Control Enhancements: (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES Support the incident handling process using [Assignment: organization-defined automated mechanisms]. (5) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected. (11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. |
| PE-2 | (2) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [Assignment: organization-defined list of acceptable forms of identification]. (3) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS Restrict unescorted access to the facility where the system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined physical access authorizations]]. |
| PM-23 | Control: Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. |
Section 3: Implement and Assess Security Controls
Using the templates provided in this attachment, complete the policies and documents for each of the following:
- Configuration Management Policy (CM-1)
- Maintenance Policy (MA-1)
- Acceptable Use Policy (PS-6)
- Contingency Planning Policy (CP-1)
- Identification and Authentication Policy (IA-1)
- Security Awareness Training Policy (PM-13)
In your submission submit the completed templates as an upload for your instructor to review.
Describe the process associated with implementing and documenting security controls. Estimate the timeline and number of people you might need to complete all 238 controls.
Process for Implementing and Documenting Security Controls
- Control Selection and Assessment
- Identify and assess applicable controls from frameworks like NIST SP 800-53 through a gap analysis.
- Planning and Resource Allocation
- Develop an implementation plan detailing timelines, resources, and responsibilities.
- Implementation of Controls
- Implement technical (e.g., firewalls), administrative (e.g., policies), and physical (e.g., access controls) security measures.
- Documentation of Controls
- Document each control's objectives, implementation procedures, and monitoring processes using standardized templates.
- Testing and Validation
- Conduct testing to verify controls function as intended and remediate any issues.
- Continuous Monitoring and Review
- Establish ongoing monitoring procedures and schedule periodic reviews for effectiveness.
- Reporting and Management Review
- Compile reports on implementation status and present findings to management.
Estimated Timeline and Resources
- Total Controls: 238
- Estimated Time per Control: 1 to 3 days
- Total Estimated Time:
- Low Complexity: 238 days (~8 months)
- Medium Complexity: 476 days (~16 months)
- High Complexity: 714 days (~24 months)
Personnel Requirements
- Project Manager: 1
- Security Analysts/Engineers: 2-4
- Compliance Officer: 1
- Documentation Specialist: 1
- IT Support Staff: 2-3
- Total Team Size: 7-12 personnel
Conclusion
Implementing and documenting security controls requires careful planning and ongoing monitoring. The estimated timeline and personnel needs will help manage compliance effectively.
Section 4: Assess Security Controls
A representative table of your results is shown below.
| Security Control | Examine | Interview | Test |
| AC-1 | Access control policy documented and accessible to all staff. | Security team confirms policies are enforced. | Access control policy reviewed against NIST standards. |
| AC-2 | Inspect account management procedures | HR confirms onboarding/offboarding procedures. | Test user creation and deletion processes. |
| AC-3 | Analyze access control lists and RBAC configurations | Consult system administrators on enforcement mechanisms | Attempt to access unauthorized data; verify access is denied |
| AC-4 | Review documentation of information flow policies | IT staff confirms data transfer policies. | Test data transfer processes to verify restrictions. |
| AC-5 | Check roles and responsibilities for separation | Interview department heads about their implementation | Verify that critical functions require multiple approvals. |
| AC-6 | Evaluate the process for granting and reviewing privileges | Speak with users about their access levels | Attempt to access sensitive data; verify restrictions. |
Section 5: Continuous Monitoring
