Your first task is to prepare a 3 to 4 page research paper which provides an analysis of the IT Governance, IT Management, and Risk Management issues and problems that might be encountered by an e-Commerce company (e.g. Amazon, e-Bay, PayPal, etc.). Your paper should also include information about governance and management frameworks that can be used to address these issues. The specific frameworks that your team leader has asked you to address are: ISO/IEC 27000 Family of Standards for Information Security Management Systems ISACA’s Control Objectives for Information Technology (COBIT) version 5 NIST’s Cybersecurity Framework (also referred to as the “Framework for Improving Critical Infrastructure Security”)
csia_350_project_1___integrating_nist_csf_with_it_governance_frameworks_v1_2.docx
Unformatted Attachment Preview
CSIA 350: Cybersecurity in Business & Industry
Project #1: Integrating NIST’s Cybersecurity Framework with Information Technology
Governance Frameworks
Scenario
You have been assigned to your company’s newly established Risk Management Advisory
Services team. This team will provide information, analysis, and recommendations to clients who need
assistance with various aspects of IT Risk Management.
Your first task is to prepare a 3 to 4 page research paper which provides an analysis of the IT
Governance, IT Management, and Risk Management issues and problems that might be encountered by
an e-Commerce company (e.g. Amazon, e-Bay, PayPal, etc.). Your paper should also include information
about governance and management frameworks that can be used to address these issues. The specific
frameworks that your team leader has asked you to address are:
•
•
•
ISO/IEC 27000 Family of Standards for Information Security Management Systems
ISACA’s Control Objectives for Information Technology (COBIT) version 5
NIST’s Cybersecurity Framework (also referred to as the “Framework for Improving
Critical Infrastructure Security”)
The Risk Management Advisory team has performed some initial research and determined that
using these three frameworks together can help e-Commerce companies ensure that they have
processes in place to enable identification and management of information security related risks
particularly those associated with the IT infrastructure supporting online sales, payment, and order
fulfillment operations. (This research is presented in the Background section below.) Your research
paper will be used to extend the team’s initial research and provide additional information about the
frameworks and how each one supports a company’s risk management objectives (reducing the risks
arising from cyber threats and cyberattacks against information, information systems, and information
infrastructures). Your research should also investigate and report on efforts to date to promote the use
both frameworks at the same time.
Your audience will be members of the Risk Management Services team. These individuals are
familiar with risk management processes and the e-Commerce industry. Your readers will NOT have indepth knowledge of either framework. For this reason, your team leader has asked you to make sure
that you include a basic overview of these frameworks at the beginning of your paper for the benefit of
those readers who are not familiar with CSF and COBIT.
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
Background
Security Controls
Security controls are actions which are taken to “control” or manage risk. Security controls are
sometimes called “countermeasures” or “safeguards.” For this assignment, it is important to understand
that it is not enough to pick or select controls and then buy or implement technologies which implement
those controls. A structure is required to keep track of the controls and their status — implemented
(effective, not effective) and not implemented. The overarching structure used to manage controls is the
Information Security Management System.
Information Security Management System (ISMS)
An Information Security Management System is the set of policies, processes, procedures, and
activities used to structure the organizational unit which is responsible for managing the cybersecurity
or information security program in a business. Companies can and do design their own structure for this
program including: scope, responsibilities, and resources. Many companies, however, choose to use a
defined standard to provide guidance for the structure and functions assigned to this organization. The
ISO/IEC 27000 family of standards is one of the most frequently adopted and is comprised of best
practices for the implementation of an information security program. The ISO/IEC 27001 standard
specifies the requirements for and structure of the overall Information Security Management System
and ISMS program. The ISO/IEC 27002 standard provides a catalog of security controls which can/should
be implemented by the ISMS program. For additional information about the standards, please see this
blog https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards.
Note: there are a number of free resources which describe the contents and purposes of the ISO/IEC
27000 family of standards. For your work in this course, you do not need access to the official standards
documents (which are not freely available).
Control Objectives for Information Technology (COBIT)
COBIT is a framework that defines governance and management principles, processes, and
organizational structures for enterprise Information Technology. COBIT includes a requirement for
implementation of an Information Security Management System and is compatible with the ISO/IEC
27000 series of standards for ISMS implementation.
COBIT 5 has five process areas which are specified for the Governance and Management of
enterprise IT. These areas are:
•
•
•
•
Evaluate, Direct, and Monitor (EDM)
Align, Plan, and Organize (APO)
Build, Acquire, and Implement (BAI)
Deliver, Service, and Support (DSS)
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
•
Monitor, Evaluate, and Assess (MEA)
Beginning with version 5, COBIT has incorporated Information Security as part of the framework.
Three COBIT 5 processes specifically address information security: APO 13 “Manage Security,” DSS04
“Manage Continuity,” and DSS05 “Manage Security Services.”1
NIST Cybersecurity Framework (CSF)
The NIST Framework for Improving Critical Infrastructure Security, commonly referred to as the
Cybersecurity Framework or CSF, was developed in collaboration with industry, government, and
academia to provide a common language and common frame of reference for describing the activities
required to manage cyber-related risks and, in so doing, protect and defend against cyber attacks. Unlike
many NIST guidance documents, the CSF was designed specifically for businesses – to meet their needs
and support attainment of business objectives. Originally designed for companies operating in the 16
critical infrastructure sectors, the CSF is now being required of federal government agencies and
departments and their contractors. The Executive Summary of the NIST CSF version 1.1 provides
additional background and supporting information about the purposes, goals, and objectives of the CSF.
The Cybersecurity Framework is presented in three parts:
• Core Functions (Identify, Protect, Detect, Respond, Recover)
• Implementation Tiers (risk management processes and practices)
• Profiles (specific to a business or industry – goals and desired outcomes)
Commonalities between ISO/IEC 27000, COBIT, and NIST CSF
There are a number of common elements between the information security frameworks defined
in the ISO/IEC 27000 family of standards, the COBIT standard, and the NIST Cybersecurity Framework.
Each of these frameworks addresses risks that must be addressed by businesses that depend upon
digital forms of information, information systems, and information infrastructures. Each framework
presents structured lists of IT Governance and IT Management activities (processes and practices) which
must be adopted and implemented in order to effectively manage risk and protect digital assets from
harm or loss. Each framework also provides a list or catalog security. Each framework also provides lists
of goals or objectives which must be met in order to assure the effectiveness of controls implemented
to defend against cyber threats and attacks.
The ISO/IEC 27001:2013 and COBIT 5 controls and process areas have been cross referenced to
the NIST Cybersecurity Framework Functions, Categories, and Subcategories in the NIST CSF document.2
Table 1 below shows examples of the mapping between COBIT 5 and NIST CSF as provided in Table 2:
Framework Core: Informative References in the NIST CSF document.
1 Source: http://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf
2
Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
Table 1. Example Mappings from ISO/IEC 27001 to COBIT 5 Processes to NIST CSF Functions
ISO/IEC
27001:20133
A.5.1.1
A.16.1.6
COBIT 5 Process
APO 13.01
DSS 04.02
NIST CSF
Function
Identify
Identify
A.6.1.1, A.7.2.1,
A.15.
A.12.6.1,
A.18.2.3
DSS 05.04
Identify
DSS 05.01, DSS
05.02
Identify
NIST CSF Category
Governance (ID.GV)
Risk Assessment
(ID.RA)
Governance (ID.GV)
Risk Assessment
(ID.RA)
NIST CSF
Subcategory
ID.GV-1
ID.RA-4
ID.GV-2
ID.RA-1
Adoption and Use of IT Security Frameworks
A 2016 survey conducted by Dimensional Research for Tenable4 found that over 80% of the
responding organizations used an IT security or cybersecurity frameworks to structure their IT security
management program. This finding was similar across all sizes of companies and across industries. Over
40% of the respondents used multiple frameworks. The NIST CSF was utilized by over 40% of the
respondents – approximately the same number who adopted the ISO/IEC 27000 standards. One notable
finding was that in some cases the NIST CSF adoption was required by a business partner or a federal
contract.
Research
1. Read / Review the weekly readings
2. Consult Aligning COBIT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit
http://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002for-Business-Benefit_res_Eng_1108.pdf for additional information about the activities / controls
included in ISO/IEC 27002 and COBIT. This reference should be used in conjunction with the
“Informative References” listed in NIST’s Cybersecurity Framework Core definitions.
3. Review the following outlines and explanations of the ISO/IEC 27001 and 27002 standards
a. ISO/IEC 27001:2013 Plain English Outline (excerpts for Information Security provisions)
http://www.praxiom.com/iso-27001-outline.htm and http://www.praxiom.com/iso27001.htm
b. ISO 27002:2013 Translated into Plain English http://www.praxiom.com/iso-27002.htm
4. Read the following analyses and articles about COBIT 5 and its information security related
functions.
3
Names for many of the ISO/IEC 27001 controls can be found here: https://www.bsigroup.com/Documents/iso27001/resources/BSI-ISO27001-mapping-guide-UK-EN.pdf
4
Source: https://static.tenable.com/marketing/tenable-csf-report.pdf
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
a. COBIT 5 for Information Security (ISACA)
https://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-SecurityIntroduction.pdf
b. About COBIT 5 https://cobitonline.isaca.org/about
c. COBIT 5 for Risk – A Powerful Tool for Risk Management
http://www.isaca.org/COBIT/focus/Pages/cobit-5-for-risk-a-powerful-tool-for-riskmanagement.aspx
d. 9 Burning Questions about Implementing NIST Cybersecurity Framework Using COBIT 5
https://www.itpreneurs.com/blog/9-burning-questions-about-implementing-nistcybersecurity-framework-using-cobit-5/
5. Read the following analyses and articles about adoption of the NIST CSF
a. Trends in Security Framework Adoption https://static.tenable.com/marketing/tenable-csfreport.pdf
b. How to Implement NIST CSF: A 4-Step Journey to Cybersecurity Maturity
https://www.rsam.com/wpcontent/uploads/2018/06/Rsam_NIST_CSF_Implementation_WP-sept-2017.pdf
c. 5 Steps to Turn the NIST Cybersecurity Framework into Reality
https://www.securitymagazine.com/articles/88624-steps-to-turn-the-nist-cybersecurityframework-into-reality
6. Find three or more additional sources which provide information about best practices for
implementing the NIST Cybersecurity Framework Core and COBIT 5 (separately and together).
Write:
Use standard terminology including correctly used cybersecurity terms and definitions to write a
two to three page summary of your research. At a minimum, your summary must include the following:
1. An introduction or overview of the role that the Information Security Management System plays as
part of an organization’s IT Governance, IT Management, and Risk Management activities. The most
important part of this overview is a clear explanation of the purpose and relationships between
governance and management activities as they pertain to managing and reducing risks arising from
the use of information technology.
2. An analysis section that provides an explanation of how ISO/IEC 27000, 27001, 27002; COBIT 5; and
NIST’s CSF can be used to improve the effectiveness of an organization’s risk management efforts
for cybersecurity related risks. This explanation should include:
a. An overview of ISO/IEC 27000, 27001, and 27002 that includes an explanation of the
goals and benefits of this family of standards (why do businesses adopt the
standards, what do the standards include / address, what are the desired outcomes
or benefits).
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
b. An overview of COBIT 5 that includes an explanation of the goals and benefits of this
framework (why do businesses adopt the framework, what does the framework
include / address, what are the desired outcomes or benefits).
c. An overview of the NIST Cybersecurity Framework (CSF) which explains how
businesses can use this framework to support ALL of their business functions (not
just critical infrastructure operations).
d. Five or more specific examples of support to risk management for e-Commerce and
supporting business operations that can be provided by implementing ISO/IEC
27000/1/2, COBIT 5, and NIST CSF.
3. A recommendations section in which you provide and discuss five or more ways that e-Commerce
companies can use the standards and frameworks at the same time (as part of the same risk
management effort). You should focus on where the frameworks overlap or address the same issues
/ problems. (Use Table 2: Informative References to find overlapping functions / activities.) You are
not required to identify or discuss potential pit falls, conflicts, or other types of “problems” which
could arise from concurrent use of multiple guidance documents.
4. A closing section that provides a summary of the issues, your analysis, and your recommendations.
Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #1 Assignment in your
assignment folder. (Attach the file.)
Additional Information
1. Consult the grading rubric for specific content and formatting requirements for this assignment.
2. Your 2-3 page white paper should be professional in appearance with consistent use of fonts,
font sizes, margins, etc. You should use headings and page breaks to organize your paper.
3. Your paper should use standard terms and definitions for cybersecurity. See Course Content >
Cybersecurity Concepts for recommended resources.
4. The CSIA program recommends that you follow standard APA formatting since this will give you
a document that meets the “professional appearance” requirements. APA formatting guidelines
and examples are found under Course Resources > APA Resources. An APA template file (MS
Word format) has also been provided for your use
CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx.
Copyright ©2019 by University of Maryland University College. All Rights Reserved
CSIA 350: Cybersecurity in Business & Industry
5. You must include a cover page with the assignment title, your name, and the due date. Your
reference list must be on a separate page at the end of your file. These pages do not count
towards the assignment’s page count.
6. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct, and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
7. You are expected to credit your sources using in-text citations and reference list entries. Both
your citations and your reference list entries must follow a consistent citation style (APA, MLA,
etc.).
Copyright ©2019 by University of Maryland University College. All Rights Reserved
…
Purchase answer to see full
attachment
