Assessment Description

A business continuity plan details all of the steps a company must take in the event of an emergency, whether it is fire, flood, or computer hacking. This is how to create one that maximizes your business’s chance of survival should something like that happen.

Using the “FEMA Small Business Continuity Plan Template,” located in the topic Resources as well as the “Benchmark – Impact Analysis Part 1: Information Acquisition,” “Impact Analysis Part 2: Audit,” and “Impact Analysis Part 3: Prevention and Response Strategies,” assignments from CYB-630, create a 40- to 60-page comprehensive business continuity plan that reports how the business will successfully operate regardless of any obstacles. Be sure to address the following:

Develop a cybersecurity program aligned with business needs, regulations, and compliance standards to enhance the organization’s security posture.

Determine appropriate business strategies to ensure business sustainability, availability, and reliability, and articulate these needs to relevant stakeholders.

Include the components of the BCP.

Cybersecurity Framework
Rohit Grover
College of Sciences, Engineering and Technology, Grand Canyon University
CYB 630: Enterprise Cyber Law and Compliance Strategies
Sean Atkinson
30-Mar-2022
Impact Analysis Part 1: Information Acquisition
The Department of Defense (DoD) has devised a new framework for preserving state
data and evaluating contractor compliance. Working as a DoD supplier is a small part of many
firms’ operations but usually requires considerable work and carries risk. Payment delays and
cash flow issues can result from failure to adhere to DoD trade standards. Compliance errors
may also result in rejected shipments, potential costs, and the possibility of not being renewed
or not receiving new contracts. However, DoD compliance should not be a burden, and firms
willing to pursue defense business can create a steady revenue stream in the coming years.
Compliance followed by DoD
The DoD requirements in the NIST (National Institute of Standards and Technology)
requirements are as follows:
• Security measures must ensure that data cannot be accessed or disseminated
unlawfully.
• Report security problems and any transgression or cyber occurrence to the U.S.
military swiftly and accurately. This requires that the media be transparent and that the
authorities disclose dangerous code.
• The company will utilize subcontractors to assist with the task, ensuring that the
company’s information system complies with all applicable subcontractor regulations
(Twagirayezu, Talukder, & Geerts, 2018).
Overarching Guidance
The regulations’ advice guarantees that information security functions correctly and
that guidance rules and controls are maintained. The DAS is defined in DoDD 5000.01 and
DoDI 5000.02 as the management concepts regarded as substantial. DAS contributes to the
NDS by establishing a robust and efficient procedure based on American technology
advancements and an individual’s capacity to deliver a determined and persistent advantage
(Hameed & Swar, 2016).
Overarching Laws
• Providing adequate guard training is critical for military personnel dwelling in or
crossing remote access and distribution via their public information systems.
• If firms or subcontractors discover dangerous programs and isolate them in
connection with cyber cafes, they should forward them to the DoD Cyber Crime
Center (DC3) following DC3’s or the procurement officer’s instructions.
• Maintain and safeguard images of any known damaged information systems and
any pertinent tracking and unpacking data for at least 90 days following the delivery
of the cyber incident report, in addition to permitting DoD to make media
requests or decline interest.
Standards, Frameworks, Policies, and Best Practices
ScottyTec, Inc. is a fake employee-owned small business focused on growth. Its fundamental
concepts are to deliver superior customer service by recruiting and retaining a highly skilled
workforce, meeting and surpassing customer expectations via the execution of disciplined
programs, and utilizing innovative business procedures to enhance cost-effectiveness.
ScottyTec is an engineering firm. The establishment and execution of ScottyTec objectives
require standards, frameworks, and policies to safeguard the security objective’s information
from threats and vulnerabilities that suggest the organization’s security attacks create the
information risk. Legal requirements are a process carried out by a large number of individuals
at various levels of the firm. Second, regulations must be developed systematically throughout
time. Without a clear understanding of the strategic implications of policy, the government
may soon devolve into an additional expenditure or an accepted dogma. In information
technology, the strategy is necessary for establishing particular goals and, more importantly,
for cultivating a culture focused on regulated, corporate services.
In comparison, compliance and policymaking operations must be coordinated well.
Without an accurate reproduction of observation and monitoring procedures, the policy will be
implausible and rejected as dogma. Outside of the underlying policy infrastructure,
compliance operations will fail at a high rate due to inadequately articulated or communicated
demands.
As a result, policy objectives should drive specific conformance efforts; the rate of development
on both sides of the debate may be comparable (Chorna & Milenin, 2018).
Critical Data Infrastructure Assets
Visualize the information: The information plan is used to comprehend the data acquired and
stored; it summarizes critical facts.
Find the essential data: After displaying the data and assessing the threat to the
resources, businesses can identify critical data.
Threats of access: The organization’s resources will be recognized, and protection procedures
will be devised.
Measuring the plan’s needs and requisite security assesses an organization’s critical assets.
Human Resources
Principles and functions of application management: This application management system
is utilized to establish and develop the organization’s personnel.
The following factors are considered to make employee-related decisions: The staff’s
decision-making processes are consistent with human resource policies.
The organizations’ technical impact: Technical clout of the organizations will yield the
optimum outcomes for the H.R. Company.
The functions of human resources are not limited to business: This responsibility of human
resources applies to the organization as a whole and all sectors of society, including education
and health care.
Law Enforcement Entities
Under the National Conference of State Legislatures (NCSL), all 50 states, the
District of Columbia, Puerto Rico, and the United States Virgin Islands have embraced
legislation requiring private entities and federal agencies to notify individuals directly
impacted by security breaches that could affect their proof of identity or data. These
regulations define what constitutes personal information in each state, the organizations
required to comply, the definition of a cyberattack, the time and method of notifying
individuals and regulators, consumer credit reporting organizations, and exemptions for
encrypted data.
Entities operating in any state must still be familiar with federal rules and legislation
that apply to any institution that collects, stores, or processes data regarding residents of that
state. While various jurisdictions’ policies share several fundamental characteristics, national
legislatures have endeavored to build a secure and trusted consumer in their own countries.
Though many countries’ laws contain some fundamental values, legislative leaders battled to
achieve them.
Federal Law Enforcement
In most cases, federal law enforcement will have the most critical capability to
investigate cybersecurity issues: the United States Secret Service (USSS) and the Federal
Bureau of Investigation (FBI). It is classified as having primary expertise in specified areas
such as eavesdropping, foreign counterintelligence, national security, international relations,
and detailed banned data. Nonetheless, it appears that both the USSS and FBI are working on
cybersecurity investigations and have grown too involved in territorial issues. Both the USSS
and the FBI appear to be cooperating on cybersecurity investigations without delving into
jurisdictional concerns, and both are excellent resources for reporting cyber-security incidents.
State and Local Law Enforcement
Various state data protection warning legislation about applying regulations and
obtaining a “police report” in the usage image. Often, notifying state or local law enforcement
authorities of the cybersecurity incident is the simplest method. It is frequently an appealing
matter to ensure that “checking the case” is completed. It is not, however, an issue of content.
One primary reason for this is that most state law enforcement agencies do not (and still do
not) have the experience, technology, money, or workforce available to them from federal
agencies such as the USSS and the FBI (Berry & Berry, 2018).
References
Berry, C. T., & Berry, R. L. (2018). An initial assessment of small business risk management approaches for cyber security threats. International Journal of Business Continuity and Risk Management, 8(1), 1. https://doi.org/10.1504/ijbcrm.2018.10011667
Chorna, M., & Milenin, D. (2018). Electromagnetic technology of increasing the yield of sunflower. Technology Transfer: Fundamental Principles and Innovative Technical Solutions, 2, 43–45. https://doi.org/10.21303/25856847.2018.00769
Hameed, T., & Swar, B. (2016). Information systems acquisition decisions: Learning management system of SolBridge. Journal of Information Technology Teaching Cases, 6(2), 121–133. https://doi.org/10.1057/s41266-016-0006-y
Ju, F., Wang, M., Luan, H., Du, P., Tang, Z., & Ling, H. (2018). Reactive adsorption desulfurization of NiO and Ni0 over NiO/ZnO–Al2O3–SiO2 adsorbents: Role of hydrogen pretreatment. RSC Advances, 8(58), 33354–33360. https://doi.org/10.1039/c8ra06309e
The Definitive Guide to U.S. State Data Breach Laws. (n.d.). https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitiveguide-to-us-state-data-breach-laws.pdf
Cybersecurity Framework
Rohit Grover
College of Sciences, Engineering, and Technology, Grand Canyon University
CYB 650: Innovation in Security Framework
Dr. Hermano Jorge De Queiroz
1-June-2022
Impact Analysis Part 2: Audit
Industry-Specific Cyber Law about Inquiries and Incidents
Healthcare does not exist in a vacuum. That is, its operators conduct daily
operations in a human-populated area. As a result, it must adhere to industry-specific
cyber rules regarding investigations and incidents.
The cybersecurity sector, particularly related to the healthcare industry in the
United States, is highly substantial. The public and private sectors work diligently to
protect data and information from dangerous attackers. As a result of technological
innovation, there has been a growing demand for increased awareness of securing data
from cyber-attack. Several significant statutes governing inquiry and occurrences are
mentioned below. These are mandatory for all businesses operating in the United
States. These rules do not give absolute protection against cyber-attacks, but rather lay
a solid framework for businesses to adhere to their security standards. (2017) (Singh,
2016).
Critical Information Infrastructure’s Configuration
Some of the critical cybersecurity laws are as follows:
1996 Health Insurance Portability and Accountability Act (HIPAA):
Designed to prevent unauthorized access to patient information.
1999 Gramm-Leach-Bliley Act: Requires businesses to disclose their rules
on sharing information and data to customers.
Federal Information Security Management Act (FISMA): Federal agencies
must build plans to implement information security principles throughout their
operations.
Windows are frequently closed to prevent unauthorized parties from sharing
vital info. The following security and protection protocols and processes are
implemented in essential information infrastructure configuration techniques.
Additionally, access to the server is restricted to authorized users only and is
accompanied by appropriate control methods.
1. Access to doors and windows is restricted to workers and patients whom the
company’s board of directors has granted particular security clearance and
authentication.
2. Physical access via key cards and digital access via biometrics are highly recommended.
3. Network configurations should be risk-averse and employ harsh security measures
to prevent hackers from gaining access to data.
4. Hardware and software are updated regularly.
5. Every 90 days, all passwords are reset and stay complicated.
6. All vulnerabilities and defects should be reported immediately.
7. User access is meticulously documented.
8. Backups of user data should be maintained to provide rapid recovery in a disaster.
Key Vulnerabilities Points and Strengths
Among the primary qualities noted before are the use of anti-virus software on
each network, a Firewall to filter packet context, file access control, and the proper and
exact implementation of network and system resources. There are no known
vulnerabilities in the entity’s network, as a firewall protects each network, and each
machine is protected by anti-virus software. The following table illustrates a live
presentation of a workstation and server compliance test.
| Case | Scenario | Steps | Data | Expected result | Actual result | Result |
|---|---|---|---|---|---|---|
| 1 | Ransomware installation through PDF | Log in to the system, open a browser-based mail client, and download a malicious attachment. | NIL | File successfully sanitized | Ransomware installed | Fail |
| 2 | Sanitize file | File was downloaded from the internet and saved as an attachment. | NIL | Successfully sanitized | Successfully sanitized | Pass |
| 3 | Altering an unauthorized file | Log in to the system, access the web log, and edit a file that is not privileged. | Username, password | Unable to modify | Unable to modify | Pass |
| 4 | Access to external media | Navigate to the external system’s media configuration and input the external media. | NIL | Unable to detect | Unable to detect | Pass |
| 5 | The username was subjected to a brute force attack. | Remotely log in and brute force access. | Username, password | IP restricted | IP restricted | Pass |
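The configuration list and the compliance table above describe the controls an audit verifies (anti-virus on each machine, a firewall on each network, file access control, 90-day password rotation, documented user access, and backups) and record every check as an expected result, an actual result, and a pass or fail. The following Python script is an added example, not code from the paper or from the audited entity: it evaluates constructed host records against those controls and reports them in the same expected/actual/pass-fail layout. The host inventory, the audit date, and the 7-day backup window are assumptions made for the example.

```python
"""Workstation/server compliance check in the expected/actual/pass-fail layout
of the audit table. Added example; not code from the paper or the audited entity.
Host records, the audit date and the 7-day backup window are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

PASSWORD_MAX_AGE_DAYS = 90   # control 5 in the list: passwords reset every 90 days
BACKUP_MAX_AGE_DAYS = 7      # assumed recovery window for control 8 (not stated on the page)


@dataclass
class HostRecord:
    """Constructed snapshot of one workstation or server (sample data)."""
    name: str
    antivirus_enabled: bool
    firewall_enabled: bool
    password_last_set: date
    access_logging_enabled: bool
    last_backup: Optional[date]              # None: no backup has ever completed
    world_writable_files: List[str] = field(default_factory=list)


@dataclass
class CheckResult:
    control: str
    expected: str
    actual: str

    @property
    def passed(self) -> bool:
        # A check passes only when the observed state matches the expected state,
        # exactly as the audit table records it.
        return self.expected == self.actual


def check_host(host: HostRecord, today: date) -> List[CheckResult]:
    """Evaluate the listed controls against one host record."""
    results: List[CheckResult] = []
    # Control 5: password age must not exceed 90 days.
    pw_age = (today - host.password_last_set).days
    results.append(CheckResult("password age <= 90 days", "compliant",
                               "compliant" if pw_age <= PASSWORD_MAX_AGE_DAYS
                               else f"stale ({pw_age} days)"))
    # Anti-virus on each machine and a firewall on each network.
    results.append(CheckResult("anti-virus", "enabled",
                               "enabled" if host.antivirus_enabled else "disabled"))
    results.append(CheckResult("firewall", "enabled",
                               "enabled" if host.firewall_enabled else "disabled"))
    # Control 7: user access is documented, so access logging must be on.
    results.append(CheckResult("access logging", "enabled",
                               "enabled" if host.access_logging_enabled else "disabled"))
    # Control 8: a backup recent enough for rapid recovery.
    if host.last_backup is None:
        backup_state = "no backup"
    elif (today - host.last_backup).days <= BACKUP_MAX_AGE_DAYS:
        backup_state = "recent"
    else:
        backup_state = "stale"
    results.append(CheckResult("backup within 7 days", "recent", backup_state))
    # File access control (table case 3): protected files must not be modifiable
    # by unprivileged users, here approximated by world-writable permission bits.
    results.append(CheckResult("protected files not world-writable", "unable to modify",
                               "unable to modify" if not host.world_writable_files
                               else "modifiable: " + ", ".join(host.world_writable_files)))
    return results


def compliance_report(hosts: List[HostRecord], today: date
                      ) -> Dict[str, Tuple[int, int, List[CheckResult]]]:
    """Return {hostname: (passed_count, failed_count, results)} for the inventory."""
    report = {}
    for host in hosts:
        results = check_host(host, today)
        passed = sum(r.passed for r in results)
        report[host.name] = (passed, len(results) - passed, results)
    return report


# Constructed sample inventory; none of these are real hosts.
SAMPLE_HOSTS = [
    HostRecord("ws-01", True, True, date(2022, 4, 1), True, date(2022, 4, 13)),
    HostRecord("srv-db", True, True, date(2021, 12, 1), True, date(2022, 4, 13),
               world_writable_files=["/srv/records/patients.db"]),
    HostRecord("ws-07", False, True, date(2022, 3, 20), False, None),
]
AUDIT_DATE = date(2022, 4, 14)

if __name__ == "__main__":
    for name, (ok, bad, results) in compliance_report(SAMPLE_HOSTS, AUDIT_DATE).items():
        print(f"{name}: {ok} pass, {bad} fail")
        for r in results:
            verdict = "Pass" if r.passed else "Fail"
            print(f"  {verdict} {r.control}: expected {r.expected}, actual {r.actual}")
```

Run as a script it prints one line per host and one Pass/Fail line per control; in practice the `HostRecord` values would be filled from the endpoint agent or configuration management database rather than typed in, and each failed check is the row an auditor would carry into the liability discussion that follows.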
Potential Legal Elements and Liability (Costs)
The consequences are not always monetary but may also be reputational.
Some of the potential legal components and liabilities are as follows: The first is the
possibility of an assault, resulting in the entity’s brand being tarnished in the
healthcare industry, resulting in a loss of business for the firm. The second is the
danger of an assault that results in the public disclosure and loss of an entity’s data.
The third danger is a Ransomware assault, which results from a lack of anti-virus
sanitization of downloaded files. Finally, the danger of illegal access may damage
the system and network resources.
HIPAA: The penalty is proportional to the amount of information disclosed.
Fines for each record can vary between $50 and $50,000. They are restricted to a
maximum of $1.5 million each year. Violators face prison sentences ranging from
one to ten years. (2020, Cyberinsure One).
GLBA: The standard is a fine of $100,000 per infraction and $10,000 for each
offender. Additionally, violators may face jail penalties ranging from one to five years.
(2020, Cyberinsure One).
FISMA: This statute applies only to government agencies. Sanctions may
include congressional condemnation and budget reductions. (2020, Cyberinsure
One).
References
De Groot, J. (2019, January 3). What is HIPAA compliance? 2019 HIPAA requirements. Digital Guardian. https://digitalguardian.com/blog/what-hipaacompliance
Basic firewall configuration. (n.d.). Web.mit.edu. Retrieved April 14, 2022, from https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sag-en-4/ch-basicfirewall.html
NACDL. (2019). Computer Fraud and Abuse Act (CFAA). National Association of Criminal Defense Lawyers. https://www.nacdl.org/Landing/ComputerFraudandAbuseAct
Bureau of Justice Assistance. (n.d.). Electronic Communications Privacy Act of 1986 (ECPA). https://bja.ojp.gov/program/it/privacycivil-liberties/authorities/statutes/1285
Patil, S. (n.d.). HIPAA compliance for healthcare workloads on IBM Spectrum Scale. Retrieved April 14, 2022, from http://www.redbooks.ibm.com/redpapers/pdfs/redp5591.pdf
The Stark Law basics: Definitions, compliance, and exceptions. (n.d.). Summithealthlawpartners.com. https://summithealthlawpartners.com/services/the-stark-law
Cybersecurity laws and penalties. (n.d.). CyberInsureOne. Retrieved April 14, 2022, from https://cyberinsureone.com/laws-penalties
Singh, H. (2015). A glance at the United States cyber security laws. Appknox.com. https://www.appknox.com/blog/united-states-cyber-securitylaws
Cybersecurity Framework
Rohit Grover
College of Sciences, Engineering, and Technology, Grand Canyon University
CYB 630: Enterprise Cyber Law and Compliance Strategies
Sean Atkinson
11-May-2022
Impact Analysis Part 3: Prevention and Response Strategies
Negotiations with accreditors on compliance
To negotiate is to attempt to reach an agreement on something. In our CSE, we are focusing
on negotiating compliance with creditors. Creditors are those who lend us money. To deal with
creditors, we must adhere to our narrative. We
should make every effort to prevent unnecessary drama since it may lead to disorder, which does
not project a positive picture to the public. During our talks, we are prudent to ask questions and
take notes on the subject matter. Being truthful is an essential characteristic since it is preferable to
state clearly what we can afford without exaggeration. Instead of dealing with collectors, we
should always communicate directly with creditors. We shouldn’t tell them about our bankruptcy
since they may decrease their statements for us. Because even a tiny slip of the tongue might bind
us, we must be extremely cautious with our speech. Read and file away your email for future
reference.
Chris, the owner of a firm, wanted to talk with his creditor, to whom he owed money, and
the payment date was approaching. In his negotiations with the creditor, Chris said that his wife
had been ill and could not clear his obligations. While the conversation continued and the creditor’s
tone grew more severe, Chris never compromised himself by stating that the firm had not made a
profit. Hence he had not fulfilled his due. The creditor grew angry with him since he had not
adhered to his original story, and the entire transaction turned into a drama.
Response strategies
As a response strategy, breach notification rules must provide a way for notifying victims
of a security breach on time, but they must also be comprehensive and a successful information
security plan. The essential security components include:
• Risk assessment: The association’s data security strategy must begin with
a risk assessment. A security risk is a known but concealed occurrence.
• Trigger events: The staff’s ability to recognize security breach trigger events
will expedite the initiation of the appropriate response.
• Mitigation plan: The security reaction group organizes a security incident
response convention that elucidates the relief method.
Consequently, the risk analysis should consider the three types of security
safeguards outlined in the HIPAA security rule: regulatory, physical, and specialized
safeguards. It should be noted that research indicates that the primary cause of
security breaches is associated with the people or business functions of an organization
(Baskerville & Kim, 2014). Therefore, it is not surprising that the most significant section
on shields in the HIPAA security regulation does not focus on innovation. The focus is
on the organization.
Employee Training Recommendations
The employee security awareness program is unique to each firm, and there is
no standard implementation method. If you wish to develop a cyber security awareness
training and program, I will outline the necessary stages.
The security Awareness program is an endeavor undertaken by a business to
guarantee that every employee has the necessary cybersecurity knowledge. This aligns
everyone and instills a feeling of accountability for the effective execution of the Security
awareness program.
This is one of the efficient approaches for informing employees about the dos
and don’ts regarding business resources, data, and the Internet. You should draft a set
of acceptable usage policies to establish rules and regulations that will instill network
security knowledge in all employees.
To create a user training program for cybersecurity awareness, you must first
evaluate the steps below.
1. Assess the organization’s existing requirements and create content based on the
evaluation results.
2. Make the essential preparations for the training’s schedule and conduct.
3. Develop a technique for measuring the efficacy of the training delivered
4. Create a tracking mechanism to monitor the implementation.
Depending on the training budget, I prefer organized and output-based training,
particularly in cybersecurity. You can first construct a formal training that addresses the
fundamental principles, followed by a web-based simulation to test their grasp of the
instruction.
You can use the classroom method for the theory-based portion of the security
awareness program so that employees have a general understanding of the
organization’s policies and programs. Afterward, you should assess their
comprehension through web-based or computer-based simulations of actual scenarios
covered in your security awareness plan. This provides them with hands-on experience
with the many scenarios you supplied.
The efficiency of the training approach depends on the caliber of the participants;
there are several aspects to consider for each employee’s learning process.
Nevertheless, based on my personal and professional experience, it is preferable to
employ web-based training, preferably with a simulation, to guarantee that they are
aware of how to respond to cyber dangers in the modern-day. The downside of this
method is that you must have enough workstations to accommodate the number of
personnel you wish to train or train on a scheduled basis. Classroom-based training,
which represents the conventional method of instruction, lacks the real-world scenario
or simulation necessary to verify the taught theory. Therefore, to assure efficacy, you
must mix both approaches.
Feedback on the Effectiveness of Security Policies
The most effective technique to acquire genuine input from stakeholders on the
success of security policies would be to discuss it with the other stakeholders.
Step-by-step explanation
The most effective technique to acquire genuine input on the success of security
policies from stakeholders would be to have one stakeholder serve and then discuss it
with other stakeholders. The reason is that when individuals recognize a member of the
media or an investigative journalist, they are more likely to express their concerns and
desires, regardless of how reasonable the discourse may be (Abdelwahed et al., 2016).
For example, when we communicate with our friends, especially those of the same state
and standard, we prefer to tell them what we know. However, when speaking with a
stranger for an interview, we exaggerate or say more than true ( Cram et al. 2017).
When stakeholders are required to comment on the efficacy of security rules,
company publications, journals, and articles can also be employed. Through this, one
may interview the subject and receive comments.
New Threats, Vulnerabilities, and Risk Management
Conduct an initial assessment in which you identify the assets and define the risk
and necessary incentive for each device (using feedback from the client, such as the
output of a security evaluation vulnerability scanner), then define the framework
baseline. Conduct the vulnerability scan and create the vulnerability assessment report.
Security awareness should be managed as an ongoing process to ensure that
preparation and knowledge are not delivered merely as an annual action; instead, it
should be used to maintain a consistently high level of security awareness.
Various systems should be examined, such as assembling the security
consciousness group.
Establishing a group will assist ensure the success of the security awareness
program by assigning responsibility for the application (James, 2011). This group is
responsible for the development, implementation, and maintenance of the security
awareness program. The size and membership of the security awareness group will
depend on each organization’s specific requirements and culture. It is required that the
group be comprised of personnel from diverse regions of the organization, with varying
responsibilities representing a cross-section of the organization.
Impact of new threat intelligence
Incident response can typically notify operational management, stakeholders,
and other personnel affected by a security breach in a business. This addresses
security incidents, breaches, and cyber threats with internal and external
communication system integration (James, 2011). Mobile phone communication is the
official and most efficient method for alerting operational management—for instance,
phone calls, text messaging, and business landlines. Emailing is acceptable,
competent, and professional for the stakeholders and other persons.
However, these groups will be confronted with countless inquiries and
unrestricted mobility when a breach occurs. They may fail to follow the necessary
incident response procedure to minimize the damage in such a chaotic circumstance.
This is crucial since a security incident might be high-pressure, and your IR team must
immediately prioritize the most critical tasks. Judicious judgment and prompt execution
of pre-planned incident response measures can prevent several unwarranted business
effects and reputational loss during a security incident.
Responding effectively to New Challenges
1. Communicate often and early- When the public is aware of a security event, it is crucial
to address it quickly, even if you can only announce that an investigation is underway.
This demonstrates to impacted parties that you are aware of the issue, are trying to
resolve it, and will be a source of information in the future.
2. Be truthful and straightforward- When communication is not clear and intelligible, or if
they feel you are not speaking with them, they may become frustrated. In reality, end
customers have lost confidence. If end-users are in danger due to your breach, you must
disclose this fact. Be straightforward and write to the technical standard of your users, but
do not embellish the truth.
3. Don’t lose track of the basics- Typically, higher priority queries include: “When did the
infraction occur?” and “Whose information is affected by customers?”. The inability to
develop a basic consensus on the repercussions of an occurrence may afterward result in
delays and ambiguity.
4. Never let a good incident go to waste- A new issue has two advantages: the first is that,
because it clearly demonstrates both demands and repercussions, an event is always the
optimal moment to obtain extra funding and prevent the next one.
5. Share your learnings- We can only grow as a society if we continually exchange
information about our cybersecurity concerns. Each failure is thoroughly examined and
shared with others, and airlines develop improvement plans regardless of who was
initially affected.
By implementing these actions, organizations would be better positioned to
adjust to new difficulties successfully. Lastly, in the context of a supply chain, consider
businesses. The loss of customer information is crucial to the majority of businesses.
However, the influence of goods and services on other businesses may be considerably
more severe and enduring.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity
Framework Implementation Tiers are one of the three major components of the
Framework, together with the Framework Core and Profile. Similar to the Profiles and
the Framework Core, the Implementation Tiers are intended to serve as a benchmark
for assessing current cybersecurity risk management practices and assisting
businesses in developing strategies to enhance their cybersecurity posture. The
implementation levels are intended to give stakeholders context on the extent to
which an organization’s cybersecurity program exhibits the NIST CSF characteristics. The
CSF Implementation Tiers are not intended to constitute a maturity model, according to
NIST. Instead, the implementation levels are intended to shed light on and give
direction for the interplay between cybersecurity risk management and operational risk
management procedures. The implementation stages are intended to give a clear
approach for integrating cyber risk into the enterprise’s broader organizational risk. This
piece will examine each of the four Implementation Tiers to help you determine where
your business fits within this scoring methodology.
Each Implementation Tier comprises three major components: Risk Management
Processes, the Risk Management Program, and External Participation; each has its
functions, classifications, and subcategories. Cybersecurity risk management
techniques indicate how a company tackles cybersecurity risk. The degree to which a
company employs an integrated risk management program reveals to its leadership that
it has consolidated its cyber risk data and can make choices based on that data. Lastly,
external engagement indicates the organization’s understanding of the larger business
environment in which it operates.
NIST Cybersecurity Framework Implementation Tiers
• Risk Management Processes: Typically, Tier 1 firms execute cybersecurity risk
management in an ad hoc and reactive manner. In addition, cybersecurity actions are
often carried out with little to no prioritizing, depending on the level of risk addressed.
• Integrated Risk Management Program: The lack of protocols related to cyber risk
management makes it difficult for these firms to communicate and manage this risk.
Due to the absence of reliable information, the business approaches cybersecurity
risk management on a case-by-case basis.
• External Participation: These organizations lack a comprehensive awareness of
their place within the larger business ecosystem, including their supply chain
position, dependents, and interdependencies. Tier 1 organizations do not
communicate information with third parties effectively (if at all) and are typically
unaware of the supply chain risks they take and pass on to other ecosystem
members if they do not understand their position.
The NIST Cybersecurity Framework is a voluntary framework produced by the
U.S. Department of Commerce that includes standards, recommendations, and best
practices. It is a joint endeavor involving the governmental, business, and academic
sectors. It was initially intended to improve cybersecurity for parts of the United States’
vital infrastructure. These significant industries included banking, energy, healthcare,
and defense. It was also designed for use by state and municipal governments and
federal entities. In February 2014, version 1.0 of the NIST CSF was released.
Since then, the Framework has been changed to make it adaptable enough for
small and large organizations in any industry. It applies not only to IT but also to IoT —
the Internet of Things. Version 1.1 of the NIST Cybersecurity Framework was
released in April 2018. The new additions included the following:
• Authentication and identity management
• Self-assessment of cybersecurity risk
• Cybersecurity management throughout the supply chain (including buying guidance
for commercial off-the-shelf products and services)
• Vulnerability disclosure
• Clarifications on the connection between Implementation Tiers and Profiles
At the time of its introduction, Wilbur Ross, secretary of commerce, stated, “The
voluntary NIST Cybersecurity Framework should be every company’s first line of defense.”
The three main components of the Framework are:
1. Framework Core: A collection of desirable cybersecurity outcomes arranged
hierarchically and consisting of the five functions of a cybersecurity program: Identify,
Protect, Detect, Respond, and Recover.
2. Implementation Tiers: Tiers ranging from Partial (Tier 1) to Adaptive (Tier 4) give a
qualitative measurement of the organization’s cybersecurity risk management
process.
3. Profiles: Profiles align an organization’s goals and objectives, risk appetite, and
resources with the intended Framework Core outcomes. Comparing a “Current” Profile
to a “Target” Profile uncovers opportunities for enhancing the cybersecurity posture.
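The Current-versus-Target Profile comparison in item 3, as an added Python example that is not from the original paper: the five functions and the tier names are the Framework's, while the profile scores and the rule that a profile's overall tier is its weakest function are constructed assumptions for illustration.

```python
"""Added example (not from the original paper): a minimal NIST CSF Profile
gap analysis. A Profile here scores each of the five Framework Core functions
at an Implementation Tier (1 = Partial ... 4 = Adaptive). The Current and
Target Profiles below are constructed sample data, not real assessment results."""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

Profile = dict[str, int]  # function name -> tier 1..4


def validate(profile: Profile) -> None:
    """Reject a profile that misses a function or uses an undefined tier."""
    missing = set(FUNCTIONS) - profile.keys()
    if missing:
        raise ValueError(f"profile lacks functions: {sorted(missing)}")
    bad = {f: t for f, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"tiers outside 1..4: {bad}")


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def gap_analysis(current: Profile, target: Profile) -> list[Gap]:
    """Return the functions where Current falls short of Target, largest gap
    first (ties in Core order), so the biggest posture improvements lead."""
    validate(current)
    validate(target)
    gaps = [Gap(f, current[f], target[f]) for f in FUNCTIONS if current[f] < target[f]]
    return sorted(gaps, key=lambda g: (-g.size, FUNCTIONS.index(g.function)))


def overall_tier(profile: Profile) -> int:
    """Assumption: a profile is only as mature as its weakest function."""
    validate(profile)
    return min(profile[f] for f in FUNCTIONS)


# Constructed sample profiles for a small supplier (illustrative values only)
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.function:<9} {TIERS[g.current]:>13} -> {TIERS[g.target]:<11} (+{g.size})")
```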