
Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)

Within the previous step, the SoW report conveyed a brief overview of the organization’s critical aspects and a list of the organization’s security needs. Now, you are ready to develop a comprehensive work breakdown structure.

This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note the tools and techniques to use in conducting a vulnerability assessment to be used later in the project.

Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed.

Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:

internal threats: personnel, policies, procedures

external threats: systems, connectivity, databases

existing security measures: software, hardware, telecommunications, cloud resources

compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain

Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.

Submit the comprehensive work breakdown structure for feedback.

Step 4: Explain Security Threats and Vulnerabilities

In the previous step, you developed a comprehensive work breakdown structure. In this step, you will explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities.

Reference aspects that are not being included. Note that you would need to obtain management agreement with the initial analysis of mission-critical components to be included in the assessment. This phase includes management input into the prioritization process of all risks from internal and external sources.

This information will be used in the following steps to develop the threats and vulnerabilities report, which will then be included in the Final Vulnerability Assessment Report.

Next, you will classify the risk of threats and vulnerabilities.

Step 5: Classify the Risk of Threats and Vulnerabilities

Throughout this project, you have developed a foundation for the vulnerability and threat assessment by classifying critical organizational aspects, creating a scope of work, and explaining security threats and vulnerabilities. Now, you are ready to classify the organization’s risk according to the relevant data determined in the project plan.

Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities and threats you have itemized. Explain why each is a vulnerability or threat, as well as why it is relevant to the overall assessment.


continuous monitoring issues as you work through the classification. Use the threat and vulnerability explanations from the previous step and risk classifications from this step to develop the threats and vulnerabilities report.

In the next step, you will prioritize the threats and vulnerabilities you have explained and classified.

Step 6: Prioritize Threats and Vulnerabilities

Now that you have explained and classified the threats and vulnerabilities, you will prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:

include both internal and external sources of threats


assessment of exposure to outages


information resource valuation

indicate which approach you are using and justify your choice

Use this information, along with the threat and vulnerability explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.

Compose a two- to three-page report regarding specific threats and vulnerabilities of the technical aspects of the environment. This report will be used in the final vulnerability and threat assessment report.

Submit the threats and vulnerabilities report for feedback.

This should be two separate files. One for step 3 and one for step 6 (follow steps 4-6 in order to complete step 6). Each file should have a title page and a reference page. For the spreadsheet, you can use Word to create it.

Running Head: SOW REPORT
Project 1: Vulnerability and Threat Assessment
Step 2: Create a Scope of Work (SoW)
Cynthia Castellon
Professor Burton
CMP 630 9041 Risk Management and Organizational Resilience
July 26, 2022
Statement of Work Report
The critical features in the scope of work highlight the security measures by breaking them down into manageable sizes and offering some examples. Some vital areas involved in addressing the security vulnerabilities, risks, attacks, and threats include cybersecurity, physical, network, and personnel security. The report provides a general approach to the covered areas, which are considered in order to attain maximum effectiveness and success.
Physical security denotes measures tailored to prohibit illegal access to equipment, facilities, and resources while protecting the property and personnel from harm or damage (Garcia, 2008). It is an overarching term that encompasses protective measures of personnel, network, hardware, and physical actions and events that can result in severe damage or loss to a company asset. Physical security encompasses several layers of interdependent systems such as security guards, CCTV surveillance, locks, perimeter intrusion detection, access control, fire protection, deterrent systems, and other systems designed to protect property and persons (Garcia, 2008). Other measures for physical security include biometric systems that are used in the verification of access eligibility. Garcia (2008) states that personnel security is purposely meant to authorize the initial and continued access to information and assign duties to individuals whose determination of devotion, dependability, and trustworthiness are such that they have the company’s best interest at heart. Identifying employee dependability includes conducting background checks and constant assessments to authenticate ongoing suitability for critical assignments (Garcia, 2008).
Like personnel security, network security protective measures are incorporated at the software and hardware level to eliminate illegal access to sensitive information by unauthorized personnel. Examples include secure password criteria and requirements, multiple factor authentication, role-based assessment control, and installation of anti-virus software, intrusion detection systems, firewalls, and detection systems. Users select an ID, secure password, or other verification information to access information and programs within their authority.
Cybersecurity is a combination of tactics implemented to protect the organization’s systems and networks from cyber threats. Implementing efficient cybersecurity measures is particularly challenging currently since technology has evolved and there are now more devices than people. Cyber attackers are becoming increasingly innovative. Scarfone et al. (2008) state that cyber-attacks aim to illegally access or modify sensitive data, extort ransom from information owners, or delay or interrupt business procedures. These actions by the attackers are malicious and deliberate and aimed at breaching the information of the respective organization or individual (Scarfone et al., 2008).
The main objective of the SOW is to incorporate enough of the security measures defined above to address some of the cybersecurity concerns:
1. Quickly update, review, document, and set up security architectures for all computer system and service solutions, creating formal baselines and cybersecurity measures.
2. The threats are malicious acts intended to destroy or steal data and interrupt network system services. These malicious programs include data breaches, viruses, and malware.
3. The cybersecurity risks result in potential harm or loss to the computer or network infrastructure, technology utilization, and an organization’s reputation.
4. Minimizing system vulnerabilities exploited by the attackers to gain access to the computer systems and networks to perform illegal actions. These system vulnerabilities can allow attackers to run malicious programs, access the system’s memory, commit theft, install malware, and modify and destroy critical data (Scarfone et al., 2008).
Finally, scheduled and unscheduled assessments must be implemented to identify any measure of performance (MOP) or measure of effectiveness (MOE). The efforts must be worth the return on investment and equally crucial in addressing the company’s cybersecurity needs (Scarfone et al., 2008).
References
Garcia, M. (2008). The design and evaluation of physical protection systems (2nd ed.).
Scarfone, K., Cody, A., Souppaya, M., & Orebaugh, A. (2008). Technical guide to information security testing and assessment. U.S. Dept. of Commerce, National Institute of Standards and Technology.
