Assignment #1 – Part I, 70 points
Assessments: Review of NISTIR 7621
Purpose – Assignment 1, Part I
There are many ways to approach cybersecurity at an organization, and many different activities that may be conducted in a cybersecurity assessment, ranging from design and policy reviews, to penetration testing (or other kinds of testing), to audits conducted by impartial, certified third parties.
However, to ensure that appropriate cybersecurity activities are conducted by, or for, a specific organization, industry, system, or task, numerous standards and frameworks have been developed to guide those activities.
In this assignment, you will be reviewing the National Institute of Standards and Technology (NIST) Internal/Interagency Report (IR) 7621 Rev. 1, Small Business Information Security: The Fundamentals (NISTIR 7621) to evaluate its effectiveness in outlining activities that should be undertaken by small businesses and organizations to ensure an appropriate cybersecurity posture.
This document can be found here: https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final
Note: The common pronunciation of NIST is similar to "mist" and NISTIR is similar to "mister". Also, these documents are often referred to by their number only, so this one would be "NISTIR 7621." Some standards, such as NIST SP 800-53, are often referred to as "eight-hundred, fifty-three," and the revision number is included only when it is specifically required. For example, if an agency is updating its policies to 800-53 Rev. 5, the revision would be mentioned explicitly, as in "In eight-hundred fifty-three rev 4, it says… but in rev 5, it says..."; otherwise, the general assumption is that comments or discussions refer to the latest version.
Note 2: You are going to be conducting a cybersecurity assessment of a fictional organization for the Course Project, and will be leveraging what you learn from this assignment and the artifacts that you develop in Part II. So, please treat this assignment seriously; it will pay off later in the semester!
Assignment
For this part of Assignment 1, you will analyze NISTIR 7621, and identify areas (if any) where the standard could be updated, expanded, or improved. If the standard appropriately covers an area, you will include your reasoning for why it is appropriate/sufficient in that area.
While doing this assignment, please consider these issues specific to small businesses or organizations:
1. They may not have the expertise or understanding to perform complex, technical tasks. So, overly detailed or complex frameworks may be beyond their capability.
2. With a smaller number of employees, they may not have a lot of time to dedicate to the process. (For example, NIST SP 800-53 Rev. 5 is 492 pages long and is far too detailed, and time consuming, for a small organization to use.)
3. They may not have the funding to bring in a third party to assist with their cybersecurity needs, and given items 1 and 2 they may not be able to do a lot of work themselves, so any framework needs to:
   a. Stay focused on the critical areas
   b. Be as short and concise as possible (NISTIR 7621 is only about 10% the size of 800-53)
   c. Address the important areas while doing (a) and (b)
   d. Make trade-offs between detail and usability (something cybersecurity professionals have to deal with daily!)
A framework for a small business should direct its efforts to ensure an effective cybersecurity program, with a minimum amount of overhead.
Deliverables
- (70 points) A paper, submitted as a PDF, of at least 1500 words but no more than 1800 words, that details your analysis of NISTIR 7621. (This word count excludes any references or citations.) The paper must include:
- An overall analysis of the described framework (is it sufficient, or are there areas that are missing or should be expanded?)
- For any components of the framework you feel are adequate, your reasoning for why they are adequate.
- For any areas you feel are not adequate, or are missing entirely, the area identified and a description of what could be improved or what should be added (e.g., does it properly address ransomware? What about the use of personal devices?)
- Proper citations for reference [https://libguides.utsa.edu/cite]. Please use APA format. You can find an APA format sample here: student-annotated.pdf
Note: Do not use ChatGPT (or other generative AI) to write this for you.
Understanding these frameworks is a critical component of this class, and necessary for the Course Project. Handing this work off to AI is not acceptable. Papers may be submitted to ZeroGPT or other AI analysis tools to determine if the work has been generated by AI.
Other Notes
- If you look up the CISSP Official Study Guide (9th Edition) on O'Reilly (directly or via the UTSA library eBooks), you can find more information regarding assessments and audits in Chapter 15: Security Assessment and Testing. (This is not required reading, but the chapter has great information regarding this area.)
- You may discuss this assignment with other class members, but each individual should write their own paper.
- This is an individual assignment, where you make your own decisions and have your own reasoning process. Make sure your work reflects thought and consideration.
- Again, do not use ChatGPT or other generative AI to do this assignment for you.
- UTSA policy is that all suspected cases of Scholastic Dishonesty are referred to the university, i.e., if you cheat, I am required to report it to Student Conduct and Community Standards. This includes the improper use of generative AI for this assignment.