Last week you defined your IT system as ABC University Admin Office and the information processed or stored on it that requires protection

Risk Management Framework(RMF) Step 2: Select

Our Organization for this project: ABC University Admin Office

Last week you defined your IT system as ABC University Admin Office and the information processed or stored on it that requires protection. This week we start to define how you will protect it.

Please refer the other attached PDF for Step 1: RMF_STEP_1_Categorize.pdf for last week categorization which you completed. That document has purpose of the office, list of roles, and information types.

Your text describes controls and safeguards as “mechanisms, policies, or procedures that can successfully counter attack, reduce risk, resolve, vulnerabilities, and otherwise improve security within an organization.” It had a great discussion on controls last week (pp. 158-159), dividing them into three categories, managerial, operational, and technical.

NIST includes these categories, but divides their controls into 18 families:

1. AC – Access Control

2. AU – Audit and Accountability

3. AT – Awareness and Training

4. CM – Configuration Management

5. CP – Contingency Planning

6. IA – Identification and Authentication

7. IR – Incident Response

8. MA – Maintenance

9. MP – Media Protection

10. PS – Personnel Security

11. PE – Physical and Environmental Protection

12. PL – Planning

13. RA – Risk Assessment

14. CA – Security Assessment and Authorization

15. SC – System and Communications Protection

16. SI – System and Information Integrity

17. SA – System and Services Acquisition

Assignment Requirements:

Review the below Low Impact Controls baseline. Select one control from each of the 17 families

Low Impact Controls baseline: https://nvd.nist.gov/800-53/Rev4/impact/low

Create a report in which you explain how your ABC University Admin Office will apply each control. In your report:

1. Identify each control you selected for 17 families

2. Explain in at least a paragraph for each control, how you apply each control and whether you are compliant or not. Be specific.

For example,

CA-8, Penetration Testing, requires the organization conduct penetration testing within a defined frequency on a defined system.

ABC University Admin Office has a contract with UCanTrustUs.ru for monthly penetration testing of all assets within our system, to include the workstations and fileservers. This is redhat testing, so no IP, hostname or other system information is provided to facilitate testing. Representative Goober gets the results emailed within in 10 days of the testing, and sometimes sooner, via WikiLeaks. We are compliant with this control.

“Get 15% discount on your first 3 orders with us”
Use the following coupon
FIRST15

Order Now