Answer the questions with at least 1 reference per question. The answer to each question should be a minimum of 6-8 sentences.

1. There are numerous risks to an organization's business application systems, from natural disasters and terrorism to pandemics and cybersecurity risks. Organizations can leverage existing frameworks to develop and implement an organizational security policy that reduces the impact of these risks on their business applications. Compare the ISO and NIST standards for securing information systems and critical infrastructures, and explain how they differ from the DoD Rainbow Series. Make sure to address how the two frameworks differ, and state your opinion on which standards seem better prepared to deal with cybersecurity and data breaches.

2. Organizations must comply with different regulatory and legal policies based on the type of data they process, transmit, and store on their business application systems. Organizations must implement a security policy that supports and complies with the regulatory and legal policies for the different data types and the information security systems they use. Discuss the different regulatory policies that an organization may be required to comply with, and the technical security control requirement(s) that follow from each regulatory requirement. Examples should include all of the following, but are not limited to: HIPAA, HITECH, FDA 21 CFR, PCI-DSS, SOX, and COPPA.

3. When building an information security policy, it is important to note how the required security controls impact the organization and affect its business application processes. Discuss how an organizational security policy is developed and implemented in an organization. What are some of the formal roles and responsibilities required by the organization's security policy, and what is the reporting structure?

4. An organization has numerous stakeholders, and the organization may have a different obligation to each stakeholder group. It is essential to recognize the organization's internal and external stakeholders and their influence, and, in return, the organization's obligations related to each stakeholder. Discuss different methods, such as technical controls and administrative controls, that an organization can implement to reduce risk when establishing business relationships with external organizations.

5. Organizations operate in a global economy. To be competitive, organizations must leverage technology to support their business processes and applications. Organizations have leveraged technology to automate and improve their processes and to reduce their geographical and physical boundaries. Discuss some of the challenges organizations face when implementing technology and regulatory compliance requirements within a global economy to support their business processes. Why is regulatory compliance (PCI-DSS, HIPAA, SOX, GLBA, GDPR) important to cybersecurity?

6. Organizations do not have unlimited resources; leaders must develop and implement methods to prioritize and allocate the organization's resources to meet and execute its business priorities. Discuss the advantages and disadvantages of outsourcing the organization's technology and cybersecurity requirements to external organizations (e.g., a managed security service provider (MSSP)).

7. Cybersecurity defense requires more than a modern network defensive tool with an intricate design. A good cybersecurity architecture is achieved by implementing a defense-in-depth security architecture. Discuss the importance of developing defense-in-depth techniques within an organization. What are some of the security controls within the security policy that support a defense-in-depth security architecture?

8. Small businesses, like big businesses, need protection when it comes to their information infrastructures. However, small businesses face a steep challenge in "keeping up with the Joneses," if you will, as they must employ technologies that often carry a heavy expense, which increases year after year. Knowing this, research and find a small business and discuss how it has implemented modern cybersecurity technology without breaking the bank. This business can be any business, so long as it is a small business with fewer than 1,000 personnel.

9. There are numerous risks to an organization's business processes and application systems, from natural disasters and terrorism to health pandemics and cybersecurity risks. Discuss the difference between qualitative and quantitative risk assessments and the advantages and disadvantages of each to an organization.

10. There are numerous regulatory compliance requirements and policies, based on industry, sector, or geographical region, that organizations are obligated to follow. Under these regulatory standards and policies, organizations must comply with the requirements and implement security controls. Discuss the impact of an organization's failure to comply with a regulatory requirement; your response should include more than just the regulatory fines.

11. There is no such thing as a fully secure information technology system. Many information systems have design flaws or vulnerabilities that a threat actor can exploit. Therefore, organizations need to have an incident response policy. Review the NIST Computer Security Incident Handling Guide and discuss the different phases of the incident response process, as well as the tools and technology used by the incident response team during the different phases.

12. Data and asset classification are essential within an organization. The organization's security policy should identify and define security requirements based on the asset and data classification. This means implementing rules and regulations surrounding the protection of critical assets and data that could severely impact the organization if compromised. Discuss the importance of a critical assets list and how an organization can use it during an incident response.

13. Developing and implementing a successful cybersecurity program within an organization can be a complex task. Therefore, it is essential to have leadership support for the program, and the program should not create a layer of complexity wherein employees find it a hindrance to the business process. Research and discuss ways that organizations can implement an effective cybersecurity program that includes user awareness training.

14. Implementing a successful cybersecurity program does not depend only on having the latest security and software applications. It requires an effective security policy that includes administrative policy, physical security controls, and technology. The organization's security depends on all of these different security controls to secure an asset using compliance-driven directives. Research and discuss different ways for an organization to implement an administrative policy for the onboarding and offboarding of employees to ensure the security of the organization's intellectual property.

15. Writing framework-compliant policies is a difficult task for cybersecurity experts. However, it is well known that implementing these policies is an even more difficult task, as it takes stakeholder buy-in and understanding for policies to become fully realized parts of the infrastructure. With this in mind, research and discuss implementation strategies that you would use to ensure that the security policies that have been set are being followed and that compliance levels remain well within the standards outlined in the framework.

16. There are many ways to go about assessing the overall framework and structure of a secure information environment. Research and discuss how an organization can assess its cybersecurity programs. Should there be a regulatory requirement for organizations to have an external audit?