171819According to the NIST Cybersecurity Framework, an organization can use the Framework as a key part of its systematic process for identifying, assessing, and managingcybersecurity risk.Based on your reading of the NIST Cybersecurity Framework, please select all the appropriate statement(s) that guide organizations on how the Framework can be used.0 000The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in itscurrent cybersecurity risk approach and develop a roadmap to improvement.The Framework is designed to complement existing business and cybersecurity operations.It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.The Framework is designed to completely replace existing cybersecurity management practices and requires that organizations start fresh when "moving to theframework"O O O OThe Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization'scybersecurity practices.One of the specific management activities and outcomes (framework core sub-category) within the NIST Cybersecurity Framework is "Physical devices and systems within theorganization are inventoried". Which Framework core Category incorporates this sub-category?Asset Management (ID.AM)BusinessEnvironment (ID.BE)Identity Management and Access Control (PR.AC)Security Continuous Monitoring (DE.CM)Select the statement(s) that accurately describe(s) the notion of "Framework Implementation Tiers" within the NIST Cybersecurity Framework.OImplementation Tiers describe describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in theFramework (e.g., risk and threat aware, repeatable, and adaptive).The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactiveresponses to approaches that are agile and risk-informed. That is, they describe an increasing degree of rigor and sophistication in cybersecurity risk managementpractices.Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity riskto critical assets and resources to levels acceptable to the organization.All organizations must achieve the highest tier (Adaptive - Tier 4) at all costs regardless of organizational contexts as these tiers depict cybersecurity maturity levels.

Dear Student, The answer to your questions is given below -

According to the NIST Cybersecurity Framework, an organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. Based on your reading of the NIST Cybersecurity Framework, please select all the appropriate statement(s) that guide organizations on how the Framework can be used. 000 0 The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. The Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework is designed to completely replace existing cybersecurity management practices and requires that organizations start fresh when "moving to the framework" The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization's cybersecurity practices.

According to the NIST Cybersecurity Framework, an organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. Based on your reading of the NIST Cybersecurity Framework, please select all the appropriate statement(s) that guide organizations on how the Framework can be used. 000 0 The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. The Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework is designed to completely replace existing cybersecurity management practices and requires that organizations start fresh when "moving to the framework" The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization's cybersecurity practices.

Fundamentals of Information Systems

9th Edition

ISBN:9781337097536

Author:Ralph Stair, George Reynolds

Publisher:Ralph Stair, George Reynolds

Chapter10: Ethical, Legal, And Social Issues Of Information Systems

Section: Chapter Questions

Problem 2CE

See similar textbooks

Similar questions

Exercise 5 - Examining a real-world federated identity management (FIM) system Find a real-world FIM system you've used and examine how technically the system is / may have been implemented. Search for technical documents related to the system to understand more. For the report, describe what FIM system you examined and what you learned about it briefly. Hint: To identify the techniques used behind a FIM system, search for its name and examine any technical information you may have access to (e.g., HTML source code returned from a website, source code of the system if published under an open source license).
C. List the components of PKI, then describe each component and its function. What are certification and accreditation when applied to information systems security management? List and describe at least two certification or accreditation processes. You've been hired by an investment company with 500 employees to serve as their Information Systems Security Manager. Your first task from the Chief Information Officer is to write a series of policies and procedures as the company has nothing in place. Where is a good place to start your research? List at least 3 policies and procedures that you would work on first and explain why these three should be considered early. Recommend a password policy. If the C.I.A. triangle is incomplete, why is it so commonly used in security? Explain what value an automated asset inventory system has for the risk identification process?
Requirements:• The Employee Management System (EMS) shall allow Human Resources staff to assign each new employee one unique ID and one personal information record (which includes names, addresses, etc.)• Each employee will be assigned one available title/role from a pre-configured list of titles/roles. Also, each employee will be assigned to one department within the organization, and one manager upon registration. An employee can also be configured as a "manager" within a department.• Managers can direct one or more employees at a time (the number of employees to manage depends on each department). The managers shall be able to record the performance of each employee that he/she manages. Performance assessment will be based on (1) a numeric grade, and (2) a performance review description.• The HR staff and Managers should be able to access and update the employee's records at any time. HR staff can view all organization's employees, although managers can only see their own employees.…
Requirements:• The Employee Management System (EMS) shall allow Human Resources staff to assign each new employee one unique ID and one personal information record (which includes names, addresses, etc.)• Each employee will be assigned one available title/role from a pre-configured list of titles/roles. Also, each employee will be assigned to one department within the organization, and one manager upon registration. An employee can also be configured as a "manager" within a department.• Managers can direct one or more employees at a time (the number of employees to manage depends on each department). The managers shall be able to record the performance of each employee that he/she manages. Performance assessment will be based on (1) a numeric grade, and (2) a performance review description.• The HR staff and Managers should be able to access and update the employee's records at any time. HR staff can view all organization's employees, although managers can only see their own employees.…
PurposeThis course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies.Learning Objectives and OutcomesSuccessful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following:Evaluate compliance laws relevant to the U.S. Department of Defense.Assess policy frameworks appropriate for an organization in a given scenario.Evaluate security controls and standards for the seven domains of a typical IT infrastructure.Develop DoD-compliant policies for an organization’s IT infrastructure.Required Source Information and ToolsWeb References: Links to Web references in this document and related materials are subject to change without prior notice. These links were last verified on January 4, 2022. The following tools and resources will be needed to complete this…
PurposeThis course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies.Learning Objectives and OutcomesSuccessful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following:Evaluate compliance laws relevant to the U.S. Department of Defense.Assess policy frameworks appropriate for an organization in a given scenario.Evaluate security controls and standards for the seven domains of a typical IT infrastructure.Develop DoD-compliant policies for an organization’s IT infrastructure.Required Source Information and ToolsWeb References: Links to Web references in this document and related materials are subject to change without prior notice. These links were last verified on January 4, 2022. The following tools and resources will be needed to complete this…
Security breaches in information systems are very commonplace these days even though some organizations have what they believe is good security controls. Because of their vulnerability to threats from hackers, internal personnel, and poor management of Hardware and software devices, security controls always need revisiting.From my perspective as manager of the Accounts and Finance department, every security breach affects this department even if it is just down time to be at meetings, to discuss strategies and costs to repair damages. When the breaches occur, unauthorized access is gained to either, do something malicious to the organization's resources to steal or sabotage data for financial gain.This usually results in the company's reputation/integrity being damaged, Loss of revenue during downtime, high costs to repair and restructure. legal ramifications are expected as well if guilty persons are found or if customers decide to sew for breach of contract and losses.Two Reasons…
Any organization or business that has had to deal witha cyber breach understands the stress that accompanies the process, no matter how well prepared or rehearsed it is for cyber events. All breaches come with a unique set of challenges and requirements. An incident response team often referred to as an IRT, is a team of individuals who are available, are ready, and have the expertise to investigate a data breach. IRT must understand the full scope of the breach to contain it, which typically includes understanding the entire life cycle of the attack. Forensic specialists can provide valuable information to the rest of the IRT team by examining logs, traffic, and systems to gain insight on the full scope of a breach. Discuss what the forensics investigators need to identify to understand how to scope the data breach incident.
Lab Objectives: This lab is designed to give students the opportunity to discuss security requirements including CIA and design principles interactively and to explore the topics covered in greater detail. CIA Confidentiality, integrity, and availability, also known as the CIA Triad. The CIA Triad is a security model that has been developed to help people think about various parts of IT security. Confidentialityis roughly equivalent to Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts. Integrityinvolves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people Availabilitymeans information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the…
Make sure you submit your proposal for a security education program. Artifacts that have been finished and polished are supposed to have all their parts. The input that was used to create it should be reflected in its final form. The proposal will include an executive summary, a communication plan, an introduction, the proposal's policies and procedures, the proposal's main body, the proposal's main body, the policies and procedures, the recommended remedies to security weaknesses, and the strategies to constantly monitor the company for hostile conduct.
Create a timeline that will detail how the week of pen testing will be conducted, the frequency of reporting, and the form of documentation of results that will be submitted. This should include a 1-page explanation of daily, weekly, and monthly security steps that the company should implement along with an explanation of how they will be implemented and what they will achieve
Interns who appear to be violating many security policies are confronted by the CISO, who hears their complaints. The company claims its employees don't encrypt their computers, listen to music without a license, share files between work and personal devices, waste too much time on social media, and illegally access pornographic material. The CISO suggests drafting a security document (Rules of Behavior) with at least 15 rules outlining the conduct that is and is not acceptable on the company's network.