
Southern New Hampshire University Social Engineering Threats Paper

Overview

Once security requirements have been defined, an organization must have a way to ensure these requirements are satisfied. Security controls are safeguards or
countermeasures implemented by organizations to protect all types of assets (data, physical, personnel, etc.) from threats to confidentiality, integrity, or availability.
Trade groups such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), and the National Institute of Standards and
Technology (NIST) provide collections of security controls intended to address critical areas of cybersecurity concern; however, these guidelines provide different
levels of detail, vary in prescriptiveness, and apply to different industries and organizational structures. Ultimately, it is up to each organization to determine how to
best implement security controls to meet an organization’s expectations for asset protection. As such, the security practitioner’s role centers around the selection,
design, implementation, and management of the policies, procedures, standards, and guidelines designed to implement these controls.

In the milestone assignment for this project, you examined employee training as a control measure to reduce the incidents and effects of social engineering. As
you saw, training is a key method for incorporating security best practices. However, it is not the only type of control measure relied on by cybersecurity
professionals. In this project, you will incorporate instructor feedback on the milestone as you envision a more comprehensive approach to security controls at
an organization.

In this project, you will analyze requirements, select appropriate security controls, and specify methods to implement your selected controls to satisfy the
requirements. You will demonstrate your mastery of the following course competency:

 CYB-260-03: Design security controls and practices for humans in the system

Scenario

An initial agreement has been made, and Helios Health Insurance has provided a service level
agreement (SLA) that defines the relationship between Fit-vantage and Helios. You have been tasked
with recommending implementation of the controls detailed in the SLA.
Now that the partnership is in place, the insurance company’s SLA contains the terms and conditions
that require evidence of how Fit-vantage will address three critical controls—specifically, how the
organization will use awareness training to defend against social engineering attacks.

To complete this task, you will prepare service level agreement requirement recommendations for the internal stakeholder board identifying an approach to meeting the requirements in the scenario.

Prompt

Prepare a brief that outlines the requirement recommendations for the service level agreement and describes your approach to meeting the requirements of
the scenario. You must address the critical elements listed below. The codes shown in brackets indicate the course competency to which each critical element is
aligned.

I. Select two sub-controls that address the requirements of the scenario.

A. Control One: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the
requirements. [CYB-260-03]

B. Control Two: Justify how your selected control type (i.e., policy, standard, procedure, or guideline) and implementation will meet the
requirements. [CYB-260-03]

II. Describe the necessity for a training program to address a specific social engineering threat. [CYB-260-03]

III. Describe the expected outcomes of a training program that addresses the social engineering threat you identified in the previous critical element.
[CYB-260-03]
