Assessment matrix | Human Resource Management homework help

For the scenario below, choose appropriate security controls from the SANS 20 Critical Security Controls and choose the remainder of the controls needed to secure this system from the listing of controls provided from NIST SP 800-53 Rev. 4 (see webliography). You will select a total of 10 security controls. List the controls by type, mapping them as best as you can to the NIST control families (e.g. PE-3), and provide a one-sentence description of the function of each control.

NOTE: You will address each control in the 20 Critical Security Controls document and determine whether or not the control is appropriate for securing the system in the scenario. You will provide a sentence or two on why or why not it should be selected. All 20 critical security controls must be addressed for the scenario but not necessarily selected for it. The rest of the 10 controls you select can be chosen from the NIST SP 800-53 Rev. 4 controls in the Access Control family (I've provided a list below; however, you will review each of the controls in the document provided in Course Content). For example, if you choose two of the twenty SANS controls, you will select eight of the Access Control family controls for a total of ten controls.

Scenario: The following illustration shows an example of a public, unsecured Windows Communication Foundation (WCF) client and server. The system is not secure. This is a small business. It is a client/server system. The system is located in an unlocked room within the main building of the business. The business has only two buildings. One building houses all the computer equipment plus the data about their customers. How would you secure this system?


Assessment Matrix

Name:

Date: July 3, 2014

| SANS Critical Controls | Explain selection rationale | Enter Y for selected and N for not selected |
|---|---|---|
| Inventory of Authorized and Unauthorized Devices | | Y |
| Inventory of Authorized and Unauthorized Software | | |
| Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | | Y |
| Continuous Vulnerability Assessment and Remediation | | Y |
| Malware Defenses | | Y |
| Application Software Security | | |
| Wireless Access Control | | |
| Data Recovery Capability | | |
| Security Skills Assessment and Appropriate Training to Fill Gaps | | |
| Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | | |
| Limitation and Control of Network Ports, Protocols, and Services | | |
| Controlled Use of Administrative Privileges | | |
| Boundary Defense | | |
| Maintenance, Monitoring, and Analysis of Audit Logs | | |
| Controlled Access Based on the Need to Know | | |
| Account Monitoring and Control | | |
| Data Protection | | Y |
| Incident Response and Management | | Y |
| Secure Network Engineering | | |
| Penetration Tests and Red Team Exercises | | |

Security Control Assessment

| Name of Control | Purpose |
|---|---|
| Access Control Policy and Procedures | |
| Account Management | |
| Least Privilege | |
| Data Protection | |
| Inventory of Authorized and Unauthorized Devices | |
| Continuous Vulnerability Assessment and Remediation | |
| Incident Response and Management | |
| Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | |
| Malware Defenses | |