
Samples For "CYB 410 Security Risk Management"

CYB 410 : 7-2 Project Three Submission: Crafting and Evaluating Risk-Based Recommendations

CYB 410 Project Three Guidelines and Rubric

Crafting and Evaluating Risk-Based Recommendations

Overview

How do you make a good risk-informed decision? In this project, you will look at how to craft and evaluate risk-based recommendations. You will examine the processes and methods you can use to make risk-based recommendations, their impact, and the quality of the decisions you’ve made.

Throughout this course and the overall program, you have encountered many real-world breaches. Think about the breaches you have explored and the role that risk management and risk planning played in the outcomes. It is important to review previous breaches across different industries and find commonalities (similar software usage, for example) to make good decisions when evaluating or reevaluating your own organization’s risks. The OPM, Sony, and Target breaches are all useful examples that can help you learn better ways to manage risk and vulnerabilities.

When making risk-informed recommendations, you should look to resources in the form of standards, guidelines, and best practices to help make and assess your decisions. Some resources you might consider are NIST, the CIS Controls, or the Fundamental Security Design Principles. There are also tools that help to classify and quantify risk, like the risk register or business impact analysis. When you assess the quality of your decision, also consider how it will affect everyone in the organization.

The project will be submitted in Module Seven.

In this assignment, you will demonstrate your mastery of the following competency:

  • Apply decision-quality principles in making risk-informed recommendations

Prompt

You must address the critical elements listed below. The codes shown in brackets indicate the competency to which each critical element is aligned.

  1. Risk-Informed Recommendations
    1. Discuss how you can use tools to make risk-informed recommendations. Justify your response with a relevant example.
    2. Discuss how you can use resources to make risk-informed recommendations. Justify your response with a relevant example.
    3. Consider how you can identify and minimize your own bias when making risk-informed recommendations.
    4. Explain how you can use systems thinking to consider the impact of your decision on people, processes, and technology.
    5. Explain what evidence you would use to evaluate whether you made a good decision.

 

 


CYB 410 : 7-1 Project Two Submission: Data Life Cycle Management

CYB 410 Project Two Guidelines and Rubric

Data Life Cycle Management

Overview

How does an organization determine the value of its data? The data life cycle covers all aspects of data within an organization—from creation to destruction. You have explored the data life cycle of Green Thumb Nursery in your milestones by developing a data inventory, classifying the data, and customizing policies for the secure storage and destruction of data. For your project, you will respond to new business developments from your customer and reflect on the value that creating a data life cycle has for any organization.

The project incorporates two milestones, which will be submitted in Modules Three and Five. The project will be submitted in Module Seven.

In this assignment, you will demonstrate your mastery of the following competency:

  • Develop a data life cycle plan for the protection of organizational data

Scenario

You have been consulting with Green Thumb to create its data life cycle plan and have created a first draft. After you created this draft, Green Thumb has provided you with information that would affect the data life cycle plan.

The business owner explains that Green Thumb Nursery has not had vibrant plants for several months and has been trying a variety of nutrients on existing plants. The results are not up to Green Thumb standards. Green Thumb Nursery is looking to invest in creating its own custom fertilizer to be used for its own nursery and also for marketing to customers. Green Thumb Nursery is hoping to bring a competitive edge to the landscaping and nursery business and improve the quality of its existing plants and shrubs. The long-term plan is to bring this to market in two years. As part of the strategic plan, you will need to change the data life cycle plan you have already started.

Prompt

You must address the critical elements listed below. The codes shown in brackets indicate the competency to which each critical element is aligned.

  1. Green Thumb Nursery Data Life Cycle Plan Updates—Using the Project Two Milestone One template for the data life cycle plan, add an additional Microsoft Windows Server 2022 with SQL 2022 to the System Resource/Component column for the new research and development (R&D) work and complete the following:
    1. Logically identify the data from the new resource in the Data Inventory column.
    2. Apply the appropriate classification to the new data you identified in the Data Classification column.
    3. Justify your rationale for applying the classification in the Data Classification Justification column.
  2. Data Life Cycle Management Debrief—Using your experience with Green Thumb, think about how you can apply what you have learned more holistically and answer the following:
    1. Explain the importance of a data life cycle plan for an organization.
    2. Explain the impact that not creating a data life cycle plan has on an organization.
    3. Justify the value of maintaining this plan.

CYB 410 : 6-2 Project One Submission: Risk Management Planning Debrief

Risk Management Planning Debrief

Overview

Successful security risk management planning relies heavily on your proactive and adversarial mindsets. By thoroughly analyzing the threat landscape and anticipating risks that could impede normal business operations, you can set your organization up to make informed decisions during a crisis. You have explored creating a risk register and business impact analysis for a fictitious garden nursery. For your project, you will create a Risk Management Planning Debrief. Understanding the basics and best practices allows you to tailor solutions that will work best for your organization.

The project incorporates two stepping stones, which will be submitted in Module Two and Module Four. The project will be submitted in Module Six.

In this assignment, you will demonstrate your mastery of the following competency:

  • Analyze threat landscape for its impact on the organizational environment

Prompt

You must address the critical elements listed below. The codes shown in brackets indicate the competency to which each critical element is aligned.

  1. Risk Register
    1. Explain the importance of a risk register as a decision aid.
    2. Describe the relationship between a risk register and the threat landscape for an organization.
  2. Business Impact Analysis (BIA)
    1. Explain the importance of a BIA as a decision aid.
    2. Describe the relationship between the BIA and the survivability of an organization.
  3. Risk Management Planning
    1. Evaluate the strategic value of collectively applying systems thinking, an adversarial mindset, and the tenets of confidentiality, integrity, and availability (CIA) when conducting security risk management planning.

 

 

 


CYB 410 : 5-2 Project Two Milestone Two: Data Life Cycle Management Policies

Data Life Cycle Management Policies

Overview

What is the importance of policies in data life cycle management? In previous modules, you completed a data inventory and data classification for Green Thumb Nursery. Now you will address additional elements in the data life cycle for Green Thumb: data storage, data security, and data destruction. Addressing these elements of the data life cycle is important for all organizations regardless of size or complexity. Creating data storage, data security, and data destruction policies is a proactive step to limit exposure to potential risks to an organization. When writing policies, you should have two goals. First, create the right policy for an organization that is customized to its needs. Second, write a policy that is easy to understand and follow.

Scenario

You are part of a cybersecurity consulting firm that has been hired to help Green Thumb Nursery develop its risk management plan. The initial round of on-site, in-person interviews has already been conducted by your leadership team, and you are tasked with helping the team complete their data storage and security policies and their data destruction policies.

Prompt

To create new policies for Green Thumb Nursery, use the Project Two Milestone Two Templates for the data storage and security policy and for the data destruction policy. These two documents are linked in the What to Submit section below. Reference the Project Two Milestone One data inventory and data classification as needed.

You must address the critical elements listed below.

  1. Data Storage and Security Policy
    1. Describe the purpose of the policy using precise and succinct language.
    2. Describe the people and the technology that are covered by the scope of this policy. Be specific.
    3. Create an effective data storage policy that addresses all elements in the policy section of the template.
    4. Create an effective data security policy that addresses all elements in the policy section of the template.
  2. Data Destruction Policy
    1. Describe the purpose of the policy using precise and succinct language.
    2. Describe the people and the technology that are covered by the scope of this policy. Be specific.
    3. Create an effective data destruction policy that addresses all elements in the policy section of the template.

CYB 410: 3-2 Project Two Milestone One: Data Inventory and Data Classification

CYB 410 Project Two Milestone One Guidelines and Rubric

Data Inventory and Data Classification

Overview

It is important to understand the different kinds of data that an organization is collecting. As a cybersecurity analyst, you need to know the data. Know the criticality of the data you organize and analyze, and the impact on the organization in case of a breach or loss of data. As you develop the data life cycle plan, keep in mind that one of the goals is to protect the confidentiality, integrity, and availability of the organization’s data. Consider the following questions:

  • Is some information highly confidential?
  • Would your company be at risk if certain data were leaked?
  • Would your customers be at risk?
  • What if your data disappeared?

As a security analyst, you will use your adversarial mindset to view this task.

Part of data life cycle management and risk management is to classify the data. Classifying data can vary between organizations. Classification is based on the criticality of the information and the risks of possible attacks. For example, in the case of a data breach, a customer’s email address would be considered low risk. However, a customer’s credit card information or Social Security number would be high risk so it would have higher security protection. Data classification is simply a way of grouping the data based on its level of criticality. This classification allows for varying degrees of security protection for each group.

Scenario

You are part of a cybersecurity consulting firm that has been hired to help Green Thumb Nursery develop its risk management plan. The initial round of on-site, in-person interviews has already been conducted by your leadership team and you are tasked with helping the team complete the finalized documentation for the data life cycle plan. This plan includes performing a data inventory to identify data that is critical to the organization in order to implement a data classification standard.

Prompt

Using your expertise as a cybersecurity consultant, complete the Data Inventory and Data Classification tab in your Project Two Milestone One Template, which is linked in the What to Submit section below. One row of the template has been completed to provide you with an example. Begin by reviewing the Classification Matrix tab to learn about the categories used for data classifications. You must address the critical elements listed below.

  1. Data Inventory: Using the components listed in the System Resource/Component column, complete the Data Inventory column.
    1. Identify the appropriate types of data found in each system resource/component.
  2. Data Classification: Using the information in the Data Inventory column, complete the Data Classification column.
    1. Apply the appropriate classification to the data you identified in your data inventory.
  3. Justification: Complete the Data Classification Justification column.
    1. Justify your rationale for applying each classification.

What to Submit

Submit the completed Project Two Milestone One Template for the data life cycle. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.xlsx.

 

 

 


CYB 410 4-2 Project One Stepping Stone Two: Business Impact Analysis

CYB 410 Project One Stepping Stone Two Guidelines and Rubric

Business Impact Analysis

Overview

A business impact analysis (BIA) assesses the impact of disruptions to organizational operations. This document is used by organizations during catastrophic events that stop those operations. It is important to create a contingency plan before disaster strikes so you and your organization are set up to make the best possible decisions in the shortest amount of time when stressors can be at a maximum. The best plans are built when you can put yourself in a mindset that appreciates the urgency of the decisions that must be made. For example, if the point-of-sale systems are down for your organization, having a detailed resolution plan can help prevent loss of revenue and consumer confidence. A BIA captures very practical measurements of maximum tolerable downtime (MTD), recovery time objective (RTO), and recovery point objective (RPO). It is critical to business operations that you know these metrics and set them correctly. Incidents will happen, and that is okay if you are prepared.

For this stepping stone, you will complete the metrics for MTD, RTO, and RPO. Your leadership has already begun completing the BIA for Green Thumb Nursery, so it is your task to help them finish it by completing the Estimated Downtime Table. While this is usually a task for a more senior cybersecurity leadership position, this is great exposure to prepare you for such tasks in your career and to provide insight into how these decisions are made, which will inevitably affect you in your position as a cybersecurity analyst.

This stepping stone prepares you for Project One, which is due in Module Six.

Scenario

You are part of a cybersecurity consulting firm that has been hired by Green Thumb Nursery to help develop its risk management plan. The initial round of on-site, in-person interviews has already been conducted by your leadership, and you are tasked with helping them complete the finalized documentation for the business impact analysis.

Prompt

Complete the Project One Stepping Stone Two Template: Estimated Downtime Template for the business, which is linked in the What to Submit section below.

You must address the critical elements listed below.

  1. Ordering Supplies
    1. Identify realistic RTO value.
    2. Identify realistic RPO value.
    3. Justify the values identified for this business process.
  2. Processing Customer Transactions
    1. Identify realistic MTD value.
    2. Identify realistic RPO value.
    3. Justify the values identified for this business process.
  3. Creating Security Reports
    1. Identify realistic MTD value.
    2. Identify realistic RTO value.
    3. Justify the values identified for this business process.
  4. Tracking Grow Technique Data
    1. Identify realistic RTO value.
    2. Identify realistic RPO value.
    3. Justify the values identified for this business process.
  5. Creating Safety Reports
    1. Identify realistic MTD value.
    2. Identify realistic RTO value.
    3. Justify the values identified for this business process.
  6. Logging/Tracking Product
    1. Identify realistic MTD value.
    2. Identify realistic RPO value.
    3. Justify the values identified for this business process.

CYB 410 2-1 Activity: Comparing Privacy Protection Laws

CYB 410 Module Two Activity Guidelines 

Comparing Privacy Protection Laws

Overview

Protecting personal information is an increasingly relevant issue facing both companies and individuals. In response to this, state legislation is evolving in an attempt to increase protections for customers. At the federal level, the Privacy Act of 1974 governs the personally identifiable information of individuals that is maintained by federal agencies. A need grew for state-level legislation to provide additional consumer protections that weren’t addressed by federal regulations. Because of the more needs-based way these laws developed, there is significant variation in existing state laws.

In this activity, you will explore the privacy protection laws of multiple states. When researching the laws in your own state, include such terms in your search as security breach notification, attorney general, privacy protection law, and so on.

Prompt

After reviewing the resources for this module, address the critical elements listed below.

  1. Comparing Privacy Protection Laws
    1. What state from the provided resources offers the best privacy protection laws for consumers?
    2. How do these privacy protection laws compare to the state you live in? Include at least one source for your research.
    3. As a consumer, would you change anything about the privacy protection laws in the state you live in?
    4. Does reviewing the notifications of breaches from the state of California make you reconsider your consumer habits? Why, or why not?

What to Submit

Your submission should be 2–3 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. Any citations should be cited according to APA style. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.


CYB 410 Module One Journal ...

Overview

Journals are private and between you and the instructor only. Approach these activities as an opportunity to reflect upon and apply what you learn each week based on the assigned readings, discussions, and activities. As a successful professional, you will need good reflective and writing skills. Journal activities offer you the opportunity to develop these skills further. The journal entries in this course are graded separately.

Prompt

First, complete the assigned readings for the week. Then discuss the importance of prioritizing cybersecurity risk when it comes to protecting sensitive data, maintaining trust with stakeholders, and mitigating financial and reputational harm. Your entry should include some thoughts on how increased cybersecurity awareness and proactive risk management contribute to a safer and more resilient digital environment for all.

Your journal entry should be 2 paragraphs long and fully address the prompt provided.

In your response, you must address the following critical elements:

  1. Critical Thinking and Reflection: Support the claims with relevant examples of previous and logical thought processes.
  2. Integration and Application: Show good depth of knowledge of the module content and demonstrate that the module content has been read.
  3. Voice: Write in a style that is appropriate for the intended audience and use a consistent voice throughout.

What to Submit

Submit your journal assignment as a Microsoft Word document with double spacing, 12-point Times New Roman font, and one-inch margins. Responses should be at least 2 paragraphs long and address the points indicated in the journal prompt for each module.


CYB 410 1-1 Discussion: Introduction to Cyber Risk

Possible Points: 30

Begin by introducing yourself to the class. Include your major and anything you would like to share about yourself. Then address the prompt below.

For your initial post, think about your own personal data and the devices you use at home. In what areas are you the most vulnerable? You might consider areas such as saving passwords in a browser, buying products online, using social media, or saving photos in the cloud. What are your critical risks from these vulnerabilities? Have you taken any steps to address those risks? If so, what have you done?

In your response posts, evaluate which tenet of the confidentiality, integrity, and availability (CIA) triad is most affected by your classmates’ identified risks. Examine how that tenet could be used to inform good decision making.

To complete this assignment, review the Discussion Rubric.

