Please note! This essay has been submitted by a student.
The Burp Company is a start-up business in Cape Town and it would like to improve centres through infrastructure renewal. As the company aim to operate internationally, and want to sustain a substantial web presence, the purpose of the essay is to compile computer or information security plan as to how the company can reach their goal of improving critical infrastructure using the NIST framework.
The essay will assess the current project providing the description of the project and its boundaries with risk analysis or threat identification. Information security will help the company to protect its integrity, availability, confidentiality against threats. This can be achieved by use of company policies, processes, and structures. Burp has recognized the National Institute Standard Technology framework cloud-based software for project management and accounting.
BURP is a start-up company that intends to improve community centres through infrastructure refurbishment exercises. The company have offices in Cape Town which is the main offices and have regional offices in other provinces. The company have recognized some cloud based software for project management and accounting.
Asset is divided into two which are tangible and intangible assets.
They are assets that can be touched
These are assets that cannot be touched
The framework purpose is to improve critical infrastructure using the NIST (National Institute of Standards and Technology) framework. Using the NIST framework for Burp Company will establish an improved cybersecurity program on using framework tiers in framework implementation. Added language to framework ties to reflect integration framework consideration within organization risk management project. The Framework emphases on using business drivers to direct cybersecurity activities and seeing cybersecurity risks as part of the organization’s risk management processes.
The Framework contains of three parts: The Framework Core, the Application Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity events, effects, and helpful references that are common across sectors and critical infrastructure. Fundamentals of the Core provide detailed direction for developing individual organizational Profiles. Through use of Profiles, the Framework will help an organization to bring into line and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources.
The Burp company will use this framework in evaluating cybersecurity risks with the framework to clarify how they can be used by an organisation to know and measure their cybersecurity risk. The 3. 3 cybersecurity communicate with stakeholders, assist users better recognize cyber supply chain management (SCM), while the new section 3. 4 helps with buying judgement highlighting use of the framework in understanding risk associated with profitable off-the-shelve products. Additional to 3. 3 section, cyber SCRM principles are added to the operation tiers, and the supply chain risk management category including subsections, are added to the framework core.
The Burp Company is in threat of inappropriate internet usage by the staff, information theft or privacy violation, data lost, hackers’ attacks, data sharing over insecure networks as the company intends to operate worldwide, loss of tangible assets, unauthorised software, unauthorised access to their offices and unauthorised users. As the company is forced to start up on a tight budget, cybersecurity risk can drive up and affect the revenue. Using the framework and improving cybersecurityThe risk mentioned in the aforementioned section present threats to the company in different levels.
The design or the framework is to provide feasible solutions to the threats of the company. In the case of Cybersecurity threats, the company will use activities and plans, the stakeholders of the company will know how to handle these threats by means of using the documented policies, processes and procedures. Risk or threats may also be eliminated by means of using mitigation plan. The framework will also provide mutual classification for the Burp company to:
Framework core – The framework core will help Burp company to provide some activities in order to achieve cybersecurity results. The framework consists of functions like identify
The below steps illustrate how the Burp could use the framework to produce new cybersecurity.
The Burp company will identify its business/mission purposes and high-level organizational priorities. With this information, making strategic decisions regarding cybersecurity implementations and governs the scope of systems and resources that support the selected business line or process. The Framework can be modified to support the different business lines or procedures within an organization, which may have different business needs and associated risk tolerance. Risk acceptances may be replicated in a target Implementation Tier.
Once the scope of the cybersecurity has been identified for the company line or process, the organization identifies related structures and assets, controlling requirements, and overall risk approach. The organization then refers to sources to identify threats and susceptibilities applicable to those systems and assets.
Burp will develop a Current Profile by representing which Category and Subcategory results from the Framework Core are currently being accomplished. If an outcome is moderately achieved, noting this fact will help provision following steps by providing baseline information.
This assessment could be directed by the organization’s overall risk management procedure or preceding risk assessment activities. Burp will analyse the operative environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is of important that Burp identify evolving risks and use replicated threat data from internal and external sources in order to gain a better understanding of the likelihood and impact of cybersecurity events. 6. 5Create a Target Profile. The organization creates a Target Profile that emphases on the assessment of the Framework Groupings and Subgroups describing the organization’s anticipated cybersecurity results. Organizations also may develop their own additional Categories and Subgroups to account for unique organizational risks. The organization may also reflect influences and necessities of external stakeholders such as sector entities, customers, and business associates when making a Target Profile.
Burp is a start-up company therefore they do not have a current profile to compare to, Burp can only use the target profile to identify gaps. Following, it creates an ordered exploited strategy to address gaps – reflecting task drivers, expenses and profits, and threats to achieve the results in the Target Profile. The organization then defines resources, counting funding and workforce, necessary to report the gaps. Using Profiles in this way will inspire Burp to make informed choices about cybersecurity activities, supports risk management, and allowing the organization to achieve cost-effective, targeted improvements.
The Burp company may determine which actions to take to address the breaches, if any, recognized in the previous step and then adjusts its cybersecurity performs in order to attain the Target Profile. For further direction, the Framework classifies example Informative References concerning the Groupings and Subgroups, but Burp should define which standards, guidelines, and practices, including those that are sector specific, work best for their needs for instance the building of new offices in different provinces. Burp may repeat the above steps to constantly improve their cybersecurity.
NIST framework will provide a mutual language to communicate necessities amongst stakeholders accountable for delivering important critical infrastructure services and products.
Examples consist of:
Here the Burp will identify security risk that are faced by the company, these risks or threat include, unauthorised access, information theft and privacy violation, hackers’ attacks, loss of tangible assets, data loss, data sharing over unsecure network. Asset management, these are tangible devices including systems.
Governance: Burp may do assessment of cybersecurity and potential risk responses considers the privacy implication of its cybersecurity program. Burp will also create company policy which addresses the cyber threats. ProtectIdentity management, and access control, awareness and training, data security, information protection The company has already recognised cloud based software for project management and accounting and wants to sustain an important web presence for stakeholder’s communiqué purposes.
The use of access cards as access into the building and finger print access will be able to ensure that the authorized staffs are in the building. The security guard will be there to ensure that one entry at a time happens. There should be building use policy available for every staff to see and any violation will be penalized. Burp will train and educate the stakeholders and staff to perform their cybersecurity responsibilities. Encryption will help secure files containing information about the company and confidential data.
Staff should be made aware of installation of software through education and information system usage policy and in case of any violation staff account will be suspended and the staff will go to the administrator for retrieval of the account and reprimanded. Strong password should be used for all account types and audit will ensure that failed logins are located for password hacking attempts. For anomalies procedure is in place to conduct a secrecy evaluation of an organization’s irregular activity detection and cybersecurity monitoring.
Response planning, mitigation, improvements. Improvements will be combined for future purposes. Procedure is in place to measure and address whether, when, how, and the degree to which particular information is shared outside the organization as part of cybersecurity information sharing activities.
Data lost which might be caused by power surges, virus, hard failure and natural disaster but can be mitigated by having backups of database kept (not in the offices, kept offsite) to ensure that the data is consistent, accurate and usable to the company. There should be more backup storage and it must be up-to-date and virus free. Backups will ensure that data is not loss after unforeseen events. Software backup, documentation, time intervals for backup will also be part of the recovery planning. Disaster recovery plan will be drawn for future purposes.
The current state of the Burp company presents many weakness and flaws that can easily be exploited by malicious users; If the mitigation and NIST framework plan presented above is implemented the system will become more secure. There’s still chances that system will suffer hacker attacks, theft of information and that privacy of company information will still be compromised intentional or unintentionally. Users’ awareness and good ethics standards can make it safer because the internal threats will be significantly reduced; most of the external threats that may affect the company can be contained by adopting some of the above cited approaches.
Risk identification and estimation is always a good thing to do because it not just allows you to identify the fragilities but also allows you to differentiate them according to their likely to happen or the impact they can have allowing you to plan which risks will you address, which should be addressed first and how you will address them. Stakeholders being aware of the implications of security breaches can help limit the internal threats and the external will be kept at a minimal.