NIST Framework Based Information Security Plan for BURP Organization


Added on 2023/06/05

AI Summary
This document presents a comprehensive computer security plan for BarnUrban Renewal Projects Organization (BURP), a startup company. It leverages the National Institute of Standards and Technology (NIST) cybersecurity framework, focusing on the 'Detect' function, including anomaly detection, continuous security monitoring, and detection processes. The plan outlines a seven-step process for implementing the NIST framework, including prioritizing and scoping, orientation, creating current and target profiles, conducting risk assessments, analyzing gaps, and developing an implementation action plan. It addresses specific security threats faced by BURP, such as cloud-based software usage, headquarters under construction, online platform vulnerabilities, and data accessibility. The plan also incorporates ISO 27001 management controls and details protective measures like penetration testing and secure payment infrastructures. Furthermore, it establishes incident management guidelines based on NIST SP 800-61 and a disaster recovery plan according to NIST SP 800-34, ensuring BURP is well-prepared to navigate cybersecurity challenges.
Information Security plan 1
Computer Security plan for the BarnUrban Renewal Projects Organization
1. Introduction
Compiling a computer security plan is an essential undertaking for every organization. It protects information and critical resources from being compromised, thereby mitigating business risk and safeguarding the business's investments and opportunities (Puhakainen and Siponen, 2010, pp.757-778). A computer security plan is produced by summarizing the information system and describing the security controls in place to meet the organization's requirements; the selected controls must be documented in the system security plan. This article compiles a computer/information security plan for a company with reference to National Institute of Standards and Technology (NIST) documentation.
1.1. NIST Framework
The NIST Cybersecurity Framework was designed to improve the cybersecurity of critical infrastructure. It is widely used as a resource for improving the security governance and operations of both public and private organizations (Ross, McEvilley and Oren, 2018, p.14). The framework core is divided into five functions:
Identify: enables the organization to understand how to manage cybersecurity risk to its systems, data and other assets.
Protect: concerns the development and implementation of safeguards so that systems, data and other assets remain safe.
Detect: provides guidance for developing and implementing activities that identify the occurrence of security events.
Respond: facilitates the development and implementation of activities to take once a security event has been detected.
Recover: supports the development and implementation of activities that maintain resilience and restore capabilities impaired during a security event.
This computer security plan will, however, focus on the third function of the framework, Detect. Detect is subdivided into three categories, which are the focus of the following scenario: anomalies and events, security continuous monitoring, and detection processes.
2. Steps of the NIST framework
The framework supports both the improvement of an existing cybersecurity program and the construction of a new one. Since BURP is a startup, as described in the scenario script, its program will be built from scratch through the following procedure (NIST, 2014, p.14; Shen, 2013, p.16).
Step 1: Prioritize and scope
In this step, all the elements required for compliance and for successful cybersecurity resilience are identified: the organization's desired security baseline, and its maturity and readiness. Another significant element is the set of standards that will support the organization's activities; the plan adopts the COBIT framework for this purpose, as it provides the foundation on which the organization's computer security rules will be laid. Other elements in scope are the network and the other critical information technology assets.
Step 2: Orient
Having prioritized and scoped the cybersecurity program for BURP's line of business, the related systems, assets and other requirements are identified, after which the threats to and vulnerabilities of those systems and assets are identified.
Step 3: Create a current profile
This step develops the current profile. Here the single function (Detect) and its three categories from the framework core, described in the previous section of this article, are examined to record which of their outcomes BURP currently achieves.
Step 4: Conduct a risk assessment
After creating the current profile, the organization's protection strategy is measured and evaluated. Gaps and opportunities for improvement are identified through an audit.
Step 5: Create a target profile
Based on the three Detect categories (anomalies and events, security continuous monitoring, and detection processes), a target profile describing the desired security outcomes for the organization's systems is created.
Step 6: Determine, analyze and prioritize gaps
The gaps are identified by comparing BURP's current and target profiles, after which a prioritized action plan is drawn up and a pertinent security plan for the company is planned on that basis.
Step 7: Implement the action plan
At this stage BURP executes the security plan, addressing the gaps identified in the comparison between the current and target profiles.
2. Implementing the NIST framework in BURP
In this section, the cybersecurity management functions and the security-level profile for BURP are illustrated. The security plan use case, as given in the scenario script, contains a list of threats together with the standards and regulations that BURP, as a start-up, must observe. The five functions are applied to BURP's situation.
Apart from the NIST framework, BURP follows the ISO 27001 standard for guidance on how security will be managed and on testing the security of its critical infrastructure (Smith, Winchester, Bunker and Jamieson, 2010, pp.463-486; Shackelford, Proia, Martell and Craig, 2015, p.305). The NIST Cybersecurity Framework will be applied in the organization as follows.
2.1. Identify
BURP has identified the following security threat areas:
i. Use of cloud-based software for accounting and project management
ii. The headquarters that will house critical infrastructure is still under construction, which could lead to loss of, or attacks on, that infrastructure (Baggett and Simpkins, 2018, p.13)
iii. An online platform that is exposed to security threats
iv. The company's data is accessible at all times to anyone
To keep its assets safe, BURP will comply with the management controls provided by ISO 27001.
2.2. Protect
To prevent these threats, BURP will define roles and responsibilities, together with policy, governing the following areas:
a. Access control
b. Awareness and training
c. Data security
d. Information protection processes and procedures
e. Protective technology
Additionally, BURP has a website that acts as the organization's storefront, the entry point for its clients and the entry point for its employees. The organization therefore needs to consider cyber-attacks such as data breaches and theft of the organization's assets, among others (Johnston and Warkentin, 2010, pp.549-566; FitzPatrick and Wollman, 2010, pp.1-4). The protective measures the organization will take include periodic penetration testing of the system to identify potential weaknesses, and use of ready-made payment infrastructure such as a hosted cash register rather than building its own: many payment APIs now provide a cost-effective and secure way of taking payments, which suits BURP's very tight budget.
2.3. Detect
BURP will monitor its access-control and network activity, including but not limited to repeated connection attempts and abnormal connection terminations, using its firewalls to detect attackers (Greer et al., 2014, p.41).
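As an added example (not part of the original plan and not BURP's own code), the following Python script shows the kind of detection logic this monitoring implies: it reads firewall log lines and raises an alert when one source produces repeated denied connection attempts, or repeatedly has sessions torn down by abrupt resets, inside a short time window. The log format, the sample lines, the IP addresses and the thresholds are all constructed assumptions for illustration, not values from the plan or from any real firewall product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified firewall log format (assumption, not a vendor format):
#   <ISO timestamp> fw <ACTION> src=<ip> dst=<ip> dport=<port>
# ACTION is DENY (blocked attempt), ALLOW (permitted session) or RST
# (session ended by an abrupt reset rather than a normal close).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw (?P<action>DENY|ALLOW|RST) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dport=(?P<dport>\d{1,5})$"
)

# Constructed sample log (assumption): 203.0.113.7 probes several ports within
# one minute, 198.51.100.9 has several sessions reset, 192.0.2.5 is an ordinary
# client with a single denied attempt, and one line is malformed on purpose.
SAMPLE_LOG = """
2024-01-15T10:00:01 fw ALLOW src=192.0.2.5 dst=10.0.0.10 dport=443
2024-01-15T10:00:05 fw DENY src=203.0.113.7 dst=10.0.0.10 dport=22
2024-01-15T10:00:06 fw DENY src=203.0.113.7 dst=10.0.0.10 dport=23
2024-01-15T10:00:07 fw DENY src=203.0.113.7 dst=10.0.0.10 dport=3389
2024-01-15T10:00:08 fw DENY src=203.0.113.7 dst=10.0.0.10 dport=445
2024-01-15T10:00:09 fw DENY src=203.0.113.7 dst=10.0.0.10 dport=8080
2024-01-15T10:00:30 fw ALLOW src=198.51.100.9 dst=10.0.0.10 dport=443
2024-01-15T10:00:31 fw RST src=198.51.100.9 dst=10.0.0.10 dport=443
2024-01-15T10:00:32 fw RST src=198.51.100.9 dst=10.0.0.10 dport=443
2024-01-15T10:00:33 fw RST src=198.51.100.9 dst=10.0.0.10 dport=443
2024-01-15T10:05:00 fw DENY src=192.0.2.5 dst=10.0.0.10 dport=8443
this line is malformed and must be skipped
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect(lines, window=timedelta(seconds=60), deny_threshold=5, rst_threshold=3):
    """Return a list of alerts found in the log lines.

    A sliding window per (source, action) counts DENY and RST events. An alert
    fires the first time a source reaches the threshold inside one window, and
    the window is then cleared so the same burst is not reported repeatedly.
    The window and thresholds are assumed values for illustration.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # logs are not guaranteed to be ordered
    recent = defaultdict(deque)  # (src, action) -> timestamps inside the window
    limits = {
        "DENY": (deny_threshold, "repeated connection attempts"),
        "RST": (rst_threshold, "abnormal connection terminations"),
    }
    alerts = []
    for e in events:
        if e["action"] not in limits:
            continue  # ALLOW is normal traffic; not counted
        q = recent[(e["src"], e["action"])]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        threshold, label = limits[e["action"]]
        if len(q) >= threshold:
            alerts.append({"src": e["src"], "signal": label,
                           "count": len(q), "last_seen": e["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['last_seen']:%H:%M:%S} {a['src']}: {a['signal']} "
              f"({a['count']} events in window)")
```

On the sample log this reports the port-probing source for five denied attempts and the second source for three reset sessions, while the single denied attempt from the ordinary client stays below threshold and the malformed line is ignored rather than crashing the monitor. To use it against real firewall output, only parse_line needs replacing with a parser for the vendor's actual format; the windowing logic is independent of it, and the thresholds should be tuned against a baseline of normal traffic so that routine retries do not generate noise.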
2.4. Respond
BURP will develop security incident management guidelines to be followed whenever a security breach is detected. The controls will be developed on the basis of the computer security incident handling guide, NIST SP 800-61.
2.5. Recover
To recover from cyber-attacks, the organization will establish a disaster recovery plan according to the controls cited in NIST SP 800-34, the contingency planning guide.
The above steps will reasonably prepare BURP to carry out its business as a new company in the wilds of cyberspace (Kim, 2013, pp.171-179). The organization will need to upgrade its cybersecurity infrastructure as it grows, and it will be much better prepared to do so. Through the above steps, the organization will have visibility into its network and will identify its weaknesses for improvement.
Conclusion
In summary, this document has compiled a pertinent computer security plan for BURP according to the case scenario. The plan covers the major security vulnerabilities associated with a start-up company like BURP.
Reference list
Baggett, R.K. and Simpkins, B.K., 2018. Homeland Security and Critical Infrastructure Protection. ABC-CLIO, p.13.
Greer, C., Wollman, D.A., Prochaska, D.E., Boynton, P.A., Mazer, J.A., Nguyen, C.T., FitzPatrick, G.J., Nelson, T.L., Koepke, G.H., Hefner Jr, A.R. and Pillitteri, V.Y., 2014. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0. NIST Special Publication 1108r3.
Johnston, A.C. and Warkentin, M., 2010. Fear appeals and information security behaviors: an empirical study. MIS Quarterly, pp.549-566.
Kim, E.B., 2013. Information security awareness status of business-college undergraduate students. Information Security Journal: A Global Perspective, 22(4), pp.171-179.
National Institute of Standards and Technology (NIST), 2014. Framework for Improving Critical Infrastructure Cybersecurity, version 1.0.
Puhakainen, P. and Siponen, M., 2010. Improving employees' compliance through information systems security training: an action research study. MIS Quarterly, pp.757-778.
Ross, R.S., McEvilley, M. and Oren, J.C., 2018. Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (including updates as of 1-03-2018). NIST Special Publication 800-160.
Shackelford, S.J., Proia, A.A., Martell, B. and Craig, A.N., 2015. Toward a global cybersecurity standard of care: exploring the implications of the 2014 NIST Cybersecurity Framework on shaping reasonable national and international cybersecurity practices. Texas International Law Journal, 50, p.305.
Shen, L., 2013. The NIST Cybersecurity Framework: overview and potential impacts. The SciTech Lawyer, 10, p.16.
Smith, S., Winchester, D., Bunker, D. and Jamieson, R., 2010. Circuits of power: a study of mandated compliance to an information systems security "de jure" standard in a government organization. MIS Quarterly, pp.463-486.