For your organization/business, take the NIST Cybersecurity Framework controls and reduce them to system configuration requirements and system test cases with pass/fail criteria. Refer to the "Framework for Improving Critical Infrastructure Cybersecurity," located within the Course Materials. Then, include the following in a report: (Hint: The professor wants us to use Table 2 of the Cybersecurity Framework (CSF) to answer this question. I know the question has to do with how some of the controls of the Protect function of the CSF cannot work for mobile devices like laptops, smartphones, etc. My problem is I do not see how everything comes together.)
1) Description when some controls cannot be implemented (such as on a personal laptop).
One of the biggest threats from a personal laptop basically comes from its connections with networks. When the personal laptop is connected to a network, a firewall provides protection. When there is only a stand-alone personal laptop, implementation of security controls is easier; when the laptop is connected to a network, implementation of security controls is very difficult.
2) Explain what is to be done in each case identified above to compensate for controls that cannot be implemented (e.g., create an identification authentication scheme).
Creation of authentication essentially collects credentials that determine whether a user is legitimate or not. During authentication, agent programs interact and communicate with the policy server (PS) in order to determine the proper credentials of the particular user requesting a particular service.
Owners of data resources or network resources wish to verify the correctness of the user who is trying to access resources that are stored in diverse locations. Identifying a particular user determines which parts of the resource the user is trying to access. Keeping track of unknowns uniquely is vital because history is used to provide the detailed activities of the user.
3) Demonstrate how compensating controls can ensure the non-compliant system can continue to operate within the secured and compliant environment.
4) Discern the likelihood of a cyber security breach within the compliant environment and the impact it might have on the organization (make sure to consider emerging risks, threats, and vulnerability).
Cyber Threats
A cyber threat is a cybersecurity event that causes harm inside the system. Some examples of cyber threats are a phishing attack, which enables an attacker to install Trojan software and steal private data from the user's application, and a system administrator deliberately leaving data, which leads to a data breach.
Vulnerabilities
Major weaknesses in a particular system are referred to as vulnerabilities. Vulnerabilities essentially make a threat very dangerous for the system. Any system must be exploited via a single vulnerability; take the example of a single SQL injection attack, which gives the attacker full control over private and sensitive data.
Risks
A cybersecurity risk is a collection of threat probability and the loss that can happen in a particular system. One example of a risk is the theft of private and sensitive information, which is one of the biggest threats that SQL injection can enable.
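
Added example, not part of the original question or answer: one way to express the exercise as system configuration requirements with pass/fail criteria, where a control that cannot be implemented on a personal laptop is accepted only if its compensating control passes. The device record, its field names and the mapping of each requirement to a CSF Protect subcategory are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed inventory record for a personal laptop; every field name is hypothetical.
LAPTOP = {
    "vpn_with_mfa": True,            # remote access only through VPN + MFA
    "host_firewall_enabled": True,
    "disk_encrypted": False,         # owner has not enabled full-disk encryption
    "central_logging_agent": False,  # organization cannot install its log agent
    "network_segment": "byod-restricted",
    "gateway_logs_sessions": True,   # access gateway keeps per-user session history
}

@dataclass
class ControlTest:
    control: str                       # CSF Protect subcategory (mapping is an assumption)
    requirement: str                   # system configuration requirement
    check: Callable[[dict], bool]      # pass/fail criterion for the requirement
    compensating: Optional[Callable[[dict], bool]] = None  # pass/fail for the substitute

CONTROL_TESTS = [
    ControlTest("PR.AC-3", "Remote access requires VPN with MFA", lambda d: d["vpn_with_mfa"]),
    ControlTest("PR.AC-5", "Host firewall is enabled", lambda d: d["host_firewall_enabled"]),
    ControlTest("PR.DS-1", "Full-disk encryption is enabled",
                lambda d: d["disk_encrypted"],
                # Compensate: confine the device to a segment without sensitive data stores.
                lambda d: d["network_segment"] == "byod-restricted"),
    ControlTest("PR.PT-1", "Logs are forwarded to the central collector",
                lambda d: d["central_logging_agent"],
                # Compensate: the gateway records the user's activity history instead.
                lambda d: d["gateway_logs_sessions"]),
]

def evaluate(device: dict, tests=CONTROL_TESTS) -> dict:
    """Return PASS, COMPENSATED or FAIL for each control."""
    results = {}
    for t in tests:
        if t.check(device):
            results[t.control] = "PASS"
        elif t.compensating is not None and t.compensating(device):
            results[t.control] = "COMPENSATED"
        else:
            results[t.control] = "FAIL"
    return results

def may_connect(results: dict) -> bool:
    """The device may operate in the compliant environment only with no FAIL."""
    return "FAIL" not in results.values()
```

Calling `may_connect(evaluate(LAPTOP))` admits this laptop because both unmet requirements are covered by compensating controls; removing the gateway session logging turns PR.PT-1 into a FAIL and the device is denied.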