Module 4: Risk Management
Student teams continue to build a description of the operating environment for their sector-based organization. They select an appropriate risk management framework for the sector-based organization. In the absence of one required by the industry, teams should begin to apply the NIST Cybersecurity Framework to the selected organization. Each team’s work should be reviewed by the instructor.
Team Activity Objectives
- Identify various risk management frameworks and standards, such as the NIST Cybersecurity Critical Infrastructure Framework (“NIST Cybersecurity Framework”) and North American Electricity Reliability Council (NERC).
- Describe how to use the framework core process.
Below are some of the risk management frameworks available. Please select one of them to ensure your team can complete the Team Assignment in Module 7.
- NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST Cybersecurity Framework”)
- NIST Special Publication 800-53 Rev 3 and NIST Special Publication 800-53 Rev 3 App I
- NIST Special Publication 800-53 Rev 4 and NIST Special Publication 800-53 Rev 4 App I
- Consensus Audit Guidelines (CAG)
- Cyber Resilience Review (CRR): Questions Set with Guidance
- CFATS Risk-Based Performance Standards (RBPS): Chemical Facilities Anti-Terrorism Standard, “RBPS 8 – Cyber,” pp. 71-81
- Committee on National Security Systems (CNSS) Instruction No. 1253, Baseline Security Categorization Method
- Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Control Overlays for Industrial Control System (ICS), Volume 1
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7
- TSA Pipeline Security and Incident Recovery Protocol Plan
- Information Assurance Implementation, Department of Defense, DODI 8500.2, February 6, 2003.
- ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
- NERC Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4
- NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011
- NIST Special Publication 800-82 Rev 1
- NIST Special Publication 800-82 Rev 2 (Draft)
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Rev 2
- NRC Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010
- Nuclear Energy Institute (NEI) 08-09 Cyber Security Plan for Nuclear Power Reactors
- TSA Pipeline Security Guidelines, April 2011
Option 1: Write a 2-page abstract summarizing why your team chose your selected risk management framework for your sector-based organization.
Option 2: Prepare 2–3 presentation slides on your justification for selecting this risk management framework.
Grading Criteria Rubric
- Evidence of teamwork
- Use of American Psychological Association (APA) style in writing the assignment
Total Points: 100