Module 4: Risk Management
Module 4 Team Activity
Overview
Student teams continue to build a description of the operating environment for their sector-based organization. They select an appropriate risk management framework for the sector-based organization. In the absence of one required by the industry, teams should begin to apply the NIST Cybersecurity Framework to the selected organization. Each team’s work should be reviewed by the instructor.
Objectives
| Module 3 Learning Objective # | Revised Bloom’s Taxonomy | Team Activity Objectives |
|---|---|---|
| 4.2 | Evaluate | Select an appropriate risk management framework or standard, such as the NIST Cybersecurity Framework and the North American Electricity Reliability Council (NERC). |
| 4.5 | Understand | Explain how the selected risk management framework will holistically manage risk for the selected system. |
Assignment
Below are some of the risk management frameworks available. Please select one of them to ensure your team can complete the Team Assignment in Module 7.
- NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST Cybersecurity Framework”)
- NIST Special Publication 800-53 Rev 5
- Cyber Resilience Review (CRR): Questions Set with Guidance
- CFATS Risk-Based Performance Standards (RBPS): Chemical Facilities Anti-Terrorism Standard, “RBPS 8 – Cyber,” pp. 71-81
- Committee on National Security Systems (CNSS) Instruction No. 1253, Baseline Security Categorization Method
- Committee on National Security Systems Instruction (CNSSI) No. 1253, Security Control Overlays for Industrial Control System (ICS), Volume 1
- DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7
- TSA Pipeline Security and Incident Recovery Protocol Plan
- ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
- NERC Reliability Standards CIP-002-009 Revisions 3 and 4
- NIST Special Publication 800-82 Rev 2 (Draft)
- NRC Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010
- Nuclear Energy Institute (NEI) 08-09 Cyber Security Plan for Nuclear Power Reactors
- TSA Pipeline Security Guidelines, May 2018
Assignment Options
Option 1: Write a 2-page abstract summarizing why your team chose your selected risk management framework for your sector-based organization.
Option 2: Prepare 2–3 presentation slides on your justification for selecting this risk management framework.
Grading Criteria Rubric
- Content
- Evidence of teamwork
- References
- Use of American Psychological Association (APA) style in writing the assignment
Total Points: 100
