Workshop 3
In a table, summarise the main steps of the RM framework by listing the main tasks of each step. The list should be comprehensive so that it can be used as a guide.
Workshop 4
Activity 1
Pre-class readings on the NIST framework:
https://www.nist.gov/cyberframework/online-learning/five-functions
https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework
Activity 2
Compare the RM and NIST frameworks by mapping the steps of the RM framework to the functions of the NIST framework.
Hint 1: use a table or diagram.
Hint 2: steps or functions can be combined to match each other.
Activity 3
Consider again the case study provided in workshop 1 (please find it below for ease of access).
Alice runs a money transfer business in Australia (like Western Union) called Ezy Transfer. Customers can either send money online via Alice’s company website or make walk-in transactions.
In workshop 1, you identified the types of security risks Ezy Transfer is subject to. Using the RM framework, which was covered in Week 2, or the NIST framework, which was covered in this workshop, prepare a brief security management plan for Ezy Transfer.
Workshop 5
Activity 1
• What is the purpose of an EISP?
• What is the purpose of an ISSP?
• List and describe three functions that the ISSP serves in the organization.
Activity 2
Search for sample security policies on the Web. Identify two EISP and two ISSP sample policies. Compare these with the framework presented in this chapter and comment on the policies' comprehensiveness.
Activity 3
Using the framework presented in this chapter, draft an issue-specific security policy for Ezy Transfer. At the beginning of your document, briefly describe the organization for which you are creating the policy and then complete the policy using the framework.
Additional resources: 5.3 Issue-Specific Policy (NIST An Introduction to Information Security)
Workshop 6
Activity 1
• There are five risk treatment organization strategies presented in this chapter. Describe them:
a) Describe the strategy of defense.
b) Describe the strategy of transference.
c) Describe the strategy of mitigation.
d) Describe the strategy of acceptance.
e) Describe the strategy of termination.
• Describe residual risk.
• Describe risk appetite.
• What are the three common approaches to implement the defense risk treatment strategy?
Activity 2
1. Using the following table:
XYZ Software Company (Asset value: $1,200,000 in projected revenues)
1. Pick three threat categories shown in the table and explain how the company calculated the SLE.
2. Calculate, in a table, the ARO and ALE for each threat category listed in the table.
Hint: You need to calculate the ARO first. If an attack occurs once a year, then ARO = 1.