Task:
Lab Purpose

Operational Technology (OT) and Information Security (Infosec) are constantly growing and changing areas of concern for governments, corporations, and individuals. Technology itself changes at a pace much faster than ever seen before. As technology advances, so do the security issues. As new technology presents new security challenges, information security must concern itself with both the old and the new technology, thus producing a constant layering. As a security-aware professional, recognizing the need for controls in all areas of the cyber domain (physical, people, and technology) is critical for your success, the success of your organization, and your personal security. Infusing Internet of Things (IoT) devices with Operational Technology instruments, processes, and artifacts creates opportunities for better security as well as introducing new vulnerabilities that must be protected against.

The purpose of this lab is to increase your awareness, and your sources of awareness, of Operational Technology vulnerabilities, security design, and defense-in-depth by building a Risk Assessment Plan with the aid of the NIST Cybersecurity Framework, and to apply this understanding to create a Security Policy for the Bank.

Lab Goals

Upon completion of this lab, you should have:

- Increased your awareness of Information Security influences on Operational Technology and building design.
- Improved your understanding of the relevance of infrastructure security based on the functions, categories, subcategories, and reference structure of the NIST Cybersecurity Framework.
- Increased recognition of cybersecurity influences on attributes of our society's critical infrastructure.

Lab Instructions

1. Identify and describe the data center that supports the Online Banking System for a Regional Bank:
(a) Identify the numbers of people that may be on site at operational times, and the access points and barriers to entry to important areas. Using paper and pencil, Lucidchart.com (login with your ASU-Gmail credentials), or Microsoft Visio, take a screenshot image (cut/paste) of your completed schematic into a Word document.

2. Create a Risk Assessment by answering these prompts (10 points each) based on NIST CSF.

A. Identify: In a Word Table, state the following for Identify:

- Create an inventory of physical assets and cyber assets (devices and systems) within the facility.
- Prioritize these assets based on their criticality to the business functions of the organization.
- Identify a vulnerability for each asset.

Refer to NIST CSF: ID.AM-1 & 2, ID.BE-3 & 4, and ID.RA-1 & 3.

B. Protect:

- Describe 2 ways to protect the physical assets.
- Describe 2 ways to protect the cyber assets.
- Explain 2 topics that are in a security training program for employees who have privileged user access based on their job role.

Refer to NIST CSF: PR.AC-1 & 2 and PR.AT-1 & 2.

C. Detect:

- How would you know if someone or something was attempting to access, disable, degrade, or destroy one or more of the devices and/or systems in the facility?
- Which types of systems are implemented to identify occurrences of physical security breaches?
- Which types of systems are implemented to identify occurrences of cyber security breaches?

Refer to NIST CSF: DE.CM-2, 3, & 8.

D. Respond:

- How would you respond to the anomalies and events through the systems you would implement?
- Which type of response plan is necessary when physical security is breached at the facility?
- Which type of response plan is necessary when cyber security is breached at the facility?

Refer to NIST CSF: RS.AN-1, 2, 3 and RS.CO-4 & 5.

E. Recover:

- Which steps are in place to recover from actions intended to access, disable, degrade, or destroy the assets?
- Which type of recovery plan is needed for physical security breaches that occur at one of the critical areas in the facility?
- Which type of recovery plan is needed for cyber security breaches that occur at one of the critical areas in the facility?

Refer to NIST CSF: RC.RP-1 and RC.CO-1 & 2.

Lab Deliverables

When using resources to support your work, you are required to use APA mechanics. (20 points)

To obtain full points, you are required to provide:

- Introduction
- Your schematic
- Substantive answers to each section/question listed in the Risk Assessment section based on your schematic
- Security Policy
- Conclusion
- References (minimum of 3 references)