Through this real-world project you will first select a particular industry (verticals may include financial, retail, education, manufacturing, e-commerce, entertainment, government, etc.) that is of interest to you. Your chief security officer (CSO) has given you the assignment of investigating serious risks to your organization's data assets. To educate senior managers and the board of directors, you are tasked to research, document, and explain at least two administrative, two physical, and three technical vulnerabilities to the enterprise data assets. You are also required to recommend security controls that would enhance the overall security posture of your organization.
The final research project (White Paper) document should include recommendations for administrative, physical, and technical security controls. You are required to include at least some information from each of the following sources in your white paper: the Gartner's Magic Quadrant document on firewall, Verizon Data Breach Investigation Report, The Open Web Application Security Project (OWASP), The Common Vulnerabilities and Exposures (CVE) at The MITRE, and The NIST National Vulnerability Database (NVD).
Additionally, the final document needs to include a Visio diagram that captures the logical security design that you are proposing to mitigate risks to data assets. The design should include at a minimum the various security zones that the organization needs to implement. It should also emphasize placement of critical devices, such as firewalls, URL filtering, content screening, data leakage prevention (DLP), intrusion prevention systems (IPS), and intrusion detection systems (IDS). Your job is not to implement the security controls in your research project but to define what the requirements are and to document them. In this project, you need to assume the role of security architect or security engineer.
Phase 1: Project Identification and Security Environment
You are required to select one industry, such as healthcare, financial, education, manufacturing, and so forth, of interest to you and write an abstract that captures the main idea behind your research project for the selected industry.
Phase 2: Security Vulnerabilities, Threats, Likelihood of Attack, and Business Impact
You need to collect data from the following sources (the Gartner's Magic Quadrant document on firewall, Verizon Data Breach Investigation Report, and The Open Web Application Security Project (OWASP) Project), including additional sources such as IDC, Forrester Research, NIST, and so forth. The data should focus on security weaknesses that the enterprise faces. In brief, identify at least two administrative, two physical, and three technical vulnerabilities to the enterprise data assets. Describe how each vulnerability can be exploited in ways that lead to loss or damage of enterprise data assets. Discuss the likelihood of the threats exploiting the identified vulnerabilities. Explain the impact that such vulnerabilities may have on the enterprise if they were exploited by the identified threats in your research.
Compare and contrast the threats identified in your research to current trends in IS/IT security. As per the sources required in this research project: Gartner's Magic Quadrant document on firewall, Verizon Data Breach Investigation Report, and The Open Web Application Security Project (OWASP) Project, do you foresee even greater security risks to enterprise organizations in this sector? Justify your answer.
Phase 3: Security Control Recommendations
Recommend solutions to the potential vulnerabilities identified in Phase 2 of the project. In this phase of the project, you will include Parts 1 and 2. Phase 3 needs to take into consideration faculty feedback from early phases in the project. Hence, these improvements should be included in Phase 3. You will recommend solutions for the security vulnerabilities you identified in Phase 2.
Your security recommendations must at least address some of the recommendations from the following sources: The Center for Internet Security (CIS) Top 20 Critical Security Controls and NIST Special Publication (SP) 800-53 to assess the effectiveness of the recommended security controls.