risk-based approach of managing information systems is a holistic activity that should be fully integrated into every aspect of the organization, from planning and system development lifecycle processes to security controls allocation and continuous monitoring. The selection and specification of security controls are carried out for effectiveness and efficiency, and within the constraints imposed by applicable laws, directives, policies, standards, and regulations.

The NIST Special Publication 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems provides a disciplined and structured process that integrates information security and risk management activities into the development lifecycle by identifying the following six steps:

• Step 1 – Use an impact analysis to categorize the system and the information it processes, stores, and transmits.
• Step 2 – Select the set of initial or baseline security controls for the system based on the security categorization. Tailor and supplement the set of baseline security controls according to the organizational assessment of the risk and the conditions of the operational environment. Develop a strategy for continuous monitoring to achieve security control effectiveness. Document all the controls in the security plan. Review and approve the security plan.
• Step 3 – Implement the security controls and describe how the security controls are employed within the system and its environment of operation.
• Step 4 – Assess the security controls using the appropriate procedures as documented in the assessment plan. This assessment determines whether the security controls have been implemented correctly and will effectively produce the intended outcome.
• Step 5 – Authorize information system operation if the estimated risk resulting from the operation is acceptable. The assessment considers risk to organizational assets and operations (including mission, functions, image, or reputation), individuals, and other organizations.
• Step 6 – Monitor the security controls on an ongoing basis. Monitoring includes assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of these changes, and reporting the security state of the system to designated officials.

While the risk management framework is adaptable to most scenarios, it defaults to the traditional IT environment and requires customization to successfully address the unique characteristics of cloud-based services and solutions. The CRMF closely follows the original RMF approach. Table E.1 shows the aforementioned six steps listed in the right column, with each step grouped into one of the three main activities in the left column that collectively comprise the risk management process:

Table E.1 The six steps are mapped to each of the three activities comprising the CRMF.

Adopting the approach outlined by these steps enables organizations to systematically identify their common, hybrid, and system-specific security controls and other security requirements for procurement officials, cloud providers, cloud carriers and cloud brokers alike.

The CRMF can be used to address the security risks associated with cloud-based systems by incorporating possible outcomes into the cloud provider’s contractual terms. Performance aspects of these terms and conditions also need to be represented in the SLA, which is an intrinsic part of the service agreement between the cloud consumer and cloud provider. Contractual terms should, for example, include guarantees concerning the cloud consumer’s timely access to cloud audit logs and the details pertaining to the continuous monitoring of the logs.

If permitted by the adopted deployment model, the organization should implement both the cloud consumer’s set of identified security controls and the specifically tailored supplemental security controls. Cloud consumers are advised to request that cloud providers (and cloud brokers) provide sufficient evidence to demonstrate that the security controls being used to protect their IT assets have been correctly implemented.
10/10/2019 Module 5: Critical Thinking
https://csuglobal.instructure.com/courses/13694/assignments/268137
ITS320 Module 5 Critical Thinking
Option #2: Third String in Reverse Order

Assignment Instructions
Write a Python function that will accept as input three string values from a user. The method will return to the user a concatenation of the first two strings and will print the third string in reverse order. The function is to be called from the main method. In the main method, prompt the user for the three strings.

Assignment Submission Instructions
Submit a text file containing your Python code into the Module 5 drop box. Name your file ITS320_CTA5.Option2.py.
Rubric: Criteria, Ratings and Pts (each criterion is worth 10.0 pts)

Requirements (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Includes all of the required components, as specified in the assignment, including the submission of the text file that contains your Python code in Option 1 OR Option 2.
• 8.0 to >6.0 pts – Approaches Expectation: Includes most of the required components, as specified in the assignment.
• 6.0 to >4.0 pts – Below Expectation: Includes some of the required components, as specified in the assignment.
• 4.0 to >0 pts – Limited Evidence: Includes few of the required components, as specified in the assignment.

Content (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Demonstrates strong or adequate knowledge of creating a Python function of string values in reverse order OR third string in reverse order; correctly represents knowledge from the readings and sources.
• 8.0 to >6.0 pts – Approaches Expectation: Some significant but not major errors or omissions in demonstration of knowledge.
• 6.0 to >4.0 pts – Below Expectation: Major errors or omissions in demonstration of knowledge.
• 4.0 to >0 pts – Limited Evidence: Fails to demonstrate knowledge of the materials.

Problem Solving (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Demonstrates strong or adequate thought and insight in problem solving.
• 8.0 to >6.0 pts – Approaches Expectation: Some significant but not major errors or omissions in problem solving.
• 6.0 to >4.0 pts – Below Expectation: Major errors or omissions in problem solving.
• 4.0 to >0 pts – Limited Evidence: Fails to demonstrate problem solving.

Critical Thinking (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Demonstrates strong or adequate critical thinking in working through the coding process.
• 8.0 to >6.0 pts – Approaches Expectation: Some significant but not major errors or omissions in critical thinking.
• 6.0 to >4.0 pts – Below Expectation: Major errors or omissions in critical thinking.
• 4.0 to >0 pts – Limited Evidence: Fails to demonstrate critical thinking.
Demonstrates college-level proficiency in organization, grammar and style (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Project is clearly organized, well written, and in proper format as outlined in the assignment. Strong sentence and paragraph structure; few errors in grammar and spelling.
• 8.0 to >6.0 pts – Approaches Expectation: Project is fairly well organized and written, and is in proper format as outlined in the assignment. Reasonably good sentence and paragraph structure; significant number of errors in grammar and spelling.
• 6.0 to >4.0 pts – Below Expectation: Project is poorly organized and does not follow proper paper format. Inconsistent to inadequate sentence and paragraph development; numerous errors in grammar and spelling.
• 4.0 to >0 pts – Limited Evidence: Project is not organized or well written, and is not in proper paper format. Poor quality work; unacceptable in terms of grammar and spelling.

Demonstrates proper use of APA style (10.0 pts)
• 10.0 to >8.0 pts – Meets Expectation: Project and/or questions contain proper APA formatting, according to the CSU-Global Guide to Writing and APA, with no more than one significant error.
• 8.0 to >6.0 pts – Approaches Expectation: Few errors in APA formatting, according to the CSU-Global Guide to Writing and APA, with no more than two to three significant errors.
• 6.0 to >4.0 pts – Below Expectation: Significant errors in APA formatting, according to the CSU-Global Guide to Writing and APA, with four to five significant errors.
• 4.0 to >0 pts – Limited Evidence: Numerous errors in APA formatting, according to the CSU-Global Guide to Writing and APA, with more than five significant errors.
you will be creating a cloud risk management plan. Please do not submit a paper; please submit a plan. A plan is defined as an intention or decision about what one is going to do. To this point, I want to know: what's your plan for managing risks related to the cloud? The plan is how you plan to manage risks related to using a third-party cloud vendor. The plan must address the six steps below and include a risk registry. Please note, your risk registry should not be empty. The NIST document, this week's lecture, and the template from the textbook on page 448 will help you frame the plan. You may have to research additional information to put the plan together. Here's a hint: risk = vulnerability x threat x the likelihood of an incident occurring.
• Step 1: Categorize Information Systems. ...
• Step 2: Select Security Controls. ...
• Step 3: Implement Security Controls. ...
• Step 4: Assess Security Controls. ...
• Step 5: Authorize Information System. ...
• Step 6: Monitor Security Controls.
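As an added illustration of how the six RMF steps and the hint formula (risk = vulnerability x threat x likelihood) fit together in a non-empty risk registry, the following Python script is example code written for this page; it is not from NIST SP 800-37, the course lecture, or the textbook template. Everything in it is an assumption chosen to make the workflow runnable: the 1..5 ordinal scales, the acceptance thresholds keyed by impact level, the hypothetical system name, and the four register entries describing risks of using a third-party cloud vendor. The register ties each entry to a step: categorization (Step 1), a selected control (Step 2), its implementation state (Step 3), its assessment result (Step 4), an authorization decision that only counts risks whose control is not yet in place and assessed (Step 5), and a change log that reopens an entry for re-assessment when the environment changes (Step 6).

```python
"""Cloud risk register organized around the six RMF steps.

Added example; not from NIST SP 800-37 or the course material.
The scoring scales, the acceptance thresholds and every register entry are
constructed assumptions used only to make the workflow runnable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 5: maximum acceptable score for an untreated risk, keyed by the
# Step 1 impact level (assumed values; an organization sets its own).
ACCEPTANCE_THRESHOLD = {"low": 60, "moderate": 30, "high": 12}


@dataclass
class Risk:
    risk_id: str
    description: str
    vulnerability: int            # ordinal 1..5 (assumed scale)
    threat: int                   # ordinal 1..5
    likelihood: int               # ordinal 1..5
    control: str                  # Step 2: selected or tailored control
    implemented: bool = False     # Step 3
    assessment_passed: Optional[bool] = None  # Step 4: None = not yet assessed
    change_log: List[str] = field(default_factory=list)  # Step 6

    def score(self) -> int:
        # Hint from the assignment text: risk = vulnerability x threat x likelihood
        return self.vulnerability * self.threat * self.likelihood

    def is_treated(self) -> bool:
        # A control only reduces risk once it is in place AND assessed as effective
        return self.implemented and self.assessment_passed is True

    def status(self) -> str:
        if not self.implemented:
            return "control not implemented"
        if self.assessment_passed is None:
            return "awaiting assessment"
        return "treated" if self.assessment_passed else "assessment failed"


@dataclass
class RiskRegister:
    system_name: str
    impact_level: str             # Step 1: "low", "moderate" or "high"
    risks: List[Risk] = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        # Reject entries outside the assumed scale or with a reused id
        for name in ("vulnerability", "threat", "likelihood"):
            value = getattr(risk, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{risk.risk_id}: {name}={value} outside 1..5")
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def get(self, risk_id: str) -> Risk:
        return next(r for r in self.risks if r.risk_id == risk_id)

    def prioritized(self) -> List[str]:
        # Highest score first; ties keep insertion order
        return [r.risk_id for r in sorted(self.risks, key=lambda r: -r.score())]

    def open_risks(self) -> List[Risk]:
        return [r for r in self.risks if not r.is_treated()]

    def authorize(self) -> bool:
        # Step 5: authorize only if every untreated risk is within the threshold
        limit = ACCEPTANCE_THRESHOLD[self.impact_level]
        return all(r.score() <= limit for r in self.open_risks())

    def record_change(self, risk_id: str, note: str) -> None:
        # Step 6: a change to the system or its environment invalidates the prior
        # assessment until a security impact analysis re-confirms the control
        risk = self.get(risk_id)
        risk.change_log.append(note)
        risk.assessment_passed = None

    def monitoring_report(self) -> Dict[str, str]:
        # Step 6: security state of each entry, for reporting to designated officials
        return {r.risk_id: r.status() for r in self.risks}


def build_sample_register() -> RiskRegister:
    """Constructed entries for a hypothetical system hosted with a third-party cloud vendor."""
    reg = RiskRegister("hypothetical-cloud-app", "moderate")
    reg.add(Risk("R1", "Vendor audit logs not delivered in time for monitoring",
                 4, 3, 3, "SLA clause: log access within 24h", True, True))
    reg.add(Risk("R2", "Misconfigured object storage exposes customer data",
                 5, 4, 3, "Bucket policy review plus configuration monitoring", True, None))
    reg.add(Risk("R3", "Vendor terminates service; data export untested",
                 3, 2, 2, "Documented exit plan with tested export", False))
    reg.add(Risk("R4", "Hypervisor compromise in multi-tenant environment",
                 2, 3, 1, "Provider attestation report reviewed annually", True, True))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("priority order:", reg.prioritized())        # ['R2', 'R1', 'R3', 'R4']
    print("authorize:", reg.authorize())               # False: R2 (score 60) not yet assessed
    reg.get("R2").assessment_passed = True
    print("authorize after R2 assessed:", reg.authorize())  # True: only R3 (score 12) open
    reg.record_change("R1", "vendor migrated logging platform")
    print("after change to R1:", reg.monitoring_report())
```

The design choice worth noting is that an entry only stops counting against authorization when both its control is implemented and its assessment has passed; a control that exists on paper, or one whose environment has changed since it was assessed, carries its full score again. That mirrors the SLA point made earlier in the page: timely access to audit logs is itself a register entry with a contractual control, and if the vendor changes its logging platform the entry is reopened until monitoring confirms the control still works.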