How the US Military does Risk Management is a little different what we have seen thus far. The notable difference is the selection of the controls. The process we have seen usually begins by identifying the threats and vulnerabilities to which specific controls are selected. The US Military, on the other hand, first defines the system category based on the impact of confidentiality, integrity, and availability (STEP 1 in figure). From there, it MUST use the controls needed to meet the system category! (STEP 2 in figure). This removes the arguments over what controls should or should not be implemented. As an example, I had a Public-Facing website with low confidentiality, integrity, and availability requirements and we had to implement 107 controls. This approach is clever in that I don’t need to estimate probabilities or likelihood of threats/vulnerabilities – I just include the proper suite of controls. (In fact, there are 3 sets of possibilities in each group: 3x confidentiality, 3x integrity, and 3x availability equals 27 possible outcomes – and each outcome had a particular set of controls; but the idea is the same).
Week 2:
Your initial post should be at least 250 words.
PICK Fannie Mae: discuss with the class how your choice impacts real estate finance. Pay particular attention to their underwriting standards, underwriting tools, and overall organization.
+++++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words.
What do we mean by a "mortgage program"?
PICK: Variable interest rate loans and discuss with the class how your choice differs from traditional 30 year loans. Be sure to explain the rationale behind the difference, and explain the pros and cons of Variable interest rate loans
++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words
Review these questions and determine what the historic relationship between interest rates and home ownership was, and what it appears to be in the current housing slump.
What happens to an individual's capacity to borrow as mortgage interest rates fluctuate?
How did extremely low interest rates in 2004 and 2005, then rapidly rising rates in 2006 impact home sales? (Hint: Try to find some data on the web that correlates unit home sales with interest rates).
What happens to home prices as interest rates fluctuate? Have home prices recovered since rates have fallen since then to record lows in late 2010 and beyond?
What happens to DOM (Days on the Market) - or how long it takes to sell the average home - as rates go up and down?
The Breach at Limetree
Updated November 18, 2017
Background: Limetree Inc. is a research and development firm that engages in multiple
research projects with the federal government and private corporations in the areas of
healthcare, biotechnology, and other cutting-edge industries
Limetree recently lost a DOD contract worth millions of dollars, because anothe ...
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
How the US Military does Risk Management is a little different wha.docx
1. How the US Military does Risk Management is a little different
what we have seen thus far. The notable difference is the
selection of the controls. The process we have seen usually
begins by identifying the threats and vulnerabilities to which
specific controls are selected. The US Military, on the other
hand, first defines the system category based on the impact of
confidentiality, integrity, and availability (STEP 1 in figure).
From there, it MUST use the controls needed to meet the system
category! (STEP 2 in figure). This removes the arguments over
what controls should or should not be implemented. As an
example, I had a Public-Facing website with low
confidentiality, integrity, and availability requirements and we
had to implement 107 controls. This approach is clever in that I
don’t need to estimate probabilities or likelihood of
threats/vulnerabilities – I just include the proper suite of
controls. (In fact, there are 3 sets of possibilities in each group:
3x confidentiality, 3x integrity, and 3x availability equals 27
possible outcomes – and each outcome had a particular set of
controls; but the idea is the same).
Week 2:
Your initial post should be at least 250 words.
PICK Fannie Mae: discuss with the class how your choice
impacts real estate finance. Pay particular attention to their
underwriting standards, underwriting tools, and overall
organization.
+++++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words.
What do we mean by a "mortgage program"?
2. PICK: Variable interest rate loans and discuss with the class
how your choice differs from traditional 30 year loans. Be sure
to explain the rationale behind the difference, and explain the
pros and cons of Variable interest rate loans
++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words
Review these questions and determine what the historic
relationship between interest rates and home ownership was,
and what it appears to be in the current housing slump.
What happens to an individual's capacity to borrow as mortgage
interest rates fluctuate?
How did extremely low interest rates in 2004 and 2005, then
rapidly rising rates in 2006 impact home sales? (Hint: Try to
find some data on the web that correlates unit home sales with
interest rates).
What happens to home prices as interest rates fluctuate? Have
home prices recovered since rates have fallen since then to
record lows in late 2010 and beyond?
What happens to DOM (Days on the Market) - or how long it
takes to sell the average home - as rates go up and down?
The Breach at Limetree
Updated November 18, 2017
Background: Limetree Inc. is a research and development firm
that engages in multiple
research projects with the federal government and private
3. corporations in the areas of
healthcare, biotechnology, and other cutting-edge industries
Limetree recently lost a DOD contract worth millions of dollars,
because another competitor
claimed to have “superior chemical process that brought about
the desired results in half the
time, with over seventy-five percent more yield than
conventional technologies.” This contract
loss troubled Limetree Inc. management because Limetree has
been working on that exact
same technology for years and they suspect that it’s no mere
coincidence that a competitor has
claimed their proprietary process for their own.
The management then asked Jack Sterling, Limetree’s security
manager, to investigate if there
were any IT related security problems that could shed some
light on the possibility of an insider
threat. Jack performed an unannounced sweep of the office area
and found serious problems.
There were poor security practices with every workstation, such
as unauthorized external hard-
drives & USBs, passwords under mouse pads, unlocked
displays, unauthorized software,
obvious phone PINs, wireless passwords on bulletin boards, and
improper destruction of
sensitive documents.
Jacks’ investigation lead him to three suspects: Jamie Kim at
workstation #14 because her
external hard-drive had the same proprietary processes files as
was leaked to the competitor;
Duncan Harris at workstation #11 because he had a USB with
deleted files that also had the
4. proprietary processes leaked; Steve Kim at workstation #4
because he had passwords and
usernames of Jamie Kim on a partially shredded paper in the
trash. No other employees had
any file or potential access to the files that contained the
proprietary processes.
Jack also conducted a review of the access logs on the server to
rule out any unwarranted
wireless access from in or outside the facility. There were
several unauthorized users using the
wireless resource, but no access to the servers. Logs on the
servers themselves revealed
unauthorized directory traversals and DNS poisoning but these
attacks were not in the narrow
timeframe that the insider sold the proprietary process. Jack
then navigated to the folder that
the proprietary process was kept and observed there was no
encryption; nor was it isolated on
the network. Jack looked up the default password for the CISCO
switch and sure enough, it had
not been changed on the routers and switches. Jack also ran a
root-kit detector and although it
didn’t find one, it did show that a backdoor had been planted in
the distant past but wasn’t
active now. After finding the backdoor, Jack then examined the
public-facing webpage and
noticed that many of the input fields did not do any data
integrity checks. Since that is a poor
security practice, he made a mental note to consider common
security misconfigurations when
he had free time.
5. Jack went to the telecommunications closet and discovered that
the door was unlocked and the
AC was broken; it was critically hot in the small room. He also
noticed that someone opened a
ceiling panel (probably to allow fresh air into the closet). But
now Jack wondered if there should
be a false ceiling in sensitive area? He made another mental
note to go through all the physical
security concerns when he had time.
Jack went to the main lobby and checked the sign-in visitor
sheet. Clearly, the company wasn’t
following procedures as there were only a few people that
signed in per day, when he knew it
should be over 10 people a day. He did notice one thing, and
that was the only employee, of
the three suspected, Steve Kim was visited by a “Jason Byway”
several times. Jack ran simple
background checks using social media (Facebook, LinkedIn, &
Google) on all ninety-five people
entering the facility during the time the leak occurred and only
“Jason Byway” was a fake name.
Jack decided to run credit report on all three suspects. The
scores were: Jamie Kim 650; Duncan
Harris 670; Steve Kim 540. Jack confiscated all three
employees’ workstations and did a
preliminary investigation of the hard drives. Of all the
suspected employee’s only Steve Kim had
deleted files with the personal health information (PHI) used in
a research study. Thus, Jack
concluded that Steve Kim stole the information from another
employee (Jamie Kim) and was
the insider that sold company secrets, probably to get out of
financial trouble.
6. ISE 510 Final Project Scenario Background
Limetree Inc. is a research and development firm that engages
in multiple research projects with the federal government and
private corporations in the areas of healthcare, biotechnology,
and other cutting-edge industries. It has been experiencing
major growth in recent years, but there is also a concern that
information security lapses are becoming rampant as the
company grows. Limetree Inc. is working to establish a strong
reputation in the industry, and it views a robust information
security program as part of the means to achieving its goal. The
company looks to monitor and remain compliant to any
regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes
confidential company data has been stolen, including personal
health information (PHI) used in a research study. Limetree Inc.
believes the breach may have occurred because of some security
vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent
Surefire: InfoSec educational video game. The rest of the
environment is presented via an interview with the security
manager, Jack Sterling.
Highlight of Interview with Jack Sterling
Interview with Jack Sterling revealed the following about
Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS
Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – Browser in use is Internet Explorer and browser
security setting was set to low. Browsers allow remote
installation of applets, and there is no standard browser for the
environment.
7. Virus Software – MacAfee is deployed locally on each user's
machine and users are mandated to update their virus policy
every month.
SQL Database – Ordinary users can escalate privilege via SQL
Agent. Disk space for SQL database log is small and is
overwritten with new information when it is full. Limetree Inc.
is not using any encryption for sensitive data at rest within the
SQL server environment.
Network:
The network comprises the following: three web/applications
servers, three email servers, five file and printer servers, two
proxy servers, seven remotely manageable Cisco switches, 250
desktops, three firewall devices, one gateway (router) device to
the internet, and three wireless access points.
Configuration Highlights:
Wireless – Wireless network is available with clearly
advertised SSID, and it is part of the local area network (LAN).
There is no segmentation or authentication between the wireless
and wired LAN. Visitors are provided access code to the
wireless network at the front desk to use the internet while they
wait to be attended to.
Managed switches – There is no logging of network activities
on any of the switches.
Web server – Public-facing web server is part of the LAN. This
is where internet users get needed information on the company.
The web servers are running the following services in addition:
File & Print Services, Telnet, IIS.
Firewalls – Firewall configuration is very secure, and the logs
are reviewed when there is suspicion of a security event. The
following files types are allowed for inbound connection: EXE,
DOC, XML, VBS. In addition, Telnet and FTP are allowed for
inbound connection.
Passwords – Users determine the length of the password and
complexity, but it is mandatory to change password once a year.
Network configuration changes are determined by the IT
manager and users are notified immediately once the changes
8. are implemented.
Documentation:
I. There is no documented security policy, or computer use
policy.
II. II. There is no documented process for changes to the
system.
III. III. There is no contingency plan.
System Backup:
I. Backup is conducted daily by the network administrator, and
tapes are kept safely in the computer room.
Personnel/Physical Security:
I. While users are not trained on security awareness, emails go
out every month from the system administrator warning users of
emerging threat.
II. II. Visitors sign in at the front desk before they are allowed
to walk in to see employees at their respective offices.
III. III. Remote employees connect via virtual private network.
Their laptops are configured exactly as the desktops in the
office with unencrypted hard drives.
IV. IV. Often users are allowed to bring in their own laptops,
connect to corporate system, and complete their tasks,
especially if they are having issues with laptops provided by the
company.
Incident Response:
At Limetree Inc., systems administrators are notified of
computer incidents, and the administrators escalate to the IT
manager, who reports incidents to the security manager if they
are deemed relevant. Currently there is no official documented
process of reporting incidents. There is also no previous
documented history of incidents, even though Limetree Inc. has
experienced quite a few. Corrective measures are taken
immediately after an incident, though none of the measures was
ever documented.
ISE 510 Final Project Guidelines and Rubric
9. Overview
The final project for this course is the creation of a security
breach analysis and recommendations.
The relevance of risk assessment cannot be overemphasized as
organizations establish or reaffirm their security posture,
especially in the wake of overwhelming computer security
breaches at many organizations in the United States and around
the world, including government agencies. Organizations seek
to understand their compliance status for current regulations as
well as their vulnerability in order to adopt a proper approach to
manage risks. It is equally important to conduct a risk
assessment after a system breach has occurred to better
understand the threats and the vulnerabilities exploited.
For your final project, you will analyze an information security
breach that has already occurred. This will place you in the role
of a risk assessment expert, coming in to determine how the
breach occurred and develop strategies to mitigate against the
breach reoccurring. Risk assessment experts can fill the
positions of penetration testers, information security auditors,
and independent verification and validation analysts, for
example. Such roles will continue to gain relevance as
organizations and governments continue to move sensitive
financial information, personal health information (PHI), and
personally identifiable information (PII) across publicly
accessible networks and storage devices.
For the final project for this course, you will analyze an
information security breach provided in the Final Project
Scenario document and the educational video game (Agent
Surefire: InfoSec) you will play in Module Three. In your
analysis, you will discuss how the breach occurred, the incident
response processes that were initiated, the impact of the breach,
and applicable regulations to the organization. Then, you will
develop a security test plan for the breached system and create
security controls to ensure that the breach will not reoccur.
10. The project is divided into three milestones, which will be
submitted at various points throughout the course to scaffold
learning and ensure quality final submissions. These milestones
will be submitted in Modules Three, Five, and Seven. The final
product will be submitted in Module Nine.
This assessment addresses the following course outcomes:
through analysis of security breaches
uate incident response processes for their effectiveness
in ensuring business continuity in support of organizational
goals
information security of organizations
works, applications, or
physical security assessment projects based on established
cybersecurity standards
website, and network vulnerabilities
rganizational
culture and communication challenges that could affect
cybersecurity risk assessment in a diversified world
Prompt
Your security breach analysis and recommendations should
answer the following prompt: Using your Final Project Scenario
and gameplay from the educational video game Agent Surefire:
InfoSec that you will complete in Module Three, analyze the
information security breach to determine how the breach
occurred, evaluate the incident response processes, and assess
the impact of the breach and applicable regulations on the
business or organization. Then use your analysis to develop a
security test plan, security controls to mitigate risk, and
recommendations that reduce the impact of organizational
culture and communication challenges.
11. Specifically, the following critical elements must be addressed:
I. Introduction: Provide a brief profile of the business or
organization that has been attacked, including its organizational
goals. In your profile, you could consider the industry in which
the business or organization operates and the product or service
that is the focus, for example.
II. II. Security Breach: In this section, you will analyze one
current information security breach, describing the business or
organization that has been affected by this breach and
explaining how the breach occurred. Specifically, you should:
A. Attack Location: Determine what part of the business or
organization was attacked by analyzing the security breach that
occurred. For example, was the network attacked? Or was the
company website hacked?
B. Attack Method and Tools: Analyze the security breach to
determine the method and tools that were used to effect the
attack. In other words, how did the attack occur?
C. Vulnerabilities: Based on your analysis, what vulnerabilities
of the business or organization were exploited? How were the
vulnerabilities discovered? For example, were the
vulnerabilities discovered by an employee, a third party, or a
customer?
III. Incident Response: In this section, you will evaluate the
incident response processes that were initiated in response to
the breach. Specifically, you should:
A. Actions: What incident response actions were initiated to
minimize the impact of the breach? In other words, what did the
business or organization do to address the vulnerabilities and
resume normal system operations after the breach?
B. Business Continuity: Evaluate these incident response
actions for their effectiveness in allowing the business to
resume normal system operations after the breach. In other
words, how effective were these incident response actions in
ensuring business continuity and supporting the organization’s
12. goals?
IV. Impact: In this section, you will discuss the possible
impacts of applicable cybersecurity regulations to the business
or organization. Specifically, you should:
A. Application: Describe the government and industry
regulations that apply to the business or organization in relation
to the security breach. For example, what legislation, directives,
and policies relate to the security breach?
B. Impact: How do these regulations impact the business or
organization and its information security? Support your
response with specific examples.
C. Financial and Legal Implications: Discuss possible financial
and legal implications of the security breach for the business or
organization. Will the business or organization be subject to any
fines or sanctions because of the security breach, for example?
V. Security Test Plan: In this section, you will develop a
security test plan for the breached system, basing your plan on
your analysis of the security breach and established
cybersecurity standards such as those from the National
Institute of Standards and Technology (NIST). Specifically, you
should:
A. Scope: Determine the scope of the risk assessment. For
example, what assets, threats, and vulnerabilities will need to be
addressed? Will the risk assessment need to include networks,
applications, or physical security systems? What policies and
procedures will need to be reviewed?
B. Resources: Document the resources required for the risk
assessment. In other words, what do you need to actually do the
assessment?
C. Hardware and Software: Create a list of system hardware and
software within the target of the risk assessment. In other
words, what are the parts of the system that you are assessing?
D. Tools: Determine the necessary tools for the risk assessment,
based the list of system hardware and software you created.
VI. Risk Mitigation: In this section, you will create security
13. controls to ensure that the breach will not reoccur. Specifically,
you should:
A. Security Controls: Create at least five security controls that
mitigate future risks by ensuring that the security breach will
not reoccur. These controls can be technical, administrative, or
personnel security controls, for example.
B. Vulnerabilities: How will the security controls you created
mitigate risks by reducing application, website, and network
vulnerabilities?
C. Evaluation: What are the criteria for measuring the controls
to ensure they are properly implemented? In other words, how
will the security controls be evaluated?
VII. Conclusion: In this section, you will recommend methods
to reduce the impact of organizational culture and
communication challenges. Specifically, you should:
A. Communication: Document interpersonal communication
issues encountered within the risk assessment team. How were
the issues resolved?
B. Organizational Culture: What challenges to organizational
culture occurred as a result of the security breach? In your
response, consider the impact of the security breach on the
reputation of the business or organization.
C. Recommendations: What methods can you recommend to
reduce the impact of these communication and organizational
cultural issues in future risk assessments?
Milestones
Milestone One: Kickoff Agenda In Module Three, you will
submit a kickoff agenda. This milestone will be graded with the
Milestone One Rubric.
Milestone Two: Test Plan In Module Five, you will submit a
test plan. This milestone will be graded with the Milestone Two
Rubric.
Milestone Three: Incident Response Plan In Module Seven, you
14. will submit an incident response plan. This milestone will be
graded with the Milestone Three Rubric.
Final Submission: Security Breach Analysis and
Recommendations In Module Nine, you will submit your final
project. It should be a complete, polished artifact containing all
of the critical elements of the final product. It should reflect the
incorporation of feedback gained throughout the course. It
should also be structured to follow the outline presented in the
Prompt. This submission will be graded with the Final Project
Rubric (below).
ISE 510 Security Risk Analysis & Plan
Security Breach Analysis and Recommendations
Milestone 2: Test Plan
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late let me know why:
=====================================
Delete these instructions in blue font before submission:
Change file name to MS#2_LAST_FIRST
A few comments up front:
Assume you and your team are hired by Limetree as an IT
Security consultant to analyze the breach, determine the
vulnerabilities, and make recommendations for an extensive
security program to include policies, controls, enforcement of
controls, and continuous monitoring, all for the purpose of
reducing information system risk to an acceptable level.
15. You will need to look up ONE of the Risk Methodologies listed
in the Reference section. Some are easier than others! So look
at a few and then decide which one you like. If you want to use
another one, just let me know.
If you have any questions, please let me know as soon as
possible.
Introduction
a) Introduce your company (Limetree) and state its capabilities.
It’s good business communication practice to double-check
assumptions and verbal correspondence. I would copy the
background section from final project scenario and make
changes as needed.
b) State your goal for the security breach analysis project.
Whatever you write as the goal should be connected to the
scope below. Remember, we are in a Risk Assessment and
Planning class – so you should include how ‘risk’ fits into the
goal(s).
Scope
a) Define the scope of the project.
From a Project Management perspective, the scope is the
boundary of the project and specifies what aspects will be
included and which aspects are not included. From a
cybersecurity perspective, we’re interested in IT systems,
facilities, people, cybersecurity procedures and policies; threats
and vulnerabilities as mentioned in the Surefire Game or THE
BREACH supplemental document.
Here are some ideas:
Answer these questions in essay format:
a) What is the primary reason Limetree is performing this
activity?
16. b) What will the Security Breach Analysis and
Recommendations report going to produce? (look back at goals)
c) What were the major threats and vulnerabilities described in
the Agent Surefire Game?
d) What were the major threats and vulnerabilities described in
THE BREACH supplemental document?
e) Any limitations or constraints?
f) How long will it take? (should be less than a month – you can
answer this after you complete ‘Timeline and Benchmarks’
below)
g) About how much will it cost? (you can answer this after you
complete ‘Timeline and Benchmarks’ below)
Remember that the title of the Final Project is "Security Breach
Analysis and Recommendations" so, keep the discussion to that.
Hardware and Software:
a) Create a list of hardware and software present.
Just list the hardware and software found throughout the Final
Project Scenario and the Breach description.
Resources:
a) Determine resources required with brief explanation of why
each is required (e.g., internet access, computers, additional
personnel).
These are the resources needed to complete the Security Breach
Analysis and Recommendations Report (i.e. our Final Project).
Here are the main three types of resources (you can add more if
you want):
List the Job titles of the team members and what skill-level –
team members and their skills, certifications, and experience.
How much does each member cost per hour.
List the Hardware & Software – What special hardware or
17. software; any licenses or subscriptions required; like a
penetration test suite.
List the Special tools –forensic hard drive duplicators; wireless
detection scanners etc.
Hint: A team of 5 would be too large, and a team of 1 is too
small.
Timeline and Benchmarks:
a) Discuss your timeline for the project (how long it will take
and why).
This can be a bulleted list of the major tasks to be completed
(No more than 6 major tasks); under each bullet give a short
description. You can list out the tasks and their description like
a Project Manager would.
Also, on each bullet, estimate the number of man-hours required
to complete each major task. Example: 3 people working 5 days
at 40 hours per week is 3 x 40 = 120 man-hours.
EXAMPLE:
1. KICK-OFF Meeting.
The kick-off meeting serves as an opportunity to discuss the
organizational structure, introduction of the team to senior
leaders and IT staff, reviews the facts of the breach, and defines
the scope of the project. Approximately 3 team members, for 2
hours is 6 man-hours.
b) Discuss what regulatory benchmark you will be using to
make vulnerability determination.
Here is an example of what this question is looking for:
The regulatory benchmark that will be used in the vulnerability
determination is the OCTAVE Allegro methodology (Caralli,
Stevens, Young, & Wilson, 2007). The original OCTAVE
methodology was developed by the Software Engineering
Institute (SEI) at Carnegie Mellon University in 1999. Since
18. then several versions have been developed, and in June 2007,
SEI introduced the OCTAVE Allegro methodology.
Any of the risk methods listed in the References (at the end of
this document) will be acceptable! Or, if you have a risk method
you’d like to use, just let me know.
Approach:
a) State your approach
Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses an 8-step process for
conducting a risk assessment. These are 1) establish risk
measurement criteria; 2) Develop an Information Asset Profile;
3) Identify Information Asset Containers 4) Identify Areas of
Concern; 5) Identify Threat Scenarios; 6) Identify Risks; 7)
Analyze Risks; and 8) Select Mitigation Approach.
OCTAVE Allegro methodology uses questionnaires, worksheets,
checklists, and templates to guide the risk assessor through the
8-step process.
b) Define how you will categorize your findings (Example: low,
medium, high)
Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses three categories to
evaluate the probability of a threat exploiting a vulnerability –
High, Medium, and Low.
The final risk score is determined by a relative risk score, which
considers a qualitative risk probability (high, medium, low)
combined with a prioritized impact level, taking into
consideration the organizations’ criteria.
References
19. Add your reference here
Have at least 3 or more references. Delete those references that
you did not use.
Caralli, R. A., Stevens, J. F., Young, L. R., & Wilson, W. R.
(2007). Introducing octave allegro: Improving the information
security risk assessment process (No. CMU/SEI-2007-TR-012).
Carnegie-Mellon Univ Pittsburgh Software Engineering
Institute. Retrieved from http://www.dtic.mil/cgi-
bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA47
0450
CORAS, (2015). The CORAS Method. Retrieved from
http://coras.sourceforge.net/
NIST SP 800-37, Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life
Cycle Approach. Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-
rev1-final.pdf
NIST SP 800-39 (2011). Managing Information Security Risk:
Organization, Mission, and Information System View. Retrieved
from
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicatio
n800-39.pdf
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). NIST
SP 800-30: Risk management guide for information technology
systems. Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf