You will be asked to perform a cybersecurity risk assessment for a company that was breached in the past two years.Your simulated assessment is done prior to the breach.Therefore,all breach information and reasoning provided through your research will be used as part of your assessment process.You will select a company (a maximum of 5 students can select the same company) and develop a risk assessment report that reflects the risks uncovered as a result of your assessment. You need to use the NIST CSF ↓framework (pages 23-44) for this assessment. Your reasoning must be consistent with publicly available information about the company and the breach,but you may draw additional conclusions based on this information.
NIST CSF Dashboard with Questions (1).xlsx ↓
Please use the spreadsheet to assess the controls and then develop the assessment report.The final submission should include both the spreadsheet and the report deck.
Example: FTX Sample PowerPoint ↓and FTX Sample Spreadsheet ↓
Details
The steps required to complete the assignment are as follows:
1.You are to select a company (not attack type) of a major breach publicly announced within the last couple of years.
2.You are to conduct research about the breach at this company.
3.Based on the information that you obtained from your research using the NIST CSF ↓framework's 5 major control areas (identify, protect, detect, respond, recover), your assessment will identify at least 2 risks per major control area that you believe were missing and contributed to the breach.
4.There needs to exist a logical connection between the breach and missing controls (subcategories) for a specific company.This connection can be established in two ways:
1.The missing control was specifically mentioned in the publicly available research.If this is the case, you can just reference the information that you found.
2.You were able to make a case that this control was missing based on other information uncovered in the course of your assessment.
Assessment
● The assignment will be graded based on the following formula:
o 10%Overall format and style of the paper
o 20%Thoroughness of the research conducted
o 70%Quality of the reasoning related to the risks/controls selected
·Examples of elements to include in the powerpoint that will help your scoring:
·Summary and scope of the security assessment engagement you're conducting(as if you're the assessor)
o Threats to the company
o Executive summary
o Company background
o Attack/breach information,timeline
o State of the cybersecurity program
o Approach used to do the assessment,results
o References