MINISTRY OF EDUCATION AND TRAINING

This part is about: the developer group; the initial idea of the group’s Capstone; posing an actual IA problem in an organization, overview of similar existing solutions (if any), and overview of existing methods; business outline, limitations of existing solutions, improvement objectives, and benefits of the expected solution.

2.1.1. Name of the CP

2.1.2. Problem Abstraction

2.1.3. Project Overview

2.1.3.1. The Current Situation

2.1.3.2. The Proposed Solution

2.1.3.3. Boundaries of the Solution

2.1.3.4. Development Environment

2.2.1. Solution Process Model

2.2.2. Roles and Responsibilities

2.2.3. Tools and Techniques

2.3.1. Tasks:

2.3.1.n Task-n:

• 
  Description
  
• 
  Deliverables
  
• 
  Resources Needed
  
• 
  Dependencies and Constraints
  
• 
  Risks
  

2.3.3. All Meeting Minutes

3.2.1. Information Asset Classification

3.2.1.n. Critical Information Asset n

3.2.1.n.1. The Probability of a threat exploiting a vulnerability in an asset

3.2.1.n.2. The Impact of a threat exploiting a vulnerability in an asset usually

measured in terms of cost to the asset's stakeholders.

3.2.2. System Characterization

3.2.2.1. Logical Architecture: security domains, how data is stored, transmitted and

processed, …

3.2.2.2. System Components: hardware, software, network environment, servers,

switches, firewalls, OS, applications, databases,…

3.2.2.3. Users of the System

3.2.2.4. Security and Compliance Requirements: Confidentiality, Integrity,

Authentication, Non-repudiation, Availability, relevant laws, regulations,…

3.2.2.5. Information Protection Priorities

3.3.1. Threat Identification

3.3.2. Vulnerability Identification

3.4. Risk Analysis

3.4.1. Impact Assessment

3.4.2. Likelihood Assessment

3.4.3. Risk Determination (Rating)

3.4.3.1. Risk-Level Matrix

3.4.3.2. Description of Risk Level

3.5.1. Control Methods

3.5.1.1. Technical (safeguards, tools)

3.5.1.2. Non-technical (management and operational controls)

3.5.2. Control Types (Deterrent, Preventive, Detective, Corrective,…)

3.5.3. Residual Risk Evaluation

3.5.4. Risk Monitoring and Controlling

3.6. Other material (if any)

Report No.4: RMP

4.1. Objectives of RMP

4.1.1. Lists of Threats/Vulnerabilities

4.4.1. Present Recommendations

4.4.2. Document Management Response to Recommendations

4.4.3. Document and Track Implementation of Accepted Recommendations

4.6.1. Milestone Plan Chart

4.6.2. Gantt Chart

4.6.3. Critical Path

4.3.1. Framework (Risk IT, GAISP, CobiT, PCI DSS, ISO 17799, ISO/IEC 27002,

NIST Handbook, etc.).

4.3.2. Policies, Procedures, Plans, and Processes, Including CBA.

5.1.1. Major Risk Treatment: after monitoring divide major risks into

avoiding, mitigating, accepting, transferring (outsourcing, etc.).

5.1.2. Risk Mitigation Treatment (consider prevention, detection, and

response).

5.1.3. Risk Mitigation Plan (RMiP)

5.1.3.1. Cost and Time to Implement

5.1.3.2. Operational Impact

5.2.1. Threat/Vulnerability Matrix Method

5.2.2. Prioritizing Countermeasures

5.2.3. Verify How They Can Be Mitigated

5.3.1. Calculate CBA

5.3.2. CBA Report

5.4. Implement the RMiP

5.4.1. Tools and Techniques (Algorithms, Firewalls, InfoSec Software, etc.)

5.4.2. Policies, Procedures for Controlling Regular Backups and Configuration

Hardening.

5.4.3. Operational Controls (Employee Training in Security Awareness,

Configuration Management, Contingency Planning, Incident Response, etc.)

5.5.1. Ensuring Countermeasures Are Implemented

5.5.2. Ensuring Security Gaps Have Been Closed

5.6. Other Material (if Any)

Report No.6: VD

6.1. Repeat Risk Assessment Process

6.1.1. Check and Add for a New Critical Asset Appeared

6.1.2. Check for a Change of IT Environment

6.1.3. New Risk Assessment

6.2.1. Qualitative Analysis

6.2.2. Quantitative Analysis

6.2.3. Provable Risk Mitigation (provided no New Major Risks appeared)

6.3.1. Level of the Physical Security (FIP140/IBM).

6.3.2. CC Evaluation Standards

6.3.3. Other Material (if Any)