Step 1: Classify Aspects to Be Addressed
Before beginning the vulnerability assessment, you must first create a preliminary classification of mission-critical aspects to be addressed in the assessment. Determine what “secure” means to the organization by reviewing the topic of cybersecurity vulnerability, evaluating existing business practices, and interviewing senior personnel.
Prepare an overview of the mission-critical aspects of the organization’s current processes. Include personnel, physical security, network security, and cybersecurity in the overview. You will use this overview to prepare a scope of work in the following step.
Step 2: Create a Scope of Work (SoW)
In this step, you will perform a vulnerability assessment once again as the CISO. Since the previous contractor was an external consultant, you will be able to offer insights and consider the big picture of the organization when conducting the assessment. You will prepare for the assessment by creating a comprehensive list of security needs based on findings from the previous step. This list should identify threats, risks, and vulnerabilities to achieve a holistic view of the risk across the entity.
The scope of work is the key element of any project and an important skill to learn. It should be filed as supplementary documentation so that execution can be evaluated against it and so that it gives direction for meeting the milestones of a multiphase, comprehensive project plan within the vulnerability assessment. The scope of work will be the first section of the final vulnerability assessment report.
Combine the overview from the previous step with the list of security needs into a one-page SoW report. Submit the report for feedback.
I have attached the links in the steps as well as an example. This must have a title page and a reference page.
7/19/22, 10:15 PM
Cybersecurity Vulnerability
Learning Topic
Cybersecurity Vulnerability
An old adage goes: “The only computer that is not in danger is a computer that is turned off.” Cybersecurity professionals must identify and explain the main vulnerabilities against a company’s critical infrastructure.
A cybersecurity vulnerability is any weakness that may compromise the CIA triad (confidentiality, integrity, and availability) of a product. A cybersecurity vulnerability can never be completely eliminated; therefore, countermeasures must be in place to mitigate the potential disaster to a business’s ability to operate after a potential attack.
The confidentiality, integrity, and availability (CIA) triad is at the core of information system security. Information system security professionals use the CIA triad as a mechanism for quantifying the key security considerations of an information system. When a system is under development, each of the CIA concepts must be considered as part of the system’s design objectives. Below is a model of the CIA triad.
https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-topic-list/cybersecurity-vulnerability.html?ou=684046
1/5
Confidentiality, Integrity, Availability (CIA)
Source: Janet Zimmer
Confidentiality refers to the methods used to protect information from unauthorized disclosure. Protecting the confidentiality of proprietary or sensitive information is of vital importance.
Integrity refers to the processes that ensure the accuracy of information.
Availability addresses the need of a system to provide continued, reliable access to information while maintaining an acceptable level of performance. Consider organizations with technology and services that must be nearly 100 percent available 24 hours a day, 365 days a year, such as financial institutions, emergency service providers, power providers, and communication providers. Every moment that these organizations cannot exchange information, there is the potential for serious financial loss, injury, or even death.
Resources
Protect Your Information From Physical Threats (https://leocontent.umgc.edu/content/dam/permalink/2cadfc011455-4748-8cc7-090de9704cc3.html?ou=684046)
Vulnerability Scanning With Metasploit Using Nessus (https://leocontent.umgc.edu/content/dam/permalink/781808a51b91-4c1b-8e76-9eb29e86c4bf.html?ou=684046)
Vulnerability (https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-resource-list/vulnerability.html?ou=684046)
Check Your Knowledge
Question 1
Which of the following is a true statement?
A vulnerability is a covert action with potential harm.
A vulnerability is a weakness that allows a threat to be realized.
A vulnerability is a desirable outcome of a business continuity plan.
A vulnerability gives priority to the functions of the organization.
Question 2
Which of the following is a true statement?
A threat could be necessary for a vulnerability to occur.
A vulnerability could be mitigated by an end-user license agreement (EULA).
A threat by itself does not always cause damage; there must be a vulnerability for a threat to be realized.
Question 3
True or false? Using security policies, standards, procedures, and guidelines helps organizations decrease risk, threats, and vulnerabilities.
True
False
Question 4
What are the four elements of a vulnerability management process?
inventory, focus, assess, and respond
inventory, assess, scanning, and respond
assess, scanning, war dialing, and scanning
credential monitoring, assess, scanning, respond
Question 5
In the CIA triad, what does the I stand for?
inventory
information
identity
integrity
Licenses and Attributions
Confidentiality, Integrity, Availability (CIA) by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported (https://creativecommons.org/licenses/by-sa/3.0/deed.en) license.
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.
7/19/22, 10:16 PM
Project Statement of Work
Learning Topic
Project Statement of Work
By Adrienne Watt and bpayne
The statement of work (SOW), sometimes called the scope of work, is a definition of a project’s parameters—factors that define a system and determine its behavior—and describes the work done within the boundaries of the project, and the work that is outside the project boundaries.
The SOW is typically a written document that defines what work will be accomplished by the end of the project—the deliverables of the project. The project scope defines what will be done, and the project management plan defines how the work will be accomplished.
No template works for all projects. Some projects have a detailed scope of work, and some have a short summary document. The quality of the scope is measured by the ability of the project manager and project stakeholders to develop and maintain a common understanding of the products or services the project will deliver.
The size and detail of the project scope is related to the complexity profile of the project. A more complex project often requires a more detailed and comprehensive scope document.
According to the Project Management Institute (2008), the scope statement should include the following components:
description of the scope
product acceptance criteria
project deliverables
project exclusions
project constraints
project assumptions
https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-topic-list/project-statement-of-work.html?ou=684046
1/2
The scope document is the basis for agreement by all parties. A clear project scope document is also critical to managing change on a project. Since the project scope reflects what work will be accomplished on the project, any change in expectations that is not captured and documented creates an opportunity for confusion.
One of the most common trends in project management is the incremental expansion of the project scope. This trend is labeled scope creep. Scope creep threatens the success of a project because the small increases in scope require additional resources that were not in the plan.
Increasing the scope of the project is a common occurrence, and adjustments are made to the project budget and schedule to account for these changes. Scope creep occurs when these changes are not recognized or not managed. The ability of a project manager to identify potential changes is often related to the quality of the scope documents.
References
Project Management Institute, Inc. (2008). A guide to the project management body of
knowledge (PMBOK guide) (4th ed.). Project Management Institute, Inc.
Licenses and Attributions
Chapter 4: Framework for Project Management (https://opentextbc.ca/projectmanagement/chapter/chapter-4-framework-for-project-management-project-management/) by bpayne and Adrienne Watt from Project Management is available under a Creative Commons Attribution 4.0 International (https://creativecommons.org/licenses/by/4.0/deed.en) license. © 2014, Adrienne Watt. UMGC has modified this work and it is available under the original license. Download this book for free at http://open.bccampus.ca.
7/19/22, 10:15 PM
Vulnerability Assessment
Learning Topic
Vulnerability Assessment
A vulnerability is a “weakness in any information system, system security procedures, internal controls, or implementation that could be exploited by a threat source” (NIST, 2012, p. 9). Vulnerabilities may result from an improperly configured system (weak passwords, unnecessary open ports and protocols, etc.), as well as from missing software patches.
Vulnerability assessments involve the use of tools and processes to identify vulnerabilities present in the systems for which an organization is responsible. A vulnerability assessment identifies weaknesses that could be exploited by attackers.
Vulnerability assessment is an important part of an organization’s overall risk management strategy. Such assessments are conducted to meet governmental regulations and requirements, to help guide organizational IT security practices, to stay on top of emerging security threats, to ensure that staff members are using appropriate measures, and to demonstrate to customers that the organization is vigilant on security issues.
One commonly used assessment tool is a vulnerability scanner, which creates a network map or inventory that identifies the systems that are live on a network, along with their open ports, running services, and operating systems (such as Microsoft Windows 7, Linux, etc.). Once the map has been created, the scanner compares each system against a database of known vulnerabilities.
Other tools and processes used to identify, quantify, and prioritize a system’s vulnerabilities include network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods.
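The two scanner phases described above (build a network map, then assess each mapped system against a database of known vulnerabilities) and the prioritization step mentioned in the last paragraph can be shown end to end with a small model. The following Python is an added example, not code from the UMGC course page or from NIST: the host inventory, the service versions, the vulnerability records and their ids are all constructed for illustration (the ids are placeholders, not real CVE numbers), and the rule that an end-of-life operating system such as Windows 7 raises a finding's priority is an assumption of the example.

```python
"""
Added example (not from the course page): a toy vulnerability scanner
back end. Phase 1 is the "network map" (an inventory of hosts, open
ports, services and OS); phase 2 assesses each service against a
database of known vulnerabilities and returns findings sorted by
priority. Every record below is constructed; vuln ids are placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    port: int
    name: str
    version: str        # dotted version string, e.g. "2.4.49"


@dataclass
class Host:
    ip: str
    os: str
    services: list = field(default_factory=list)


@dataclass
class KnownVuln:
    vuln_id: str        # placeholder id, not a real CVE
    service: str        # service name the record applies to
    fixed_in: str       # first version that is NOT affected
    severity: float     # CVSS-like base score, 0.0 to 10.0
    description: str


def parse_version(v: str) -> tuple:
    """Turn "2.4.49" into (2, 4, 49) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Phase 1 output: constructed network map / inventory.
INVENTORY = [
    Host("10.0.0.5", "Linux", [Service(22, "openssh", "8.9"),
                               Service(80, "httpd", "2.4.49")]),
    Host("10.0.0.9", "Windows 7", [Service(445, "smb", "1.0"),
                                   Service(3389, "rdp", "10.0")]),
    Host("10.0.0.12", "Linux", [Service(22, "openssh", "9.3"),
                                Service(443, "httpd", "2.4.58")]),
]

# Constructed "database of known vulnerabilities" (placeholder ids).
VULN_DB = [
    KnownVuln("EXAMPLE-0001", "httpd", "2.4.51", 9.8,
              "path traversal in example web server"),
    KnownVuln("EXAMPLE-0002", "smb", "2.0", 8.1,
              "remote code execution in legacy SMBv1"),
    KnownVuln("EXAMPLE-0003", "openssh", "9.0", 5.3,
              "information disclosure in example ssh"),
]

# Assumption of this example: unsupported platforms raise priority by 1.
EOL_OS = {"Windows 7"}


def is_affected(service: Service, vuln: KnownVuln) -> bool:
    """A service is affected if it matches by name and runs a version
    older than the first fixed release."""
    if service.name != vuln.service:
        return False
    return parse_version(service.version) < parse_version(vuln.fixed_in)


def assess(inventory, vuln_db) -> list:
    """Phase 2: match every mapped service against the database and
    return findings sorted highest priority first."""
    findings = []
    for host in inventory:
        for svc in host.services:
            for vuln in vuln_db:
                if not is_affected(svc, vuln):
                    continue
                priority = vuln.severity + (1.0 if host.os in EOL_OS else 0.0)
                findings.append({
                    "host": host.ip, "port": svc.port, "service": svc.name,
                    "version": svc.version, "os": host.os,
                    "vuln_id": vuln.vuln_id, "priority": min(priority, 10.0),
                    "remediation": f"upgrade {svc.name} to {vuln.fixed_in}",
                })
    findings.sort(key=lambda f: (-f["priority"], f["host"], f["port"]))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, VULN_DB):
        print(f"{f['priority']:4.1f} {f['host']}:{f['port']} "
              f"{f['service']} {f['version']} {f['vuln_id']} -> {f['remediation']}")
```

Running the block lists three findings: the web server on 10.0.0.5 first, the SMBv1 service on the end-of-life Windows 7 host second, and the older SSH build last; the host running patched versions produces nothing. Real scanners do the same matching with far richer fingerprinting and version-range logic, but the structure (inventory, match, score, sort) is what the assessment report is built from.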
References
National Institute of Standards and Technology (NIST). (2012, September). Special
publication 800-30, revision 1: Guide for conducting risk assessments.
http://dx.doi.org/10.6028/NIST.SP.800-30r1
https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-topic-list/vulnerability-assessment.html?ou=684046
1/5
Resources
Read chapters 2 and 4 of NIST SP 800-115 Technical Guide to Information Security Testing and Assessment (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf)
Vulnerability (https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-resource-list/vulnerability.html?ou=684046)
Check Your Knowledge
Choose the best answer to each question:
Question 1
What is the purpose of a vulnerability assessment?
to meet governmental regulations and requirements
to ensure that staff members are using appropriate measures
to demonstrate to customers that your organization takes security seriously
to meet governmental regulations and requirements, to demonstrate to customers that your organization takes security seriously, and to ensure that staff members are using appropriate measures
Question 2
True or false? A vulnerability assessment is only useful if government regulations require it.
True
False
Question 3
A weakness in a system that may possibly be exploited is called a(n)?
corrective control
risk assessment
vulnerability
physical controls
Question 4
All of the following are tools and processes used to identify, quantify, and prioritize a system’s vulnerabilities:
network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods
network discovery, network port and service identification, documentation and log review, integrity checking, exigent circumstance doctrine
network discovery, network port and service identification, documentation and log review, integrity checking, exigent circumstance doctrine, separation of duties
network discovery, network port and service identification, documentation and log review, integrity checking, collusion, job rotation, or a combination of several methods
Question 5
What is the purpose of the vulnerability scanner?
to create an environment where two or more people cannot conspire to commit an illicit act
to induce an individual to make inappropriate security decisions
to create a network map or inventory, which identifies systems that are functional on a network, as well as their open ports, running services, and operating systems.
to network discovery, network port and service identification, documentation and log review, integrity checking, or a combination of several methods.
1
Running Head: SCOPE OF WORK (SOW)
Scope of Work (SoW)
Amador Alejandro Marin
University of Maryland Global Campus
This study source was downloaded by 100000777564704 from CourseHero.com on 07-25-2022 17:44:06 GMT -05:00
https://www.coursehero.com/file/73022684/Project-1-Scope-of-Workdocx/
This Scope of Work (SoW) defines the key elements of the security measures by breaking them down into segments and providing examples. Physical, personnel, network, and cybersecurity are critical areas used to address threats, risks, and vulnerabilities, providing a holistic view of the areas that need to be covered and considered to achieve maximum effectiveness and success.
Physical security is an overarching term that includes the protective measures for personnel, hardware, software, networks, and data against physical actions and events that could cause severe loss or damage to a company’s assets. This includes protection from fire, flood, natural disasters, intrusion, theft, vandalism, and terrorism. Some measures include security personnel assigned to guard building entry points, and camera, badge, and biometric systems to verify access eligibility.
The purpose of personnel security is to authorize initial and continued access to information, and assignment to sensitive duties, only for those persons whose loyalty, reliability, and trustworthiness have been determined to be such that entrusting them with information access or sensitive duties is consistent with the interests of the company. Processes used to determine personnel trustworthiness include background investigations and continuous evaluation to verify ongoing eligibility for sensitive assignments.
Similar to personnel security, network security consists of safeguards implemented at the software and hardware level to prevent unauthorized personnel from accessing sensitive information. Examples include multi-factor authentication, strong password criteria and requirements, role-based access control (RBAC), and the implementation of anti-virus software, firewalls, and
intrusion prevention and detection systems.
Cybersecurity is the conglomeration of measures that protect computer systems and networks in order to prevent or mitigate cyber-attacks. Cyber-attacks are actions aimed at accessing, changing, or destroying sensitive information, extorting ransom from information owners, or interrupting or delaying business processes.
The main goal of this SoW is to implement enough of the security measures previously defined to address the following cybersecurity concerns:
Threats are any malicious acts that seek to damage or steal data, or disrupt computer and network services. Some threats include computer viruses, data breaches, and Denial of Service (DoS) attacks.
Risk is the potential loss or harm to the computer and network infrastructure, use of technology, or reputation of an organization.
Vulnerabilities are weaknesses exploitable by a cyber-attack to gain unauthorized access to computer systems and networks and perform unauthorized actions. Vulnerabilities can allow attackers to run code, access a system’s memory, install malware, and steal, destroy, or modify sensitive data.
Lastly, to determine any measure of performance (MOP) or measure of effectiveness (MOE), a process of scheduled and unscheduled assessments must be implemented to determine if any of the
measures currently in place are worth the return on investment (ROI) and, equally important, address the company’s needs.