Unit 2 Assignment - Group Assignment

The document presents a case study on ACME, a manufacturing company, focusing on its cybersecurity challenges and the development of a risk register aligned with NIST frameworks. It identifies various threats and vulnerabilities within ACME's security posture, emphasizing the need for improved technical controls and centralized risk management. The analysis aims to enhance ACME's cybersecurity measures to protect against data breaches and insider threats while ensuring compliance with established standards.

Uploaded by Raian White

Unit 2 Assignment: An Analysis of Case 1 1

Unit 2 Assignment: An Analysis of Case 1


University of Maryland Global Campus
CMAP 625 – Cybersecurity Risk Management
Group Number 1
Dr. Vivian Lyon
May 26, 2025
Table of Contents

Abstract.....................................................................................................................................4
Introduction...............................................................................................................................5
NIST Framework Use...............................................................................................................5
Risk Register Format................................................................................................................1
Threat Identification..................................................................................................................1
Control Implementation............................................................................................................1
Risk Response Variety..............................................................................................................1
Execution of Best Practices.......................................................................................................1
Conclusion................................................................................................................................1
References.................................................................................................................................1
Abstract
This case study concerns ACME, a company that manufactures tables and chairs. As part of the case study, ACME's security challenges will be discussed. The cybersecurity frameworks NISTIR 8286 (risk registers), ISO 27001, and NIST SP 800-53 will be reviewed to ensure ACME's compliance. A risk register will be developed based on ACME's current security posture. While developing the risk register, both control-driven and threat-driven approaches will be analyzed. The risk register will be created in accordance with the NISTIR 8286 guidance. Finally, a set of key questions will summarize the findings on ACME's security posture and identify where there is room for improvement.
Introduction
The cybersecurity case study of ACME, a mid-sized manufacturing company, presents a realistic scenario in which a firm must evaluate and strengthen its security posture amid the development of new, proprietary products. With growing concerns about data breaches, insider threats, and intellectual property theft, ACME seeks to assess its cybersecurity risks using a structured risk register aligned with NIST frameworks. This analysis provides insight into the company's current physical, technical, and procedural controls while identifying critical gaps that could undermine the confidentiality, integrity, and availability of its systems.

NIST Framework Use

Risk Register Format


A risk register is a foundational element in cybersecurity risk management. According to NISTIR 8286, a risk register serves as a central repository for capturing, assessing, and monitoring risks across an organization's digital ecosystem (National Institute of Standards and Technology [NIST], 2020). It supports informed decision-making and aligns cyber risk with business objectives. In the context of ACME Manufacturing Company, which faces diverse threats to its R&D operations, an effective risk register is essential for identifying, prioritizing, and addressing vulnerabilities. The register should include specific risk elements such as threat sources, events, affected assets, impact, likelihood, risk level, and recommended responses consistent with NIST SP 800-30 Rev. 1 guidelines (NIST, 2012).
Sample Risk Register for ACME Manufacturing

| Risk ID | Threat Source & Event | Vulnerability | Asset at Risk | Impact | Likelihood | Risk Level | Mitigation | Response Strategy | Owner / Status |
|---|---|---|---|---|---|---|---|---|---|
| R-001 | External hackers infiltrate R&D network | Outdated Windows 7 systems | R&D design files and IP | High | High | Critical | Upgrade OS, apply regular patches | Mitigate | IT Security / Open |
| R-002 | Insider installs malware | Admin privileges for R&D staff | R&D systems and network | High | Medium | High | Enforce least privilege, remove local admin rights | Mitigate | IT Ops / Open |
| R-003 | Fire damages server room | No off-site backups | Engineering data, financials | High | Low | Medium | Implement cloud backup and DR plan | Transfer | IT Infrastructure / Pending |
| R-004 | Phishing leads to credential theft | Lack of training and email filtering | User credentials, network access | High | High | High | Security awareness training, enable MFA | Avoid | Security Awareness Team / Ongoing |
| R-005 | Rogue USB device used in lab | Lack of endpoint control | R&D workstation integrity | Medium | Medium | Medium | Deploy endpoint protection, block unauthorized USB use | Mitigate | IT Security / Not Started |
This format not only helps identify the full spectrum of risks but also supports ongoing monitoring and ownership, ensuring risks are not just recorded but actively managed.
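As an added example (not part of the assignment or the case study), the register's columns as a small Python structure with the checks a reviewer would run before sign-off: each entry's response type, owner, and recorded risk level are validated, and entries are ordered for treatment. The 3x3 impact-by-likelihood matrix, its thresholds, and the Accept response type are assumptions made here; the five entries are the register's own rows with some columns abbreviated.

```python
from dataclasses import dataclass

# Assumed 3x3 qualitative matrix; the register records ratings but not how they were derived.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
RESPONSES = {"Accept", "Avoid", "Mitigate", "Transfer"}  # the register's three types plus Accept (assumed)

@dataclass
class Risk:
    risk_id: str
    event: str
    impact: str
    likelihood: str
    level: str      # risk level as recorded by the analyst
    response: str
    owner: str
    status: str

def rate(impact, likelihood):
    """Derive a qualitative level from impact x likelihood using the assumed matrix."""
    score = LEVEL[impact] * LEVEL[likelihood]
    return "Critical" if score == 9 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def validate(r):
    """Consistency checks a reviewer runs before the register is signed off."""
    problems = []
    if r.response not in RESPONSES:
        problems.append(f"{r.risk_id}: unknown response '{r.response}'")
    if not r.owner.strip():
        problems.append(f"{r.risk_id}: no owner assigned")
    derived = rate(r.impact, r.likelihood)
    if derived != r.level:
        problems.append(f"{r.risk_id}: recorded {r.level}, matrix gives {derived}")
    return problems

def prioritize(register):
    """Risk IDs in treatment order: derived level first, then impact, then ID."""
    key = lambda r: (PRIORITY[rate(r.impact, r.likelihood)], -LEVEL[r.impact], r.risk_id)
    return [r.risk_id for r in sorted(register, key=key)]

# The five ACME entries from the register above (columns abbreviated).
REGISTER = [
    Risk("R-001", "External hackers infiltrate R&D network", "High", "High", "Critical", "Mitigate", "IT Security", "Open"),
    Risk("R-002", "Insider installs malware", "High", "Medium", "High", "Mitigate", "IT Ops", "Open"),
    Risk("R-003", "Fire damages server room", "High", "Low", "Medium", "Transfer", "IT Infrastructure", "Pending"),
    Risk("R-004", "Phishing leads to credential theft", "High", "High", "High", "Avoid", "Security Awareness Team", "Ongoing"),
    Risk("R-005", "Rogue USB device used in lab", "Medium", "Medium", "Medium", "Mitigate", "IT Security", "Not Started"),
]
```

Running `validate` over every entry surfaces any row whose recorded level disagrees with the matrix, so the analyst can confirm the rating was intentional before the register is used for prioritization.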
Alignment with Textbook and Case Study
As outlined in the Marquardson and Asadi (2023) case study, ACME currently lacks centralized risk tracking across its IT environment. There are inconsistencies in firewall rules, unpatched systems, and fragmented authentication policies. These weaknesses are ideal entries in a formalized risk register. Furthermore, the textbook emphasizes that an effective risk register should evolve over time, linking tactical cyber controls with strategic business impact (Marquardson & Asadi, 2023). Implementing a robust register at ACME will support better prioritization of limited resources, enhance accountability, and foster a culture of proactive cybersecurity management.
The risk register is not a static document but a living tool that supports cybersecurity governance. For ACME Manufacturing, adopting a NIST-compliant risk register will improve visibility into threats, promote cross-functional accountability, and enhance alignment between cyber risk and business strategy. When integrated with the organization's broader enterprise risk management (ERM) efforts, the register can significantly reduce exposure to data loss, reputational damage, and operational disruption.

Threat Identification

Control Implementation
ACME's cybersecurity posture reflects a mix of solid intentions and inconsistent execution in both physical and technical controls. Physically, the company has implemented several strong measures to secure its high-value R&D building. These include employee smart cards, strict visitor escort policies, bollards, and restricted access via padlocks. These align with NIST SP 800-53 recommendations for controlling physical access and reducing environmental risk (Joint Task Force Interagency Working Group, 2020).

However, significant weaknesses exist. The lack of interior surveillance in the R&D building creates blind spots in monitoring, increasing the risk of undetected insider threats. Additionally, relying on a single padlock with only two keyholders introduces a point of failure in emergency or compromised situations.

On the technical side, ACME uses basic safeguards such as screen-saver passwords, full disk encryption, USB port restrictions, and a segmented network with Unified Threat Management (UTM). While these demonstrate foundational security awareness, their implementation is limited. Key vulnerabilities include an unmanaged network switch, an unsecured cable modem, and the absence of centralized alerting or monitoring tools.
A major flaw is the use of local authentication for R&D systems, a consequence of network segmentation, which increases administrative burden and weakens policy enforcement. Compounding this, access logs are reviewed only annually and manually by the company president, an inefficient method that fails to support real-time threat detection (Brumfield & Haugli, 2022).

Moreover, the R&D file server allows unauthenticated access on the assumption that physical security is sufficient, an approach that contradicts the principle of least privilege. Physical controls should reinforce, not replace, logical access protections, particularly for sensitive R&D data.

In sum, while ACME has established some sound physical controls, its technical controls and governance require significant improvement. Centralized access management, continuous monitoring, and stricter logical access policies are essential for aligning with NIST standards and supporting the company's strategic goals (Marquardson & Asadi, 2023).

Risk Response Variety

Execution of Best Practices



Conclusion
Write your conclusion here.

References
Brumfield, J., & Haugli, B. (2022). Cybersecurity program development for business. Wiley.
Joint Task Force Interagency Working Group. (2020). NIST SP 800-53 Revision 5: Security and privacy controls for information systems and organizations. National Institute of Standards and Technology. [Link]
Marquardson, J., & Asadi, M. (2023). Cybersecurity assessment for a manufacturing company using risk registers: A teaching case. Information Systems Education Journal, 21(3), 62–69. [Link]
National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (Special Publication 800-30 Rev. 1). [Link]
National Institute of Standards and Technology. (2020). Integrating cybersecurity and enterprise risk management (ERM) (NISTIR 8286). [Link]

Appendix (Paste your screenshots/images here)


To cite your images in the body or content section, use Fig. 1, Fig. 2, etc.
