Project #5: Supply Chain Risk Analysis
For this project, you will research and report upon the problem of Supply Chain Risk as it pertains to the cybersecurity industry. To begin, you will need to explore through the readings the concepts of global supply chains and global cooperation for cross-border trade in goods and services. Then, you will need to investigate due diligence and other business processes / strategies which can be used to mitigate the impacts of supply chain risk for companies who produce and sell cybersecurity related products and services.
Research
1.    Global Supply Chain Risks affecting the Cybersecurity Industry. Here are some suggested resources to get you started:
a.    https://www.supplychaindigital.com/technology/supply-chain-remains-weakest-link-cybersecurity
b.    https://www.lexisnexis.com/en-us/products/entity-insight/political-risk-and-its-impact-on-supply-chain.page 
c.    https://www.cshub.com/attacks/articles/cyber-attacks-top-list-of-risks-impacting-supply-chain
d.    https://www.lmi.org/blog/securing-supply-chain-cybersecurity-and-digital-supply-chain
e.    Information and Communications Technology Supply Chain Risk Management (ICT SCRM) https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Managements/documents/nist_ict-scrm_fact-sheet.pdf
2.    Read the following articles / documents which focus on international cooperation and capacity building for cybersecurity:
a.    https://www.cfr.org/report/increasing-international-cooperation-cybersecurity-and-adapting-cyber-norms
b.    https://www.weforum.org/agenda/2015/09/what-cybersecurity-means-for-global-trade/
c.    https://eeas.europa.eu/sites/eeas/files/joint_communication_increasing_resilience_and_bolstering_capabilities_to_address_hybrid_threats.pdf
3.    Investigate due diligence as it applies to the purchase of components or services from vendors. Answer the question: how can due diligence processes help a company manage supply chain risks? Here are some suggested resources:
a.    https://www.microsoft.com/en-us/trustcenter/Compliance/Due-Diligence-Checklist# (download to your computer then open document to read/review the checklist)
b.    https://www.lexisnexis.com/en-us/products/lexis-diligence/ctr/9-steps-to-effective-third-party-due-diligence.page
4.    Research best practices and recommended strategies and approaches for managing global supply chain risk
a.    Best Practices in Cyber Security Supply Chain Risk Management https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/case_studies/USRP_NIST_Exelon_102215_05.pdf
b.    Supply Chain Cybersecurity: Experts on How to Mitigate Third Party Risk https://digitalguardian.com/blog/supply-chain-cybersecurity
c.    5 Cybersecurity Best Practices for your Supply Chain Ecosystem https://supply-chain.cioreview.com/cxoinsight/5-cybersecurity-best-practices-for-your-supply-chain-ecosystem-nid-14195-cid-78.html
Write
1.    An introduction which addresses the reasons why cooperation on a global basis is required to address cybersecurity related risks in global supply chains for products and services. Your introduction should include a brief overview of the problem of supply chain risk as it pertains to the cybersecurity industry.
2.    A supply chain risks section in which you identify and describe 5 or more specific sources of supply chain risk which impact cybersecurity related products and services.
3.    A due diligence section in which you address the use of diligence processes (investigating suppliers before entering into contracts) as a supply chain risk management strategy. Include 5 or more cybersecurity related questions which should be asked of suppliers during the due diligence process. This section should include discussion of political, economic, and social factors which impact management of supply chain risk.
4.    A best practices section in which you address 5 or more best practices for managing global supply chain risks in the cybersecurity industry. You must also provide an evaluation of the expected benefits from implementing each of these practices.
5.    A summary and conclusions section in which you present an overall picture of the supply chain risk problem in the cybersecurity industry and best practices for managing supply chain risks.
Submit For Grading
Submit your work in MS Word format (.docx or .doc file) using the Project 5 Assignment in your assignment folder. (Attach the file.)
Additional Information
1.    Consult the grading rubric for specific content and formatting requirements for this assignment.
2.    Your 5-8 page paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings and page breaks to organize your paper.
3.    Your paper should use standard terms and definitions for cybersecurity.
4.    The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the professional appearance requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx. 
5.    You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignments page count. 
6.    You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
7.    You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).

Project #4: Acquisition Risk Analysis
Overview
For this project, you will investigate and then summarize key aspects of risk and risk management for acquisitions or procurements of cybersecurity products and services. The specific questions that your acquisition risk analysis will address are:
1.    What types of risks or vulnerabilities could be transferred from a supplier and/or imposed upon a purchaser of cybersecurity related products and/or services?
2.    Are suppliers liable for harm or loss incurred by purchasers of cybersecurity products and services? (That is, does the risk transfer from seller to buyer?)
3.    How can governance frameworks be used by both suppliers and purchasers of cybersecurity related products and services to mitigate risks?

For this assignment, your purchaser will be the same company that you researched in Project #2. You should reuse relevant information from your risk assessment and risk profile (especially your recommended security controls).

Begin by reviewing your selected companys needs or requirements for cybersecurity (this information should have been collected your earlier projects in this course). What information and/or business operations need to be protected? What are the likely sources of threats or attacks for each type of information or business operation? What technologies, products, or services did you identify and discuss in your risk management strategy / acquisition forecast?

Next, you will research how operational risk during the manufacturing, development, or service delivery processes can affect the security posture (integrity) of products and services listed in your acquisition forecast. You will then explore the problem of product liability and/or risk transference from supplier to purchaser as products or services are delivered, installed, and used. You will also need to examine the role that IT governance frameworks and standards can play in helping purchasers develop and implement risk mitigation strategies to compensate for potential risk transfer by suppliers.

Once you have completed your research and analysis, you will summarize your findings in an acquisition risk analysis for cybersecurity products and services. This analysis should be suitable for use by the companys senior managers in developing a company-wide risk management strategy for acquisition and procurement activities which could impact the companys cybersecurity posture.
Research
1.    Review your work for projects 1, 2, and 3.
2.    Review your previous work as to the role of IT Governance standards in helping businesses identify and manage risks arising from the purchase of IT related products and services. 
3.    Review the course readings relating to the Cybersecurity industry and sources of products and services.
4.    If you have not previously done so, identify three or more categories of cybersecurity products or services which your selected company is likely to purchase. Investigate the characteristics of these products / services. You should also identify possible vendors or sources from whom these can be purchased or acquired (e.g. open source software is acquired rather than bought or purchased). You should focus on products which can help reduce risks associated with e-Commerce and protection of customer information, protection of online ordering systems, etc.
5.    Research risks and/or vulnerabilities which could be introduced into a buyers organization and/or IT operations through acquisition or purchase of cybersecurity products or services. Some suggested resources are:
a.    Hardware Security:
i.    http://www.brookings.edu/~/media/research/files/papers/2011/5/hardware-cybersecurity/05_hardware_cybersecurity.pdf
ii.    http://resources.infosecinstitute.com/hardware-attacks-backdoors-and-electronic-component-qualification/
b.    Software Security
i.    https://www.synopsys.com/blogs/software-security/software-security/
ii.    http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com.ezproxy.umuc.edu/login.aspx?direct=true&db=heh&AN=61216498&site=eds-live&scope=site 
c.    Data Center Security
i.    https://www.forcepoint.com/cyber-edu/data-center-security
ii.    https://phoenixnap.com/blog/data-center-security
d.    Telecommunications Systems
i.    http://www.oracle.com/us/industries/communications/state-telecom-security-wp-3518256.pdf
ii.    https://www.fico.com/blogs/fraud-security/how-are-telecom-providers-managing-cybersecurity-risk/
6.    Identify five or more specific sources of operational risks, in a suppliers organization, which could adversely affect the security of cybersecurity products or services delivered to its customers. In addition to using information you relied on in your previous projects, consult the Software Engineering Institutes publication A Taxonomy of Operational Cyber Security Risks http://resources.sei.cmu.edu/asset_files/TechnicalNote/2010_004_001_15200.pdf
7.    Research the issue of product liability with respect to cybersecurity products and services. What is the current legal environment? Some suggested sources are:
a.    https://cdt.org/files/2018/04/2018-04-16-IoT-Strict-Products-Liability-FNL.pdf
b.    https://www.productliabilityadvocate.com/2018/12/internet-of-things-security-standards-will-states-follow-californias-lead-or-look-across-the-pond-for-further-guidance/#more-2266 
c.    https://www.travelers.com/prepare-prevent/protect-your-business/product-services-liability/product-liability-prevention.aspx
Write
1.    An introduction section which provides a brief overview of your selected company, its e-Commerce operations, and the acquisition forecast for the companys likely future needs and purchases for cybersecurity products and services. You should reuse information / narrative from projects 2 and 3. Your introduction section for this project should be no more than 1 page in length.
2.    A governance frameworks & standards section in which you discuss the role that standards and governance processes should play in reducing risk by ensuring that acquisitions or purchases of cybersecurity products and services meet the buyers organizations security requirements (risk mitigation). 
3.    A Cybersecurity Industry & Supplier Overview section which provides a discussion of the likely sources (companies, vendors, consortiums, open source repositories, etc.) from which cybersecurity products and services can be acquired, licensed, or purchased. Your overview should briefly discuss the cybersecurity industry as a whole. Why does this industry exist? (Hint: buyers want to procure or acquire cybersecurity related products and services). How does this industry benefit society?
4.    An operational risks overview section in which you provide an overview of sources of operational risks which could affect suppliers of cybersecurity related products and services and, potentially, compromise the security of those products or services. Discuss the potential impact of such compromises upon buyers and the security of their organizations (risk transfer).
5.    A product liability section in which you provide a summary of the current legal environment as it pertains to product liability in the cybersecurity industry. Discuss the potential impact upon buyers who suffer harm or loss as a result of purchasing, installing, and/or using cybersecurity products or services.
6.    A summary and conclusions section in which you present a summary of your findings including the reasons why product liability (risk transfer) is a problem that must be addressed by both suppliers and purchasers of cybersecurity related products and services.
Submit For Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #4 Assignment in your assignment folder. (Attach the file.)
Additional Information
1.    Consult the grading rubric for specific content and formatting requirements for this assignment.
2.    Your 7-10 page paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings and page breaks to organize your paper.
3.    You may reuse portions of your Project #2 and 3 submissions and/or narrative from relevant discussion papers completed for THIS section of this course (CSIA 350).
4.    Your paper should use standard terms and definitions for cybersecurity. 
5.    The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the professional appearance requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx. 
6.    You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignments page count. 
7.    You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
8.    You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).

Project 3 Risk Management Strategy for an e-Commerce Company
Description
For this project, you will build upon the e-Commerce Risk Analysis performed in Project #2. For this project, you will construct a risk management strategy for your selected company which includes specific cybersecurity activities (as defined in the NIST Cybersecurity Framework Core) which will help the company mitigate the identified risks. Your strategy will include an acquisition forecast in which you identify and discuss the technologies, products, and services required to implement your recommended risk management strategy. (Note: you must use the same company as used in Project #2. You may expand upon your risk analysis if necessary.)
Develop an Executive Summary
Since this is a separate deliverable, you will need to begin by identifying the selected company and providing an executive summary of the e-Commerce Risk Analysis that you presented in Project #2.
Develop and Document the Risk Mitigation Strategy
For this section of your project, you must identify and document a risk mitigation strategy for 10 separate risks. Your risk mitigation strategies must utilize at least three (3) of the five (5) NIST Cybersecurity Framework (CSF) Core Functions.

1.    Begin by copying Table 1 from this file into a new file (for your assignment submission). This table will become your Risk Profile Table. (Delete the example text.)
2.    Next, convert your list of risk factors (from Project #2) into a Risk Profile Each risk factor should be listed as a separate risk item with its own row in your Risk Profile. (Add a row to your table for each identified risk – one per row).  For this step, you will fill in the information for the first two columns (Risk ID and Risk).
3.    Next, consult the NIST Cybersecurity Framework (see Table 2: Framework Core) to identify the cybersecurity activities which can be used to control / mitigate the identified risks. Add this information to each row in your table. Note: you should paraphrase the information for the Risk Mitigation Strategy (description) column and the Implementation: Required Technologies, Products, or Services column.
4.    Complete the final two columns of the table by entering the exact function, category, and sub-category identifiers and descriptions as listed in NIST CSF Table 2. See the example below.

Table 1. Risk Profile Table (example)
Risk ID     Risk     Risk Mitigation Strategy (description)    Implementation: Required Technologies, Products, or Services    NIST Cybersecurity Framework Category and Sub Category Identifier (e.g. ID.AM-1)    Sub-Category Description
001    Theft of customer information from online transactions    Encrypt all communications between customers and the companys online ordering system.    Implement Transport Layer Security; purchase and deploy digital certificates to use for encrypting communications.    PR.DS-2    Data-in-transit is protected.
002                   
003                   
004                   
005                   
006                   
007                   
008                   
009                   
010                   

Develop an Acquisition Forecast
To complete your work, summarize the technologies which you are recommending that the company acquire (purchase) in order to mitigate risks; these technologies MUST appear in your risk profile table. Your acquisition forecast should identify and fully discuss a minimum of three categories or types of cybersecurity products or services which this company will need to purchase in order to appropriately mitigate the identified risks. Remember to include information about potential vendors or suppliers including how you can identify and qualify appropriate sources of technologies, products, and services. This information provides the justification or rationale for your recommendations.

Note: qualifying a producer / manufacturer, vendor or seller refers to the due diligence processes required to investigate the supplier and ensure that the products, services, and technologies acquired from it will meet the companys needs and requirements. For cybersecurity related acquisitions, this many include testing the products and services to ensure that they can be trusted to deliver the required functionality and will not be a source of threats or harm.
Write
1.    An executive summary which identifies the company being discussed and provides a brief introduction to the company including when it was founded and significant events in its history. This summary must also provide a high level overview of the companys operations (reuse and adapt your narrative from Project #2) and the e-Commerce risks that the company must address and mitigate.
2.    A separate section in which you present a Risk Management Profile. Begin with an introductory paragraph in which you summarize the risks and risk mitigation strategies. Your introduction should also explain the Risk Profile table (what is in it, how to use it).
3.    Complete and then insert your Risk Profile Table at the end of this Risk Management Profile section. In-text citations are NOT required within the body of your Risk Profile Table but you must credit the sources of information used by listing / mentioning them in your introduction to this section.
4.    A separate section in which you present your Acquisition Forecast in which you identify and discuss the products, services, and/or technologies which the company must purchase in the future to implement the recommended risk mitigation strategies. Remember to include information about potential vendors or suppliers including how you can identify and qualify appropriate sources of technologies, products, and services.
5.    A closing section (Summary & Conclusions) which summarizes your risk management strategy and presents a compelling argument as to how your risk mitigation strategies (including the acquisition forecast) will reduce or control (mitigate) the identified cyber risks. Remember to address the five NIST Cybersecurity Framework Core Functions in your summation.
Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #3 Assignment in your assignment folder. (Attach the file.)
Additional Information
1.    Your 5-8 page Risk Management Strategy for an e-Commerce Company should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the professional appearance requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx.
2.    Your paper should use standard terms and definitions for cybersecurity. 
3.    You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignments page count. (An example and template file are available in the LEO classroom.
4.    You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
5.    You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.). See direction under Write for how to cite sources used in your Risk Profile Table.
6.    Consult the grading rubric for specific content and formatting requirements for this assignment.