Social work administrators need to be able to help raise funds for their organizations and ensure that the funds are spent effectively. Once administrators receive funding, how they manage the funds is critical for accountability and sustainability. When administrators manage funds effectively, they increase their credibility with stakeholders in the community. Administrators must be able to demonstrate how the resources have been used to support the mission of the organization. 

 

Discussion 1: Funding through Grants

Budgeting in human services organizations brings about many challenges. Human services agencies must be creative in managing their budget due to the increased demands on the agency and the needs of the clients and stakeholders. There are many legal, contractual, and other requirements under the concept of financial management; as such, agency administrators need to be creative to obtain funding. Applying for grants in both the private and public sectors is one way to access funding resources. Most grants will require that you present a proposed budget for use of the funds. Thus, grants and budgeting often go hand in hand.

For this Discussion, think about grant writing and the elements needed to write a successful grant. Then, review sample grants at https://grantspace.org/resources/sample-documents/. Identify one grant to discuss.

Post the following:

  • Describe the key elements to grant writing.
  • Provide a brief description of the grant proposal you selected and explain the strengths of the proposal and any areas where it could be improved.
  • Explain how you would improve on the grant proposal to convince the funder that funding this program would have a positive and measurable effect on the community.

Support your post with specific references to the resources. Be sure to provide full APA citations for your references.

 

Discussion 2: Financial Capacity and Sustainability in Human Services

Receiving funding from a grant or other source of funds is a great accomplishment. Once the funding is received, the human services organization must be able to manage the funds effectively. The organization must also develop a plan to sustain the program after the funding period ends, or the potential for change from the funded program may be limited.

For this Discussion, review the budget provided in the grant proposal that you discussed in Discussion 1 of this Week. Consider how you would prioritize budgetary needs and fundraise to continue covering costs of this program after the grant period has ended.

Post a brief description of the budget presented in the grant proposal you selected. Describe how you might alter the budget after the grant ended or which budget items you would prioritize as you sought additional funding to continue the program. Explain why you would make these changes or prioritize specific budget items. Finally, explain how you would fundraise to meet the budget priorities.

Support your post with specific references to the resources. Be sure to provide full APA citations for your references.

The paper must be at least 8-10 pages double spaced in length and documented in APA style. The title page and reference pages are NOT included in the length requirement; the paper must be 8-10 pages of content. The student must use at least eight scholarly references when researching the topic. Scholarly references should primarily include scholarly peer reviewed articles. Specifically, only two of the eight resources can come from alternative sources such as websites (ending in .gov, .org, .edu only) or other scholarly material; the other six resources must come from scholarly peer reviewed articles. (To find scholarly, peer-reviewed articles, it is recommended to use the university library database social work journals, PSYCinfo, Medline or other databases with the option to limit search results to scholarly, peer reviewed, full text material only.) Textbooks may be used for support, but not as a primary source. Please refer to the writing tips for the research papers in the Introduction section of this course for detailed instructions on acceptable resources and APA style. Paper is due the 5th week of class and is worth 100 points. Students are encouraged to review the rubric for this assignment in the Introduction section of the course as well. When reviewing the rubric, you will notice that students are expected to address “core issues” related to the chosen topic.

An example of “core issues” related to a chronic illness experienced by many older adults would be examining the scope/severity of the issue, significant statistics in regards to target populations with the illness, defining the illness, symptoms of the illness, short and long term effects of the illness, and treatment(s) for the illness and effectiveness of available treatment(s).

An example of “core issues” related to a social service area related to aging would include examining the social problem leading to the development of the service, the scope and severity of the problem before and after implementation of the service, funding for the service, assessment of clients, interventions provided by the service area, and evaluation of the social service’s effectiveness.

PHI Critical Thinking Webtext Chapter 2 & Chapter 3

1. The article cites sociologist Nancy DiTomaso’s argument that “Discrimination today is less about treating people from other groups badly, and more about giving preferential treatment to people who are part of our in-groups.” Provide an example that either supports or refutes this claim.

2. Give an example where a bias in favor of a particular group could result in poor critical thinking.

3. Give an example of a culture you identify with, and of a habit or belief that you have acquired as a result of that culture.

4. Arziel, an American, holds a stereotype that Islamic countries are violent places. Consequently, she turns down the opportunity to go on vacation to a safe part of Indonesia solely because she reads that Indonesia is a primarily Islamic country, and she assumes that she will be attacked if she travels to the country.
A) Explain how Arziel’s cultural perspective is affecting her critical thinking in this instance.

5. Has anyone ever made an assumption about you based on a stereotype? If so, explain what happened.

6. In what way might a seemingly positive stereotype about a group of people (e.g., “African Americans have great rhythm” or “Gay men are well-groomed”) have a negative consequence?

7. Adichie summarizes the main argument of her talk by stating, “The consequence of the single story is this: it robs people of dignity. It makes our recognition of our equal humanity difficult. It emphasizes how we are different rather than how we are similar.”
A) Explain what you think she means by this, and describe whether you agree or disagree and why.

8. Adichie gives a number of examples of times when both she and people she knows have fallen into the trap of seeing a single story for a group of people. Give an example of a time from your life when you have inadvertently stereotyped a group outside your own.

9. Jonah’s thinking was affected by a critical thinking barrier, but that doesn’t necessarily mean his decision was a poor one. Explain why.

10. Consider your attitude toward the value of getting a college degree and explain what influences from your culture and background you think led you to that belief.

11. Explain what you believe to be the most compelling premise or reason from the ProCon.org website that supports the conclusion that violent video games do contribute to youth violence and why.

12. Explain what you believe to be the most compelling premise or reason from the ProCon.org website that supports the conclusion that violent video games do not contribute to youth violence and why.

13. Imagine the perspective of a serious gamer who uses video games as a way to relax and bond with friends. How might this person view this issue?

14. Imagine the perspective of the parent of a child who is being bullied by another student who regularly plays violent video games. How might this person view this issue?

15. Add to the claim “Education is indispensable for advancing your career” to turn it into an argument.

ARGUMENT FOR QUESTIONS 16 & 17 (Voters in New Jersey should adopt a constitutional amendment that raises the minimum wage to $8.25 an hour starting on Jan. 1. If it is approved, more than 400,000 people now working at or near minimum wage could benefit…. Business leaders say, as they often do, that such increases would cost jobs. But a recent study by New Jersey Policy Perspective estimated that because the working poor spend virtually every extra dollar they earn, the increase in pay would add $175 million to the economy in 2014, most of it in New Jersey.)

16. Identify at least one premise from the argument above.

17. Identify the conclusion from the argument above.

18. To what extent do you agree with the logic that when laws are too difficult or expensive to enforce, we should dispense with them? Provide at least one example or counter-example to demonstrate why you feel that way.

19. Many complex societal issues involve numerous competing arguments rather than a single, straightforward, indisputable answer. How does Lesley Stahl summarize the conundrum of the minimum-21 drinking law?

FOR QUESTION 20 (This standardized test of college and career readiness is particularly inappropriate and unreliable because not one teacher was involved in setting the learning goals.)

20. What is the hidden assumption in the enthymeme above?

FOR QUESTION 21 (Supreme Court justices are government officials whose salaries are paid by the taxpayers, and their records, like those of the president, should be deemed public property and available for review after taking into account reasonable privacy concerns.)

21. What is the hidden assumption in the enthymeme above?

FOR QUESTION 22 Suppose you read a study that stated that 42 percent of all voters in the town of Marble Glen are registered Democrats. Now consider the following argument:

Premise: There are many voters in Marble Glen who are Democrats.

Premise: Fiona lives in Marble Glen.

Conclusion: Therefore, Fiona is probably a Democrat.

22. How strong or weak is this inductive argument? Explain your answer.

Project 2 e-Commerce Risk Analysis
Description
For this project, you will begin by researching a publicly traded company that engages in e-Commerce. You will then review the company’s risk statements as published each year in the company’s Annual Report to Investors (also published in the company’s annual filing of SEC Form 10-K). After analyzing the company’s e-Commerce operations and its risk statements about those activities, you will construct and document your own cybersecurity risk analysis which focuses upon the company’s e-Commerce activities (including all supporting business processes).

A list of approved companies appears at the end of this file (see Table 1). If you wish to use a company not on the approved list, you must first obtain the approval of your instructor.

Note: before beginning this assignment, you should review NIST SP 800-30 R1: Guide for Conducting Risk Assessments. Pay special attention to Appendix D: Threat Sources: Taxonomy of Threat Sources Capable of Initiating Threat Events and Appendix H: Impact: Effects of Threat Events on Organizations, Individuals, and the Nation.

Research Your Chosen Company
1.    Review the company’s website to learn about the products and services which it sells via e-Commerce.
2.    Retrieve and review the Hoovers profile for the company. These profiles are written by professional analysts; pay close attention to the types of questions the analysts ask and answer in the company profile. Use this URL to access the database http://ezproxy.umuc.edu/login?url=https://www.mergentonline.com/Hoovers
3.    Use the search bar at the top of the Search & Build a List tab to find your chosen company.

4.    The company profile web pages in the Hoovers database are interactive and have expanding menus / options (see figure below). You may find it helpful to use the OneStop Report button to generate a PDF version of the information. Select Core under categories (Available Fields: Company Summary, Contacts, Corporate Family, Corporate Overview, SWOT, and News). Click on the field names in the middle column to select them for your report.

5.    After you have looked at the company website and the Hoovers report, identify 3 or more additional sources of information about the company and how it operates in cyberspace. These can be news articles, data breach reports, etc.
6.    Using the information obtained from your sources, identify the types of information and business operations which drive this company’s need for cybersecurity products and services. (What needs to be protected?)

Analyze the Company’s Risk Statements
1.    Using the links from Table 1 (at the end of this file), download a copy of your selected company’s most recent Annual Report to Investors from its Form 10-K filing with the United States Securities and Exchange Commission. (Note: the company is the author of its Form 10-K. Do not list the SEC as the author.)
2.    Read and analyze the Risk Factors section in the company’s report to investors (Item 1.A). This section is a professionally written risk analysis that has been written for a specific audience. Pay close attention to what the company includes as risk factors and how the writers chose to present this information.
3.    Analyze the risk factors to determine which ones are related to e-Commerce / Internet operations or are otherwise affected by the use of information in digital form and Information Technology systems and infrastructures. Make a list that shows what information, digital assets, and/or business operations (processes) need to be protected from cyberattacks and/or cybercrime (including insiders and external threats) and the type of risk or threat that could affect those assets and processes.

Write
1.    An introduction section which identifies the company being discussed and provides a brief introduction to the company including when it was founded and significant events in its history.
2.    A business profile for the company. This information should include: headquarters location, key personnel, primary types of business activities and locations, major products or services sold by the company, major competitors, stock information (including ticker symbol or NASDAQ code), recent financial performance, and additional relevant information from the business profiles. (Use information from Hoovers and other authoritative sources)
3.    An overview of the company’s e-Commerce operations which summarizes information obtained from its annual report, the Hoovers profile for the company, and other sources which you found in your research.
4.    A separate section in which you describe this company’s needs or requirements for cybersecurity. What information and/or business operations need to be protected? While your focus should be upon the company’s e-Commerce activities, you should also address the back-office or supporting information and business processes required to deliver those e-commerce activities.
5.    A separate section which provides a detailed summary of the identified risks and potential impacts upon the company’s operations as a whole. What are the likely sources of threats or attacks for each type of information or business operation (e.g., protect customer information from disclosure or theft during online purchase transactions)? What are the possible impacts should these risks occur? You may present your summary in table format.

Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #2 Assignment in your assignment folder. (Attach the file.)

Additional Information
1.    Your 5-8 page e-Commerce Risk Analysis should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the professional appearance requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use: CSIA_Basic_Paper_Template(APA_6ed,Dec2018).docx.
2.    Your paper should use standard terms and definitions for cybersecurity. 
3.    You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count. (An example and template file are available in the LEO classroom.)
4.    You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
5.    You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
6.    Consult the grading rubric for specific content and formatting requirements for this assignment.

See Table 1 at the end of this file for the list of approved e-Commerce companies which may be used for this project.

Table 1. List of Approved Companies for Project #2: e-Commerce Risk Analysis
Company Name    Corporate Website / Investor Relations    Form 10-K from SEC Edgar Database
Alphabet, Inc (Google)    https://www.google.com/intl/en/about/company/ https://investor.google.com/    https://www.sec.gov/Archives/edgar/data/1652044/000165204419000004/goog10-kq42018.htm
Amazon    http://www.amazon.com http://phx.corporate-ir.net/phoenix.zhtml?c=97664&p=irol-irhome    https://www.sec.gov/Archives/edgar/data/1018724/000101872419000004/amzn-20181231x10k.htm
Apple    https://www.apple.com/newsroom/ http://investor.apple.com/    https://www.sec.gov/Archives/edgar/data/320193/000032019318000145/a10-k20189292018.htm
Booking Holdings    https://www.bookingholdings.com/ http://ir.bookingholdings.com/investor-relations    https://www.sec.gov/Archives/edgar/data/1075531/000107553119000009/bkng1231201810k.htm
Facebook    https://www.facebook.com/facebook http://investor.fb.com/    https://www.sec.gov/Archives/edgar/data/1326801/000132680119000009/fb-12312018x10k.htm
Microsoft    http://www.microsoft.com http://www.microsoft.com/investor/default.aspx    https://www.sec.gov/Archives/edgar/data/789019/000156459018019062/msft-10k_20180630.htm
Oracle Corp.    http://www.oracle.com/us/corporate/index.html http://investor.oracle.com/overview/highlights/default.aspx    https://www.sec.gov/Archives/edgar/data/1341439/000119312518201034/d568983d10k.htm
PayPal Holdings    https://www.paypal.com/us/webapps/mpp/about https://investor.paypal-corp.com/    https://www.sec.gov/Archives/edgar/data/1633917/000163391719000043/pypl201810-k.htm
Salesforce    https://www.salesforce.com/company/ http://investor.salesforce.com/about-us/investor/overview/default.aspx    https://www.sec.gov/Archives/edgar/data/1108524/000110852419000009/crmq4fy1910-k.htm

a.  What are the central arguments raised in the below readings?
b.  How do you find these readings? Do you like or dislike them, and why?

Required Readings for this session:
Siddiqi, Dina M. “Do Bangladeshi factory workers need saving? Sisterhood in the post-sweatshop era.” Feminist Review 91, no. 1 (2009): 154-174.

Rudell, Fredrica. “Shopping with a social conscience: Consumer attitudes toward sweatshop labor.” Clothing and Textiles Research Journal 24, no. 4 (2006): 282-296.

Ross, Robert JS. “No sweat: Hard lessons from garment industry history.” Dissent 53, no. 4 (2006): 50-56.

Answer these questions separately for each reading, please.

The purpose of the Final Project Paper is for you to culminate the learning achieved in the course by describing your understanding and application of knowledge in the field of Organizational Behavior. The Final Paper should also focus on real life, real time application of topics covered in this course; the uses you have seen and the uses you can envision.

Focus of the Final Paper

Select a topic of interest in organizational behavior that you would like to explore with additional research (must use at least five references). Some suggested topics for your paper are:

Personality
Stress
Attitudes
Motivation
Attribution
Performance Management
Team building
Leadership
Decision Making Process
Communication
Organizational Goals

Your paper must:

Apply the research to your personal working environment, or an environment you have previously experienced.
Describe how you will use the knowledge you have gained in this course to change the way you interact and do business in the future.

Writing the Final Paper

Must be six to eight double-spaced pages in length, exclusive of Appendix, References, Exhibits, etc.
Formatted according to APA style as outlined in the approved APA style guide (including title page and reference list).
Must include an introductory paragraph with a succinct thesis statement.
Must address the topic of the paper with critical thought.
Must conclude with a restatement of the thesis and a conclusion paragraph.
Must include at least five appropriately documented, academic sources plus the use and citation of the course textbook.
Must include, on the final page, a Reference Page that is completed according to APA style as outlined in the student guide. 

Project #1: Integrating NIST’s Cybersecurity Framework with Information Technology Governance Frameworks
Scenario
You have been assigned to your company’s newly established Risk Management Advisory Services team. This team will provide information, analysis, and recommendations to clients who need assistance with various aspects of IT Risk Management.
Your first task is to prepare a 3 to 4 page research paper which provides an analysis of the IT Governance, IT Management, and Risk Management issues and problems that might be encountered by an e-Commerce company (e.g. Amazon, eBay, PayPal, etc.). Your paper should also include information about governance and management frameworks that can be used to address these issues. The specific frameworks that your team leader has asked you to address are:
    ISO/IEC 27000 Family of Standards for Information Security Management Systems
    ISACA’s Control Objectives for Information Technology (COBIT) version 5
    NIST’s Cybersecurity Framework (also referred to as the Framework for Improving Critical Infrastructure Security)
The Risk Management Advisory team has performed some initial research and determined that using these three frameworks together can help e-Commerce companies ensure that they have processes in place to enable identification and management of information security related risks, particularly those associated with the IT infrastructure supporting online sales, payment, and order fulfillment operations. (This research is presented in the Background section below.) Your research paper will be used to extend the team’s initial research and provide additional information about the frameworks and how each one supports a company’s risk management objectives (reducing the risks arising from cyber threats and cyberattacks against information, information systems, and information infrastructures). Your research should also investigate and report on efforts to date to promote the use of both frameworks at the same time.
Your audience will be members of the Risk Management Services team. These individuals are familiar with risk management processes and the e-Commerce industry. Your readers will NOT have in-depth knowledge of either framework. For this reason, your team leader has asked you to make sure that you include a basic overview of these frameworks at the beginning of your paper for the benefit of those readers who are not familiar with CSF and COBIT.
Background
Security Controls
Security controls are actions which are taken to control or manage risk. Security controls are sometimes called countermeasures or safeguards. For this assignment, it is important to understand that it is not enough to pick or select controls and then buy or implement technologies which implement those controls. A structure is required to keep track of the controls and their status — implemented (effective, not effective) and not implemented. The overarching structure used to manage controls is the Information Security Management System.
Information Security Management System (ISMS)
An Information Security Management System is the set of policies, processes, procedures, and activities used to structure the organizational unit which is responsible for managing the cybersecurity or information security program in a business. Companies can and do design their own structure for this program including: scope, responsibilities, and resources. Many companies, however, choose to use a defined standard to provide guidance for the structure and functions assigned to this organization. The ISO/IEC 27000 family of standards is one of the most frequently adopted and is comprised of best practices for the implementation of an information security program. The ISO/IEC 27001 standard specifies the requirements for and structure of the overall Information Security Management System and ISMS program. The ISO/IEC 27002 standard provides a catalog of security controls which can/should be implemented by the ISMS program. For additional information about the standards, please see this blog https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards.
Note: there are a number of free resources which describe the contents and purposes of the ISO/IEC 27000 family of standards. For your work in this course, you do not need access to the official standards documents (which are not freely available).
Control Objectives for Information Technology (COBIT)
COBIT is a framework that defines governance and management principles, processes, and organizational structures for enterprise Information Technology. COBIT includes a requirement for implementation of an Information Security Management System and is compatible with the ISO/IEC 27000 series of standards for ISMS implementation.
COBIT 5 has five process areas which are specified for the Governance and Management of enterprise IT. These areas are:
    Evaluate, Direct, and Monitor (EDM)
    Align, Plan, and Organize (APO)
    Build, Acquire, and Implement (BAI)
    Deliver, Service, and Support (DSS)
    Monitor, Evaluate, and Assess (MEA)
Beginning with version 5, COBIT has incorporated Information Security as part of the framework. Three COBIT 5 processes specifically address information security: APO13 Manage Security, DSS04 Manage Continuity, and DSS05 Manage Security Services.
NIST Cybersecurity Framework (CSF)
The NIST Framework for Improving Critical Infrastructure Security, commonly referred to as the Cybersecurity Framework or CSF, was developed in collaboration with industry, government, and academia to provide a common language and common frame of reference for describing the activities required to manage cyber-related risks and, in so doing, protect and defend against cyber attacks. Unlike many NIST guidance documents, the CSF was designed specifically for businesses to meet their needs and support attainment of business objectives. Originally designed for companies operating in the 16 critical infrastructure sectors, the CSF is now being required of federal government agencies and departments and their contractors. The Executive Summary of the NIST CSF version 1.1 provides additional background and supporting information about the purposes, goals, and objectives of the CSF.
The Cybersecurity Framework is presented in three parts:
    Core Functions (Identify, Protect, Detect, Respond, Recover)
    Implementation Tiers (risk management processes and practices)
    Profiles (specific to a business or industry goals and desired outcomes)
Commonalities between ISO/IEC 27000, COBIT, and NIST CSF
There are a number of common elements between the information security frameworks defined in the ISO/IEC 27000 family of standards, the COBIT standard, and the NIST Cybersecurity Framework. Each of these frameworks addresses risks that must be addressed by businesses that depend upon digital forms of information, information systems, and information infrastructures. Each framework presents structured lists of IT Governance and IT Management activities (processes and practices) which must be adopted and implemented in order to effectively manage risk and protect digital assets from harm or loss. Each framework also provides a list or catalog of security controls. Each framework also provides lists of goals or objectives which must be met in order to assure the effectiveness of controls implemented to defend against cyber threats and attacks.
The ISO/IEC 27001:2013 and COBIT 5 controls and process areas have been cross referenced to the NIST Cybersecurity Framework Functions, Categories, and Subcategories in the NIST CSF document.  Table 1 below shows examples of the mapping between COBIT 5 and NIST CSF as provided in Table 2: Framework Core: Informative References in the NIST CSF document.

Table 1. Example Mappings from ISO/IEC 27001 to COBIT 5 Processes to NIST CSF Functions
ISO/IEC 27001:2013     COBIT 5 Process    NIST CSF Function    NIST CSF Category    NIST CSF Subcategory
A.5.1.1    APO 13.01    Identify    Governance (ID.GV)    ID.GV-1
A.16.1.6    DSS 04.02    Identify    Risk Assessment (ID.RA)    ID.RA-4
A.6.1.1, A.7.2.1, A.15.    DSS 05.04    Identify    Governance (ID.GV)    ID.GV-2
A.12.6.1, A.18.2.3    DSS 05.01, DSS 05.02    Identify    Risk Assessment (ID.RA)    ID.RA-1
Adoption and Use of IT Security Frameworks
A 2016 survey conducted by Dimensional Research for Tenable found that over 80% of the responding organizations used an IT security or cybersecurity framework to structure their IT security management program. This finding was similar across all sizes of companies and across industries. Over 40% of the respondents used multiple frameworks. The NIST CSF was utilized by over 40% of the respondents, approximately the same number who adopted the ISO/IEC 27000 standards. One notable finding was that in some cases the NIST CSF adoption was required by a business partner or a federal contract.
Research
1.    Read / Review the weekly readings
2.    Consult Aligning COBIT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit http://www.isaca.org/Knowledge-Center/Research/Documents/Aligning-COBIT-ITIL-V3-ISO27002-for-Business-Benefit_res_Eng_1108.pdf for additional information about the activities / controls included in ISO/IEC 27002 and COBIT. This reference should be used in conjunction with the Informative References listed in NIST’s Cybersecurity Framework Core definitions.
3.    Review the following outlines and explanations of the ISO/IEC 27001 and 27002 standards
a.    ISO/IEC 27001:2013 Plain English Outline (excerpts for Information Security provisions)  http://www.praxiom.com/iso-27001-outline.htm and http://www.praxiom.com/iso-27001.htm
b.    ISO 27002:2013 Translated into Plain English http://www.praxiom.com/iso-27002.htm
4.    Read the following analyses and articles about COBIT 5 and its information security related functions.
a.    COBIT 5 for Information Security (ISACA) https://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf
b.    About COBIT 5 https://cobitonline.isaca.org/about
c.    COBIT 5 for Risk: A Powerful Tool for Risk Management http://www.isaca.org/COBIT/focus/Pages/cobit-5-for-risk-a-powerful-tool-for-risk-management.aspx
d.    9 Burning Questions about Implementing NIST Cybersecurity Framework Using COBIT 5 https://www.itpreneurs.com/blog/9-burning-questions-about-implementing-nist-cybersecurity-framework-using-cobit-5/
5.    Read the following analyses and articles about adoption of the NIST CSF
a.    Trends in Security Framework Adoption https://static.tenable.com/marketing/tenable-csf-report.pdf
b.    5 Steps to Turn the NIST Cybersecurity Framework into Reality https://www.securitymagazine.com/articles/88624-steps-to-turn-the-nist-cybersecurity-framework-into-reality
6.    Find three or more additional sources which provide information about best practices for implementing the NIST Cybersecurity Framework Core and COBIT 5 (separately and together).
Write:
Use standard terminology including correctly used cybersecurity terms and definitions to write a three to four page summary of your research. At a minimum, your summary must include the following:
1.    An introduction or overview of the role that the Information Security Management System plays as part of an organization's IT Governance, IT Management, and Risk Management activities. The most important part of this overview is a clear explanation of the purpose and relationships between governance and management activities as they pertain to managing and reducing risks arising from the use of information technology.
2.    An analysis section that provides an explanation of how ISO/IEC 27000, 27001, 27002; COBIT 5; and NIST's CSF can be used to improve the effectiveness of an organization's risk management efforts for cybersecurity related risks. This explanation should include:
a.    An overview of ISO/IEC 27000, 27001, and 27002 that includes an explanation of the goals and benefits of this family of standards (why do businesses adopt the standards, what do the standards include / address, what are the desired outcomes or benefits).
b.    An overview of COBIT 5 that includes an explanation of the goals and benefits of this framework (why do businesses adopt the framework, what does the framework include / address, what are the desired outcomes or benefits).
c.    An overview of the NIST Cybersecurity Framework (CSF) which explains how businesses can use this framework to support ALL of their business functions (not just critical infrastructure operations).
d.    Five or more specific examples of support to risk management for e-Commerce and supporting business operations that can be provided by implementing ISO/IEC 27000/1/2, COBIT 5, and NIST CSF.
3.    A recommendations section in which you provide and discuss five or more ways that e-Commerce companies can use the standards and frameworks at the same time (as part of the same risk management effort). You should focus on where the frameworks overlap or address the same issues / problems. (Use Table 2: Informative References to find overlapping functions / activities.) You are not required to identify or discuss potential pitfalls, conflicts, or other types of problems which could arise from concurrent use of multiple guidance documents.
4.    A closing section that provides a summary of the issues, your analysis, and your recommendations.
Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #1 Assignment in your assignment folder. (Attach the file.)
Additional Information
1.    Consult the grading rubric for specific content and formatting requirements for this assignment.
2.    Your 3-4 page white paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings and page breaks to organize your paper.
3.    Your paper should use standard terms and definitions for cybersecurity. 
4.    The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the professional appearance requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use: CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx.
5.    You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment's page count.
6.    You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct, and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
7.    You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).

Assignment Content

Reflect on your experience in the course.

Synthesize the following:

Finding Your True North: A Personal Guide
Complexity Leadership: Enabling People and Organizations for Adaptability
Your newly-emerged insights on authentic leadership and teaming

Write a 525- to 700-word article that addresses the following:

Who am I as a leader?
What is my leadership purpose?
How can I remain authentic?
What insights from the course will you use immediately, and what strategies will you have to work on?

Cite 2 reputable references to support your article (e.g., trade or industry publications, government or agency websites, scholarly works, or other sources of similar quality).

Topic: In your dissertation, do you plan to do a quantitative study? If so, what concepts do you think you could employ from this class? If you are doing qualitative work, could statistics help you in your studies?

*I am going to do qualitative *

Textbook: Field, A. P. (2018). Discovering statistics using IBM SPSS statistics (5th ed.). Los Angeles, CA: Sage.

The thread must be at least 500-700 words and demonstrate course-related knowledge. In addition to the thread.  For each thread, you must support your assertions with at least 2 citations from sources such as your textbook, peer-reviewed journal articles, and the Bible.