Order Independent Case Study Assignment
Company Chosen: Capital One is a financial institution that experienced a data breach in 2019
You have been hired by a corporate client to conduct a cybersecurity risk assessment. They will be looking to you to map their current practices against the NIST CSF framework and to provide recommendations on how to enhance their security posture. Because your client’s resources are limited, they have asked you to focus only on 5-7 out of the 108 NIST sub-categories and would prefer that the selected sub-categories fall into at least 3 of the 5 NIST functions. As a final deliverable, the client has asked you to provide them with a cyber risk assessment report that they can present to their board in order to procure financing to address cyber risk. This final deliverable will be the final project for our class.
Who is your client? We will ask you to select a company where there is enough public information to be gathered in order to perform this assessment. Generally, companies do not make their security practices available to the public. However, when there is a data breach, information comes out in connection with litigation and regulatory scrutiny. For purposes of this final project you will select a company that (i) has been breached; and (ii) about whom there is enough information regarding the flaws in its security program to complete the project. You will be providing the security assessment as though you learned all of the information BEFORE the breach.
What to look for when selecting your company. You should research companies which have had significant data breaches and then look for FTC consent orders and/or court decisions relating to the breach, so you will have the data you need to complete the project. Additionally, there needs to exist a logical connection between the breach and missing controls (subcategories) so that you will be able to make appropriate recommendations. This connection can be established in two ways:
The missing control was specifically mentioned in the publicly available research. If this is the case, you can just reference the information that you found.
You were able to make a case that this control was missing based on other information uncovered in the course of your research. In this case, you need to explain how you reached this conclusion. For example, if the research specifically mentioned that the breach occurred because the data in the database was not encrypted, you could say that the control DS-1: Data-at-rest is protected was missing. You could, however, also probably extrapolate that GV-4: Governance and risk management processes address cybersecurity risks was also missing. In this case, you would need to provide an explanation of why you think that was the case (provide a logical connection between other information in the case and this specific control).
Report components. Your report should have the following sections:
A. Cover Page
B. Table of Contents
C. Executive Summary
Summarize the purpose of the risk assessment.
Describe the scope of the risk assessment.
State that this is an initial risk assessment.
Describe the overall level of risk (e.g., Very Low, Low, Moderate, High, or Very High).
D. Body of the Report
Describe the purpose of the risk assessment, including questions to be answered by the assessment.
Summarize risk assessment results.
Describe in detail how you arrived at the risks and risk levels contained within your report (you should plan to dedicate one (1) slide / page per risk in the report). Provide recommendations that can remediate the missing or weak sub-categories identified.
E. Appendices
List references and sources of information