
NIST 800-53 CSF

MID TERM MODULE 02

Taimoor Hasan S-4/AUG/21/242


Khurram Munawar S-4/AUG/21/88

Taimoor Hasan and Khurram Munawar


Mid Term - 1 (Batch 4), Syed Farrukh Ali Raza, Module 2 Information Risk Management

1. The college has a well-written security policy in practice, but it is not duly approved by higher
management.
NIST Control: All XX-1 controls, PM-2, PM-6, PM-29
Observation: A policy should not be put into practice without management approval
Risk:
Recommendation: Obtain approval from management before applying the policy

2. The dedicated role of information security manager is approved, but the position is still vacant and
security practices are administered by the Head of Information Technology.
NIST Control: (AC-5) Separation of Duties
Observation: Position is vacant
Risk: Specification of security and privacy roles in individual organizational position descriptions facilitates
clarity in understanding the security or privacy responsibilities associated with the roles and the role-based
security and privacy training requirements for the roles.
Recommendation: Hire a trained and expert resource

3. The company uses the services of a well-equipped Human Resource group, which completes the
background checks of employees before the end of the probationary period.
NIST Control: SI-4/21 Probationary Period
Observation: Background checks should be performed at the time of hiring or of issuing the offer letter
Risk:
Recommendation: The probationary period should be defined with respect to performance and tasks

4. Network admins are performing their duties as per their job descriptions, and sometimes their
services are acquired by the security department to conduct security assessments.
NIST Control: (AC-5) Separation of Duties
Observation: A dedicated resource with relevant certification should be hired for these tasks
Risk: Allocation of Resources
Recommendation: Hire a trained and expert resource

5. The college is well equipped with all the instruments necessary to run an educational institute with high-tech
functionalities, and audits/assessments of technological controls are carried out on an ad hoc basis.
NIST Control: CA-1, CA-2, CA-5, CA-7, PM-4
Observation: Internal audits should be performed on a monthly basis
Risk:
Recommendation: Perform internal audits on a monthly or quarterly basis

6. Inventory is inadequately managed for information technology assets.
NIST Control: CM-8 System Component Inventory
Observation: No proper management of assets in the organization
Risk: No record of assets issued to organization staff
Recommendation: Design an asset inventory system for managing and controlling IT assets with proper records

7. Incident response plan is documented and approved by the management and lessons learnt
NIST Controls: IR-1 to IR-6, IR-8
Observation: Incident Reporting and Incident Response Plan
Risk: A plan should be defined for incident reporting and handling
Recommendation: Craft an incident handling policy for reporting and response

8. Critical assets and resources are not yet identified, which may be a hindrance in case of any incident.
NIST Control: PE-20 Asset Monitoring and Tracking
Observation: No Asset Monitoring and Tracking
Risk: No tracking for critical company assets
Recommendation: Apply PE-20 control for tracking and monitoring

9. Audit logs are not being adequately managed and secured by respective resources.
NIST Control: AU-3, AU-4, AU-5, AU-6
Observation: Audit Record Reduction and Report Generation; Audit Record Review, Analysis, and Reporting
Risk: Audit logs are not present and can never be traced
Recommendation: Apply controls for audit log management

10. Awareness and training sessions are conducted for all resources except the information security
personnel.
NIST Control: AT-2 Literacy Training and Awareness, and AT-3 Role-Based Training
Observation: No procedures are defined in the organization for role-based training and awareness
Risk: Without proper awareness, non-technical staff can become victims of cyber threats and social engineering
Recommendation: Conduct awareness sessions and training for staff regarding threats
