Carry out a security self-assessment of an organization of your current or previous employer or your own organization. You must seek permission from the individual responsible for the information security of that organization. You may use any NIST Special Publications (e.g. SP800-171, SP1800), or any other national framework to assist in your report.
Write a report based on the self-assessment of an organization. It should be 5-7 pages long, 12 point character size, double line spacing, and have 1” margins on all sides. It is recommended that you do not use the actual name of the organization in the report; use a title, such as “ABC, Inc.” Your report should include a brief description of the organization, nature of the business, analysis of the results, and recommendations for improvement in the form of an action plan.
Deliverables: A single Word document
For the project, you can do a security assessment on either a single IT system or the entire IT infrastructure of an organization, whichever you think is feasible and manageable.
You can use these guidelines when working on your project:
1) Your project report just needs to be a very general assessment of the IT system in organization. You can keep it brief (about 4 to 8 pages long, not including the cover page), and broadly cover the following areas:
You don’t need to get into specifics on anything that might be considered sensitive or proprietary. Keep it very general (something that can be in the public-domain).
2) For your project, **only** use information that is considered public. Please **do not** use or reference any proprietary or non-public information. As the project guidelines state, do not use the actual name of any organization – instead use “ABC Inc.” And in your project please don’t reference any documents that are not considered to be in the public domain; also don’t use any company names – use something generic such as XYZ Inc.
3) Instead of doing a self-assessment of a real company, you can also do a self-assessment of a fictitious company similar to a real entity. For example, you could imagine that you are performing an assessment of a fictitious entity such as the following:
A college bookstore that accepts online textbook purchases, or
A pharmacy store that maintains a database of customer prescriptions
An auto-insurance agency that maintains customer data
… etc. … etc.
You can imagine yourself being hired as an Info Security consultant to perform a security audit of the fictitious company’s IT infrastructure. Assume that some rudimentary security measures are currently in place, but there is much room for improvement. In your report describe your assessment of the security measures currently in place and recommend any needed improvements to ensure better IT security in the organization.