Take on the role of Risk Management Analyst for Capital One Finance.

Using the attached Segregation of Duties Matrix, create a 6- to 8-page Security Risk Mitigation Plan for Capital One Finance.

Research and include the following:

· Refer to additional resources below and attached, and the grading rubric.

· Security Risk Mitigation Plan:

· Select and document security policies and controls.

· Provide authentication recommendations.

· Document administrator roles and responsibilities.

· Document user roles and responsibilities.

· Determine authentication strategy.

· Determine intrusion prevention and detection strategy.

· Determine virus detection strategies and protection.

· Create auditing policies and procedures.

· Recommend an education plan for employees on security protocols and appropriate use.

· Provide recommendations for managing identified risk:

· Avoidance

· Transference

· Mitigation

· Acceptance

· Address Change Management/Version Control.

· Outline acceptable use of organizational assets and data.

· Present employee policies (separation of duties/training).

· Incident response process:

· Preparation

· Detection

· Containment/analysis

· Eradication

· Restoration/Recovery

· Lessons learned (root cause analysis and action plan)

Additional Resources

· Intrusion prevention begins with an IPS that can automatically detect and stop intrusions. However, no control can stop all intrusions. Consequently, we need strong detection controls, including

· Log Management

· User Behavior Analysis

· Network Behavior Analysis

· The purpose of separation of duties is to ensure no one person can perform all tasks associated with a critical business process. This helps prevent fraud and mistakes. A common way to do this is the creation of roles (RBAC) and the assignment of tasks in an access matrix (spreadsheet). This allows data owners to understand who can do what and how to remove one or more tasks to ensure no role can perform all business process tasks. A separation of duties tool is attached below. The tabs along the bottom take you to the various business processes included. Adapt this to any set of business processes.
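The access-matrix approach described above can be checked mechanically rather than by eye. The following is an added example, not part of the attached tool or the assignment: it assumes a constructed accounts-payable process (task names, roles, conflicting task pairs and user-to-role assignments are all invented for illustration) and shows three checks a data owner would want from such a spreadsheet: which roles can perform every task of the process on their own, which roles or users hold a conflicting pair of tasks (toxic combinations also arise when one person holds several otherwise-clean roles), and the smallest set of tasks to strip from an offending role so that no conflict remains.

```python
"""Separation-of-duties (SoD) checks over a role/task access matrix.

Added example with constructed data; the matrix, task names and conflict
pairs below are not taken from the attached spreadsheet.
"""
from itertools import combinations

# Constructed: the tasks making up one critical business process (accounts payable).
AP_TASKS = ["create_vendor", "enter_invoice", "approve_invoice",
            "issue_payment", "reconcile_bank"]

# Constructed: one row per role, listing the tasks that role may perform
# (the equivalent of one tab of the access matrix).
ROLE_MATRIX = {
    "ap_clerk":   {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_invoice", "issue_payment"},
    "controller": {"reconcile_bank"},
    "ap_admin":   {"create_vendor", "enter_invoice", "approve_invoice",
                   "issue_payment", "reconcile_bank"},
}

# Constructed: task pairs that must never be held by the same person,
# because together they let one person commit and conceal a fraudulent payment.
CONFLICTS = [
    ("create_vendor", "issue_payment"),
    ("enter_invoice", "approve_invoice"),
    ("issue_payment", "reconcile_bank"),
]

# Constructed: user-to-role assignments; a user's effective rights are the
# union of all roles held.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager", "controller"],
    "carol": ["ap_clerk", "ap_manager"],
}


def effective_tasks(roles, matrix=ROLE_MATRIX):
    """Union of the tasks granted by a list of roles."""
    tasks = set()
    for role in roles:
        tasks |= matrix.get(role, set())
    return tasks


def roles_covering_process(process_tasks, matrix=ROLE_MATRIX):
    """Roles that alone can perform every task of the process (total SoD failure)."""
    needed = set(process_tasks)
    return sorted(role for role, tasks in matrix.items() if needed <= tasks)


def conflicts_for(tasks, conflicts=CONFLICTS):
    """Conflicting pairs fully contained in a task set, sorted for stable output."""
    return sorted((a, b) for a, b in conflicts if a in tasks and b in tasks)


def role_conflicts(matrix=ROLE_MATRIX, conflicts=CONFLICTS):
    """Roles whose own task set contains a conflicting pair."""
    found = {}
    for role, tasks in matrix.items():
        pairs = conflicts_for(tasks, conflicts)
        if pairs:
            found[role] = pairs
    return found


def user_conflicts(user_roles=USER_ROLES, matrix=ROLE_MATRIX, conflicts=CONFLICTS):
    """Users whose combined roles give them a conflicting pair."""
    found = {}
    for user, roles in user_roles.items():
        pairs = conflicts_for(effective_tasks(roles, matrix), conflicts)
        if pairs:
            found[user] = pairs
    return found


def minimal_removals(role, matrix=ROLE_MATRIX, conflicts=CONFLICTS):
    """Smallest set of tasks to remove from a role so that no conflict remains.

    Brute-force over subsets in increasing size; fine for the handful of
    tasks a single business process has.
    """
    tasks = set(matrix[role])
    for size in range(len(tasks) + 1):
        for removal in combinations(sorted(tasks), size):
            if not conflicts_for(tasks - set(removal), conflicts):
                return sorted(removal)
    return sorted(tasks)


if __name__ == "__main__":
    print("roles covering whole process:", roles_covering_process(AP_TASKS))
    print("role conflicts:", role_conflicts())
    print("user conflicts:", user_conflicts())
    for role in role_conflicts():
        print(f"strip from {role}:", minimal_removals(role))
```

Running the checks shows the kind of finding the plan should document: `ap_admin` can run the whole process alone, `bob` and `carol` each pick up a conflicting pair only through their combination of roles, and the cheapest fix for `ap_admin` is to remove two tasks (approving invoices and issuing payments) rather than dissolving the role.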

· Employee training is typically focused on the contents of the acceptable use policy.