he assignment asks that you take the NIST Cybersecurity Framework controls that pertain specifically to system configuration items only, and reduce them to test cases with pass/fail criteria. To do th

The assignment asks that you take the NIST Cybersecurity Framework controls that pertain specifically to system configuration items only, and reduce them to test cases with pass/fail criteria. To do this you should perform the following:

Read through the NIST Cybersecurity Framework controls and identify all controls that relate to system configuration requirements. An example of one control (there are many, this is just one) would be:

• DS-4: Adequate capacity to ensure availability is maintained

Once you’ve identified all of the controls that relate to system configuration requirements, rewrite them into test cases in which you can grade them with a pass or fail grade. Keep in mind that there can be many test cases for a single control. A few examples for PR.DS-4 would be:

1. Are all disks configured for RAID 1 (mirrored disks)?
2. Is there at least 20% free space on every disk drive?
3. Are the number of CPU’s in the system adequate to meet the processing demand?

Explain the concept of mitigating controls. An example of a compensating control would be that the front door must be monitored 24/7 by video camera to record who enters and leaves. A compensating control is posting a security guard at the door, recording who enters and leaves, while the camera system is being upgraded.

Then for each of the cases where the above controls cannot be met, identify and explain the mitigating controls:

1. Laptops only have a single disk, so disk mirroring is not possible.

Analyze your controls and estimate the likelihood of a breach when all systems are compliant with the controls you’ve identified.