
The team has spent several weeks defining the risk management process and exploring PE-3 (Physical Access Control) controls to ensure that risks to laptops are mitigated. During these assessments the team distinguished between brick-and-mortar locations and temporary facilities. According to Marquette University, risk management "is the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss" (2021). That is indeed what we have focused on as we have worked to mitigate the risks associated with a laptop that could contain data that would put the organization at risk.

This week we studied continuous monitoring, the process that lets an organization track a device or component and ensure that any changes to it are authorized changes. Effective monitoring runs continuously and raises alerts when suspicious activity occurs. We also learned that a security configuration checklist can be an effective tool for securely configuring a device or component. Table 1 is an example of a technical implementation guide for updating the software on a laptop.

Table 1
Laptop Technical Implementation Guide

Initiative/Release Name: Laptop Lockdown
Project Type: Maintenance: update laptop hard drive encryption
System Changes: BitLocker app update
Baseline Changes: Update BitLocker software
Security Risks: PCI or PII data loss
Planned Deployment Initiation Date: 15-Mar-21
Planned Deployment Completion Date: 31-Mar-21
System(s) Impacted by Change: All corporate laptops
Current Security Categorization of Impacted System(s): High
Initiative/Release Background Information (as required by the organization, where applicable): All corporate laptops are exposed to the internet and potentially hold confidential data
What are the business requirements driving the change? The new BitLocker software provides better encryption of hard drives
Please describe the proposed change(s), including ALL additions, deletions, and modifications: Remove and replace BitLocker X.X with BitLocker Y.Y
Is the Technical Lead and/or Project Lead aware of any potential security-related issues or challenges associated with this change? If so, briefly describe them or provide an attachment describing them: Yes. This is a software push to corporate laptops. All systems will force a reboot; the employee can snooze or schedule the forced reboot so long as the update occurs before 31-Mar-21

Note: This table was derived from an example in NIST SP 800-128 (Johnson et al., 2011).
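The following script is an added example, not part of the original post and not taken from NIST SP 800-128. It turns the Table 1 change into a security configuration checklist that can be run repeatedly on each laptop (for example as a scheduled task) and that raises an alert when the device drifts from the expected state, which is the continuous-monitoring idea described above. The baseline values (XTS-AES 256, TPM plus recovery-password protectors), the event source name LaptopLockdown, the event IDs 4100/4101, and the sample volume object are assumptions chosen for illustration; Get-BitLockerVolume, New-EventLog and Write-EventLog are the standard Windows PowerShell 5.1 cmdlets.

```powershell
# Added example (not from the original post or NIST SP 800-128): a BitLocker
# configuration checklist for the "Laptop Lockdown" change, written for Windows
# PowerShell 5.1 (Write-EventLog is not present in PowerShell 7).

# Expected state of the operating-system volume after the release.
# These values are assumptions for illustration, not an organizational standard.
$Baseline = @{
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'On'
    EncryptionMethod = 'XtsAes256'
    KeyProtectors    = @('Tpm', 'RecoveryPassword')
}

function Test-OsVolumeEncryption {
    # Compares one BitLocker volume against the baseline and returns a result object.
    # Without pipeline input it reads the live OS volume via Get-BitLockerVolume;
    # with pipeline input it can be run against captured or sample objects offline.
    [CmdletBinding()]
    param(
        [hashtable]$Expected = $Baseline,
        [Parameter(ValueFromPipeline)] $Volume
    )
    process {
        if (-not $Volume) {
            $Volume = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
        }
        $findings = @()
        if ($Volume.VolumeStatus -ne $Expected.VolumeStatus) {
            $findings += "VolumeStatus is $($Volume.VolumeStatus), expected $($Expected.VolumeStatus)"
        }
        if ($Volume.ProtectionStatus -ne $Expected.ProtectionStatus) {
            # FullyEncrypted but ProtectionStatus Off means the protectors are suspended:
            # the volume key is stored in the clear until Resume-BitLocker is run.
            $findings += "ProtectionStatus is $($Volume.ProtectionStatus); protectors may be suspended"
        }
        if ($Volume.EncryptionMethod -ne $Expected.EncryptionMethod) {
            $findings += "EncryptionMethod is $($Volume.EncryptionMethod), expected $($Expected.EncryptionMethod)"
        }
        $present = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        foreach ($kp in $Expected.KeyProtectors) {
            if ($present -notcontains $kp) { $findings += "Missing key protector: $kp" }
        }
        [pscustomobject]@{
            ComputerName = $Volume.ComputerName
            MountPoint   = $Volume.MountPoint
            Compliant    = ($findings.Count -eq 0)
            Findings     = $findings
        }
    }
}

function Publish-EncryptionFinding {
    # Writes the result to the Application log so a SIEM can alert on drift.
    # Registering the source is a one-time step that needs administrator rights.
    param(
        [Parameter(Mandatory)] $Result,
        [string]$Source = 'LaptopLockdown'   # assumed source name
    )
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    if ($Result.Compliant) {
        Write-EventLog -LogName Application -Source $Source -EntryType Information -EventId 4100 `
            -Message "BitLocker baseline OK on $($Result.MountPoint)"
    } else {
        Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 4101 `
            -Message ("BitLocker baseline drift on {0}:`n{1}" -f $Result.MountPoint, ($Result.Findings -join "`n"))
    }
}

# Constructed sample (not captured from a real laptop): a volume left with
# protectors suspended and still on XTS-AES 128 after a partial rollout.
$sample = [pscustomobject]@{
    ComputerName     = 'LAPTOP-EXAMPLE'
    MountPoint       = 'C:'
    VolumeType       = 'OperatingSystem'
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'Off'
    EncryptionMethod = 'XtsAes128'
    KeyProtector     = @([pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
}
$sample | Test-OsVolumeEncryption | Format-List   # Compliant: False, with three findings

# On a real laptop, as a scheduled task run after the 31-Mar-21 completion date:
# Test-OsVolumeEncryption | ForEach-Object { Publish-EncryptionFinding -Result $_ }
```

Running the check on a schedule and alerting on event ID 4101 from the LaptopLockdown source closes the loop that the configuration checklist alone does not: the change in Table 1 is deployed once, but the device can drift afterwards, most commonly when an update or firmware change suspends BitLocker and nobody resumes it, leaving the drive encrypted but its key unprotected.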

References
Johnson, A., Dempsey, K., Ross, R., Gupta, S., & Bailey, D. (2011, August). Guide for security-focused configuration management of information systems (NIST Special Publication 800-128). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-128.pdf

Marquette University. (2021). What is risk management. https://www.marquette.edu/riskunit/riskmanagement/whatis.shtml#:~:text=Risk%20management%20is%20the%20continuing
