Problem
Because CDK has a contract with the military, it is subject to an audit under FISMA. The CIO has turned to you, the CISO, to conduct a complete security (risk) assessment of CDK's information security posture. You have a staff of 5 to help you. This is your time to shine. Explain to the CIO in detail how you intend to go about conducting the assessment. You recall that in your system certification course, you learned the steps required for conducting the assessment (NIST SP 800-30R1). You decide to start there. You also remember that FISMA requires government agencies and third-party contractors like CDK to have C&As (NIST SP 800-37R1) for all their systems, and that all organization employees must have annual information security assurance training. You use that to help scope your assessment. Explain how you would conduct the risk assessment.