...Security Policy Framework CIS 462 01 February 2014 As organizations grow, and rely more on information systems as the primary means of conducting operations, keeping those systems and its information secure has become one of the biggest priorities ever. In order to ensure information security, the organization must take appropriate security measures to make sure that no information is put in the hands of unauthorized personnel. Having a comprehensive information security framework in place along with sound standard operations procedure (SOP), and policies and regulations can help any organization keep its systems and information secure. When developing a framework for any organization you must choose what will be best for that organization, although the NIST (SP 800-53), ISO/IEC 27000, and COBIT all are frameworks that offer many different security programs, there is no wrong framework to choose, but choosing the one that works for your organization can be a tough decision for any manager to make. With the insurance organization I would choose to implement the ISO/IEC (27000) framework. That way we can concentrate on establishing and managing an IT security program. The ISO/IEC covers information security standards that are published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that develop and publish international standards. By using this framework we can provide all necessary best practices...
Words: 1310 - Pages: 6
...Tra Johnson Ruben Barragan Bernie Rodriguez Unit 3 Assignment 1: Security Policy Frameworks A business is only as strong as its weakest link. This is true for any company from Apple to Microsoft to any Mom & Pop store. Unfortunately, when your weakest link is your security policy frameworks you put yourselves in a position of unnecessary risk. We are tasked in this assignment to list things that can affect your business if your company’s framework doesn’t align with the business. The first subject that was discussed was operations. Operations focus on various manual processes while ensuring there is minimal risk of errors. For example, if your company is still using paper-based ledgers for your daily paperwork and accounting. You would want to switch your systems to some sort of business software. Overall this will save you both time and money. You also must be careful not to all cost overrun. If your business is not streamlined you can definitely run the risk of this. Risk mitigation is the process of reducing risks as close to the point of absolute zero as possible. Using non-standardized methodologies, and non-compliance with regulatory requirements can damage your company beyond the point of no return. This is because, in the case of non-standardized methodologies, you will be using different processes in different departments and expecting those departments to be able to interact smoothly. Non-compliance with regulatory requirements can subject your business...
Words: 322 - Pages: 2
...ASSIGNMENT 1 IT SECURITY POLICY FRAMEWORK To purchase this visit here: http://www.activitymode.com/product/cis-462-wk-4-assignment-1-it-security-policy-framework/ Contact us at: SUPPORT@ACTIVITYMODE.COM CIS 462 WK 4 ASSIGNMENT 1 IT SECURITY POLICY FRAMEWORK CIS 462 WK 4 Assignment 1 - IT Security Policy Framework Establishing an effective Information Technology Security Policy Framework is critical in the development of a comprehensive security program. Additionally, there are many security frameworks that organizations commonly reference when developing their security programs. Review the security frameworks provided by NIST (SP 800-53), ISO / IEC 27000 series, and COBIT. Assume that you have been hired as a consultant by a medium-sized insurance organization and have been asked to draft an IT Security Policy Framework. You may create and / or assume all necessary assumptions needed for the completion of this assignment. Write a three to five (3-5) page paper in which you: 1. Select a security framework, describe the framework selected, and design an IT Security Policy Framework for the organization. 2. Describe the importance of and method of establishing compliance of IT security controls with U.S. laws and regulations, and how organizations can align their policies and controls with the applicable regulations. 3. Analyze the business challenges within each of the seven (7) domains in developing an effective IT Security Policy Framework. More Details...
Words: 793 - Pages: 4
...and Audit an Existing IT Security Policy Framework Definition Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure * Review existing IT security policies as part of a policy framework definition * Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy * Identify gaps in the IT security policy framework definition * Recommend other IT security policies that can help mitigate all known risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure Week 5 Lab Part 1: Assessment Worksheet (PART A) Sample IT Security Policy Framework Definition Overview Given the following IT security policy framework definition, specify which policy probably can cover the identified risk, threat, or vulnerability. If there is none, then identify that as a gap. Insert your recommendation for an IT security policy that can eliminate the gap. Risk – Threat – Vulnerability | IT Security Policy Definition | Unauthorized access from pubic Internet | Acceptable use policy | User destroys data in application and deletes all files | Backup Recovery Policy | Hacker penetrates your IT infrastructure and gains access to your internal network | Threat Assessment & Management Policy | Intra-office employee...
Words: 1625 - Pages: 7
...Unit 4 Assignment 1: Enhance and Existing IT Security Policy Framework Richman Investments Remote Access Standards Purpose: This document is designed to provide definition of the standards for connecting remotely to Richman Investments’ network outside of the company’s direct network connection. The standards defined here are designed to mitigate exposure to potential damage to Richman Investments’ network, resulting from the use of unauthorized use of network resources. Scope: All Richman Investments agents, vendors, contractors, and employees, who use either Richman Investments company property or their own personal property to connect to the Richman Investments network, are governed by this policy. The scope of this policy covers remote connections, used to access or do work on behalf of Richman Investments, including, but not limited to, the viewing or sending of e-mail, and the viewing of intranet resources. Policy: Richman Investments agents, vendors, contractors, and employees with privilege to remote access to Richman Investments’ corporate network are responsible for ensuring that they adhere to these standards, whether using company-owned or personal equipment for data access, and that they follow the same guidelines that would be followed for on-site connections to the Richman Investments network. General access to the Internet by household members via the Richman Investments network will be permitted, and should be used responsibly, such that all Richman...
Words: 474 - Pages: 2
...Risk-Threat-Vulnerability IT Security Policy Definition Unauthorized access from Public Internet Acceptable Us Policy User Destroys Data in application and deletes all files Asset Identification and Classification Policy Hacker penetrates you IT infrastructure and gains access to your internal network Vulnerability Assessment and Management Policy Intra-office employee romance gone bad Security Awareness Training Policy Fire destroys primary data center Threat Assessment and Management policy communication circuit outages Asset Protection Policy Workstation OS has a known software vulnerability Vulnerability Assessment and Management Policy Unauthorized access to organization owned Workstations Asset Management Policy Loss of production data Security Awareness Training Policy Denial of service attack on organization e-mail server Vulnerability Assessment and Management Policy Remote communications from home office Asset Protection Policy LAN server OS has a known software vulnerability Vulnerability Assessment and Management Policy User downloads an unknown e-mail attachment Security Awareness Training Policy Workstation browser has software vulnerability Vulnerability Assessment and Management Policy Service provider has a major network outage Asset Protection Policy Weak ingress/egress traffic filtering degrades performance Vulnerability Assessment and Management Policy User inserts CDs and USB hard drives with personal photos...
Words: 616 - Pages: 3
...VLT2 - Security Policies and Standards - Best Practices Course of Study This course supports the assessments for VLT2. The course covers 3 competencies and represents 3 competency units. Introduction Overview The skills and knowledge measured by performance assessment VLT2 are derived from a survey of information security professionals from around the world and are also based on the many different information security and assurance frameworks (ISO 27001/2, COBIT, ITL, etc.). The results of this survey were used in weighing the subject areas and ensuring that the weighting is representative of the relative importance of the content. The Security Policy and Standards subdomain focuses on creating organizational security activities and policies; assessing information security risk; and implementing and auditing information security management programs, information assurance certification programs, and security ethics. Watch the following video for an introduction to this course: Competencies This course provides guidance to help you demonstrate the following 3 competencies: Competency 427.3.2: Controls and Countermeasures The graduate evaluates security threats and identifies and applies security controls based on analyses and industry standards and best practices. Competency 427.3.3: Security Audits The graduate evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices. Competency 427...
Words: 4354 - Pages: 18
...IS4550 Security Policies and Implementation INSTRUCTOR GUIDE Course Revision Table Change Date | Updated Section | Change Description | Change Rationale | Implementation Quarter | 12/20/2011 | All | New curriculum | | June 2012 | | | | | | | | | | | | | | | | | | | | | | | | | | ------------------------------------------------- ------------------------------------------------- Credit hours: 4.5 Contact/Instructional hours: 60 (30 Theory, 30 Lab) Prerequisite: IS3110 Risk Management in Information Technology Security or equivalent Corequisite: None Table of Contents Course Overview 5 Course Summary 5 Critical Considerations 5 Instructional Resources 6 Required Resources 6 Additional Resources 6 Course Management 8 Technical Requirements 8 Test Administration and Processing 8 Replacement of Learning Assignments 9 Communication and Student Support 9 Academic Integrity 10 Grading 11 Course Delivery 13 Instructional Approach 13 Methodology 13 Facilitation Strategies 14 Unit Plans 15 Unit 1: Information Security Policy Management 15 Unit 2: Risk Mitigation and Business Support Processes 25 Unit 3: Policies, Standards, Procedures, and Guidelines 33 Unit 4: Information Systems Security Policy Framework 42 Unit 5: User Policies 50 Unit 6: IT Infrastructure Security Policies 58 Unit 7: Risk Management 66 Unit 8: Incident Response Team Policies 74 Unit 9: Implementing...
Words: 18421 - Pages: 74
...significant role within the IG program. The IGRM model designed by EDRM, which provides theoretical Framework to encourage unified IG, as well as advocate policy and process integration for information stakeholders. Especially in, IT, Business, Security and Records and information management. This integration is aim to bring transparency to stakeholders and be able to identify the value and duty of information at any time. Furthermore, this framework contributes more communication and cooperation among stakeholders, the ultimate benefit is to keep crucial information security within the organization, reduce information costs,...
Words: 930 - Pages: 4
...potential security breach within their records. They are now currently investigating how this happened and what information was access by the unauthorized individual. However, the company is now interested in established a baseline framework to avoid future information breaches from occurring. This document will outline three major IT frameworks and how each could have mitigated the recent information breach. ISO Policy The ISO 27001 recommendation is a high-level discussion. A precise policy was not located. The discussion did contain a preventive feature to denied access afterhours; however, how the afterhours check relates to a policy is not clear. The COBIT5 recommendation is a discussion and needs to develop a policy. The discussion includes auditing in general; however, details about the auditing need to be developed once a precise policy is developed. The NIST framework discussion includes review of log files. Details need to be developed about the review once a policy is developed. The three major security frameworks in the discussion are excellent overall recommendations. Precise policy statements that will prevent an identified security flaw in the scenario need to be developed. The first policy presented is ISO 27001 (International Standards Organization Security Standards). According to the ISO website, “The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets...
Words: 3049 - Pages: 13
...1. How can a security framework assist in the design and implementation of a security infrastructure? Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which to proceed. What is information security governance? Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”1 Governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective. Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide...
Words: 4589 - Pages: 19
...Introduction to Policy Augmentation Process Due to the fact that both HIPAA and HITECH are non-prescriptive security frameworks HITRUST common security framework (CSF) was leveraged to augment the Heart-Healthy Insurance Information Security Policy. Moreover, HITRUST CSF was chosen as it maps to various other information security frameworks applicable to Heart-Healthy Insurance Company (i.e. HIPAA, HITECH, PCI, ISO 27000-series, etc.). Furthermore, CSF compliance worksheet is an intelligent tool that allows for control mapping to the aforesaid security frameworks based on the scope of assessment (i.e. type of organization, number of insured members, number of system users, number of transactions, etc.). New-User Policy Augmentation Using the aforesaid CSF-based logic, the following security controls are applicable to the new user protocols of Heart-Healthy Insurance overarching security policy: • Heart-Healthy users will be granted accessed to the system on need-to-know bases and on the principle of least privilege. • Users will be given access rights based on their job roles and responsibilities as well. • Common job roles will be defined in order to receive standard user access, critical and non-critical access rights will be removed within 24 hours after a user has changed roles or has left the company. • All Heart-Healthy employees requesting remote access or dial-in-services must sign the acknowledgement of understanding and accept the use policy and rules of behavior...
Words: 524 - Pages: 3
...RESPONSE PROFILE Table of Contents INTRODUCTION 3 PROFILE 3 CYBER ATTACKS 4 REDUCING THE IMPACTS OF CYBER THREATS 6 COUNTER MEASURES TO THREATS 8 LAW 10 INTERNATIONAL SCOPE 11 CONCLUSION 12 References 13 INTRODUCTION With the rapid growth of technology in the past few decades have brought forward major aspects that actually helped the mankind in many ways. The birth of technology is a prolific boon to the mankind. Technology has made our world a better and safe place bringing forward unknown facts and also helping with many new ways to take up unidentified, difficult tasks at ease and complete it within seconds (Alston, 1987). Technology has totally changed the whole scenario of our world, starting from business to science every field; every sector has been boosted with the rapid change in technology in the past few decades. The era of this technology can be termed as the technological revolution that has potentially brought forward major prospects for the mankind. But, this evolution of this technology has also brought forward major drawbacks and curse. In one word we understand technology means computers, cell phones, Information technology (IT) etc. All along with this one major thing that technology has brought along with it is cyber crime and cyber-attacks. These cyber attacks are very dangerous in terms of information technology. These cyber-attacks cause huge damages which cannot be described in words. These damages are so prolific and potentially...
Words: 4844 - Pages: 20
...Part 1: Craft an Organization-Wide Security Management Policy for Acceptable Use Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Define the scope of an acceptable use policy as it relates to the User Domain * Identify the key elements of acceptable use within an organization as part of an overall security management framework * Align an acceptable use policy with the organization’s goals for compliance * Mitigate the common risks and threats caused by users within the User Domain with the implementation of an acceptable use policy (AUP) * Draft an acceptable use policy (AUP) in accordance with the policy framework definition incorporating a policy statement, standards, procedures, and guidelines Part 1 – Craft an Organization-Wide Security Management Policy for Acceptable Use Worksheet Overview In this hands-on lab, you are to create an organization-wide acceptable use policy (AUP) that follows a recent compliance law for a mock organization. Here is your scenario: * Regional ABC Credit union/bank with multiple branches and locations thrrxampexoughout the region * Online banking and use of the Internet is a strength of your bank given limited human resources * The customer service department is the most critical business function/operation for the organization * The organization wants to be in compliance with GLBA and IT security best practices regarding its employees ...
Words: 639 - Pages: 3
...* ------------------------------------------------- Why are information security policies important to an organization? ------------------------------------------------- They strengthen the company's ability to protect its information resources * ------------------------------------------------- Which of the following should include any business process re-engineering function? ------------------------------------------------- Security review * ------------------------------------------------- Policies and procedures differ, because policies are ___ and procedures are ___. ------------------------------------------------- Requirements, technical * ------------------------------------------------- Among other things, security awareness programs must emphasize value, culture, and ___. ------------------------------------------------- Resiliency * ------------------------------------------------- To achieve repeatable behavior of policies, you must measure both ___ and ___. ------------------------------------------------- Consistency, quality * ------------------------------------------------- Within the user domain, some of the ways in which risk can be mitigated include: awareness, enforcement, and ___. ------------------------------------------------- reward * ------------------------------------------------- In a workstation domain, you can reduce risk by ___. ------------------------------------------------- Securing the workstation ...
Words: 867 - Pages: 4