...Risk-Threat-Vulnerability IT Security Policy Definition Unauthorized access from Public Internet Acceptable Us Policy User Destroys Data in application and deletes all files Asset Identification and Classification Policy Hacker penetrates you IT infrastructure and gains access to your internal network Vulnerability Assessment and Management Policy Intra-office employee romance gone bad Security Awareness Training Policy Fire destroys primary data center Threat Assessment and Management policy communication circuit outages Asset Protection Policy Workstation OS has a known software vulnerability Vulnerability Assessment and Management Policy Unauthorized access to organization owned Workstations Asset Management Policy Loss of production data Security Awareness Training Policy Denial of service attack on organization e-mail server Vulnerability Assessment and Management Policy Remote communications from home office Asset Protection Policy LAN server OS has a known software vulnerability Vulnerability Assessment and Management Policy User downloads an unknown e-mail attachment Security Awareness Training Policy Workstation browser has software vulnerability Vulnerability Assessment and Management Policy Service provider has a major network outage Asset Protection Policy Weak ingress/egress traffic filtering degrades performance Vulnerability Assessment and Management Policy User inserts CDs and USB hard drives with personal photos...
Words: 616 - Pages: 3
...Audit an Existing IT Security Policy Framework Definition Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure * Review existing IT security policies as part of a policy framework definition * Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy * Identify gaps in the IT security policy framework definition * Recommend other IT security policies that can help mitigate all known risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure Week 5 Lab Part 1: Assessment Worksheet (PART A) Sample IT Security Policy Framework Definition Overview Given the following IT security policy framework definition, specify which policy probably can cover the identified risk, threat, or vulnerability. If there is none, then identify that as a gap. Insert your recommendation for an IT security policy that can eliminate the gap. Risk – Threat – Vulnerability | IT Security Policy Definition | Unauthorized access from pubic Internet | Acceptable use policy | User destroys data in application and deletes all files | Backup Recovery Policy | Hacker penetrates your IT infrastructure and gains access to your internal network | Threat Assessment & Management Policy | Intra-office employee romance...
Words: 1625 - Pages: 7
...(PII) and Data Breaches By Stevie D. Diggs University Maryland University College IFSM201 Section 7974 Semester 1309 Personally Identifiable Information (PII) and Data Breaches Knowing and training on personally identifiable information (PII) is important in today’s society. There has been research on data breaches and identity theft that links them both together. This is to help personnel have a clear understanding on the impact of what is at steak and an explanation of PII. Many businesses and organizations have different definition for PII because of the classification of data for each, and that is why understanding PII is important. Examples of PII include, but are not limited to the following: full name, maiden name, mother‘s maiden name, or alias; personal identification number, social security number (SSN), passport number, driver‘s license number, taxpayer identification number, or financial account or credit card number; address information, street address or email address; personal characteristics, including photographic image, fingerprints, handwriting, or other biometric data. How do you protect PII? Who has access to PII? Who are affected by data breaches and identity theft? How to prevent data breaches and identity theft? The research introduced in this essay is from Verizon along with multiple articles involving military and organizations. PII is defined definitely by military and organizations. Training along with knowing ways to prevent data breaches and...
Words: 1541 - Pages: 7
...IT 454 Security Management Plan Marshall Miller December 20, 2015 Table of Contents Section 1: Information Security Management 4 Intro to Organization 4 People 4 Physical Security 4 Training of Security 4 Information Technology Training 4 Technology 5 Project Manager Roles 5 Section 2: Security Program 6 Data Classification 6 Management Support 7 Hierarchy Reporting Structure 8 8 Section 3: Security Policies 10 Acceptable Use Policy 10 1. Overview 10 2. Purpose 10 3. Scope 11 4. Policy 11 5. Enforcement 13 6. Definitions 13 7. Implementation Date 13 Section 4: Security Policies 14 Risk Assessment 14 Quantitative Risk Analysis 14 Quantitative Risk Analysis 14 Methodologies 15 1. Transfer 15 2. Avoid 15 3. Reduce 15 4. Accept 16 Summary 16 Section 5: Controlling Risk 17 Administrative 17 Human Resources 17 Organizational Structure 17 Security Policies 18 Technical 18 Access Control 18 System Architecture 18 System Configuration 18 Physical 19 Heating and Air Conditioning 19 Fire 19 Flood 19 Summary 19 Bibliography 20 Section 1: Information Security Management Intro to Organization My organization is about a federally recognized business called JPPSO (Joint Personnel Property Shipment Office). JPPSO specializes in the shipping of military personnel goods. JPPSO works hand in hand with the United States Air Force to enforce the safe shipping of military household goods...
Words: 2755 - Pages: 12
...1. Why is it important to perform a risk assessment on the systems, applications, and data prior to designing layered access controls? 2. What purpose does a Data Classification Standard have on designing layered access control systems? 3. You are tasked with creating a Microsoft Windows Enterprise Patch Management solution for an organization, but you have no budget. What options does Microsoft provide? 4. How does network monitoring, performance monitoring, alarming, and incident response help secure the IT infrastructure? 5. Provide an example of multi-factor authentication and identify an application that you think would require multi-factor authentication. 6. In which of the seven domains of a typical IT infrastructure would be policy definitions for implementation of anti-virus application/tool as a security countermeasure? Explain. 7. What is the difference between a Host-based Firewall and a Network-based Firewall? What domains of the typical IT infrastructure would you deploy each of these within? Explain how firewalls help mitigate risk exposure by preventing or blocking unauthorized access. 8. Give at least 3 examples of controls typically implemented in the User Domain. Explain these controls. 9. Provide 3 example of encrypted remote access communications commonly used through the public Internet (i.e., remote access via Internet) 10. Which domain within a typical IT infrastructure is the weakest link? From am access control perspective...
Words: 376 - Pages: 2
...Unit Plans Unit 1: Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure. Key Concepts Confidentiality, integrity, and availability (CIA) concepts Layered security solutions implemented for the seven domains of a typical IT infrastructure Common threats for each of the seven domains IT security policy framework Impact of data classification standard on the seven domains Reading Kim and Solomon, Chapter 1: Information Systems Security. Keywords Use the following keywords to search for additional materials to support your work: Data Classification Standard Information System Information Systems Security Layered Security Solution Policy Framework ------------------------------------------------- Week 1 Assignment (See Below) * Match Risks/Threats to Solutions * Impact of a Data Classification Standard Lab * Perform Reconnaissance & Probing Using ZenMap GUI (Nmap) * Page 7-14 in lab book. Project (See Below) * Project Part 1. Multi-Layered Security Plan ------------------------------------------------- Unit 1 Assignment 1: Match Risks/Threats to Solutions Learning Objectives and Outcomes You will learn how to match common risks or threats within the seven domains of a typical IT infrastructure with solutions and preventative actions...
Words: 1409 - Pages: 6
...the standard for “internal use only” is. The definition of “internal use only” is “Information or data shared internally by an organization. While confidential information or data may not be included, communications are not intended to leave the organization.” What does that mean? It means that information being used by this classification is to be created, used, and distributed through the organization and nowhere else. Let’s now explain the technical side of things. The IT infrastructure domains consist of 7 different domains. These domains are user domain, workstation domain, LAN domain, LAN-to WAN domain, remote access domain, system/application domain, and WAN domain. For the use of “Internal use only” classification it should only include the following domains. The following contains information on how “internal use only” classification is affected by these domains. User domain- The user domain is by far the most vulnerable. This domain can be vulnerable by the employee’s actions, emotions, and awareness of company policies and procedures. It is up to the user to use the information correctly not necessarily up to the network protocols in place. The best way to mitigate this issue it to monitor abnormal behavior and have employees understand the company’s acceptable use policy. Workstation domain- The workstation domain is how the user connect to the company’s IT infrastructure. It can be from workstations to personal data assistance devices. The desktop support group...
Words: 510 - Pages: 3
...layered security that supports confidentiality * Defining organization wide policies, standard, procedures, and guidelines to protect confidential data. * Adopting a data classification standard that defines how to treat data throughout AT. * Limiting access to systems and application that house confidential data to only those authorized to use it * Using cryptography techniques to hide confidential data to keep it invisible to unauthorized user * Encrypting data that crosses the public internet. * Encrypting data that is stored within databases and storage devices 4. Definition of policy, standard, guide, procedure * Policy: is written statement that the people in charge of an organization have set as a course of action or direction. Come from upper management-apply to whole organize * Standard: detail information for hardware and software, how it use-ensure consistent security controls are used throughout IT system * Procedure: instruction for how to use policies and standards: plan of action, install, test, auditing * Guidelines: suggest course of action for using the policy, standard or procedure. 5. Definition of classification of data * Goal and objective of DCS is to provide a consistent definition for how an organization should handle and secure different types of data: private data, confidential, internal use only, and public domain data. 6. Result of lapse in security...
Words: 963 - Pages: 4
...Impact of Data Classification Standard and Internal Use Only Data classification standard provides the means of how the business should handle and secure different types of data. Through security controls different data types can be protected. All these security controls should apply to each of every IT infrastructure in which it will state how the procedures and guidelines will guarantee the organization’s infrastructures security. This report will identify the definition of “Internal Use Only” data classification standard of Richman Investments. Internal Use Only includes information that requires protection from unauthorized use, disclosure, modification, and or destruction pertaining to a particular organization. This report will tackle 3 IT infrastructure including workstation domain, LAN-Wan Domain, and Remote Access Domain. Internal Use Only data includes data related to business operations, finances, legal matters, audits, or activities of a sensitive nature, data related to stake holders, information security data including passwords, and other data associated with security related incidents occurring at the business company, internal WCMC data, the distribution of which is limited by intention of the author owner or administrator. For the Workstation Domain, the impact of data classification standard internal use only can possibly applied when a user violates AUP and generates security hazard for the establishment’s IT infrastructure. In order to prevent something...
Words: 596 - Pages: 3
...antivirus scanning for e-mails with attachments. • Enable content filtering and antivirus scanning for e-mail attachments. Content filtering network devices are configured to permit or deny specific domain names in accordance with AUP definition. • Track and monitor abnormal employee behavior and use of IT infrastructure during off-hours. • Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee position and access. Alarms and alerts programmed within an IDS/IPS help identify abnormal traffic and can block IP traffic as per policy definition. o Workstation Domain • Enable password protection on workstations for access, Enable auto screen lockout for inactive times. • Define workstation operating system vulnerability window policy definition. A vulnerability window is the gap in time that you leave a computer unpatched with a security update. • Use workstation antivirus and malicious code policies, standards, procedures, and guidelines. o LAN Domain • Make sure wiring closets, data centers, and computer rooms are secure. Do not allow anyone access without proper ID. • Define a strict software vulnerability window policy requiring quick software patching. • Use WLAN network keys that require a password for wireless access. • Implement encryption between workstation and WAP to maintain confidentiality. o LAN-to-WAN Domain • Apply strict...
Words: 651 - Pages: 3
...Lab #3 – Assessment Worksheet Identify & Classify Data for Access Control Requirements Course Name & Number: IS3230 ______________________________________________________________ Student Name: Heather Young ______________________________________________________________________ Instructor Name: MR. Gibbs _____________________________________________________________________ Lab Due Date: Jan. 2014 _______________________________________________________________________ Overview This lab provides the student with the opportunity to develop a data classification standard with procedures and guidelines to classify data access based on the job responsibilities – not an organizational position. In this lab, students aligned a data classification standard with the job function and roles that are required to access specific data. This alignment allows access controls policy definition to be properly implemented throughout the IT infrastructure to mitigate risk from unauthorized access. Lab Assessment Questions & Answers 1. What is the Data Classification Standard used in the U.S. Department of Defense (DoD)/Military?Google “Data Classification Standard + DoD”. Summarize the different data classifications. Top Secret- highest level of information sensitivity Secret- information that would cause serious damage, most common classification level Confidential- Is the lowest of sensitivity. This information may only be handled by personnel with a clearance, may...
Words: 993 - Pages: 4
...Which of the following is an action that could damage an asset?* | Risk | Threat | Data transfer | Filtering | 2. An AUP is part of a layered approach to security and it supports confidentiality. What else supports confidentiality?* | Threat monitoring | Vulnerability assessments | Data classification standards | Security awareness policies | 3. Which of the following is NOT a common type of data classification standard?* | Guideline | Top secret | Internal use only | Private data | 4. Which domain of a typical IT infrastructure includes cabling, servers, and wireless access points?* | User | Workstation | LAN | Remote Access | 5. In which domain of a typical IT infrastructure do service level agreements (SLAs) figure prominently?* | LAN | LAN-to-WAN | WAN | Remote Access | 6. Which of the following is considered a threat rather than a risk?* | An earthquake | Losing data | Losing business due to the aftermath of a tornado | A financial organization failing to comply with federal regulations | 7. Which law does not require securing private information, but it does require security controls to protect the confidentiality and integrity of the reporting itself?* | SOX | GLBA | HIPAA | FISMA | 8. You are calculating the availability of a server for the month of June. The total possible uptime is 43,200 minutes. The actual downtime was 60 minutes. What was the percentage of availability...
Words: 279 - Pages: 2
...After completing this unit, the student should be able to: • Explain the concepts of information systems security (ISS) as applied to an IT infrastructure. Key Concepts: ▪ Confidentiality, integrity, and availability (CIA) concepts ▪ Layered security solutions implemented for the seven domains of a typical IT infrastructure ▪ Common threats for each of the seven domains ▪ IT security policy framework ▪ Impact of data classification standard on the seven domains Materials: Week 1 PowerPoint Presentation Assignment Overview: Refer to Assignment 1: Match Risks/Threats to Solutions in the Graded Assignment Requirements section of this instructor guide. In this assignment, the students need to match common risks or threats within the seven domains of a typical IT infrastructure with the possible solutions or preventative actions. Use the hand out worksheet NT2580.U1.WS1.doc. Refer to Assignment 2: Impact of a Data Classification Standard, you must write a brief report on how the "Internal Use Only" data classification standard impacts the seven domains of the investment firm's IT infrastructure. Refer to Project Part 1. Multi-Layered Security Plan in the Project section of this instructor guide. Assign the Project Part 1 to students and inform them that they need to submit it by the beginning of Unit 2. In this assignment, students need to research the...
Words: 530 - Pages: 3
...IT Security and Compliance Policy | IS3350/Security Issues; Roger Neveau; 3/12/2013; Mike Taylor, Instructor | This document is the Final Project for IS3350 Security Issues, creating and improving security policies for LenderLive Network | | Table of Contents Introduction2 Risk Analysis2 SWOT Analysis2 Physical Security5 Data Classification6 Regulatory Compliance8 Intellectual Property…………………………………………………………………………………………………………………………….10 Training……………………………………………………………………………………………………………………………………..............11 Security Breach……………………………………………………………………………………………………………………………………..12 Appendix A SWOT Analysis…………………………………………………………………………………………………………………..14 Appendix B Definitions………………………………………………………………………………………………………………………….17 Appendix C Roles…………………………………………………………………………………………………………………………………..18 Works Cited…………………………………………………………………………………………………………………………………………..19 Introduction An effective IT Security policy protects the organization against possible threats to the infrastructure and data that the organization has. It will provide and maintain its ability to provide confidentiality, integrity, availability, and security of the client’s data within the organization’s environment. Overview The IT Security and Compliance policy for LenderLive Network Inc. will detail the policies, procedures, and guidelines that the organization will adhere to, to ensure compliance of the Graham-Leach-Bliley Act (GLBA) and Federal Trade Commission’s Safeguards Rule. It describes...
Words: 4550 - Pages: 19
...- Information Security Policy Document Reference Date Document Status Version Revision History P01 - IS Policy Final 1.0 Table of Contents 1. 2. 3. 4. 5. 5.1. 5.2. 5.3. 5.4. 5.5. 5.6. 5.6.1. 5.6.2. 5.6.3. 5.6.4. 6. 6.1. 6.2. Policy Statement ....................................................................................................................... 3 Review and Update of the Policy Statement .......................................................................... 3 Purpose ...................................................................................................................................... 3 Scope.......................................................................................................................................... 3 Information Security Framework ........................................................................................... 3 Reporting Structure for the Business .......................................................................................... 3 Associated Teams....................................................................................................................... 4 Annual Policy Review................................................................................................................ 4 Policy Breaches .......................................................................................................................... 4 Individual Policies ..........................
Words: 1892 - Pages: 8
