...VLT2 - Security Policies and Standards - Best Practices Course of Study This course supports the assessments for VLT2. The course covers 3 competencies and represents 3 competency units. Introduction Overview The skills and knowledge measured by performance assessment VLT2 are derived from a survey of information security professionals from around the world and are also based on the many different information security and assurance frameworks (ISO 27001/2, COBIT, ITL, etc.). The results of this survey were used in weighing the subject areas and ensuring that the weighting is representative of the relative importance of the content. The Security Policy and Standards subdomain focuses on creating organizational security activities and policies; assessing information security risk; and implementing and auditing information security management programs, information assurance certification programs, and security ethics. Watch the following video for an introduction to this course: Competencies This course provides guidance to help you demonstrate the following 3 competencies: Competency 427.3.2: Controls and Countermeasures The graduate evaluates security threats and identifies and applies security controls based on analyses and industry standards and best practices. Competency 427.3.3: Security Audits The graduate evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices. Competency 427...
Words: 4354 - Pages: 18
...Management and Guidance to Protect Classified Information and Systems Highlights of GAO-15-544, a report to congressional committees. Why GAO Did This Study What GAO Found Since 2010, the United States has suffered grave damage to national security and an increased risk to the lives of U.S. personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the President have issued requirements for structural reforms and a new program to address insider threats. The Department of Defense (DOD) components GAO selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance, and leading practices recommended by the National Insider Threat Task Force. However, the components have not consistently incorporated all recommended key elements. For example, three of the six components have developed a baseline of normal activity—a key element that could mitigate insider threats. DOD components...
Words: 17616 - Pages: 71
...TFT2 Cyberlaw, Regulations, and Compliance Overview Kristi Lockett, Course Mentor Kristi.lockett@wgu.edu https://kristilockett.youcanbook.me Performance Assessment • • • Seven (7) Weeks to complete COS Four (4) Tasks Refer to Rubric (in Taskstream) for task requirement details Tasks – submit via Taskstream 1. Task 1 – Policy Statements • For given scenario, develop/revise two policy statements (new users and password requirements). Justify policies based on current federal information security laws/ regulations (i.e., HIPAA) 2. Task 2 - Policy Statements • For given scenario, develop three policy statements that would have prevented a security breach. Justify policies based on national or international standards (i.e., NIST, ISO) 3. Task 3 – Service Level Agreement • • • For given scenario, recommend/justify changes to service level agreement. Address the protection of the parent company’s physical property rights, intellectual property rights and the non-exclusivity clause Use Microsoft Word tracking to track your additions, deletions, and modifications. Insert your justifications after each SLA section, or write an essay describing your changes and justifications 4. Task 4 – Cybercrime • For the given scenario, write an essay responding to the following question prompts (suggested length of 3–5 pages): • • • • • • • • Discuss how two laws or regulations apply to the case study. Discuss how VL Bank will work within the parameters of appropriate legal jurisdiction...
Words: 369 - Pages: 2
...PERFORMANCE WORK STATEMENT Table of Contents 1 OVERVIEW 1 2 CONTRACT REQUIREMENTS 1 2.1 Objectives Fulfillment 1 2.1.1 Business Objectives 1 2.1.2 Technical Objectives 2 2.1.3 Management Objectives 3 2.2 Assumptions and Constraints 3 2.2.1 Access Control 4 2.2.2 Authentication 4 2.2.3 HSPD-12 Personnel Security Clearances 4 2.2.4 Non-Disclosure Agreements 5 2.2.5 Accessibility 5 2.2.6 Data 5 2.2.7 Confidentiality, Security, and Privacy 5 2.3 Tasks/Sub-Tasks to Be Performed Related to Initiating the Service 6 2.3.1 Task 1: 6 2.3.2 Task 2: 7 2.4 Period of Performance 7 3 PERFORMANCE MANAGEMENT OF THE DELIVERED SERVICES 8 3.1 Modifications to Service Level Agreements 8 3.2 Changes to Key Performance Measures. 8 3.3 Quality Assurance Evaluation 8 3.4 Government Roles and Responsibilities. 9 3.4.1 Contracting Officer (CO) 9 3.4.2 Contract Specialist 9 3.4.3 Contracting Officer’s Technical Representative (COTR) 10 3.4.4 Other Key Government Personnel 10 3.5 Contractor Roles and Responsibilities 10 4 METHODS OF QUALITY ASSURANCE SURVEILLANCE 11 5 SECURITY REQUIREMENTS 11 5.1 Required Policies and Regulations for GSA Contracts 11 5.2 GSA Security Compliance Requirements 13 5.3 Certification and Accreditation (C&A) Activities 13 5.3...
Words: 7425 - Pages: 30
...National Instituate of Technology,Rourkela Department of Computer Science and Engineering Term Paper on Directions for Web and E-Commerce Applications Security SupervisorProf.P.M. Khilar Submitted byDinesh Shende Roll No-212CS2102 M.Tech(1st year) Directions for Web and E-Commerce Applications Security Abstract: This paper provides directions for web and e-commerce applications security. In particular, access control policies, workflow security, XML security and federated database security issues pertaining to the web and e-commerce applications are discussed. These security measures must be implemented so that they do not inhibit or dissuade the intended e-commerce operation. This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy. These threats originate from both hackers as well as the e-commerce site itself. Another threat may originate at ostensibly friendly companies such as DoubleClick, MemberWorks and similar firms that collect customer information and route it to other firms. Much of this transaction information is able to be associated with a specific person making these seemingly friendly actions potential threats to consumer privacy. Many of the issues and countermeasure discussed here come from experiences derived with consulting with clients on how to maintain secure e-commerce facilities. These methods and techniques can be useful in a variety of client and server...
Words: 3283 - Pages: 14
...MosqueraHerby ThomasLouis Zayas * 13-Jan-14 | | * Table of Contents COVER 1 TABLE OF CONTENTS 2 DOCUMENT CHANGE LOG 3 Project Risk Management Plan Purpose AND SCOPE 4 Key Roles and Responsibilities 4 Risk Management Process and Activities 5 Risk Management Plan Audit Log 5 Risk Assessment and Management Table 6 COMPLIANCE LAWS AND REGULATIONS 8 PROPOSED SCHEDULE 9 Risk Management Plan Approvals 10 * Department: Information Technology Product or Process: Risk Management Document Owner: Battle Creek, MI IT Version | Date | Author | Change Description | 0.1 | 1/6/14 | RFranklin | Initial Draft | 0.2 | 01/12/14 | RFranklin | Revision 1 | 0.3 | 1/13/14 | RFranklin | Revision 2 | * Project Risk Management Plan Purpose and Scope The purpose of this Risk Management Plan is to identify the strategies, methods, and procedures to be used within the Michigan Air National Guard, Battle Creek, Michigan supply chain in identifying, evaluating, and mitigating the risk involved in daily and long term operations. All Department of Defense and federal agencies must at least comply with the minimum standards set forth in Law, DOD directives, branch of service regulations, and local base regulations. This plan provides local guidelines for applying the FISMA standards using the NIST guidelines and procedures. The Scope of this plan is limited to the Michigan Air National Guard...
Words: 1209 - Pages: 5
...1. How can a security framework assist in the design and implementation of a security infrastructure? Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which to proceed. What is information security governance? Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”1 Governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective. Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide...
Words: 4589 - Pages: 19
...Page 63 2 CHAPTER TWO IT Governance This chapter helps you prepare for the Certified Information Systems Auditor (CISA) exam by covering the following ISACA objectives, which includes understanding the role IT governance plays in providing assurance. The assurance structure starts at the top with senior management and continues downward through the organization. This includes items such as the following: Tasks Evaluate the effectiveness of IT governance structure to ensure adequate board control over the decisions, directions, and performance of IT so that it supports the organization’s strategies and objectives. Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization’s strategies and objectives. Evaluate the organization’s IT policies, standards, and procedures; and the processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements. Evaluate the IT strategy and the process for its development, approval, implementation, and maintenance to ensure that it supports the organization’s strategies and objectives. Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance. Evaluate management practices to ensure compliance with the organization’s IT strategy, policies, standards, and procedures...
Words: 14503 - Pages: 59
...SECURITY RISK MANAGEMENT PLAN Prepared by Jeremy Davis Version control Project title | Security Risk Management Plan Draft | Author | Jeremy Davis | VC | 1.0 | Date | 25/10/10 | Contents Executive summary 4 Project purpose 5 Scope of Risk management 5 Context and background 5 Assumptions 5 Constraints 5 Legislation/Standards/Policies 6 Risk management 6 Identification of risk 7 Analysis of risk 8 Risk Category 9 Review of Matrix 9 Action plan 9 Testing Procedures 11 Maintenance 11 Scheduling 11 Implementation 12 Training 12 Milestones 12 Monitoring and review 13 Definition 13 Authorisation 14 Reference 15 Executive summary A Security Risk Management Plan (SRMP) helps CBS by providing specific guidelines and rules to ensure risk management is considered and included. It provides guidelines for its implementation that can minimise the threats by planning, policies, processes and procedures that can help your business get everything back to normal as soon as possible. This SRMP was designed for the guidelines for its implementation of risk management in CBS and in its operations in order to ensure its security and safety of its staff and assets. Throughout this SRMP it identifies threats, procedures, policies, responsible person and etc which will provide you and your staff information to prepare you with the worst disaster event. Every business these days has a SRMP in case of any events which may occur,...
Words: 2028 - Pages: 9
...NIST Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View JOINT TASK FORCE TRANSFORMATION INITIATIVE INFORMATION SECURITY Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 March 2011 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Director Special Publication 800-39 Managing Information Security Risk Organization, Mission, and Information System View ________________________________________________________________________________________________ Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines...
Words: 1680 - Pages: 7
..."why do security enterprise problems exist?" This question of security leads to developing security policies that deal with people issues, and evaluates internal/external risks. Organizations are urging top executives to make information security a priority. Therefore, quality and trustworthiness of information are becoming key business issues (Ezingeard et al, 2005). To better accomplish information security in an organization, a management level infrastructure approach is needed. Just as information and data characteristics are different at the different levels of management, information security has different characteristics at the different levels of management. These levels of management are strategic, tactical, and operational. At the operations level, transaction data is produced and serves as input to create information. Maintaining and monitoring of integrity, confidentiality, and availability of the transaction data are primary objectives which are supported by organizational procedures and guidelines. At the tactical level, information is interpreted and utilized in decision making. Implementations of preventative, detective, and responsive controls are a primary objective which is supported by organizational standards. Further analysis/aggregation of the information creates knowledge to help make strategic level decisions Information security policy provides a framework to ensure that systems are developed and operated in a secure manner. Such policies must consider...
Words: 1173 - Pages: 5
...the following tasks: 1. Configure user accounts and access controls in a Windows Server according to role-based access implementation 2. Configure user account credentials as defined policy, and access right permissions for each user 3. Create and administer Group Policy Objects for the management of Windows Active Directory Domain machines within the IT infrastructure 4. Apply the correct Group Policy Object definitions per requirements defined by policies and access right permissions for users 5. Assign and manage access privileges as requested in the case study to apply the recommended and required security controls for the user accounts Week 1 Lab Part 1 - Assessment Worksheet Assess the Impact on Access Controls for a Regulatory Case Study Overview Watch the Demo Lab in the Week 1 Learning Space Unit 1, and answer the questions below. The lab demonstrates creating an Active Directory domain as well as user and group objects within the new domain. Directories will be created and permissions assigned based on the required access control as defined in the matrix. Group Policy Objects will also be created and linked to Objects within the domain to enforce security settings. Lab Assessment Questions & Answers 1. What does DACL stand for and what does it mean? DACL means discretionary access control list and it is a type of access control defined by the trusted computer system evaluation criteria. 2. Why would you...
Words: 1428 - Pages: 6
...Glossary…………………………………………………………………………………….2-3 Overview, Purpose, Scope……………………..4-5 Training………………………………………………….5-6 Procedure………………………………………………….6 Policy……………….………………………………….….6-9 Policy 1: Information Systems Policy..…..10-13 Policy 2: Security of Laptop…………………..14-16 Policy 3: Clean Desk policy…….……………..17-18 Policy 4: Workstation Policy………………………19 Policy 6: Email Policy………………………..….20-21 Policy 7: Personnel policy………………….…22-23 Policy 9: Data Breach Policy………………...24-27 Policy 10: Software policy………………………29-31 Policy 11: Data and information classification……32 Policy 12: Internal Treats…………………………………….33 Policy 13: Policies and Procedures for Electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII)...34-35 Policy 14: Wireless LAN Security Policy……………………..36 IS security Awareness policy…………………………………..37-38 Conclusion……………………………………………………………………39 References……………………………………………………………………40 Overview: DSA contractors has been awarded a contract with the Department of Defense. Our next task is to revamp the companies’ policy to ensure compliance with DOD policy. All employees have to be retrained on new policy to ensure that DSA medicate violations. The attitudes and atmosphere of change will also be needed to ensure compliance with DOD standards. Training sessions is scheduled for all employees and a policy handbook will be given to the each employee as references at the end of training. The security officer and his staff or human...
Words: 9781 - Pages: 40
...position is a 2210-Supervisory Policy and Planning Specialist. “The USGS serves the nation by providing reliable scientific information to describe and understand the Earth; minimize loss of life and property from natural disasters; manage water, biological, energy, and mineral resources; and enhance and protect our quality of life” (USGS). In this position, you manage the staff members responsible for ensuring that the USGS adheres to all federal legislation related to information security. You have been asked to provide a detailed briefing to executive staff at the USGS. The purpose of your presentation is to justify the need for additional staff to help keep the USGS in compliance with the ever-changing and complex federal requirements for information security. Your presentation will include a comprehensive analysis of federal information security legislation that applies to your agency. Task: A. Prepare a multimedia presentation (e.g., PowerPoint, Keynote) (suggested length of 14–16 slides) based on the given scenario in which you do the following: 1. Analyze the effects of the key points addressed by the policy framework of the Federal Information Security Management Act (FISMA) of 2002 on the USGS. 2. Discuss the role of the federal Office of Management and Budget (OMB) on ensuring that all federal agencies, including the USGS, are compliant with federal information security legislation. 3. Explain the role of the National Security Agency (NSA) and National...
Words: 613 - Pages: 3
...WIRELESS LOCAL AREA NETWORK IMPLEMENTATION SECURITY AND SUPPORT SUBPROJECT Stephen F. Delahunty Project Management in the Technological Environment Scope Definition Plan Wireless Local Area Network Installation Project This document serves to provide a scope definition for the Security and Support subproject of the corporate wireless local area network installation project initiative. It is a functional document to be used by the project team and stakeholders as a central point of reference for this subproject. Security and Support Scope Definition Subproject Justification The business need for this subproject is the constraint to ensure compliance with corporate and industry security standards in order to protect the firm’s information systems and data. If security issues are not addressed there is a potential for a loss of data or access to corporate systems from unauthorized outside parties. Without proper security procedures the firm could increase vulnerability in terms of information technology and proprietary data. Any network-related project such as this wireless network installation must adhere to current corporate security policy and this subproject meets that goal. An additional requirement of this subproject is to facilitate a smooth transition to a pilot program and full implementation. The subproject team will also serve as security subject matter experts for other subproject teams in this overall initiative. ...
Words: 674 - Pages: 3
