...Security Requirements and the Possible Risks associated with the Benefits Elections Systems of Huffman Trucking Company CMGT/442 Security Requirements and the Possible Risks associated with the Benefits Elections Systems of Huffman Trucking Company Huffman Trucking has sent out a service request regarding the development and installation of a benefits election system to support the tracking and reporting of employee (union and non-union) benefits (University of Phoenix, 2011). Per this request, this paper will discuss possible security requirements and possible risks that may occur or be associated with the development and implementation of the Benefits Elections Systems. Typically, information on each employee and his or her respective benefits package is stored and managed using some type of database system. This can be either a hardcopy file version or an electronic one. Whatever method is used, security measures have to be put in place to protect each employee from the loss or theft of their information, as well as protect company assets from possible legal action. The purpose of this paper is to discuss some of the potential security requirements of Huffman’s system as well as the some of the risks associated with the implementation of this type of system. When deciding what security requirements will be needed to implement the Benefit Election System one will need to keep in mind of securing both the company and employees’ data from breaches. Security breaches...
Words: 1019 - Pages: 5
... Information System Audit Guide VERSION 11.1 January 2012 Table of Contents 1. Introduction to Accreditation 4 2. The Information System Audit – Checklist 7 2.1. What is an Information System Audit? 7 2.2. Why is an Information System Certification needed? 7 2.3. Assessing an Information System’s Security Risks 7 2.4. Selecting an Information System’s Security Controls 7 3. Purpose of the Checklist 8 4. How to Use the Checklist 8 4.1. The Checklist Structure 8 4.2. Security Objectives 9 4.3. Guidance for IRAP Assessors 9 4.4. Information System Compliance 10 5. Guidance for IRAP Assessors 10 6. The Checklist 11 6.1. The Information Security Policy & Risk Management 11 6.2. Information Security Organisation 14 6.3. Information Security Documentation 17 6.4. Information Security Monitoring 20 6.5. Cyber Security Incidents 22 6.6. Physical & Environmental Security 24 6.7. Personnel Security for Information Systems 26 6.8. Product & Media Security 27 6.9. Software, Network & Cryptographic Security 30 6.10. Access Control & Working Off-site Security 33 Appendix A – Accreditation Governance 36 The ISM & Certification 36 Compliance Levels 37 Compliance Report 37 Compliance Comments 37 Audit Documentation Submissions 38 Appendix B – Standards 39 | ...
Words: 6447 - Pages: 26
...system at an acceptable level of risk? a. Accrediting Authority 3. Who is responsible for ensuring that the appropriate operational security posture is maintained for an information system and in many organizations is assigned responsibility for the day-to-day security operations of a system? a. Information System Security officer 4. Who is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls? a. system owner, and/or the senior agency information security officer 5. Who is the highest-level senior official or executive within an organization with the overall responsibility to provide information security protections commensurate with the risk and magnitude or harm? a. The head of agency (or chief executive officer) 6. The six steps of the Risk Management Framework and what occurs on each step. a. Step 1: Categorize i. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. b. Step 2: Select i. Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on organization assessment of risk and local conditions. ...
Words: 5295 - Pages: 22
...tracking and reporting of employee (union and non-union) benefits (Apollo Group Inc., 2011). With the new benefit system coming online brings new security requirements and possible risks that must be addressed. This document will list some of those security requirements and risks of the Benefits Election System of the company. Paper Risks and Security Requirements Huffman Trucking is a national transportation company with 1,400 employees working in logistical hubs across the United States. The human resources department currently maintains several tracking mechanisms for its employee information. The company has an HRIS system that was developed in-house that maintains a database of personal information. One of the company’s managers also maintains an Excel spreadsheet for individual compensation decisions and surveys. With the recommendation to convert the Excel spreadsheet to a database system, it is a wise choice to integrate the paper data into the already made HRIS system database. In either case, there is a need to provide planning and security for the system. To address the one possibility of integrating the Excel spreadsheet into the benefit election system, there are a few risks associated with paper-based systems and security baselines that must be met. Maintaining paper presents risks such as environmental risks. This can include fire, water, and weather....
Words: 1290 - Pages: 6
...Huffman Trucking Service Request Huffman Trucking is in need of addressing possible security requirements as well as security risks within their Benefit Elections System. Throughout the report the security requirements and security risks for the Benefits Electronic System will be documented and addressed. A few of the risks that are involved with the Benefits Electronic System are errors that cannot be controlled, taking too much time to complete, not having a correct plan and most importantly support from the stakeholders. It is important that the Huffman Trucking current system is reviewed and documented so that risks can be documented as well as requirements. It is important that the stakeholders are updated throughout the entire project. Any of the systems that Huffman Trucking is unclear about needs to be documented and any security requirements need to documented and corrected before the analysis phase can be started. A few of the security requirements that might need to be documented are what resources will be used; any risk boundaries that are with the system and what data diagrams are being used. There also needs to be a backup plan in case the system is hacked into during the project process. Without some type of a backup plan there can be a lot of information stolen from within the system. When the Benefits Elections System starts the upgrade process it is important that a project manager is assigned to the project. The purpose of the project manager is to help...
Words: 830 - Pages: 4
...Information Security Policy Best Practice Document Produced by UNINETT led working group on security (No UFS126) Authors: Kenneth Høstland, Per Arne Enstad, Øyvind Eilertsen, Gunnar Bøe October 2010 © Original version UNINETT 2010. Document No: Version / date: Original language : Original title: Original version / date: Contact: © English translation TERENA 2010. All rights reserved. GN3-NA3-T4-UFS126 October 2010 Norwegian “UFS126: Informasjonsikkerhetspolicy” July 2010 campus@uninett.no UNINETT bears responsibility for the content of this document. The work has been carried out by a UNINETT led working group on security as part of a joint-venture project within the HE sector in Norway. Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved. The translation of this report has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 238875, rel ating to the project 'Multi-Gigabit European Research and Education Network and Associated Services (GN3)'. 2 Table of Contents EXECUTIVE SUMMARY INTRODUCTION 1 1.1 1.2 4 5 6 6 6 INFORMATION SECURITY POLICY Security goals Security strategy 2 3 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 ROLES AND AREAS OF RESPONSIBILITY PRINCIPLES FOR INFORMATION SECURITY AT Risk management Information security policy Security organization Classification and control...
Words: 6043 - Pages: 25
...THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION Thesis Submitted in partial fulfillment of the requirements for the degree of MASTER OF TECHNOLOGY in COMPUTER SCIENCE & ENGINEERING - INFORMATION SECURITY by EBENEZER JANGAM (07IS02F) DEPARTMENT OF COMPUTER ENGINEERING NATIONAL INSTITUTE OF TECHNOLOGY KARNATAKA SURATHKAL, MANGALORE-575025 JULY, 2009 Dedicated To My Family, Brothers & Suraksha Group Members DECLARATION I hereby declare that the Report of the P.G Project Work entitled "THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" which is being submitted to the National Institute of Technology Karnataka, Surathkal, in partial fulfillment of the requirements for the award of the Degree of Master of Technology in Computer Science & Engineering - Information Security in the Department of Computer Engineering, is a bonafide report of the work carried out by me. The material contained in this report has not been submitted to any University or Institution for the award of any degree. ……………………………………………………………………………….. (Register Number, Name & Signature of the Student) Department of Computer Engineering Place: NITK, SURATHKAL Date: ............................ CERTIFICATE This is to certify that the P.G Project Work Report entitled " THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" submitted by Ebenezer Jangam (Register Number:07IS02F)...
Words: 18945 - Pages: 76
...Information Security Program Guide For State Agencies April 2008 Table of Contents INTRODUCTION .......................................................................................................................................................3 A SUGGESTED IMPLEMENTATION STRATEGY .............................................................................................5 SECURITY COMPONENTS ...................................................................................................................................12 RISK MANAGEMENT ................................................................................................................................................12 POLICY MANAGEMENT ............................................................................................................................................14 ORGANIZING INFORMATION SECURITY ....................................................................................................................16 ASSET PROTECTION .................................................................................................................................................18 HUMAN RESOURCES SECURITY ...............................................................................................................................20 PHYSICAL AND ENVIRONMENTAL SECURITY ...........................................................................................................22 COMMUNICATIONS...
Words: 14063 - Pages: 57
...Build a Web Applications and Security Development Life Cycle Plan What are the elements of a successful SDL? The elements of a successful SDL include a central group within the company (or software development organization) that drives the development and evolution of security best practices and process improvements, serves as a source of expertise for the organization as a whole, and performs a review (the Final Security Review or FSR) before software is released. What are the activities that occur within each phase? Training Phase- Core Security Training Requirements Phase- Establish security requirements, create Quality Gates/Bug Bars, perform Privacy Risk assesments. Design Phase-Establish Design Requirements, perform Attack Surface Analysis/Reduction, use Threat Modeling Implementation Phase- Use approved tools, Deprecate unsafe functions perform static analysis Verification Phase- Perform Dynamic Analysis, Perform Fuzz Testing, Conduct Attack Surface Review Release Phase- Create an incident Response Plan, Conduct Final Security Review, Certify release and archive Response Phase- Execute Incident Response Plan Phase Activities Roles Tools Requirements - Establish Security Requirements -Create Quality Gates/Bug Bars -Perform Security and Privacy Risk Assessments -Project Managers -Security Analysts -Microsoft SDL Process Template for Visual Studio Team System - MSF-Agile + SDL Process Template Design -Establish Design Requirements -Perform Attack Surface Analysis/Reduction ...
Words: 2006 - Pages: 9
...Cycle ENISA: Risk Management and Isms activities An information security management system[1] (ISMS) is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of BS 7799. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk. Contents * 1 ISMS description * 2 Need for an ISMS * 3 Critical success factors for ISMS * 4 Dynamic issues in ISMS * 5 See also * 6 Notes and references ISMS description As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach: * The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls. * The Do phase involves implementing and operating the controls. * The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS. * In the Act phase, changes are made where necessary to bring the ISMS back to peak performance. ISO/IEC 27001:2005 is a risk based information security standard, which means that organizations need to have a risk management process...
Words: 5234 - Pages: 21
...Grace xxxxxx IFSM 370 Section 6380 Risk Analysis: Metric Machine Parts and Supplies Corp. This white paper examines the risks and security issues faced by MMPS Company’s strained network and the impact of those risks on the business’s data and functions. This paper would also seek to identify the business problems and evaluate technology solutions that can used to combat those risks. The challenge of mitigating security risks arising from compromised network is brought to focus in this analysis as we evaluate how to effectively build merge new technology solutions to the existing infrastructure for operational improvement. It is not of no surprise that although most businesses long for growth, they do not adequately consider scalability of their technology solutions as part of their ongoing business strategy which ultimately proves to be a costly endeavor when the need arises. The Business Problem Metric Machine Parts and Supplies Corporation (MMPS) is a growing company with over 75, 000 customers across the world cataloging over 100, 000 parts that are typically made available online to its customers. The telecommunications network aspect of the business is outsourced to an outside management company responsible for managing the upkeep of its network. Due to frequent crashes and disruptions, the MMPS is seeking other alternatives to handle the growing problems. The business telecommunication network is incapable of handling the simultaneous orders from its customers...
Words: 2106 - Pages: 9
...HIPAA COW Risk Analysis & Risk Management Toolkit Networking Group Guide for the HIPAA COW Risk Analysis & Risk Management Toolkit Disclaimers This Guide and the HIPAA COW Risk Analysis & Risk Management Toolkit (Toolkit) documents are Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). They may be freely redistributed in their entirety provided that this copyright notice is not removed. When information from this document is used, HIPAA COW shall be referenced as a resource. They may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This Guide and the Toolkit documents are provided “as is” without any express or implied warranty. This Guide and the Toolkit documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Guide and the Toolkit documents. Therefore, these documents may need to be modified in order to comply with Wisconsin/State law. The Toolkit provides an example HIPAA Security Risk Assessment and documents to support completing a Risk Analysis and Risk Mitigation Implementation Plan. While it covers a broad spectrum of the requirements under the HIPAA Security Rule and HITECH, it may not cover all measures needed to secure your patients’ electronic protected health information (ePHI). It...
Words: 3778 - Pages: 16
...WHAT IS INFORMATION SECURITY? 0.2 WHY INFORMATION SECURITY IS NEEDED? 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS 0.4 ASSESSING SECURITY RISKS 0.5 SELECTING CONTROLS 0.6 INFORMATION SECURITY STARTING POINT Information security is defined as the preservation of confidentiality, integrity and availability of information … Information security is defined as the preservation of confidentiality, integrity and availability of information … 0.7 CRITICAL SUCCESS FACTORS 0.8 DEVELOPING YOUR OWN GUIDELINES 1 SCOPE 2 TERMS AND DEFINITIONS 3 STRUCTURE OF THIS STANDARD 3.1 CLAUSES Security controls directly address risks to the organization, therefore risk analysis is a starting point for designing controls. Security controls directly address risks to the organization, therefore risk analysis is a starting point for designing controls. 3.2 MAIN SECURITY CATEGORIES 4 RISK ASSESSMENT AND TREATMENT 4.1 ASSESSING SECURITY RISKS Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization 4.2 TREATING SECURITY RISKS 5 SECURITY POLICY 5.1 INFORMATION SECURITY POLICY 5.1.1 Information security policy document 5.1.2 Review of the information security policy 6 ORGANIZATION OF INFORMATION SECURITY Defines the hierarchical...
Words: 1623 - Pages: 7
...the information security management standards, plus potential metrics for measuring and reporting the status of information security, both referenced against the ISO/IEC standards. Scope This guidance covers all 39 control objectives listed in sections 5 through 15 of ISO/IEC 27002 plus, for completeness, the preceding section 4 on risk assessment and treatment. Purpose This document is meant to help others who are implementing or planning to implement the ISO/IEC information security management standards. Like the ISO/IEC standards, it is generic and needs to be tailored to your specific requirements. Copyright This work is copyright © 2010, ISO27k Forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k Forum at www.ISO27001security.com, and (c) derivative works are shared under the same terms as this. Ref. | Subject | Implementation tips | Potential metrics | 4. Risk assessment and treatment | 4.1 | Assessing security risks | Can use any information security risk management method, with a preference for documented, structured and generally accepted methods such as OCTAVE, MEHARI, ISO TR 13335 or BS 7799 Part 3. See ISO/IEC 27005 for general advice. | Information security risk management...
Words: 4537 - Pages: 19
...password, policy, to educate the users. SECURITY CONSIDERATIONS IN THE INFORMATION SYSTEM DEVELOPMENT LIFE CYCLE. Each information security environments unique, unless modified to adapt to meet the organization’s needs. The System Development Life Cycle (SDLC) the system development life cycle starts with the initiation of the system planning process, and continues through system acquisition and development, implementation, operations and maintenance, and ends with disposition of the system. Service decisions about security made in each of these phases to assure that the system is secure. The initiation phase begins with a determination of need for the system. The organization develops its initial definition of the problem that solved through automation. This followed by a preliminary concept for the basic system that needed, a preliminary definition of requirements, and feasibility and technology assessments. Also during this early phase, the organization starts to define the security requirements for the planned system. Management approval of decisions reached is important at this stage. The information developed in these early analyses used to estimate the costs for the entire life cycle of the system, including information system security. An investment analysis determine the appropriate strategy for achieving the system requirements, while taking mission needs and budget constraints into account. Expenditures for security before the system built. It is difficult...
Words: 1444 - Pages: 6
