Cybersecurity and Information Security Programs (Week 1)
What is Information Security (IS) and how is IS used in an organization, company or federal agency?
Information security (infosec) is designed to protect information. Information security should protect the Confidentiality, Integrity and availability of the information.
All companies have information that they need to protect. This info could be there employee’s personal information; it also can be their customers email addresses or their credit card account information. It is the company’s job to protect all of that information and if the information gets into the wrong hands this can do damage to the company’s reputation.
The way that companies protect information is by classifying the information on different levels and then only granting people with the level of clearance handle that data and the person also has to have a need to know.
Janssen, C. (n.d.). What is Information Security (IS)? – Definition from Techopedia. Retrieved from http://www.techopedia.com/definition/10282/information-security-is
What is an Information Security Program (ISP) and how is an ISP used in organizations, companies and federal agencies?
An ISP is a detailed plan in which the company measures its risk. Most ISP assessments looking at a company’s strategic, Tactical and Operational plan. The plan also rank and assess amount of risk the company is taking these documents normally take account for contain such as Privacy, Policy, audit, Compliance and technical security and Access control. This plan also details how to protect the company’s information. And also should have a roster of people in the organization.
The Business Side of Cybersecurity (Week 2)
In order an Information Security program to be successful within an organization it must relate to the mission. Cyber Security should not prevent an organization from accomplishing its mission or meeting the needs of their customer. Provide some examples of outside influences that can positively shape a well-designed security program.
Cybersecurity is a concept that can be overlooked by many businesses, as it is often seen as a part of the IT department instead of being viewed as its own department (Fitzgerald, 2012). This oversight serves an indication of the basic misunderstandings that accompany the entity that is cybersecurity and is often the reason that companies encounter costs and technological headaches that could have otherwise been prevented. Despite the ignorance that surrounds cybersecurity in many companies, the advances made in this area are profound and continue to grow as a result of attempts made by various companies to fulfill the external expectations placed upon them.
Three external influences that can assist in positively shaping a well-designed security program are regulative, normative and cognitive expectations (Hu, Hart, and Cooke, 2007). The regulative expectation embodies the concept that companies will design an efficient and comprehensive security program in order to abide by the regulations set forth by its governing body (i.e. HIPPA, FERPA, etc). The normative expectation incoporates the pressure that is experienced due to the security plans and security measures put into place by peer companies and is thereby filled because of the moral obligation the company experiences as it pertains to doing “the right thing”. The cognitive expectation places the pressure on a company to create a security program that is able to anticipate and subsequently combat future incidents.
All of these external factors can affect even the smallest of companies in a major way if breached, which is why a well-designed security program is imperative. By addressing these three areas of external pressure while also attending to the security needs of the company, stakeholders are better able to address future challenges while simultaneously increasing their present-day functionality and efficiency.
References
Fitzgerald, Todd. (2012). Information security governance simplified: from the boardroom to the keyboard. [Books24x7 version] Available fromhttp://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47187.
Hu, Q., Hart, P., and Cooke, D. (2007). The role of external and internal influences on information systems security – A Neo-Institutional perspective. Journal of Strategic Information Systems, 16(2), 153-172.
Discuss some recent natural disasters that have occurred in the news. How do you think each impacted the businesses in the area? What steps can you imagine were taken in order to resume operations? Be sure to cite your sources.
Planning for disasters that occur due to system hacking or tampering is relatively easy when compared to planning for disasters that are a result of storms inflicted by mother nature. When considering the storms that rocked eastern states this summer as well as the tornadoes in various states this season that have also caused blackouts in different areas, the first thing that comes to mind as an information system security analyst is the amount of man power and time that went into ensuring the safe recovery of material and functality while rebooting business systems. The longer a company is without power, the more money it loses and the more money the company loses, the more at risk it is and so it is safe to assume that any steps that are done must be done quickly and efficiently to preserve the integrity of the company.
The storms in the east this past summer caused a power outage to over 3000 people and businesses (Yan & Alsup, 2014). In order to recover from being without power for anywhere from 24-72 hours is not an easy feat, however, it is one that can be accomplished. The first step would be to ensure the safety and existence of all personnel. Ensuring that personnel is still alive and able to access the work site determines what the next steps will be. Next, it would be necessary to ensure that backup systems are operational and hat only equipment that is absolutely necessary is running. Unplugging all unnecessary technology while placing some items in safe mode simultaneously provides the ability to run necessary processes with available power, have mid-level programs ready to boot once power is restored, and conserve energy until all items can be rebooted. As the backup systems are being assessed, the security systems should be concurrently assessed to ensure the protection of company information, assets, and in tel as companies are most vulnerable to hackers and malintent during and after a blackout (Soifer & Goure, 2014). Once these steps have been taken, communication between pertinent personnel should be reestablished with the goal to have all communication up and running as quickly as possible. If secure communication cannot be established it would be imperative to communicate that to staff. After these steps have been completed, a sweep of program and systems for malware should be conducted to ensure the safety and security of the network before allowing the company to return to full operational status. The final step to be taken would be a memo to staff informing them of the company’s operational status as well as a detailed memo to upper management citing any potential dangers identified, how long the system was down, and the current status of the system. Though not an all-inclusive list, the steps above will assist in ensuring that a business is able to return to full operational status in a reasonable amount of time without sacrificing security or content.
Reference
Soifer, D., Goure, D. (2014). Keeping the lights on: How electricity policy must keep pace with technology. Lexington Institute. July 2014.
Yan, H., Alsup, D. (2014, July 9). Ferocious storms kill 5, leave about 300,000 without power. CNN. Retrieved from: http://www.cnn.com/2014/07/08/us/severe-weather/index.html?iref=allsearch
Laws, Policies, Regulations and Standards (Week 3)
How do policies, regulations and laws impact information security in organizations, companies or federal agencies?
Federal law and regulations ensure the existence of a minimum standard of practice to which companies and federal agencies must adhere as it pertains to the security of information. This standard of practice ensures that any company that uses technology as a core part of its practices has developed a multi-tiered, proactive information security program (Module 2, n.d.). In addition, the aforementioned standard of practice prohibits companies from skimping monetarily in this area, as they require that an adequate amount of budget funds are slated to create and maintain a functional and effective information security program. Moreover, policies that indicate consequences for the release of confidential and/or private information exist on both the civil and federal levels in order to ensure the safety consumer identity.
In 1987, the U.S. Federal Government passed the Computer Security Act, which was an attempt to protect federal computer systems from attack and misuse (Warren, 1962). Since that time, various laws and regulations have been implemented to protect not only the organizations whose daily operations are required to be in compliance but also the consumers whom the organizations serve. Designed to ensure the integrity, confidentiality, and availability of services, the laws and regulations set forth inhibit one size fits all programs from being created and loosely implemented; instead these laws and regulations require that each portion of the company be considered in order to create a well-developed, unique plan for the company it will serve (Fitzgerald, 2012). This level of regulation, though potentially daunting, ensures that companies do not create a program and neglect to use it but instead actively monitor it daily as laws and policies change often.
References
Fitzgerald, Todd. (2012). “Chapter 13 – The law and information security. Information security governance simplified: From the boardroom to the keyboard. Auerbach Publications
N.A. (n.d.). Module 2: Overview, Outcomes, and Commentary sections I, II, and III. Organizations and their security programs.
Whitman, M., Mattford, H. (2011). Reading & cases in information security: Law & ethics. Cengage Learning.
In your opinion, what are the types of Laws that impact information security in organizations, companies or federal agencies?
In my opinion, privacy laws are the ones that impact information security in organizations, companies, and federal agencies. Laws such as the Privacy Act of 1974 regulate the way in which information is not only collected and handled but also who it is released to and how it is stored (Fitzgerald, 2012). I believe this type of law is the most impactful because the breach of one of these laws can be the most catastrophic to a company as it directly affects the company’s reputation and public view. A breach of confidentiality and/or privacy in a company’s information security programs leads to the vulnerability of not only company assets but also assets that belong to consumers who benefit from the services and goods provided. One example of a privacy breach would be the one experienced by Target Corporations last winter that led to the information of 70 million customers being at risk due to a hacking of the Target network. The largest retail hack in history and the fourth largest hack since 2009 overall (Townsend, Coleman-Lochner, & Rupp, 2014), this breach incited public fear and caused organizations to scrutinize their internet security programs more closely. Being in charge of the care and security of someone’s private information is akin to being in charge of the care of their most prized possession, it is difficult and often impossible to replace if damaged or lost.
References
Fitzgerald, Todd. ( © 2012). Information security governance simplified: from the boardroom to the keyboard. [Books24x7 version] Availablefromhttp://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47187.
Townsend, M., Coleman-Lochner, L., Rupp, L. (2014 May 6). Target is expected to pursue its first outside CEO. Businessweek. Retrieved from: http://www.bloomberg.com/news/2014-05-06/target-is-expected-to-pursue-its-first-outside-ceo.html
Ethical and Professional Issues (Week 4)
How do Laws and Ethics impact information security in organizations, company or federal agencies?
Laws and ethics are two completely different, yet equally important and slightly interdependent entities. Laws are rules or mandates that prohibit certain behaviors and are drawn from ethics which define what constitutes as a socially acceptable behavior (Whittman & Mattford, 2011). With these definitions in mind, laws impact the way in which organizations, companies and federal agencies conduct business. As information security is a profession which is still very much in its infancy with a lot of maturing to endure (Fitzgerald, 2012), laws that define and re-define how information security works are being passed on a fairly regular basis which means that information security professionals must stay aware of what is occurring in the policy and legal realms in order to ensure that their respective organizations are in compliance and to avoid unnecessary fines and/or legal consequences.
In addition to staying aware of legal ramifications, system analysts must also be aware of what is acceptable according to the systems security community that they might perform their duties in light of the ethical standard that has been placed on their profession. Ethics in the realm of information security take into account how decisions should be made as it pertains to the management of a system, permissive access to restricted information, and how a security breach is handled (Tiwary, 2011). Ethics in this area also address how to apply consequences in the case of false representation of self in order to gain access to restricted materials, the quality of security put into place to ensure the privacy of the individual, and the quality of measures put into place to ensure the protection of intellectual property. Ethics extend the legal responsibilities of the IS analyst’s position by ensuring that they take into account the individuals they are required to protect in addition to the information the law states must be safeguarded.
Laws give the basic ramifications that must be followed in order to ensure privacy of the individual. Ethics take into account the law, what other IS agents in the IS community are doing to ensure the safety of their organizations, as well as the specific and unique needs of the organization being served.
References
Fitzgerald, Todd. ( © 2012). Information security governance simplified: from the boardroom to the keyboard. [Books24x7 version] Available fromhttp://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47187.
Tiwary, D.K. (2011). Security and ethical issues in it: An organization’s perspective. International journal of enterprise computing and business systems. 1(2). Retrieved from: http://national3.com/download.php?id=3474
Whittman, M., Mattford, H. (2011). Principles of information security. Cengage Learning. Retrieved from: http://books.google.com/books?hl=en&lr=&id=L3LtJAxcsmMC&oi=fnd&pg=PR9&dq=information+security+ethics&ots=6VC4OPgOuR&sig=QDXNp7HZTqjRFhRMAHTazNa9Xjc#v=onepage&q=information%20security%20ethics&f=false
What is a System-Specific Security Policy and how does this policy affect a system and application?
The name “System-Specific Security Policy/Plan,” or SSSP, can be quite confusing in that it is not a lengthy collection of documents at all but rather a document that details the operations and controls of any given system (Fitzgerald, 2012). Designed in order to communicate the controls and security measures in place, the policy also details who is responsible for each role that must be played as well as who has access to the system (NIST, 2006). The role of the system within the organization and how large the organization is determines the role the policy plays and how much affect it has on a system/application.
According to Fitzgerald (2012) it is the information that a system or application houses that determines how the policy is applied and subsequently affects the entity. If the information housed by the system or application is extremely sensitive and encases information that can reveal the vulnerabilities of an organization’s system, then the policy is much more rigid and integrates a greater level of restricted access than is seen with a system/application that does not house such information. The policy is designed to strengthen the organization and provide it with the ability to safeguard itself from future attacks by considering all possible security risks/threats before they become a reality (NIST, 2006).
References
Fitzgerald, Todd. ( © 2012). Information security governance simplified: from the boardroom to the keyboard. [Books24x7 version] Available fromhttp://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=47187.
National Institute of Standards and Technology (2006). Guide for devloping security plans for federal information systems(NIST Special Publication 800-18 Revision 1). Gaithersburg, MD: U.S. Department of Commerce.
Risk Identification, Evaluation, and Management (Week 5)
Name an event, present day or in history, where risk was not taken into account. What was the impact of the event? How could risk have been mitigated or managed more effectively? You do not have to limit your submission to the information technology field but try to submit an original example.
Elky (2006) identifies a risk as the function of the likelihood of a threat occurring. An event that has occurred recently that did not take into account the likelihood of risk was the school shooting in Washington State. An event that was preceded by angry and desperate tweets from the student in question as well as multiple previous school shootings (Almasy, Conion, and Brumfield, 2014), it would seem that school officials would have been more aware of the possible risks of something like that happening on their own campus. Though not an event that can necessarily be predicted by anyone, it is one that schools can prevent through risk management and crises plans. According to Borum, Cornell, Modzeleski, and Jimerson (2010), a large majority of schools have not built in effective crises plans and security measures despite the influx of school shootings over the past 10 years. Though all schools may not be equipped with metal detectors or have the personnel necessary to put certain measures into place simple adjustments like zero tolerance as it pertains to bullying behaviors and violence can prevent further larger and more dangerous issues from occurring.
References
Almasy, S., Conlon, K., Brumfield, B. (27 October 2014). Washington school shooter texted lunch table invites to victims. CNN US. Retrieved from: http://www.cnn.com/2014/10/27/us/washington-school-shooting/index.htmlBorum, R., Cornell, D., Modzeleski, W., Jimerson, S. (2010). What can be done about school shootings?: A review of the evidence. Mental Helath Law & Policies Publication. 534 (1) Retrieved from: http://scholarcommons.usf.edu/mhlp_facpub/534/Elky, S. (2006). An introduction to information system risk management. Retrieved from: https://learn.umuc.edu/d2l/le/content/27177/viewContent/1532342/View
Using the Web, search for at least three tools to automate risk assessment. Collect information on automated risk assessment tools. What do they cost? What features do they provide? What are some of the advantages and disadvantages of each one?
Emex is a risk management tool that allows flexibly schedule risk assesments to take place alongside a complete and verfied audit. It has a fast set up with consistent risk-scoring computation, automatic escalation as needed, and dashboard reporting. One of the leading products in Environmental, Health & Safety arena. Specializes in risk & auditing management, incident and event management, carbon management, environmental, CSR and compliance management, and sustainability. Offers a variety of products for each speciality it serves.
Intelex is a tool that facilitates that identification, analysis, monitoring and treatment of both existing and potential hazards and risks throughout the organization it services. It is aligned with risk management standards. Provides up-to-date assesment results on site and through remote access. Allows tasks to be divided by department as well as by role and title. Uses configurable web forms, workflows, email notifications and reporting capabilities to capture critical data an dreplace paper-based or spreadsheet-based processes; gains insight to corporate perfomance by generating boardroom-quality reports instaneously and reports inform the state and quality of environment, safety, corporate social repsoonsibilty, etc. Specifies individual users and working groups while controlling access to files, docs and records.
Berkman Solutions: Risk Manager manages operational, legal, and compliance risks. Risk management is an integral part of the Berkman Solutions suite of products. Designed to simplify the implementation of risk management plans, the risk manager identifies, assesses, and maanges risks easily supplying reports that indicate what happened and how it was handled. A user friendly version of risk management this version is appealing to companies just beginning to implement a plan.
Security Planning and Programming: Organization, Roles and Awareness (Week 6)
What is the mission of an Information Security Program in an organization, company or federal agency?
According to the California Office of Information Security and Privacy Protection (2008) the mission of an information security program (ISP) is to align itself to the mission, purpose, and goals of the organization it serves while simultaneously protecting the confidentiality, integrity and availability of said organization. Wilson & Hash (2003) support this view by stating that the mission of an ISP is to outline the proper behavior for using network systems within any given agency while also outlining consequences and disciplinary action that will be taken in the event of misuse of or harm to the system. An efficient ISP will ensure that the network is secure by outlining the action that should be taken to conduct risk assessments, system scans, and routine disposal of malware that may have worked its way onto the network. It will allow for the training of new employees and retraining of veterans on a systematic basis while performing updates and suggesting upgrades as necessary. Overall, the mission of an ISP is to create awareness, implement training, and educate necessary parties on their roles as it pertains to the organization’s network.
References
California Office of Information Security and Privacy Protection. (2008). Information security program guide for state agencies (Version 3). CA. Retrieved from: http://www.cio.ca.gov/OIS/Government/documents/pdf/Info_Sec_Program_Guide.pdfWilson, M., Hash, J. (2003). Building an information technology security awareness and training program (NIST SP 800-502). Gaithersburg, MD: National Institute of Standards and Technology.
Please name some of the components of an Information Security Program and identify the component that has the most importance in your opinion?
The components of an efficient ISP, as defined by NIST (2003) are awareness, training, and education. Personally, I believe the most important component of the three is awareness. Training and education are definitely essential to being able to effectively and securely run an organization, however, awareness of the issue is what makes training and education relevant. Awareness of the security risk and/or potential breach is what draws the individual in and causes them to become interested in a need for education and training. All too often employees are forced to attend one meeting or another without a well-developed understanding of why they are in attendance to begin with. It is my belief that if employees are made aware of why their presence is required as well as how it will benefit the organization and enhance their role in the organization that many of them would be much more attentive during training sessions and will also be more likely to seek out further education on the topic.
Reference
Wilson, M., Hash, J. (2003). Building an information technology security awareness and training program (NIST SP 800-502). Gaithersburg, MD: National Institute of Standards and Technology.
Security Planning and Programming: Blueprints and Frameworks (Week 7)
Read each of the following articles. Which cyber threat from the list below do you consider to be the most serious threat to the safety and security of the United States and other Western Nation’s? Is there a bigger threat not listed? Be sure to say why and please do not feel like you have to limit your answers to these four threats.
Iran’s Cyber Threat Potential Great, U.S. General Says
http://www.bloomberg.com/news/2013-01-17/iran-s-cyber-threat-potential-great-u-s-general-says.htmlU.S. Must Protect Against Cyber Threats from China
http://thehill.com/blogs/congress-blog/technology/262021-us-must-protect-against-cyber-threats-from-chinaHacktivists – A Growing Cyber Threat
http://defensetech.org/2011/09/06/hacktivists-%E2%80%93-a-growing-cyber-threat/
Snowden serves up another lesson on insider threats
http://www.networkworld.com/news/2013/110813-snowden-serves-up-another-lesson-275785.html?&co=f000000013912s-1248979079
What are Access Controls (AC) and do they protect systems and applications?
What is the difference between an access control and a security control?
Security Planning and Personnel (Week 8)This discussion question was inspired by a former CSIA303 student. Take a look at the Information Assurance Support Environment (IASE) online training that is provided by DISA. Either complete the Cybersecurity Awareness Challenge or take a look at one or more of the IA for Professionals Shorts (I did the ones on SCADA, FISMA, and Zero-Day Vulnerabilities). What did you learn? Will you share the site with others?
The link to the courses can be found at http://iase.disa.mil/eta/online-catalog.html
Name one thing you would change to make this course better (you can list more if you want
The information security program is an integrated approach to selecting and deploying tools, operational processes, and organization roles. What have you learned as a student regarding Information Security and the management of the Information Security Program?
