...attacks into the system by gaining authentication for access rights including a password, policy, to educate the users. SECURITY CONSIDERATIONS IN THE INFORMATION SYSTEM DEVELOPMENT LIFE CYCLE. Each information security environments unique, unless modified to adapt to meet the organization’s needs. The System Development Life Cycle (SDLC) the system development life cycle starts with the initiation of the system planning process, and continues through system acquisition and development, implementation, operations and maintenance, and ends with disposition of the system. Service decisions about security made in each of these phases to assure that the system is secure. The initiation phase begins with a determination of need for the system. The organization develops its initial definition of the problem that solved through automation. This followed by a preliminary concept for the basic system that needed, a preliminary definition of requirements, and feasibility and technology assessments. Also during this early phase, the organization starts to define the security requirements for the planned system. Management approval of decisions reached is important at this stage. The information developed in these early analyses used to estimate the costs for the entire life cycle of the system, including information system security. An investment analysis determine the appropriate strategy for achieving the system requirements, while taking mission needs and budget constraints...
Words: 1444 - Pages: 6
...Data Classification and Privacy: A foundation for compliance Brian Markham, CISA University of Maryland at College Park Office of Information Technology Goals for today: Give you a solid understanding of both Data Classification and Data Privacy with respect to compliance; Link data classification and privacy to ongoing compliance issues; Discuss various best practices, methodologies, and approaches that you can take with you; Do my best to answer any questions you may have on audit related issues regarding these topics. So...who am I? IT Compliance Specialist @ the Office of Information Technology at UMCP Responsible for audit and compliance initiatives within OIT Formerly employed by KPMG LLP and Grant Thornton LLP as an IS Auditor Have worked with many federal, state, and local governments as well as public companies, hospitals, and not-for-profits. Why do we want to be in compliance? No one likes audit findings; Reduces organizational risk; Processes based on best practice and widely adopted standards are more effective than ad-hoc processes; Systems and data are more secure as a result of good internal control practices. What is Data Privacy? Data Privacy - the relationship between technology and the legal right to, or public expectation of privacy in the collection and sharing of data. The U.S. has trailed the E.U. and other countries in data privacy regulations and legislation; Passed Legislation: HIPAA, Gramm-Leach-Bliley, COPPA; Proposed Legislation: Data...
Words: 1305 - Pages: 6
...identify and characterize similar assets, gathering them into groups, and making the assets easier to find. 3. For the scenario you picked, give three (3) examples of customer privacy data elements. 4. Why is your organization’s website classification minor but its e-commerce server considered critical for your scenario? a. Because there is customer’s credit card information stored on the servers 5. Why would you classify customer privacy data and intellectual property assets as critical? a. These are things that can be damaging to not just an organization but to individuals as well. 6. What are some examples of security controls for recent compliance law requirements? a. Biometrics, Tokens, Smart cards 7. How can a Data Classification Standard help with asset classification? a. You can properly classify what might normally be a low priority a high risk classification because of the data that’s on it. 8. How can you minimize leakage of customer privacy data through the public Internet? a. One way is to encrypt the sensitive data with at least 256 bit encryption key. Another way is to label whatever the sent information is as something not out of the ordinary 9. Given the importance of the Master SQL database that houses customer privacy data and intellectual property assets, what security controls and security countermeasures can you apply to help protect these assets? a. First setup securities policies and software to prevent SQL injection so the database can’t be compromised...
Words: 482 - Pages: 2
...Lab #3 – Assessment Worksheet Identify & Classify Data for Access Control Requirements Course Name & Number: IS3230 ______________________________________________________________ Student Name: Heather Young ______________________________________________________________________ Instructor Name: MR. Gibbs _____________________________________________________________________ Lab Due Date: Jan. 2014 _______________________________________________________________________ Overview This lab provides the student with the opportunity to develop a data classification standard with procedures and guidelines to classify data access based on the job responsibilities – not an organizational position. In this lab, students aligned a data classification standard with the job function and roles that are required to access specific data. This alignment allows access controls policy definition to be properly implemented throughout the IT infrastructure to mitigate risk from unauthorized access. Lab Assessment Questions & Answers 1. What is the Data Classification Standard used in the U.S. Department of Defense (DoD)/Military?Google “Data Classification Standard + DoD”. Summarize the different data classifications. Top Secret- highest level of information sensitivity Secret- information that would cause serious damage, most common classification level Confidential- Is the lowest of sensitivity. This information may only be handled by personnel with a clearance, may...
Words: 993 - Pages: 4
...The PCI-DSS Framework: Protecting Stored Cardholder Data Wednesday, November 25th 2009 Contents The PCI-DSS Framework: Protecting Stored Cardholder Data 3 Introduction 3 PCI-DSS Compliance 4 Solutions for Encrypting Data at Rest 4 Data Classification, an Alternative to Encryption 8 Building Policies and Procedures 12 Conclusion 12 References 14 The PCI-DSS Framework: Protecting Stored Cardholder Data Introduction Payment cards, whether they are debit or credit cards are an essential component of modern commerce. EMV-based cards have already helped improve the security of millions of bank cards throughout the world, giving even more people the confidence to make payments. But there are other security concerns associated with bank cards. (Card Technology Today, 2009) Globally, debit and credit cards are used for a wide variety of payments with Internet card payments increasingly significantly in recent years. However, with this growth in Internet-based transactions has come an increase in stories related to Card Not Present (CNP) fraud via Internet channels. (Laredo, 2008) The proliferation of fraud and identity theft cases has put the Payment Card Industry (PCI) on the offensive frontlines. (Morse and Raval, 2008) American Express, Discover, JCB, MasterCard, and Visa have joined forces and formed the PCI Security Standards Council, an independent...
Words: 3961 - Pages: 16
...and state requirements. Security safeguards employee data, customer data, and business data. Without proper security, a business would compromise the quality of their data. There are several steps to identifying security and compliance procedures. It is necessary to any infrastructure to perform a risk assessment. This identifies any gaps in your infrastructure, classifies what is acceptable risk, and what isn’t. The first step is system characterization. In system characterization, you are identifying system components and their criticality in the environment. Production equipment would have a higher criticality in the event of an outage or virus outbreak versus a test machine which is generally open and does not contain safeguarded information. This process is important and pieces of equipment should be labeled for criticality. Servers need protection in the company, as well as other data center resources such as routers/switches. If a malicious user or rogue user were to interrupt business functionality by gaining access, this is a great risk to business continuity. Threat identification is the next step in a risk assessment. It is important to do port scans, virus scans, and observe permissions in an environment. This helps identify any possible threats in the environment and classify them. It’s important to maintain physical security and logical security in an environment. Identifying risks entails if doors are locked to certain areas, who has access to certain...
Words: 690 - Pages: 3
...When an organization implements controls to limit access to buildings, rooms, or computer systems, these are referred to as __________ controls. Technical The organizational hierarchy can be considered a part of __________ controls. Formal Training and an employee awareness program could be considered a part of what type of control? Informal The first step in developing good management practices and reducing the risk of a security breach is by adopting some __________ standards. Baseline Most breaches of information system security occur shortly __________ the terminated employee leaves the organization. Before Formal controls should address not only the hiring procedures but also the structures of __________ during employment. Responsibility Training and awareness programs are extremely important in developing a __________ core of members of the organization. Trusted Coordination in threes still applies, but a further layer of __________ is added when organizations establish relationships with each other. Complexity A firewall is an example of a(n) __________ control. Technical Name two other security requirements that have become important, especially in a networked environment. Authentication and non-repudiation Privacy of data is ensured by what requirement? Confidentiality The Trusted Computer System Evaluation Criteria (TCSEC) was originally developed by _______________. The US Department of Defense Access controls could be either _________ or __________...
Words: 741 - Pages: 3
...Access Control: Final Exam Review: What is subject to an access control scenario? Policies Subject Objects What are the elements of a well-defined access control system? Policies Procedures Tools What is the purpose of access control? To regulate interactions between a subject (usually, but not always, a human user) and an object, like a network, device, or data itself. What components can be used to measure the confidence in any authentication system? Thetype of correlation and the number of authentication factors in place. What holds true while hardening an organizational network through security controls? 100percent of access control threats cannot be eliminated What should be considered while implementing a layered access security approach? Use of case studies to learn from what others have done and apply those lessons to your own situation (risk assessments) Which attack strategies has the highest success rate of making a particular system vulnerable? Denial of Service (DoS) attacks What is the preferred method to reduce risks while managing access security controls within the system/application domain? Checking and applying updates and new patches on a regular basis True or False: When considering access control security options to mitigate vulnerabilities within the infrastructure, it is unnecessary to place access controls on each asset. True Defense-in-depth is the concept and strategy of implementing multiple...
Words: 1028 - Pages: 5
...Network security and management in Information and Communication Technology (ICT) is the ability to maintain the integrity of a system or network, its data and its immediate environment. The various innovations and uses to which networks are being put are growing by the day and hence are becoming complex and invariably more difficult to manage by the day. Computers are found in every business such as banking, insurance, hospital, education, manufacturing, etc. The widespread use of these systems implies crime and insecurity on a global scale. In addition, the tremendous benefits brought about by Internet have also widened the scope of crime and insecurity at an alarming rate. Also, ICT has fast become a primary differentiator for institution/organization leaders as it offers effective and convenient means of interaction with each other across the globe. This upsurge in the population of organizations depending on ICT for business transaction has brought with it a growing number of security threats and attacks on poorly managed and secured networks primarily to steal personal data, particularly financial information and password. This paper therefore proposes some policies and guidelines that should be followed by network administrators in organizations to help them ensure effective network management and security of ICT facilities and data. http://ljs.academicdirect.org 7 Network Security: Policies and Guidelines for Effective Network Management Jonathan Gana KOLO, Umar Suleiman...
Words: 3892 - Pages: 16
...Assignment: Improving Security through Layered Security Control Learning Objectives and Outcomes * Analyze the given case study to evaluate how information technology (IT) security can be improved through layered security control. Assignment Requirements Read the text sheet named “Global Access Control Case Study” and prepare a report capturing the following points: * Synopsis of the given case problem * Analysis of the strengths and weaknesses of the steps taken by the organization * Assessment of access control/IT domains given in the business problem for data confidentiality, integrity, and availability * Evaluation of how layered security proved to be a positive solution in the given problem, including the impacts of layered security In addition, your report must also include answers to the following questions: * What is the significance of compliance and financial reporting from an insecure system? * What influence did the risk management process have in Global fulfilling its goals? * What is the significance of remote external access into the Global network? * What are the other tools comparable to the ones used by Global to solve their internal problems? Required Resources * Text sheet: Global Access Control Case Study (ts_globalcasestudy) Submission Requirements * Format: Microsoft Word * Font: Arial, Size 12, Double-Space * Citation Style: APA * Length: 1–2 pages Self-Assessment Checklist ...
Words: 1445 - Pages: 6
...of what they need to protect. 2. The purpose of an asset classification is so that an organization can determine risk to its assets. 3. The e-commerce server might be considered a critical value because it might be what the company runs under and it the server crashes, everything including all customers’ purchases and transactions may be lost and that will cause a data leak, which will destroy the company. 4. Because these are things that can be damaging to not just an organization, but to individuals as well. 5. Some examples of security controls for recent compliance law requirements are tokens, smart cards, and biometrics. 6. You can properly classify what might normally be a low priority a high-risk classification because of the data that’s on it. 7. Frist setup securities policies and software to prevent SQL injection so the database can’t be compromised. Then have a schedule policy to keep the database to only be online when in use. Limited access to database, so only certain people can access. 8. In order to ensure the confidentiality of customer privacy data throughout the Mock IT infrastructure, both of the LANS and WANS must be overlooked and secured when it is connecting to multiple cities. This will ensure that there is a secure connection between all of the users and the corporation. 9. Your organization can document all previous types of risks, threats, and liabilities to ensure future protection that attacks in occurred...
Words: 355 - Pages: 2
...* ------------------------------------------------- Why are information security policies important to an organization? ------------------------------------------------- They strengthen the company's ability to protect its information resources * ------------------------------------------------- Which of the following should include any business process re-engineering function? ------------------------------------------------- Security review * ------------------------------------------------- Policies and procedures differ, because policies are ___ and procedures are ___. ------------------------------------------------- Requirements, technical * ------------------------------------------------- Among other things, security awareness programs must emphasize value, culture, and ___. ------------------------------------------------- Resiliency * ------------------------------------------------- To achieve repeatable behavior of policies, you must measure both ___ and ___. ------------------------------------------------- Consistency, quality * ------------------------------------------------- Within the user domain, some of the ways in which risk can be mitigated include: awareness, enforcement, and ___. ------------------------------------------------- reward * ------------------------------------------------- In a workstation domain, you can reduce risk by ___. ------------------------------------------------- Securing the workstation ...
Words: 867 - Pages: 4
...-The purpose of information system security is to develop security controls to prevent security weaknesses from being exploited by threat agents. -A threat agent is an entity who is responsible for or who materially contributes to the loss or theft of data. Threat agents may be internal or external to an organization. -Unintentional agents—Unintentional threat agents are employees, contractors, or other insiders who have no motivation to jeopardize information, but who are untrained or negligent in their handling of sensitive information. An example of an unintentional internal threat agent would be someone in the mailroom who accidentally mailed employee pay information to the wrong addresses. -Malicious agents—Malicious internal threat agents are current or former employees, contractors, or other insiders who are motivated to compromise security because of unhappiness with company policies, organizational processes, financial difficulties, or personnel actions. In many cases, the malicious internal threat agent is disgruntled, already fired, or soon to be fired from his or her position. An example of a malicious internal threat agent would be an employee who decided to sabotage systems or data just before a round of layoffs. -Criminal enterprises—Criminal enterprises are groups of skilled technicians who can identify and exploit weaknesses in the systems that store, process, or transmit valuable financial information. -State-sponsored agents—State-sponsored external threat...
Words: 2248 - Pages: 9
...from an outdated system to a more modern version. Currently, the data is stored manually in their headquarters in San Jose and this needs to be fixed, there will be several modules places into a single system that can be accessed from the rest of their locations countrywide. Companies should not try to quickly consolidate data center operations (Lemos, 2009) and based on this the next application architecture and process design will be recommended. System Data and Application Architecture The current system is not properly set, therefore the data access is unsafe and hard to access as there is much of data stored and only accessible to few people, the new system that will be put in place will receive all the imported data and then classify it into different levels of access, restrictions will be put in place so the data is only accesed by the people who is supposed to. ADP the company that will send the checks will be able to access information such as hours worked reported in timecards and pay rate but information such as insurance, training and certifications will not be available to them. When required direct managers can access most of the data but a log will be put in place so each time the personal file is accessed there is proof of who accessed the information and for what reason. System Processes When an employee access the system an SSO system will verify the login information in order to access the right profile, then they will be asked to input the last 4 digits...
Words: 912 - Pages: 4
...TABLE OF CONTENTS 1. POLICY STATEMENT ..................................................................2 2. ACCESS CONTROL.....................................................................3 4. DOCUMENTED DATA SECURITY POLICY.................................4 1. POLICY STATEMENT It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff, and to ensure the integrity of all data and configuration controls. Summary of Main Security Policies 1.1. Confidentiality of all data is to be maintained through discretionary and mandatory access controls, and wherever possible these access controls should meet with C2 class security functionality. 1.2. Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment. 1.3. The use of unauthorized software is prohibited. In the event of unauthorized software being discovered it will be removed from the workstation immediately. 1.4. Data may only be transferred for the purposes determined in the corporate data- protection policy. 1.5. All disk drives and removable media from external sources must be virus checked before they are used within the corporation. 1.6. Passwords must...
Words: 1364 - Pages: 6
