CYB 260 7-3 Project Three KOCH
School: Southern New Hampshire University
Course: 260
Subject: Business
Date: Jun 22, 2024
Type: docx
Pages: 5
Uploaded by CorporalGoldfish2212

7-3 Project Three: Service Level Agreement Requirement Recommendations
James Koch
August 13, 2023
CYB-260 Legal and Human Factors of Cybersecurity
Instructor: Aubrian Smith
Introduction

This brief is written for the partnership between Helios Health Insurance (COMPANY) and Fit-vantage Technologies (CLIENT) for hosting services for product or custom software development. The service level agreement (SLA) defines the relationship, service scope, availability, management, exceptions, and reimbursement. The SLA also covers some CIS Controls, which are best practices for securing IT systems and data. The purpose of this brief is to provide requirement recommendations for the SLA and the approach to meeting those requirements. The brief focuses on two controls related to social engineering attacks, which are cyberattacks that exploit human psychology and behavior, and then describes a training program for a specific social engineering threat.

Control One: Controlled Use of Administrative Privileges

This sub-control is from CIS Control 4, which is covered by the SLA. The control reduces the risk of unauthorized access to, or misuse of, sensitive data and systems by limiting administrative accounts. Administrative accounts have elevated privileges or permissions that allow them to perform tasks regular users cannot, and they are frequent targets for attackers who want to gain full control of a system. The recommended control type is policy: a formal document that defines the rules, roles, responsibilities, and expectations for managing administrative privileges. Implementing this policy will meet the SLA requirements by:

- Reducing the risk of unauthorized access to, or misuse of, sensitive data and systems by limiting administrative accounts.
- Enhancing the accountability and traceability of administrative actions by enforcing strong authentication and auditing mechanisms.
- Aligning with industry best practices and compliance standards for securing administrative privileges.

Control Two: Train Workforce on Identifying Social Engineering Attacks

This sub-control is from CIS Control 17, Section 6, which is covered by the SLA. The control increases employees' awareness of, and skill at, recognizing and responding to social engineering attacks such as phishing, vishing, baiting, and pretexting. These attacks can arrive in many forms, including emails, phone calls, text messages, and fake websites, and they can cause serious damage: data breaches, financial losses, reputational harm, and legal liabilities, among others. The recommended control type is procedure: a step-by-step guide that describes how to perform a task or activity. Implementing this procedure will meet the SLA requirements by:

- Increasing employees' awareness of, and skill at, recognizing and responding to social engineering attacks.
- Testing the effectiveness of the training and measuring employees' susceptibility to social engineering attacks through simulated campaigns, with feedback and guidance provided afterward.
- Updating the training content and frequency based on the latest trends and techniques used by attackers, and incorporating lessons learned from real incidents.

Training Program: Social Engineering Spies
One specific social engineering threat that requires a training program is tailgating. Tailgating is a technique that leverages trust or distraction to gain access to a secure physical space. For example, an attacker may pretend to be an employee or a visitor and follow someone who has a valid badge or key card into a restricted area. Alternatively, an attacker may create a diversion or an emergency that causes someone to open a door or leave it unlocked.

Tailgating can compromise the physical security and data protection of the organization, especially in a healthcare setting where electronic protected health information is involved. An attacker who gains access to a secured area may be able to steal or tamper with equipment, devices, files, or documents that contain sensitive information. This can result in data breaches, identity theft, fraud, lawsuits, fines, or other consequences. Therefore, it is essential for employees to be vigilant and alert when entering or exiting a secure area, and to follow proper procedures for verifying and reporting any suspicious individuals or activities. The training program should educate employees on how to prevent or stop tailgating attempts by using methods such as checking badges, locking doors, escorting visitors, challenging strangers, and reporting incidents.

Training Program Expected Outcomes

The expected outcomes of a training program that addresses tailgating are:

- Using an engaging and interactive format that illustrates realistic scenarios of tailgating attempts and how to prevent or stop them.
- Providing employees with clear instructions on how to check badges, lock doors, escort visitors, challenge strangers, and report incidents.
- Assessing employees' knowledge and performance on tailgating prevention.

Resources

Raza, M. (n.d.). Service Level Agreement (SLA) Examples and template. BMC Blogs. https://www.bmc.com/blogs/sla-template-examples/

Learn about the CIS Controls™. (2021, November 30). CIS. https://www.cisecurity.org/controls/v7

TeachPrivacy. (2021, January 31). Training program: Social Engineering Spies - TeachPrivacy. https://teachprivacy.com/training-program-social-engineering-spies/

Kumar, A. (2023). What is Tailgating in Cybersecurity? Top 9 Preventive Measures. Emeritus Online Courses. https://emeritus.org/blog/cybersecurity-what-is-tailgating-in-cybersecurity/