Module 4 Assignment

School: Saint Leo University
Course: 510
Subject: Communications
Date: Feb 20, 2024
Type: docx
Pages: 4

Uploaded by ColonelKomodoDragonPerson999

Joshua Dowling
COM 510
2/10/2024
Saint Leo University

Chapter 8

2. Compare the ISO/IEC 27001 outline with the NIST documents discussed in this chapter. Which areas, if any, are missing from the NIST documents? Identify the strengths and weaknesses of the NIST programs compared to the ISO standard.

| NIST (Strengths) | ISO/IEC 27001 (Strengths) |
| --- | --- |
| Provides a complete model about information security | More efficient in the way it secures information |
| Open source | Reduces business risk |
| Long availability | Helps organizations comply with federal regulations |
| Widely used and understood; used often | Reduces mistakes |

| NIST (Weaknesses) | ISO/IEC 27001 (Weaknesses) |
| --- | --- |
| Information is not greatly detailed | Ambiguous delivery of terms |
| Because it is open source, it leaves room for false or inaccurate data | Too much flexibility |
|  | Requires a purchase to be compliant |

3. Search the Internet for the term security best practices. Compare your findings to the recommended practices outlined in the NIST documents.

| TechTarget.com | NIST |
| --- | --- |
| Update security policies | Principle 1: Establish sound security policy |
| Require strong authentication for all users | Principle 22: Authenticate users |
| Refresh your network security controls | Principle 26: Protect information |
| Prepare for compromises | Principle 4: Reduce risk |
| Keep your security knowledge current | Principle 33: Ensure developers are trained and aware |
| Improve employee awareness of security | Principle 33: Ensure developers are trained and aware |
| Be skeptical | Principle 22: Authenticate users and processes |
| Be selective | Principle 20: Perform audits to detect unauthorized usage |

4. Search the Internet for the term data classification model. Identify two such models and then compare and contrast the categories those models use for the various levels of classification.
Levity.ai gives a wonderful explanation of data classification and the different approaches that can be taken.

• Content-based classification: the contents of each file become the basis on which the files are organized.
• User-based classification: relies on the user’s knowledge of creation, editing, reviewing, or dissemination to label sensitive documents. Each individual can specify the degree of sensitivity of each document.
• Context-based classification: focuses on the context of the data, such as the location, application, and creator, as well as other variables that affect the data.

Amazon Web Services also supplies some information on a wide range of different schemes from around the world. All of them are very similar; I imagine that is because we are a world community now more than ever. We have to speak some of the same language. One of the models they share is the US Information Categorization Scheme.

• Low — Limited adverse effect on organization operations, organization assets, or individuals.
• Moderate — Serious adverse effect on organization operations, organization assets, or individuals.
• High — Severe or catastrophic adverse effect on organization operations, organization assets, or individuals.

In contrast to the US scheme, they share the United Kingdom Government classifications as well. This scheme was recently revised, in 2014, from six levels to three.

• Official — Routine business operations and services, some of which could have damaging consequences if lost, stolen, or published in the media, but none of which is subject to a heightened threat profile.
• Secret — Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors (e.g., compromise could significantly damage military capabilities, international relations, or the investigation of serious organized crime).
• Top Secret — Most sensitive information requiring the highest levels of protection from the most serious threats (such as where compromise could cause widespread loss of life or could threaten the security or economic well-being of the country or friendly nations).

5. Search the Internet for the term Treadway Commission. What was the Treadway Commission, and what is its major legacy in the field of InfoSec?

The Treadway Commission, or Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems. The major contribution that the Treadway Commission gave the infosec community is a framework for internal control and oversight. The COSO framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Chapter 9

4. Download and review “NIST SP 800-55, Rev. 1: Performance Measurement Guide for Information Security.” Using this document, identify five measures you would be interested in finding the results from based on your home computing systems and/or network.

• The percentage of security breaches my ISP, Spectrum, has experienced as a result of faulty controls and misconfigured access permissions.
• How many WiFi routers in the area are on standard configurations, thus providing little to no protection.
• The number of security patches that have been provided or issues that have been mitigated.
• Percentage (%) of system and service acquisition contracts that include security requirements and/or specifications.
• Percentage of system components that undergo maintenance in accordance with formal maintenance schedules.

5. Using the template provided in Table 9-1, develop documentation for one of the performance measurements you selected in Exercise 4.

Measure: The percentage of security breaches my ISP, Spectrum, has experienced as a result of faulty controls and misconfigured access permissions.

| Field | Data |
| --- | --- |
| Implementation Evidence | 1. The number of physical security breaches that occurred during the specified time period. 2. The number of incidents where attackers were able to obtain customer data and/or personal information. 3. The number of customers that felt a direct impact as a result of these incidents. |
| Frequency | Collection Frequency: Continuous, until sufficient data is received. Reporting Frequency: Monthly, upon request. |
| Responsible Parties | Information Owner: Spectrum’s Security Officer. Information Collector: Computer Security Incident Response Team (CSIRT). Information Customer: Spectrum’s Chief Information Officer (CIO), Information System Security Officer (ISSO). |
| Data Source | Physical security incident reports; physical access control logs. |
| Report Format | An easy-to-read graph that compares the number of security breaches experienced by different ISPs, reported by improperly configured access controls. |