Unit_4_WorkSheet_2 (docx)
School: Lone Star College, CyFair
Course: 2279
Subject: Information Systems
Date: Dec 6, 2023
Pages: 7
Uploaded by EarlBear1147
Unit 4 Privacy Data Security Gap Mitigation Recommendations
Instructions: Given a Request for Proposal (RFP), the results of an information technology (IT) security compliance and governance gap analysis, and a list of privacy data related gaps, describe each recommendation from the gap analysis and suggest at least one control change to satisfy the recommendation. Provide a narrative explaining the importance of mitigating each privacy data security gap.
Columns: Privacy Data Security Gap | Mitigation Control | Mitigation Importance
Personnel Background Investigation
Mitigation Control:
1- Reinvestigation requirements.
2- Risk level changes. If an employee or appointee experiences a change to a higher position risk level due to promotion, demotion, or reassignment, or the risk level of the employee's or appointee's position is changed to a higher level.
Mitigation Importance:
* Agencies must ensure that reinvestigations are conducted and a determination made regarding continued employment of persons occupying public trust positions at least once every 5 years.
* Agencies must notify all employees covered by this section of the reinvestigation requirements under this paragraph.
2- The employee or appointee may remain in or encumber the position. Any upgrade in the investigation required for the new risk level should be initiated within 14 calendar days after the promotion, demotion, reassignment or new designation of risk level is final.
Segregation of Duties (SOD)
Mitigation Control:
1- Authorization or approval of transactions.
2- Custody of assets.
3- Reviewing and reconciling transactions.
4- Monitoring user access rights.
5- Reviewing financial reports.
Mitigation Importance:
A manager or someone with the delegated authority approves certain transactions. Using inventory as an example, a manager authorizes the purchase and the budget. One worker orders the goods, and another worker marks the items as received in the company's system. This way, the person who orders the items can't pad the order with more than needed and take some for personal use at the company's expense. This is where that extra layer of financial auditing comes in for the inventory: the worker who records the items as received has their work reviewed and reconciled for accuracy and compliance.
Separation of Development and Production Facilities
Mitigation Control:
Separate development and test activities from operational environments, and restrict developer access to operational environments.
Mitigation Importance:
This reduces the risks of inadvertent or unauthorized modifications to the operational system that could compromise the system's integrity or availability.
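The ordering-versus-receiving split in the Segregation of Duties row above can be enforced mechanically. This is an added example, not the worksheet's own material; the duty names, the conflict matrix and the sample transactions are constructed for illustration.

```python
"""Segregation-of-duties check for the purchasing workflow in the SOD row above.
Added example, not from the worksheet; duty names, the conflict matrix and
the sample transactions are constructed for illustration."""
from dataclasses import dataclass, field

# Duty pairs that one person must not hold on the same transaction, drawn from
# the five SOD areas listed above (authorize, custody, reconcile, access rights).
CONFLICTING_DUTIES = {
    frozenset({"order", "receive"}),          # the worksheet's own example: padding an order
    frozenset({"authorize", "receive"}),      # approve the purchase AND take custody
    frozenset({"order", "authorize"}),        # request AND approve your own purchase
    frozenset({"receive", "reconcile"}),      # record receipt AND review/reconcile it
    frozenset({"access_admin", "authorize"}), # grant access rights AND approve
    frozenset({"access_admin", "receive"}),
}

@dataclass
class PurchaseTransaction:
    actors: dict = field(default_factory=dict)   # duty -> user id who performed it

def sod_violations(txn: PurchaseTransaction) -> list:
    """List every conflicting duty pair that a single user holds on this transaction."""
    by_user = {}
    for duty, user in txn.actors.items():
        by_user.setdefault(user, set()).add(duty)
    problems = []
    for user, duties in by_user.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                a, b = sorted(pair)
                problems.append(f"{user} holds both '{a}' and '{b}'")
    return sorted(problems)

def is_sod_compliant(txn: PurchaseTransaction) -> bool:
    return not sod_violations(txn)

# Constructed sample: ordering, approval, receipt and reconciliation are all
# done by different people, as the worksheet recommends.
GOOD = PurchaseTransaction({"order": "clerk_ana", "authorize": "mgr_kim",
                            "receive": "clerk_bob", "reconcile": "auditor_lee",
                            "access_admin": "it_raj"})
# Constructed violation: the same clerk orders the goods and marks them received.
BAD = PurchaseTransaction({"order": "clerk_ana", "authorize": "mgr_kim",
                           "receive": "clerk_ana", "reconcile": "auditor_lee"})

if __name__ == "__main__":
    print("GOOD:", sod_violations(GOOD))   # []
    print("BAD:", sod_violations(BAD))     # ["clerk_ana holds both 'order' and 'receive'"]
```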
Production Environment Access Control
Mitigation Control:
1- Change access to Group Policy Objects (GPOs) in the production environment of the domain.
2- Replace any existing permissions on those GPOs.
3- Configure permissions at the domain level to either allow or prevent users from editing, deleting, or modifying the security of GPOs in the production environment when they are not using the Change Control folder in the Group Policy Management Console (GPMC).
Mitigation Importance:
Changing how access to the production environment is delegated does not affect users' ability to link GPOs. Permissions can be added for a user or group that does not have access to the production environment, or replaced for a user or group that does have access.
Application Control
Mitigation Control:
1- Removing local admin rights.
2- Enforcing least privilege.
3- Implementing application control policies.
Mitigation Importance:
Protecting the workstations beyond the corporate network is necessary. Workstations have become the new edge, and Windows, macOS and Linux devices present a common entry point for threat actors. An endpoint privilege manager offers best practices for defending against breaches without hampering end-user productivity or creating operational bottlenecks.
Operating System Access Control
Mitigation Control:
1- Protecting your staff, customers, visitors, stock, and spaces within a building is the cornerstone of a well-functioning access control system.
2- Access control solutions should help your business minimize risk and create a safe environment by controlling who can enter a building or access specific areas within the premises.
3- Get a really good access control system for the company, like Protege WX for small business or Protege GX.
Mitigation Importance:
Access control systems should enable effortless movement and enhance the overall efficiencies of day-to-day business.
Protege WX provides the user with the familiarity of a browser-based platform that is both flexible and intuitive, making daily access control management a breeze. ICT offers installers free online training, and should an end user's requirements change, the modular hardware design allows the system to scale with ease.
Protege GX is an enterprise-level integrated access control, intruder detection, and building automation solution with a feature set that is easy to operate, simple to integrate, and effortless to extend.
Session Timeouts
Mitigation Control:
1- Risk Identification.
2- Evaluate potential third-party partners.
3- Contractual Safeguards and Onboarding.
4- Ongoing Monitoring and Compliance.
5- Incident Response Planning.
Mitigation Importance:
1- Begin with a comprehensive assessment of third-party relationships and their potential risks.
2- Evaluate potential third-party partners using risk assessment criteria, ensuring alignment with your organization's standards.
3- Enhance contracts with risk mitigation measures and integrate new partners with a focus on security and compliance.
4- Establish mechanisms for continuous monitoring of third-party performance, compliance, and emerging risks.
5- Collaboratively develop incident response plans to address potential disruptions or breaches involving third-party partners.
Password Management
Mitigation Control:
1- Set Up and Enforce Password Policies.
2- Use a Password Manager.
3- Use a Second Factor (2FA/MFA).
4- Train Employees About Password Hygiene.
5- Use Phishing Simulations to Reduce Password Theft.
Mitigation Importance:
1- Password policies include everything associated with managing passwords and keeping passwords secure. A policy should include the safe storage of passwords and how often a password needs to be changed.
2- Password managers such as LastPass and password generators reduce password fatigue and, therefore, can help eliminate password reuse and sharing.
3- Using a second factor, such as a mobile authentication code, is a useful way to add another layer of security to the access of an application.
4- Enforcing this policy requires employees to understand why secure passwords are essential.
5- By training employees on how phishing works and what the tell-tale signs of a phishing message look like, a company can help prevent the theft of credentials via phishing.
Use of Shared Technology Resources
Mitigation Control:
1- The company must provide the CSP services.
2- Provide cloud security configuration tools and monitoring systems.
3- Provide
Mitigation Importance:
Organizational administrators in the company are usually responsible for configuring application-level security (access controls for authorization to data). CSPs and cloud customers share unique and overlapping responsibilities to ensure the security of services and sensitive data stored in public clouds. Shared technology resources affect routine operations, such as patch management, and exceptional events, such as security incident response.
Monitoring System Access and Use
Mitigation Control:
1- Mitigating controls for when it is not possible to enforce segregation of duties (SoD) in the business process.
2- Use Mitigating Controls to associate controls with risks, and assign them to users, roles, profiles, or HR objects.
3- Mitigation monitors are assigned to control monitor alerts.
Mitigation Importance:
* Create mitigating controls (that you cannot remove).
* Assign mitigating controls to users, roles, and profiles that contain a risk.
* Establish a period of time during which the control is valid.
* Specify steps to monitor conflicting actions associated with the risk.
* Create administrators, control monitors, approvers, and risk owners, and assign them to mitigating controls.
Monitoring system access allows the company to proceed with risk analysis under Access Management.
Event Logging
Mitigation Control:
Your audit logs should feature these elements:
* User ID
* Terminal identity
* Log-on and log-off time and date
* Systems, data, applications, files, and networks accessed
* Failed attempts to access systems, data, applications, files, and networks
* Changes to system configurations and use of system utilities
* Alarms and other security events
* Activity from cybersecurity tools like the firewall or antivirus software
Activity within your applications needs to be regularly saved and analyzed. Logged events typically include the following:
* Application exceptions
* Major events like startups, stops, and restarts, as well as security events
* Error events that prevent the application from starting
* Some debug information
* SQL logs
Mitigation Importance:
When security breaks down and your application or network is compromised, event logging and monitoring can notify you that a problem exists as well as where the breach has occurred, enabling you to stop or limit the damage. It can also help you understand the vulnerabilities that have been exploited by an outside threat so you can attempt to recover or protect that data, or at least do what's necessary to avoid similar breaches in the future.
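A small review script shows how the log elements listed above are actually used: each record is checked for the required fields, repeated failed attempts are counted per user, and configuration changes are pulled out for review. Added example, not from the worksheet; the JSON-lines format and the sample records are constructed.

```python
"""Audit-log review for the event logging elements listed in the row above.
Added example, not from the worksheet; the JSON-lines log format and the
sample records are constructed for illustration."""
import json
from collections import Counter

# Elements the worksheet says every audit record should carry.
REQUIRED_FIELDS = ("user_id", "terminal", "timestamp", "action", "resource", "outcome")

# Constructed sample log: logon/logoff, file access, repeated failed logons,
# a configuration change, and one record missing its terminal identity.
SAMPLE_LOG = """\
{"user_id":"ana","terminal":"ws-014","timestamp":"2023-12-06T08:01:10Z","action":"logon","resource":"erp","outcome":"success"}
{"user_id":"ana","terminal":"ws-014","timestamp":"2023-12-06T08:03:42Z","action":"read","resource":"payroll.xlsx","outcome":"success"}
{"user_id":"bob","terminal":"ws-022","timestamp":"2023-12-06T08:05:00Z","action":"logon","resource":"erp","outcome":"failure"}
{"user_id":"bob","terminal":"ws-022","timestamp":"2023-12-06T08:05:20Z","action":"logon","resource":"erp","outcome":"failure"}
{"user_id":"bob","terminal":"ws-022","timestamp":"2023-12-06T08:05:41Z","action":"logon","resource":"erp","outcome":"failure"}
{"user_id":"bob","terminal":"ws-022","timestamp":"2023-12-06T08:06:02Z","action":"logon","resource":"erp","outcome":"failure"}
{"user_id":"root","terminal":"srv-01","timestamp":"2023-12-06T08:10:00Z","action":"config_change","resource":"/etc/sshd_config","outcome":"success"}
{"user_id":"ana","timestamp":"2023-12-06T08:30:00Z","action":"logoff","resource":"erp","outcome":"success"}
"""

def parse_events(text):
    """Yield (event, missing_fields); an unparseable line is reported as missing everything."""
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            yield {"_line": lineno}, list(REQUIRED_FIELDS)
            continue
        ev["_line"] = lineno
        yield ev, [f for f in REQUIRED_FIELDS if f not in ev]

def review(text, fail_threshold=3):
    """Incomplete records, users at or over the failed-attempt threshold, and
    configuration changes: the items a reviewer checks in these logs."""
    incomplete, fails, config_changes = [], Counter(), []
    for ev, missing in parse_events(text):
        if missing:
            incomplete.append((ev["_line"], missing))
        if ev.get("outcome") == "failure":
            fails[ev.get("user_id", "?")] += 1
        if ev.get("action") == "config_change":
            config_changes.append((ev.get("user_id"), ev.get("resource")))
    suspicious = {u: n for u, n in fails.items() if n >= fail_threshold}
    return {"incomplete": incomplete, "suspicious": suspicious,
            "config_changes": config_changes}
```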
System Development and Maintenance Control
Mitigation Control:
1- Equipment maintenance.
2- The information security related requirements should be included in the requirements for new information systems or enhancements to existing information systems.
3- Securing application services on public networks – information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
4- Protecting application services transactions – information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Mitigation Importance:
The objective of security requirements of information systems is to ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
The objective of security in development and support processes is to ensure that information security is designed and implemented within the development lifecycle of information systems.
User Registration and Authorization
Mitigation Control:
Authentication methods include something users know, something users have and something users are. Not every authentication type is created equal to protect the network; authentication methods range from offering basic protection to stronger security. Using more than one method, that is, multi-factor authentication (MFA), is recommended. Use user authentication types such as:
1- Password-based authentication
2- Two-factor/multi-factor authentication
3- Biometric authentication
4- Single sign-on
5- Token-based authentication
6- Certificate-based authentication
Mitigation Importance:
Requiring users to provide and prove their identity adds a layer of security between adversaries and sensitive data. With authentication, IT teams can employ least privilege access to limit what employees can see. The average employee, for example, doesn't need access to company financials, and accounts payable doesn't need to touch developer projects.
Loss of User Privilege
Mitigation Control:
A privileged user is someone "trusted" who has administrative-type access to critical systems, which include:
* System / Database Administrators
* Human Resources Staff
* Support Staff
Such users can:
* amend system configurations
* install and/or upgrade software and change access for other users
* override existing security policies, make unauthorized system changes and access confidential data
Mitigation Importance:
The company should provide the best self-hosted access management software to efficiently manage data and mitigate any security threat. If risks are identified, we collaborate to develop effective strategies for risk mitigation and remediation to reduce the company's risk of fraud. Privileged access rights can also be granted to service accounts.
User Privilege Control
Mitigation Control:
1- Manage the risk: implement a user management policy, access management, and password management.
2- Monitor activity: keep an audit trail of changes to critical or master data such as address book, vendor, and supplies.
3- Monthly user access review.
4- Ask your vendors to regularly supply a list of their employees who are assigned to your account.
Mitigation Importance:
Track changes to your critical data to prevent and detect fraud in your ERP system.
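The monthly user access review (item 3) and the vendor-supplied staff list (item 4) above, together with the privileged-user roles from the Loss of User Privilege row, can be reconciled in code. Added example, not from the worksheet; the account list, HR roster and vendor staff lists are constructed for illustration.

```python
"""Monthly user-access review, added here as an example for the 'Loss of User
Privilege' and 'User Privilege Control' rows. Not from the worksheet; the
account list, HR roster and vendor staff lists are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    owner: Optional[str]   # employee id, vendor staff id, or None for a service account
    kind: str              # "employee", "vendor" or "service"

# Constructed inputs: the ERP's account list, HR's active-employee roster, and
# the list each vendor regularly supplies of its staff assigned to our account.
ACCOUNTS = [
    Account("ana.r", True, "E100", "employee"),
    Account("bob.k", False, "E101", "employee"),
    Account("chris.d", True, "E102", "employee"),    # E102 left last month
    Account("acme-tom", True, "V-ACME-7", "vendor"),
    Account("acme-jo", True, "V-ACME-9", "vendor"),  # no longer on ACME's list
    Account("svc_backup", True, None, "service"),
]
HR_ACTIVE = {"E100", "E101"}
VENDOR_ASSIGNED = {"ACME": {"V-ACME-7"}}

def access_review(accounts, hr_active, vendor_assigned):
    """Return privileged accounts that fail the monthly review, grouped by reason."""
    findings = {"left_company": [], "vendor_unassigned": [], "service_account": []}
    assigned = set().union(*vendor_assigned.values())
    for acct in accounts:
        if not acct.privileged:
            continue                                        # review privileged access first
        if acct.kind == "employee" and acct.owner not in hr_active:
            findings["left_company"].append(acct.name)      # revoke: owner is no longer staff
        elif acct.kind == "vendor" and acct.owner not in assigned:
            findings["vendor_unassigned"].append(acct.name) # vendor no longer vouches for them
        elif acct.kind == "service":
            findings["service_account"].append(acct.name)   # must be given a named owner
    return findings

if __name__ == "__main__":
    for reason, names in access_review(ACCOUNTS, HR_ACTIVE, VENDOR_ASSIGNED).items():
        print(f"{reason}: {names}")
```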