7-3 Project Three Submission - Service Level Agreement Requirement Recommendations
7-3 Project Three Submission: Service Level Agreement Requirement Recommendations
Chris Lawton
Southern New Hampshire University
CYB 260: Legal and Human Factors of Cybersecurity
Prof. Aaron Dozier
October 15, 2023
With an initial agreement between Helios Health Insurance and Fit-vantage, it is important to outline proper CIS controls within the service level agreement (SLA). This helps set guidelines that ensure appropriate measures are taken to maximize the security and confidentiality of customers' data. Three of the CIS controls outlined in the SLA that Helios Health Insurance has provided that I would like to touch on are Control 4: Controlled Use of Administrative Privileges, Control 14: Controlled Access Based on the Need to Know, and Control 17, Section 6: Train Workforce on Identifying Social Engineering Attacks.
One sub-control within Control 4, Controlled Use of Administrative Privileges, is 4.5: Use Multifactor Authentication for All Administrative Access. It is an important yet simple step that adds an extra layer of defense. The only change I would recommend is requiring it for all accounts, not just employees with administrative access. This can be done in a few ways, such as sending a randomized number via text message or using an authenticator app that generates a new one-time code every few seconds. If credentials are compromised by an attacker, this prevents the attacker from using them with ease. It also adds that extra layer in the case where a user has a weak password that is easily cracked. Applying this control ensures that administrative privileges are properly controlled overall, and that measures are taken toward a layered security approach that improves the confidentiality of sensitive information.
Another sub-control I would like to touch on falls under Control 14: Controlled Access Based on the Need to Know. That sub-control is 14.4: Encrypt All Sensitive Information in Transit. This sub-control is crucial to ensuring that all customer data remains private and protected while it flows back and forth between servers and devices. All data that is transmitted would be considered sensitive and needs to be kept confidential. Using encryption tools helps keep our customers' data as private as possible while in transit. Fit-vantage prides itself on investing in every customer, and by applying this sub-control we are investing in their trust by keeping their information confidential and private.
In my opinion, training programs are vital to a company's success. Everyone within an organization plays a role in protecting data and preventing social engineering attacks. An engaging and educational program that outlines these types of threats can help employees recognize when they are a target and know the proper steps to mitigate the threat at the lowest level. This can prevent attacks from escalating, or raise the alarm to the security department when an attack goes beyond what the employee has been trained to handle. This is perfectly outlined in CIS sub-control 17.6: Train Workforce on Identifying Social Engineering Attacks. According to Williams (n.d.), 95% of cybersecurity breaches are caused by human error, with 20% of all employees likely to click on phishing email links. Those numbers are staggering, as roughly 45% of organizations provide mandatory cybersecurity training, with only 10% being deemed optimal (Staff, 2018). These numbers show the importance of a training program; with an optimal one, you can expect to see those numbers decrease as employees become more engaged and aware of the potential threats and how to prevent them at the earliest stages. Proper training will give employees the tools they need to keep their heads on a swivel and be mindful of the types of attacks they might expect to see.
References
Staff, D. R. (2018, December 6). 55% of companies don't offer mandatory security awareness training. Dark Reading. https://www.darkreading.com/risk/55-of-companies-don-t-offer-mandatory-security-awareness-training

Why Multi-Factor Authentication (MFA) is important | Okta. (n.d.). Okta, Inc. https://www.okta.com/identity-101/why-mfa-is-everywhere/#:~:text=MFA%20Enables%20Stronger%20Authentication&text=With%20MFA%2C%20it's%20about%20granting,attacks%20that%20cost%20organizations%20millions.

Williams, M. (n.d.). 10 statistics that show why training is key to good data protection. https://www.pensar.co.uk/blog/cybersecurity-infographic