7-3 Project Three Submission - Service Level Agreement Requirement Recommendations

School: Southern New Hampshire University

Course: 260
Subject: Information Systems
Date: Dec 6, 2023

7-3 Project Three Submission: Service Level Agreement Requirement Recommendations
Chris Lawton
Southern New Hampshire University
CYB 260: Legal and Human Factors of Cybersecurity
Prof. Aaron Dozier
October 15, 2023
With an initial agreement between Helios Health Insurance and Fit-vantage, it is important to outline proper CIS controls within the service level agreement (SLA). This helps set guidelines that ensure appropriate measures are taken to maximize the security and confidentiality of customers' data. Three of the CIS controls outlined in the SLA that Helios Health Insurance has provided that I would like to touch on are Control 4: Controlled Use of Administrative Privileges, Control 14: Controlled Access Based on the Need to Know, and Control 17, Section 6: Train Workforce on Identifying Social Engineering Attacks.

One sub-control within Control 4: Controlled Use of Administrative Privileges is 4.5: Use Multifactor Authentication for All Administrative Access. This is an important yet simple step that adds an extra layer of defense. The only change I would recommend is to require it for all accounts, not just employees with administrative access. This can be done in a few ways, such as sending a randomized number via text message or using an authenticator app that generates a new randomized number every few seconds. If credentials are compromised by an attacker, this prevents the attacker from using them with ease. It also adds that extra layer in the case where a user has a weak password that is easily cracked. Applying this control ensures that the overall control of administrative privileges is properly met and that measures are taken for a layered security approach to improve the confidentiality of sensitive information.

Another sub-control I would like to touch on falls under Control 14: Controlled Access Based on the Need to Know. That sub-control is 14.4: Encrypt All Sensitive Information in Transit. This sub-control is crucial to ensuring that all customer data remains private and protected while it flows back and forth between servers and devices. All data that is transmitted would be considered sensitive and needs to be confidential. Utilizing encryption tools helps keep our customers' data as private as possible while in transit. Fit-vantage prides itself on investing in every customer, and by using this sub-control we are investing in their trust by keeping their information confidential and private.

In my opinion, training programs are vital to a company's success. Everyone within an organization plays a role in protecting data and preventing social engineering attacks. Having an engaging and educational program that outlines these types of threats can help employees recognize when they are a target and take the proper steps to mitigate the threat at the lowest level. This can prevent the escalation of attacks, or raise alarms to the security department if the attack is beyond what the employee is trained to handle. This is perfectly outlined in CIS sub-control 17.6: Train Workforce on Identifying Social Engineering Attacks. According to Williams (n.d.), 95% of cybersecurity breaches are caused by human error, with 20% of all employees likely to click on phishing email links. Those numbers are staggering, as roughly 45% of organizations provide mandatory cybersecurity training, with only 10% being deemed optimal (Staff, 2018). These numbers show the importance of a training program; with an optimal one, you can expect to see those numbers decrease as employees become more engaged and aware of the potential threats and how to prevent them at the earliest stages. Proper training gives employees the tools to keep their heads on a swivel and be mindful of the types of attacks they might expect to see.
References

Staff, D. R. (2018, December 6). 55% of companies don't offer mandatory security awareness training. Dark Reading. https://www.darkreading.com/risk/55-of-companies-don-t-offer-mandatory-security-awareness-training

Why Multi-Factor Authentication (MFA) is important | Okta. (n.d.). Okta, Inc. https://www.okta.com/identity-101/why-mfa-is-everywhere/#:~:text=MFA%20Enables%20Stronger%20Authentication&text=With%20MFA%2C%20it's%20about%20granting,attacks%20that%20cost%20organizations%20millions.

Williams, M. (n.d.). 10 statistics that show why training is key to good data protection. https://www.pensar.co.uk/blog/cybersecurity-infographic