SEC310 Project Module 2 - Pietro Mariano


School

DeVry University, Chicago

Course

310

Subject

Information Systems

Date

Apr 3, 2024

Type

docx

Pages

6

Uploaded by GrandMosquitoPerson821

Student Name: Pietro Mariano
Date: 12/11/2023

NIST Cyber Framework Policy in the Workforce

Security Awareness and Training Policy

NIST functions and sub-categories: Identify: Asset Management (ID.AM-1, ID.AM-2, ID.AM-3); Protect: Awareness and Training (PR.AT-1).

Amazon Web Services (AWS) is the implementation example identified. It is in the ecommerce sector of industry. The Security Awareness and Training Policy ensures that the appropriate level of information security awareness training is provided to all Information Technology users (IT system managers, administrators, and users of systems and data). Everyone has a role to play in the success of a security awareness and training program, but agency heads, Chief Information Officers (CIOs), program officials, and IT security program managers have key responsibilities to ensure that an effective program is established agency-wide. This NIST policy template includes a basic understanding of the need for information security and of the user actions required to maintain security. In short, it gives the framework for preventing and responding to suspected security incidents. The policy can be customized for any organization, because the need to protect information, and to have employees understand its importance, is critical. In the case of AWS, they have implemented security incident response plans in order to train their users and employees on what to do in a security incident, following the standard incident handling phases: first preparation; then detection and analysis; then containment, eradication, and recovery; and lastly post-incident activity. To verify compliance, the NIST policy makes it mandatory to keep security training records. As defined in the policy, the entity shall designate personnel to document and monitor individual information system security training activities, including basic security awareness training and specific information system security training.

Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge, as well as both civil and criminal penalties. Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to IT resources, and other actions, as well as both civil and criminal penalties. The frequency of evaluation is not stated in the policy, but it is advised to revise and recheck it yearly, with the goals of strengthening the company's information security policy design and analyzing its effectiveness.

Contingency Planning Policy

NIST functions and sub-categories: Recover: Recovery Planning (RC.RP-1), Improvements (RC.IM-1, RC.IM-2).

The organization implementation example is the University of Arizona, which is in the education sector. The University of Arizona's policy aims to establish the organization's overall contingency objectives and responsibilities. It also provides a framework for developing and implementing procedures related to system contingency planning. This policy applies to all individuals with access to the University's information systems and computers, as well as those who are responsible for maintaining and operating these systems on behalf of the University. They are also required to develop and implement contingency plans for those systems that are classified as restricted or business critical. The plans must provide preventative measures, recovery strategies, and technical considerations in the event of a disruption. This NIST policy template is created with the aim of ensuring that normal Information Technology resources and information systems remain available during times of disruption of services. The University of Arizona created two custom policies based on the NIST policy example. The first way they provide contingencies is by publishing guidance for the classification and handling of University information assets in the event of a disruption (New University of Arizona Data Classification and Handling Standard | UA @Work). The second is that they specify what a contingency plan must include (guidelines): procedures for restoring the information system, including the acquisition and maintenance of resources needed to facilitate the recovery and/or continuity of essential system functions; processes for acquiring and maintaining the resources necessary to ensure viability of the restoration procedures; training for personnel to execute contingency procedures; the assignment of responsibilities to designated staff or positions involved in the execution of the plan; and readiness and preparedness procedures for the annual review and testing of the plan. The criteria defined for the University of Arizona are Tracking, Measuring, and Reporting. The ISO must develop, test, review, maintain, and communicate a representation of the University-wide information security posture to University leadership. The ISO is authorized to initiate mechanisms to track the effective implementation of information security controls associated with this policy and to produce reports measuring individual or Unit compliance to support University decision making. Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge, as well as both civil and criminal penalties.
Non-employees, including, without limitation, contractors, may be subject to termination of contractual agreements, denial of access to Information Technology (IT) resources, and other actions, as well as both civil and criminal penalties.

Risk Assessment Policy

NIST functions and sub-categories: Identify: Risk Management Strategy (ID.RM-1).

DeVry University is the example identified. It is in the education sector. The purpose of risk assessment is to ensure that Information Technology (IT) performs risk assessments in compliance with IT security policies, standards, and procedures. This policy is applicable to all departments and users of IT resources and assets. The Chief Executive Officer, with the assistance of the Chief Risk Officer, senior managers, and/or risk owners, is responsible for implementing the risk management policy. The risk assessment policy a school sets out has the requirements to identify and manage risks that might affect its students, staff, or operations. The first way DeVry provides risk assessment is by having an independent third party conduct a risk assessment annually. The second way is that they then take the findings from the risk assessment and roll them into the risk register for tracking, treatment, and reporting. The results are reported through the Cyber Risk Management Committee, Executive Committee, Audit and Finance Committee, and the Board so they can define threats and create new risk policy to combat those threats. The criteria are to conduct (or have conducted by a qualified third party) an assessment of risk and to document, review, disseminate, and update the risk assessment (quarterly or whenever there are significant changes to the information system or environment of operation). Also, as outlined by this policy, systems must be scanned for vulnerabilities to prevent future attacks.

Access Control Policy

NIST functions and sub-categories: Identify: Asset Management (ID.AM-1, ID.AM-2); Protect: Identity Management and Access Control (PR.AC-1, PR.AC-4), Data Security (PR.DS-3), Information Protection Processes and Procedures (PR.IP-1), Protective Technology (PR.PT-1).

The example identified is the University of Central Florida. It is in the education sector. Access control policies help define the standards of data security and data governance for organizations. They set the level of access to sensitive information for users based on roles, policies, or rules. This applies to all people accessing data in the organization. The Chief Executive Officer and security liaisons are responsible for ensuring the appropriate access controls are in effect. This policy is fitted to their needs by providing guidelines for access to secured spaces, whether online or in person. The purpose is to ensure that access controls are implemented in compliance with IT security policies, standards, and procedures. This university explains in detail its policies regarding in-person access via key card, electronic access via online login credentials, individual responsibilities, and records and audits for accountability. The three main criteria for access control are account management (establishing conditions for group and role membership), access enforcement (enforcing approved authorizations for logical access), and least privilege (allowing users only the authorized accesses necessary to accomplish their assigned tasks). The university guidelines do not say so, but an access control review should be conducted on a regular basis, such as annually or bi-annually. The frequency of the review will depend on the level of risk the organization faces as the years continue.

Vulnerability Scanning Standard

NIST functions and sub-categories: Detect: Anomalies and Events (DE.AE-3), Security Continuous Monitoring (DE.CM-1, DE.CM-4, DE.CM-7).

The example identified is West Virginia University. It is in the education sector. The purpose of this standard is to utilize automated tools to scan systems, computing and network devices, web applications, and application code. The results of these scans inform management and system administrators of known and potential vulnerabilities, reducing the risk of cyberattacks and data breaches. The Chief Information Officer, supported by the Chief Information Security Officer, is responsible for the implementation and enforcement of this standard. WVU customizes this standard to identify potential internal and external threats to University Data; the University then conducts vulnerability scans to address these threats. The purpose of the standard is to establish the rules and requirements for how the University will identify, assess, and remediate vulnerabilities. Another way WVU customizes it is that vulnerability scans are conducted to detect security weaknesses within the Campus Network: weekly, they conduct authenticated scans of individual IP addresses and of newly created or modified University Technology Resources deployed on the Campus Network. As per the Information Security Policy, all systems must be scanned for vulnerabilities. In addition, each system must be inventoried and have an individual or group assigned responsibility for its maintenance and administration. Compliance is expected with all enterprise policies and standards.

Encryption Standard

NIST function and sub-categories: Detect: Security Continuous Monitoring (DE.CM-1);
Protect: Data Security (PR.DS-1, PR.DS-2), Information Protection Processes and Procedures (PR.IP-4), Protective Technology (PR.PT-4).

The example identified is Florida State University. It is in the education sector. Encryption is a cryptographic operation that transforms readable information ("plaintext") into unintelligible information ("ciphertext"). The purpose of encryption is to provide users enhanced security and to protect electronic data. The Chief Information Officer, supported by the Chief Information Security Officer, is responsible for the implementation and enforcement of this standard. FSU customizes this policy to baseline the security protections and controls that are appropriate and required to protect the confidentiality, integrity, and availability of data, including the minimum security standards for the encryption of all institutional data accessed, created, stored, processed, or transmitted. They also customize it to ensure that users of the systems protect and secure FSU data, devices, and portable storage media. They encrypt to protect data in transit and data at rest. This is required to reduce the risk of unencrypted data being intercepted or monitored as it is transmitted over trusted or untrusted networks, or read if it is stored on a server or storage medium. As per the Encryption Standard, organizations must apply it to all systems, including websites and web services, for which the entity has administrative responsibility, including those managed and hosted by third parties on behalf of the entity. Encryption is required when electronic personally identifiable information (PII) is transmitted (including, but not limited to, e-mail, File Transfer Protocol (FTP), instant messaging, e-fax, Voice over Internet Protocol (VoIP), etc.) and when remotely accessing an entity's internal network and/or devices over a shared (Internet) or personal (Bluetooth, infrared) network.
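The encryption passage above describes the plaintext-to-ciphertext transformation and the requirement to protect stored PII. The following is an added example, not FSU's standard and not code from the original page, of encrypting one record at rest with AES-256-GCM in Go. It goes slightly beyond the text by showing why an authenticated mode matters: the stored ciphertext is bound to a record identifier and to an integrity tag, so a bit flip in storage or a ciphertext copied onto another record is rejected at decryption rather than silently producing wrong plaintext. The SealedRecord layout, the sample PII value, the record identifier used as associated data and the in-process key are all constructed for this example; a real deployment would obtain and wrap the key through a key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is a hypothetical layout for one encrypted field stored at
// rest: the random nonce is kept beside the ciphertext, and the 16-byte GCM
// authentication tag is already appended to Ciphertext by Seal.
type SealedRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a random 256-bit AES key. This is an assumption for the
// example; a real deployment would generate and wrap the key in a
// key-management service rather than hold it only in process memory.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. context is authenticated but not
// encrypted (here the record identifier), so a ciphertext copied onto another
// record fails to open even though the key is the same.
func Seal(key, plaintext, context []byte) (SealedRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	// A fresh random 96-bit nonce per message; reusing one under the same key
	// breaks GCM, so it is never derived from the record contents.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, context)
	return SealedRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a record. Any change to the nonce, ciphertext,
// tag or context yields an error rather than silently corrupted plaintext.
func Open(key []byte, rec SealedRecord, context []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != aead.NonceSize() {
		return nil, errors.New("sealed record has wrong nonce length")
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, context)
}

// TamperDetected flips one bit of a copy of the stored ciphertext and reports
// whether Open rejected the modified record.
func TamperDetected(key []byte, rec SealedRecord, context []byte) bool {
	forged := SealedRecord{
		Nonce:      rec.Nonce,
		Ciphertext: append([]byte(nil), rec.Ciphertext...),
	}
	forged.Ciphertext[0] ^= 0x01
	_, err := Open(key, forged, context)
	return err != nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("student-record:12345") // constructed sample identifier
	pii := []byte("SSN=123-45-6789")           // constructed sample PII
	rec, err := Seal(key, pii, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: nonce=%x ciphertext+tag=%x\n", rec.Nonce, rec.Ciphertext)

	got, err := Open(key, rec, recordID)
	fmt.Printf("opened with correct context: %q err=%v\n", got, err)

	_, err = Open(key, rec, []byte("student-record:99999"))
	fmt.Printf("opened with wrong context: err=%v\n", err)

	fmt.Printf("bit flip in stored ciphertext detected: %v\n", TamperDetected(key, rec, recordID))
}
```

Run it with `go run` to see the three outcomes. The associated-data parameter is what ties a ciphertext to its record; without it, an attacker with write access to the store could swap encrypted values between rows without ever learning the key. Data in transit in the FSU sense is a separate concern and is normally handled by TLS rather than by this kind of record-level sealing.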
Compliance is expected with all enterprise policies and standards.

Physical and Environmental Protection Policy

NIST function and sub-categories: Protect: Awareness and Training (PR.AT).

The example is the Department of Consumer Affairs (DCA) for the State of California. It is in the government sector. The purpose of this policy is to ensure that Information Technology (IT) resources are protected by physical and environmental security measures that prevent physical tampering, damage, theft, or unauthorized physical access. This policy applies to all departments and users of IT resources and assets. The policy is customized to the needs of DCA because it establishes physical security and environmental controls to safeguard DCA information assets, and restricting physical access to information assets reduces the potential for their misuse. First, access to buildings, file rooms, and work areas that house information assets shall be limited to authorized personnel; appropriate physical access controls (e.g., proximity card readers, gates, guards, turnstiles, etc.) must be implemented to control physical access to information assets. Second, personnel identification systems (e.g., badges, identification cards, etc.) and facility access controls must be implemented for employees and visitors. Third, keys, combinations, and other physical access devices must be appropriately secured. Keys and combinations must be changed when keys are lost, when combinations are compromised, or when individuals with knowledge of the combinations are transferred or terminated.

Secure System Development Life Cycle Standard

NIST functions and sub-categories: Protect: Identity Management and Access Control (PR.AC-1, PR.AC-4), Data Security (PR.DS-3), Information Protection Processes and Procedures (PR.IP-1).

The example is the University of Kansas; it is in the education sector. The purpose of the Systems Development Life Cycle (SDLC) Policy is to describe the requirements for developing and/or implementing new software and systems at the University of Kansas and to ensure that all development work is compliant with any and all regulatory, statutory, federal, and/or state guidelines. It applies to University employees (faculty, staff, and student employees), students, and other covered individuals (University affiliates, vendors, independent contractors, etc.) who perform any type of software or systems development work under the auspices of the University. The Chief Information Officer, supported by the Chief Information Security Officer, is responsible for the implementation and enforcement of this standard. KU customizes this standard by applying it to all systems and software development work done at the University of Kansas so that the work adheres to industry best practices with regard to a Systems (Software) Development Life Cycle. They also apply the standard to these subtasks: System Initiation, System Requirements Analysis, System Design, System Construction (Procurement), System Testing and Acceptance, System Implementation, and System Maintenance. The policy does not outline a time for review; KU has reviewed this policy every 5 to 10 years. It is advised to review it annually for modifications, as the cyber world is quickly evolving and threats are more present now than ever.
References

https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/introduction.html
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-50.pdf
https://policy.arizona.edu/information-technology/contingency-planning-policy
https://policies.ucf.edu/documents/3-105.pdf
https://www.it.unlv.edu/policies/computer-security-policy
https://it.wvu.edu/policies-and-procedures/security/vulnerability-management-standard
https://its.fsu.edu/cybersecurity/standards/encryption-standard
https://dca.ca.gov/bizmod/iso_1901.pdf
https://policy.ku.edu/IT/systems-development-life-cycle-policy
NIST Cybersecurity Framework