In week 4, describe a plan of action and its impact on creating a risk management plan. You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.
CHAPTER 9
Identifying and Analyzing Risk Mitigation Security Controls
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning objective: Identify risk mitigation security controls and develop a risk mitigation plan.
Key concepts:
In-place and planned controls
Families of controls defined by NIST
Procedural, technical, and physical controls
In-Place Controls
Controls already installed and operating in a production system
Replace or strengthen in-place controls that don't meet their goals
Three primary objectives of controls:
Prevent
Detect
Recover
Planned Controls
Controls that have been approved but not yet installed
Identify planned controls before approving additional ones
Until a planned control is installed, the vulnerabilities it addresses remain exposed
Evaluate a planned control's likely effectiveness through research, since it cannot yet be observed in operation
Control Categories
Controls are commonly categorized by either of the following methods:
NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, which groups controls into families (listed below)
Implementation method, which groups controls by how they are carried out:
Procedural controls
Technical controls
Physical controls
NIST Control Families
SP 800-53 Rev. 5 defines 20 control families, each identified by a two-letter code:
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Assessment, Authorization, and Monitoring (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Planning (PL)
Program Management (PM)
Personnel Security (PS)
Personally Identifiable Information Processing and Transparency (PT)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Supply Chain Risk Management (SR)
Procedural Control Examples
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Data loss prevention program
Education, training, and awareness
Rules of behavior
Software testing
Policies and Procedures
Written documents that provide guidelines and rules for an organization
Policy: A high-level document that provides overall direction without details
Procedure: Provides the detailed steps needed to implement a policy
Policy examples:
Acceptable use policy (AUP)
Vulnerability scanning policy
Removable media policy
Procedure examples:
AUP procedure
Vulnerability scanning procedures
Removable media enforcement
Security Plans
Business continuity plan (BCP)
Helps an organization prepare for different types of emergencies
Disaster recovery plan (DRP)
Provides the details for recovering one or more systems after a disaster
Backup plan
Identifies data valuable to the organization and specifies storage and retention requirements
Incident response plan
Documents how an organization should respond to a security incident
Insurance and Bonding
Insurance transfers part of a risk: the policy specifies which losses the insurer covers and which remain with the customer, for example:
Fire and flood
Business interruption
Errors and omissions
Bonding covers losses caused by employees or contractors through:
Theft
Fraud
Dishonesty
Risk assessment across the system life cycle:
Initiation: existing architecture and security systems are documented and a risk assessment is conducted
Acquisition and Development: a more complete risk assessment is completed and a baseline security level is established
Implementation and Testing: the new system is installed and unit and integration tests are conducted
Operation and Maintenance: the longest phase; systems are continuously monitored, incidents are addressed, and a business continuity plan is created
Sunset or Disposal: old systems must be removed without exposing the organization to additional risk during the migration to a new system
Background and Financial Checks
Background checks: commonly include police and FBI checks, which identify any criminal history
Financial checks: a person with a poor credit rating may be viewed as a higher risk
Internet resources: Google and Facebook searches may expose problematic behavior
Data Loss Prevention Program
Loss of confidentiality: occurs when unauthorized entities view the company's data; DLP tooling monitors and blocks data leaving through unapproved channels
Loss due to corruption: can occur in many ways; reliable, regularly tested backups are the mitigation
Education, Training, and Awareness
Controls aren’t effective if employees don’t know what they are or how to implement them
Awareness programs are generic and apply to all personnel
Logon or welcome banners
Emails
Posters
Training can be generic for all personnel or specialized and targeted at specific groups
Rules of Behavior
Document that lets users know what they can and cannot do with systems
Users must read and/or sign the document to indicate they understand the rules
Common elements in a rules of behavior document:
Privacy
List of restricted activities
Email usage
Protection of credentials
Consequences or penalties for noncompliance
Software Testing
Organizations that develop software should have a policy that mandates software testing
The goal is to reduce the number of undiscovered bugs in the software before it ships
Tests should exercise the input validation the software performs, such as data range and reasonableness checks, including the boundary values on each side of every limit
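The data range and reasonableness checks named above, written out as working code. This is an added example, not code from the chapter or the textbook's authors; the Order record, its field names and the limits are assumptions chosen for illustration. Range checks test each field against its own limits; reasonableness checks test whether the record makes sense as a whole (a client-supplied total is recomputed rather than trusted, and the factors are bounded before they are multiplied so the product cannot overflow).

```go
package main

import (
	"fmt"
	"time"
)

// Order is a constructed record for this example; the field names are
// assumptions, not something the chapter defines.
type Order struct {
	Quantity   int64     // units ordered
	UnitCents  int64     // unit price in cents (integer money avoids float rounding)
	TotalCents int64     // total the client claims to have computed
	Placed     time.Time // when the order was placed
	Ship       time.Time // requested ship date
}

// Limits for the range checks. Bounding both factors before multiplying is
// what keeps Quantity*UnitCents from overflowing int64.
const (
	MaxQuantity  int64 = 1_000
	MaxUnitCents int64 = 100_000_00 // $100,000.00
	MaxShipDelay       = 365 * 24 * time.Hour
)

// ValidateOrder returns every violated check; an empty result means the
// order passes. now is injected so the date checks are deterministic.
func ValidateOrder(o Order, now time.Time) []string {
	var problems []string

	// Range checks: is each field inside the limits the business allows?
	qtyOK := o.Quantity >= 1 && o.Quantity <= MaxQuantity
	priceOK := o.UnitCents >= 1 && o.UnitCents <= MaxUnitCents
	if !qtyOK {
		problems = append(problems, fmt.Sprintf("quantity %d outside 1..%d", o.Quantity, MaxQuantity))
	}
	if !priceOK {
		problems = append(problems, fmt.Sprintf("unit price %d outside 1..%d cents", o.UnitCents, MaxUnitCents))
	}

	// Reasonableness checks: does the record make sense as a whole?
	if o.Placed.After(now) {
		problems = append(problems, "placed date is in the future")
	}
	if o.Ship.Before(o.Placed) {
		problems = append(problems, "ship date is before placed date")
	}
	if o.Ship.Sub(o.Placed) > MaxShipDelay {
		problems = append(problems, "ship date more than a year after placed date")
	}
	// Never trust a client-supplied total: recompute it. Only do so when both
	// factors are in range, so the product cannot overflow.
	if qtyOK && priceOK && o.Quantity*o.UnitCents != o.TotalCents {
		problems = append(problems, "total does not equal quantity x unit price")
	}
	return problems
}

func main() {
	// Fixed clock so the output is reproducible.
	now := time.Date(2022, 6, 1, 12, 0, 0, 0, time.UTC)
	good := Order{Quantity: 3, UnitCents: 1999, TotalCents: 5997,
		Placed: now.Add(-time.Hour), Ship: now.Add(48 * time.Hour)}
	bad := Order{Quantity: 0, UnitCents: 1999, TotalCents: 0,
		Placed: now.Add(24 * time.Hour), Ship: now}
	for _, o := range []Order{good, bad} {
		fmt.Printf("qty=%d price=%d total=%d -> %v\n", o.Quantity, o.UnitCents, o.TotalCents, ValidateOrder(o, now))
	}
}
```

A test suite for this validator should hit the boundaries (1000 passes, 1001 fails), a tampered total, and a record that fails several checks at once; the validator reports every violation rather than stopping at the first, which makes it easier to see when a test has only partially exercised it.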
Technical Control Examples
Logon identifier
Session time-out
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure
Firewalls and Routers
Control traffic by allowing some traffic and blocking the rest
A router (or router access list) provides basic stateless filtering of traffic based on:
Source and destination Internet Protocol (IP) addresses
Ports
Some protocols
A firewall adds stateful tracking of connections and, in application-layer firewalls, inspection of content; rules are evaluated in order, so rule ordering matters, and anything no rule matches should be denied by default
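The filtering decision described above, as an added example that is not part of the chapter: a small first-match packet filter over IP prefixes, ports and protocols, with an implicit default deny. The rule set, the addresses (documentation ranges) and the sample packets are constructed for the example. It shows why rule order matters (a quarantine deny placed above a broader LAN allow) and one common blind spot: IPv4-only rules match no IPv6 traffic, so IPv6 falls through to the default.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Action int

const (
	Deny Action = iota
	Allow
)

func (a Action) String() string {
	if a == Allow {
		return "allow"
	}
	return "deny"
}

// Packet holds the header fields a stateless packet filter looks at.
type Packet struct {
	Proto   string // "tcp", "udp", "icmp"
	Src     netip.Addr
	Dst     netip.Addr
	DstPort uint16 // 0 for protocols without ports
}

// MakePacket builds a Packet from string addresses (constructed test input).
func MakePacket(proto, src, dst string, port uint16) Packet {
	return Packet{Proto: proto, Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), DstPort: port}
}

// Rule matches when every non-wildcard field matches. Proto "" and DstPort 0
// are wildcards; a prefix of 0.0.0.0/0 matches any IPv4 address (and no IPv6 one).
type Rule struct {
	Action  Action
	Proto   string
	Src     netip.Prefix
	Dst     netip.Prefix
	DstPort uint16
	Comment string
}

func (r Rule) Matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst)
}

// Evaluate applies first-match-wins semantics and denies anything no rule
// claims (default deny). It returns the decision and the index of the rule
// that made it, -1 for the implicit default.
func Evaluate(rules []Rule, p Packet) (Action, int) {
	for i, r := range rules {
		if r.Matches(p) {
			return r.Action, i
		}
	}
	return Deny, -1
}

var (
	anyV4      = netip.MustParsePrefix("0.0.0.0/0")
	lan        = netip.MustParsePrefix("10.0.0.0/8")
	webServer  = netip.MustParsePrefix("203.0.113.10/32")
	quarantine = netip.MustParsePrefix("10.0.5.0/24")
)

// SampleRules is a constructed ruleset. Order is deliberate: the quarantine
// deny sits above the broader LAN allow so the allow cannot shadow it.
var SampleRules = []Rule{
	{Deny, "", quarantine, anyV4, 0, "quarantined subnet: drop everything"},
	{Allow, "tcp", lan, anyV4, 22, "SSH from the LAN"},
	{Allow, "tcp", anyV4, webServer, 443, "HTTPS to the public web server"},
	{Allow, "icmp", lan, anyV4, 0, "ping from the LAN"},
	// no catch-all allow: everything else hits the implicit default deny
}

func main() {
	samples := []Packet{
		MakePacket("tcp", "10.1.2.3", "203.0.113.10", 22),
		MakePacket("tcp", "10.0.5.7", "203.0.113.10", 22),
		MakePacket("tcp", "198.51.100.4", "203.0.113.10", 443),
		MakePacket("tcp", "198.51.100.4", "203.0.113.10", 22),
		MakePacket("tcp", "2001:db8::1", "203.0.113.10", 443),
	}
	for _, p := range samples {
		a, i := Evaluate(SampleRules, p)
		fmt.Printf("%-4s %-16s -> %s:%-4d %s (rule %d)\n", p.Proto, p.Src, p.Dst, p.DstPort, a, i)
	}
}
```

Swapping the first two rules would let the LAN allow match the quarantined host first, which is the classic shadowed-rule mistake; real firewall products differ in whether they warn about it, so reviewing rule order is part of verifying that this control is effective.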
Encryption
Transforms plaintext into ciphertext that is unreadable without the key
Example: the plaintext "password" might look something like MFIGs3x/$6o0D in encrypted form (a printable rendering; raw ciphertext is binary)
Data can be encrypted at rest (stored) or in transit (transferred)
Algorithms are designed so that recovering the plaintext without the key is computationally infeasible: too difficult and too slow to be worthwhile
Encryption is classified as either:
Symmetric: one shared secret key both encrypts and decrypts
Asymmetric: a public/private key pair; what one key encrypts, only the other can decrypt
Public Key Infrastructure (PKI)
Some elements of a PKI:
Certificate authority (CA): issues and manages certificates; can be public, such as VeriSign (now part of DigiCert), or private to an organization
Certificates: bind an identity to a public key; used for identification and to set up encryption
Public and private keys: data encrypted with one key can be decrypted only with the matching key
Trust model: the CA's signature on a certificate is what assures a relying party that the binding between a public key and its owner is authentic (a chain of trust); a "web of trust," in which users vouch for one another's keys, is the decentralized alternative used by PGP, not a CA-based PKI
Physical Control Examples
Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Best Practices for Risk Mitigation Security Controls
Ensure the control is effective (verify it in place rather than assuming it works)
Review controls in all areas
Review the NIST SP 800-53 families for controls you may have missed
Redo the risk assessment if a control has changed
Summary
In-place and planned controls
Families of controls defined by NIST
Procedural, technical, and physical controls
10/9/2020
CHAPTER 10
Planning Risk Mitigation Throughout an Organization
Learning Objective(s) and Key Concepts
Learning objective: Identify risk mitigation security controls and develop a risk mitigation plan.
Key concepts:
Scope of a risk management plan
Legal and compliance issues, including operational impacts
Assessing security countermeasures and safeguards
How to identify risk mitigation and risk reduction elements for an organization
Where Should an Organization Start with Risk Mitigation?
Identify assets and rank their value to the organization as high, medium, or low
Identify and analyze the threats and vulnerabilities to those assets
Evaluate the available controls to determine which to implement
What Is the Scope of Risk Management for an Organization?
Critical business operations
Mission-critical business systems, applications, and data access
Seven domains of a typical IT infrastructure
Information systems security gap
Customer service delivery
Critical Business Operations
A business impact analysis (BIA) helps an organization identify the impact on the business if various risks occur
BIAs identify the maximum acceptable outage (MAO), the maximum amount of time a system or service can be down before the mission is affected
When completing a BIA of a specific service or function, ask:
How does this service affect the organization’s profitability?
How does this service affect the organization’s survivability?
How does this service affect the organization’s image?
How will an outage affect employees?
How will an outage affect customers?
When does this service need to be available?
What is the MAO of the service?
Customer Service Delivery
Service level agreement (SLA) identifies an expected level of performance; includes the minimum uptime or the maximum downtime
Organizations use SLAs as a contract between a service provider and a customer
SLA can identify monetary penalties if the terms aren’t met
Internal customer services:
Email services
Internet access
Network access
Server applications, such as database servers
Access to internal servers, such as file servers
Desktop computer support
Mission-Critical Business Systems, Applications, and Data Access
Critical business functions (CBFs): any function considered vital to an organization
Critical success factors (CSFs): any element necessary to perform the mission of an organization
Critical business function examples (the chapter walks through three): making the purchase, receiving funds, shipping the product
Seven Domains of a Typical IT Infrastructure
User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application Domains (each is assessed separately below)
Information Systems Security Gap
The difference between the controls that are in place and the controls that are needed
Gap analysis reports are often used when dealing with legal compliance
Combined with a remediation plan, the gap analysis report identifies how to close a security gap
Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
Compliance requirements act as mitigation controls: they mandate specific safeguards
Assessing the impact of compliance issues:
Identify which compliance requirements apply to the organization
Assess the impact of those requirements on business operations
Legal Requirements, Compliance Laws, Regulations, and Mandates
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA) (2002)
Federal Information Security Modernization Act (FISMA) (2014)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Payment Card Industry Data Security Standard (PCI DSS)
Gramm-Leach-Bliley Act (GLBA)
General Data Protection Regulation (GDPR)
Assessing the Impact of Legal and Compliance Issues on an Organization's Business Operations
Example: CIPA requires schools and libraries receiving E-rate funding to use a technology protection measure (TPM), a filter that blocks access to obscene or harmful content
A filtering proxy server is commonly used as the TPM
In this context TPM is the CIPA term; it is unrelated to the Trusted Platform Module hardware chip
Payment Card Industry Data Security Standard (PCI DSS) Principles and Requirements
The chapter summarizes the twelve requirements as follows (PCI DSS v4.0 keeps the same twelve but rewords several of them):
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall
Requirement 2: Do not use vendor defaults, such as default passwords
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmissions of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data to those with a business need to know
Requirement 8: Use unique logons for each user; never share usernames and passwords
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to systems and data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a security policy that addresses information security
Translating Legal and Compliance Implications for an Organization
Losses can be direct or indirect
A public relations (PR) campaign can sometimes restore an organization’s reputation
Proactively spending money on PR campaigns can reduce the effects of an incident
Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
Controls are implemented at a point in time to reduce the risks known at that time
A control attempts to mitigate risk by:
Reducing the impact of threats to an acceptable level
Reducing a vulnerability to an acceptable level
A risk assessment (RA) likewise evaluates threats and vulnerabilities at a point in time, so both the assessment and the control set must be revisited as the environment changes
Understanding the Operational Implications of Legal and Compliance Requirements
HIPAA
SOX
FISMA
FERPA
CIPA
PCI DSS
GDPR
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
Account management controls
Access controls
Physical access
Personnel policies
Security awareness and training
Performing a Cost-Benefit Analysis (CBA)
Compare the cost of the control to the expected loss if the risk occurs
Calculating projected benefits:
Loss Before Control - Loss After Control = Projected Benefits
Determining whether the control should be used:
Projected Benefits - Cost of Control = Control Value
Worked illustration with constructed figures (not from the chapter): if expected annual loss falls from $50,000 to $10,000 after a control that costs $15,000 per year, projected benefits are $40,000 and the control value is $25,000. A negative control value means the control costs more than it saves and needs a justification other than cost, such as a legal or compliance mandate.
Best Practices for Planning Risk Mitigation Throughout an Organization
Review historical documentation
Although risks change, many of the threats and vulnerabilities will be the same
Include both a narrow and broad focus
Identify specific risks and mitigation strategies and broaden the focus to include the entire organization
Ensure that governing laws have been identified
If you don’t know what laws apply, you won’t be in compliance
Redo risk assessments when a control changes
If the control changes, the original risk assessment is no longer valid
Include a CBA
CBAs provide justification for controls and help determine their value
Summary
Scope of a risk management plan
Legal and compliance issues, including operational impacts
Assessing security countermeasures and safeguards
How to identify risk mitigation and risk reduction elements for an organization