analyze the difference between intentional and unintentional threats. The initial post must be completed by Thursday at 11:59 Eastern. You are also required to post a response to a minimum of two other students in the class by the end of the week. You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.
CHAPTER 3
Understanding and Maintaining Compliance
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s):
Identify compliance laws, standards, best practices, and policies of risk management.
Key Concepts:
Compliance laws that affect information technology (IT) systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
U.S. Compliance Laws
Federal Information Security Modernization Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Children’s Online Privacy Protection Act (COPPA)
U.S. Compliance Laws and Their Applicability
Law | Applicability
FISMA | Federal agencies
HIPAA | Any organization that handles medical data
GLBA | Banks, brokerage companies, and insurance companies
SOX | All publicly traded companies
FERPA | Educational institutions
CIPA | Schools and libraries that use E-Rate discounts
COPPA | Websites or online services directed at children under 13 that collect personal information from them
Health Insurance Portability and Accountability Act (HIPAA)
Covers any organization that handles health data:
Medical facilities
Insurance companies
Any company with a health plan, if its employees handle health data
HIPAA compliance cycle:
Assessment
Risk analysis
Plan creation
Plan implementation
Continuous monitoring
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act
Most of GLBA relates to how banking and insurance institutions can merge
Financial Privacy Rule:
Requires companies to notify customers about their privacy practices
Explains how the bank or company collects and shares data
Safeguards Rule:
Requires companies to have a security plan to protect customer information
Ensures data isn't released without authorization; ensures data integrity
Companies must use a risk management plan and provide security training
Sarbanes-Oxley (SOX) Act
Applies to publicly traded companies
Designed to hold company executives and board members personally responsible for financial data
Chief executive officers (CEOs) and chief financial officers (CFOs) must be able to:
Verify the accuracy of financial statements
Prove that the statements are accurate
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student records, which include education and health data
Applies to all schools that receive funding from the U.S. Department of Education:
State or local educational agencies
Institutions of higher education
Community colleges
Schools or agencies that offer a preschool program
All other educational institutions
For students under 18, a parent can inspect records and request corrections
Protects student personally identifiable information (PII)
Children’s Internet Protection Act (CIPA)
Designed to limit access to offensive content from school and library computers
Covers schools and libraries that receive funding from the E-Rate program
Requires schools and libraries to block or filter Internet access to pictures that are obscene or harmful to minors
Requires schools and libraries to:
Adopt and enforce a policy to monitor online activity of minors
Implement an Internet safety policy that addresses:
Access by minors to inappropriate content
Safety and security of minors when using email and chat rooms
Unauthorized access
Unlawful activities by minors online
Unauthorized use of minors’ personal information
Measures restricting minors’ access to harmful materials
Children’s Online Privacy Protection Act (COPPA)
Designed to protect the privacy of children under 13
Sites must obtain verifiable parental consent before collecting or using personal information from children under 13
COPPA specifies:
Required contents of the site's privacy policy
When and how to seek verifiable consent from a parent or guardian
The responsibilities of a website operator regarding children’s privacy and safety online, including restrictions on the types and methods of marketing that target those under 13
Regulations Related to Compliance
U.S. compliance regulatory agencies:
Securities and Exchange Commission (SEC)
Federal Trade Commission (FTC), organized into three bureaus:
Bureau of Consumer Protection (protects consumers)
Bureau of Competition (prevents anticompetitive practices)
Bureau of Economics (evaluates the economic impact of actions)
Federal Deposit Insurance Corporation (FDIC)
Department of Homeland Security (DHS)
State Attorney General (AG)
U.S. Attorney General (U.S. AG)
Organizational Policies for Compliance
Fiduciary:
Refers to a relationship of trust
Could be a person who is trusted to hold someone else’s assets
The trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest
Examples of trust relationships:
An attorney and a client
A CEO and a board of directors
Shareholders and a board of directors
A fiduciary is expected to take extra steps:
Due diligence
Due care
Organizational policy could include:
Mandatory vacations
Job rotation
Separation of duties
Acceptable use
Standards and Guidelines for Compliance
Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST)
Generally Accepted Information Security Principles (GAISP)
Control Objectives for Information and Related Technology (COBIT)
International Organization for Standardization (ISO)
International Electrotechnical Commission (IEC)
Information Technology Infrastructure Library (ITIL)
Capability Maturity Model Integration (CMMI)
General Data Protection Regulation (GDPR)
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
Payment Card Industry Data Security Standard (PCI DSS)
Created by the Payment Card Industry Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Key pieces of cardholder data:
Name
Credit card number
Expiration date
Security code (the card verification value; PCI DSS forbids storing it after authorization, even in encrypted form)
Merchants that accept payment cards are required to comply
Goals | Process Steps
Build and maintain a secure network that is PCI compliant | Install and maintain a firewall; do not use defaults, such as default passwords
Protect cardholder data | Protect stored data; encrypt transmissions
Maintain a vulnerability management program | Use and update antivirus software; develop and maintain secure systems
Implement strong access control measures | Restrict access to data; use unique logins for each user; don’t share usernames and passwords; restrict physical access
Regularly monitor and test networks | Track and monitor all access to systems and data; regularly test security
Maintain an information security policy | Maintain a security policy
PCI DSS compliance process:
Assess
Report
Remediate
National Institute of Standards and Technology (NIST)
Promotes U.S. innovation and competitiveness
Hosts the Information Technology Laboratory (ITL)
Publishes the Special Publication (SP) 800 series, for example SP 800-30, Guide for Conducting Risk Assessments
Generally Accepted Information Security Principles (GAISP)
Includes two major sections:
Pervasive principles
Broad functional principles
Control Objectives for Information and Related Technology (COBIT)
COBIT 5 principles:
Meet stakeholder needs
Cover the enterprise end to end
Apply a single integrated framework
Enable a holistic approach
Separate governance from management
COBIT 5 risk diagram (adapted from COBIT 5 for Risk ©2013 ISACA. All rights reserved. Used with permission.)
International Organization for Standardization (ISO)
ISO/IEC 27002: Security techniques (code of practice for information security controls)
ISO 31000: Risk management, principles and guidelines on implementation
ISO Guide 73: Risk management, vocabulary
International Electrotechnical Commission (IEC)
IEC objectives:
Meet the requirements of the global market
Ensure maximum use of its standards
Assess and improve products and services covered by its standards
Aid in the interoperability of systems
Increase the efficiency of processes
Aid in the improvement of human health and safety
Aid in the protection of the environment
Information Technology Infrastructure Library (ITIL)
ITIL life cycle:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Capability Maturity Model Integration (CMMI)
Primary areas of interest:
Product and service development
Service establishment, management, and delivery
Product and service acquisition
CMMI maturity levels:
Level 0: Nonexistent
Level 1: Initial
Level 2: Managed
Level 3: Defined
Level 4: Quantitatively Managed
Level 5: Optimized
General Data Protection Regulation (GDPR)
Regulates how organizations protect the personal data of individuals in the European Union (EU) and the European Economic Area (EEA)
Applies to all businesses that process the personal data of individuals living in the EU or EEA, regardless of where the business is located
Key changes introduced when GDPR took effect in 2018:
Increased territorial scope (extraterritorial applicability)
Penalties
Consent
Data subject rights
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
DIACAP phases:
Phase 1: Initiate and Plan
Phase 2: Implement and Validate
Phase 3: Make Certification and Accreditation Decisions
Phase 4: Maintain ATO/Review
Phase 5: Decommission
DIACAP has since been superseded by the DoD adoption of the NIST Risk Management Framework (RMF)
Summary
Compliance laws that affect information technology (IT) systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
CHAPTER 4
Developing a Risk Management Plan
Learning Objective(s) and Key Concepts
Learning Objective(s):
Describe the components of and approaches to effective risk management in an organization.
Key Concepts:
Fundamental components of a risk management plan
Objectives, boundaries, and scope of a risk management plan
Importance of assigning responsibilities in a risk management plan
Significance of planning, scheduling, documentation, and reporting
Steps of the NIST Risk Management Framework
Objectives of a Risk Management Plan
A risk management plan produces:
A list of threats
A list of vulnerabilities
Costs associated with risks
A list of recommendations to reduce the risks
Costs associated with recommendations
A cost-benefit analysis (CBA)
One or more reports
Implementing a Risk Management Plan
Document management decisions
Document and track implementation of accepted recommendations
Create a plan of action and milestones (POAM)
Objectives Examples
Identifying threats
Identifying vulnerabilities
Identifying assets
Assigning responsibilities
Identifying the costs of an outage/noncompliance
Providing recommendations
Identifying the costs of recommendations
Providing a CBA
Documenting accepted recommendations
Tracking implementation
Creating a POAM
Scope of a Risk Management Plan
Identify the boundaries of the plan
Avoid scope creep
Identify stakeholders
Create a change control board
Draft a scope statement
Scope Examples
Website: creating a risk management plan to secure a website
Scope includes:
Security of the server hosting the website
Security of the website itself
Availability of the website
Integrity of the website’s data
Stakeholders include:
Vice president of sales
Information technology (IT) support department head
Written approval is required for all activities outside the scope of this plan
HIPAA compliance: creating a risk management plan to ensure HIPAA compliance
Scope includes:
Identifying all health data
Storing health data
Using health data
Transmitting health data
Stakeholders include:
Chief information officer (CIO)
Human resources (HR) department head
Written approval is required for all activities outside the scope of this plan
Assigning Responsibilities
Responsibilities can be assigned to:
The risk management project manager (PM)
Stakeholders
Departments or department heads
Executive officers, such as the CIO or CFO
Individual responsibilities:
Identifying risk
Assessing risk
Identifying risk mitigation steps
Reporting
Responsibilities Examples
Website
The IT department is responsible for providing:
A list of threats
A list of vulnerabilities
A list of recommended solutions
Costs for each of the recommended solutions
The sales department is responsible for providing:
Direct costs of all outages that last 15 minutes or longer
Indirect costs of all outages that last 15 minutes or longer
The CFO will:
Validate the data provided by the IT and sales departments
Complete a CBA
HIPAA Compliance
The HR department is responsible for providing:
A list of all health information sources
Inspection results for all data sources regarding HIPAA compliance
How the data is stored, protected, and transmitted
A list of existing and needed HIPAA policies
A list of recommended solutions to ensure HIPAA compliance
Costs for each of the recommended solutions
Costs associated with noncompliance
The IT department is responsible for providing:
Identification of the access controls used for the data
A list of recommended solutions to ensure compliance with HIPAA
Costs for each of the recommended solutions
The CFO will:
Validate the data provided by the HR and IT departments
Complete a CBA
Using Affinity Diagrams
Describing Procedures and Schedules for Accomplishment
Include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk
The solution will often include multiple steps
Describe each step in detail
Include a timeline for completion of each step
Remember:
Management is responsible for choosing the controls to implement
Management is responsible for residual risk
Procedures Examples
Website
Mitigating the risk of denial of service (DoS) attacks:
Recommendation: Upgrade the firewall.
Justification: The current firewall is a basic router; it does not provide advanced firewall capabilities.
Procedures: The following steps can be used to upgrade the firewall:
Start firewall logging
Create a firewall policy
Purchase a firewall appliance
Install the firewall
Configure the firewall
Test the firewall before going live
Bring the firewall online
HIPAA Compliance
Procedures for mitigating the risk of HIPAA noncompliance:
Recommendation: Increase awareness of HIPAA.
Justification: Make clear that noncompliance can result in fines totaling $25,000 a year for mistakes.
Procedures: Use the following steps to increase awareness:
Require all employees to read and comply with HIPAA policies
Provide training to all employees on HIPAA compliance
Reporting Requirements
Present recommendations
Document management response to recommendations
Document and track implementation of accepted recommendations
Create a plan of action and milestones (POAM)
Presenting Recommendations
The report should include:
Findings (often summarized in risk statements, which communicate a risk and its resulting impact)
Recommendation cost and time frame
Cost-benefit analysis (CBA)
Findings
Cause: the threat
Criteria: the conditions that allow the threat to succeed, for example:
Inadequate manpower
Unmanaged firewall
No intrusion detection system (IDS)
Operating system not updated
Antivirus software not installed or not updated
Effect: often an outage of some type
Website cause and effect diagram
HIPAA compliance cause and effect diagram
Recommendation Cost and Time Frame
Each item should include the cost and time frame required to implement it
Example list of recommendations included in the website risk management plan:
Upgrade firewall
Purchase and install IDS
Create a plan to keep the system updated
Install antivirus software on the server
Update antivirus software
Add one IT administrator
Cost-Benefit Analysis (CBA)
A CBA should include two items:
Cost of the recommendation, including any anticipated ongoing costs
Projected benefits in terms of dollars
Example of a CBA for a website recommendation:
Recommendation
Cost of the recommendation
Background
Loss before recommendation
Expected loss with recommendation
Benefit of the recommendation
CBA = Loss before recommendation − Loss after recommendation − Cost of recommendation
A positive CBA means the recommendation reduces expected loss by more than it costs; a negative CBA means the cost exceeds the expected reduction in loss, and the recommendation should be deferred, modified, or rejected unless it is justified on other grounds (such as a compliance requirement).
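As an added example (this is not code from the textbook), the CBA formula above in Python, extended so that the "cost of the recommendation" includes anticipated ongoing annual costs over a chosen planning horizon. The recommendation names follow the website example; every dollar figure is constructed for illustration.

```python
"""Cost-benefit analysis (CBA) for risk management recommendations.

Implements the formula from the text,
    CBA = loss before recommendation - loss after recommendation - cost of recommendation,
and extends it so that the cost term includes anticipated ongoing (annual)
costs over a planning horizon. All sample figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    name: str
    loss_before: float        # expected annual loss with the risk unmitigated
    loss_after: float         # expected annual loss once the control is in place
    one_time_cost: float      # purchase, installation, or project cost
    annual_cost: float = 0.0  # ongoing cost: maintenance, licensing, staffing


def cba(rec: Recommendation, years: int = 1) -> float:
    """Net benefit of a recommendation over `years` years.

    Positive: the control saves more than it costs over the horizon.
    Negative: the cost exceeds the expected loss reduction, so management
    should defer, modify, or reject it unless other grounds justify it.
    """
    benefit = (rec.loss_before - rec.loss_after) * years
    cost = rec.one_time_cost + rec.annual_cost * years
    return benefit - cost


def rank_recommendations(recs, years: int = 1):
    """Return (cba, name) pairs sorted from best to worst net benefit."""
    return sorted(((cba(r, years), r.name) for r in recs), reverse=True)


def justified(recs, years: int = 1):
    """Names of recommendations whose CBA is positive over the horizon."""
    return [r.name for r in recs if cba(r, years) > 0]


# Constructed sample data for the website risk management plan example.
# Each recommendation is evaluated on its own against the unmitigated loss;
# controls that address the same loss must not have their benefits summed.
FIREWALL = Recommendation("Upgrade firewall", loss_before=100_000, loss_after=20_000,
                          one_time_cost=15_000, annual_cost=2_000)
IDS = Recommendation("Purchase and install IDS", loss_before=100_000, loss_after=60_000,
                     one_time_cost=50_000, annual_cost=10_000)
ANTIVIRUS = Recommendation("Install antivirus software on server", loss_before=30_000,
                           loss_after=5_000, one_time_cost=1_000, annual_cost=500)
SAMPLE = [FIREWALL, IDS, ANTIVIRUS]

if __name__ == "__main__":
    for horizon in (1, 3):
        print(f"Planning horizon: {horizon} year(s)")
        for net, name in rank_recommendations(SAMPLE, horizon):
            verdict = "justified" if net > 0 else "not justified"
            print(f"  {name:40s} CBA = {net:>10,.0f}  ({verdict})")
```

The horizon matters: the IDS purchase has a negative CBA over one year because its up-front cost dominates, but a positive one over three years once the annual loss reduction accumulates, which is exactly the kind of detail a management "defer" decision should record.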
Risk Statements
Used to communicate a risk and the resulting impact
Often written using “if/then,” for example: if the firewall is not upgraded, then a DoS attack could take the website offline
Should be matched to the scope and objectives of the project
Documenting Management Response to Recommendations
Accept: management can approve the recommendation
Defer: management can defer a recommendation
Modify: management can modify a recommendation
Documenting and Tracking Implementation of Accepted Recommendations
The documentation doesn’t need to be extensive; it could be a simple document listing each recommendation and the decision, for example:
Recommendation to purchase antivirus software
Accepted. Software is to be purchased as soon as possible.
Recommendation to hire an IT administrator
Deferred. The IT department needs to provide clearer justification for this. In the interim, the IT department is authorized to use overtime to ensure security requirements are met.
Recommendation to purchase an SS75 firewall
Modified. Two SS75 firewalls are to be purchased as soon as possible. These two firewalls will be configured to form a DMZ.
Plan of Action and Milestones (POAM)
A living document
Used to track progress
Used to assign responsibility