CIS 349 Designing FERPA Technical Safeguards

Strayer CIS 349 Information Technology Audit and Control, Assignment 1: Designing FERPA Technical Safeguards. 5 pages, 846 words, for Auditing IT Infrastructures for Compliance.
Imagine you are an Information Security consultant for a small college registrar’s office consisting of the registrar and two (2) assistant registrars, two (2) student workers, and one (1) receptionist. The office is physically located near several other office spaces. The assistant registrars utilize mobile devices over a wireless network to access student records, with the electronic student records being stored on a server located in the building. Additionally, each registrar’s office has a desktop computer that utilizes a wired network to access the server and electronic student records. The receptionist station has a desktop computer that is used to schedule appointments, but cannot access student records. In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA) to help protect the integrity of student records. The college has hired you to ensure technical safeguards are appropriately designed to preserve the integrity of the student records maintained in the registrar’s office.


Discussion

Select an organization with which you are familiar. Identify the compliance laws that you believe would be most relevant to this organization. Justify your response:

I'm most familiar with government organizations, so I'll go with that. Two primary things we need to comply with are FISMA as well as CNSSI 1253, also known as Intelligence Community Directive 503. The reason we must meet FISMA requirements is because of our use of national security systems in a federal agency. We must report our compliance on those systems deemed FISMA reportable. We also must follow ICD 503, which basically says we must use NIST Special Pub 800-53 controls and apply those to our agency. These controls are not just technical controls, but also policy requirements as well as other management and operational controls.

Define the scope of an IT compliance audit that would verify whether or not this organization is in compliance with the laws you identified:

An IT compliance audit would consist of a review of all the controls from 800-53 that we have applied to our organization. The audit would make sure that we had policies written as required by NIST as well as all the other controls from the families that apply to things like access control, audit, physical, personnel, and configuration management, just to name a few of them. The audit would most likely use 800-53A to identify what inspection method would best be used to determine how well our organization meets the specific controls.