Strayer CIS 462 Security Strategy and Policy, Assignment 1: IT Security Policy Framework, 9 pages, 1735 words, Graded A, Security Policies and Implementation Issues
Establishing an effective Information Technology Security Policy Framework is critical in the development of a comprehensive security program. Additionally, there are many security frameworks that organizations commonly reference when developing their security programs. Review the security frameworks provided by NIST (SP 800-53), the ISO/IEC 27000 series, and COBIT. Assume that you have been hired as a consultant by a medium-sized insurance organization and have been asked to draft an IT Security Policy Framework.
Write a three to five page paper in which you:
1. Select a security framework, describe the framework selected, and design an IT Security Policy Framework for the organization.
2. Describe the importance of and method of establishing compliance of IT security controls with U.S. laws and regulations, and how organizations can align their policies and controls with the applicable regulations.
3. Analyze the business challenges within each of the seven domains in developing an effective IT Security Policy Framework.
4. Describe your IT Security Policy Framework implementation issues and challenges and provide recommendations for overcoming these implementation issues and challenges.
Select two principles for policy and standards development (accountability, awareness, ethics, multidisciplinary, proportionality, integration, defense-in-depth, timeliness, reassessment, democracy, internal control, adversary, least privilege, continuity, simplicity, and policy-centered security). Examine how these principles would be the same and different for a health care organization and a financial organization. Determine which type of organization would have the most difficulty implementing the principles you selected. Support your answer.

I selected Least Privilege and Simplicity. Least privilege would be the same, for the most part, for any organization; by definition, you only allow people who have a need to know something to have access to sensitive information. I think the complexity of maintaining least privilege would depend on how large either organization was. In the health care system you would have to account for your local provider, probably in-network and familiar with your health care, unless you consider travelers who are ill or injured and seen remotely. There are various levels of care within the medical offices: the clerk checking you in should be privileged to who you are, where you live, your current insurance information, etc., but they should not be privileged to your specific health history or diagnoses. You also have to consider specialist care, in which case your records are shared outside the PCP offices. In a financial institution, again, this is somewhat dependent on how big the institution is and what services you may be using. If you just go to the bank to deposit a check into an account and take less cash back, the teller will have access to your name, account number and balance, but unless you are applying for a loan, no one in the bank need know what your annual salary is or what your credit score is.

If you apply for a loan, these credit history items will need to be known by the loan officer, but the teller up front, whom you see when you cash your check, still should not have access to this historical information. With regards to simplicity, the size of the organization plays a big part again. Are we talking about Name Your City Here Savings and Loan or Navy Federal Credit Union, who in the last 20 years has opened their field of membership up from only deployed Active Duty Sailors and Marines to anyone who has ever been in the same room with someone in the military or DOD? Are we talking about a State level hospital network or an isolated urgent care center? The larger the organization, the larger the field of membership or network concerned, which raises the risk as well as the difficulty of both least privilege and simplicity. Minimizing the number of persons who have access to information in all forms is critical to risk mitigation. Keeping your policies simple so they are understood and nonredundant, which also frees people up to do their primary job as they are not continually re-reading/re-learning covered material, is also critical to risk mitigation.
From the e-Activity, provide a brief explanation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods. Explain how they are beneficial for organizations developing their IT risk management approaches.

OCTAVE measures the risks that align with the organization's mission, goals, objectives, and critical success factors. The organization's information assets are established, each asset is looked at, and each asset's security needs are defined. It identifies potential risks to each asset and its contents and develops mitigation approaches to the identified risks. It is beneficial for risk management by examining each asset and its container; this ensures all assets get looked at. It can also be tailored to fit each organization's specific risks and meet security objectives. It can also help with an organization's resilience and can be tailored to meet the skill level of the IT department.

From the e-Activity, explain how the size of the organization impacts the OCTAVE method utilized. Determine the factors that large organizations, as opposed to small organizations, are most concerned with.

Large organizations can have massive amounts of information assets that need to be assessed, and who, what and where they are connected to. OCTAVE makes this an easier process and can point out assets that are poorly defined or have been overlooked. Larger organizations would probably have more team collaboration because of more departments possessing different kinds of assets. Small organizations may not even have an IT department, or if they do, they might not possess the knowledge because of not being as large. It would be good for small organizations because there doesn't have to be collaboration, and if there is, it can be a casual meeting. It is also based on expertise, so someone who is not so tech savvy could do the assessment.