Step 4: Implement a Subset of Selected Security Controls


Now that the moderate-impact security controls have been selected, you need to describe how to implement them. The good news is that the controls have been divided among other CARS team members, leaving only a small subset for you to complete on your own.

Using the themes of access, authentication, and authorization, focus on the access control (AC) and planning (PL) families. The following controls have been assigned to you:

AC-7 Unsuccessful Logon Attempts

AC-8 System Use Notification

PL-8 Information Security Architecture

Specifically, you need to provide details on how each of the following security controls will be implemented. To further define each of these implementations, complete the following:

AC-7 Unsuccessful Logon Attempts

For security control AC-7, define the following parameters associated with AC-7:

1. The number of consecutive invalid logon attempts by a user before the user is locked out.
2. The time period in which the number of consecutive logon attempts is considered.
3. The time period the account is locked when the number of consecutive invalid logons criteria is met.
4. The manner in which the account is unlocked (e.g., administrative intervention versus automatic).

You do not need to write the actual code to implement the control.
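The four AC-7 parameters map directly onto a lockout policy, and seeing them operate on a sequence of logon events makes the choices concrete: the window decides which failures count as "consecutive", the threshold decides when the lock engages, and the duration and unlock manner decide how it clears. The following Python sketch is an added illustration, not part of the assignment (which asks for no code) and not a NIST or CARS artifact; the policy values (3 attempts, 15-minute window, 30-minute lock), the user names and the event timestamps are constructed sample data.

```python
# Added example: account lockout driven by the four AC-7 parameters. All policy
# values, user names and timestamps are constructed sample data, not settings
# prescribed by the assignment or by NIST SP 800-53.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class LockoutPolicy:
    """The organization-defined AC-7 parameters (sample values)."""
    max_attempts: int = 3                                # 1. invalid logons before lockout
    window: timedelta = timedelta(minutes=15)            # 2. period the attempts are counted in
    lockout_duration: timedelta = timedelta(minutes=30)  # 3. how long the lock lasts
    auto_unlock: bool = True                             # 4. self-expiring vs. administrator unlock


class LockoutTracker:
    """Counts invalid logons per user and decides when an account is locked."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures: Dict[str, List[datetime]] = {}  # recent invalid-logon timestamps per user
        self.locked_at: Dict[str, datetime] = {}       # start of the current lockout per user

    def _clear(self, user: str) -> None:
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)

    def is_locked(self, user: str, now: datetime) -> bool:
        started = self.locked_at.get(user)
        if started is None:
            return False
        # Parameter 4: a timed lock clears itself once parameter 3 has elapsed;
        # an administrator-only lock is cleared by admin_unlock() and nowhere else.
        if self.policy.auto_unlock and now >= started + self.policy.lockout_duration:
            self._clear(user)
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record an invalid logon; return True if this attempt triggers a lockout."""
        if self.is_locked(user, now):
            return False  # attempts against a locked account are rejected, not counted
        # Parameter 2: only failures inside the sliding window count as consecutive.
        cutoff = now - self.policy.window
        recent = [t for t in self.failures.get(user, []) if t > cutoff] + [now]
        self.failures[user] = recent
        if len(recent) >= self.policy.max_attempts:  # parameter 1: threshold reached
            self.locked_at[user] = now
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)  # a valid logon resets the consecutive count

    def admin_unlock(self, user: str) -> None:
        self._clear(user)  # parameter 4: administrative intervention


def replay(policy: LockoutPolicy, events) -> List[str]:
    """Replay (timestamp, user, credentials_valid) events and return one outcome
    per event: 'success', 'failed', 'lockout_triggered' or 'locked'."""
    tracker = LockoutTracker(policy)
    outcomes = []
    for ts, user, credentials_valid in events:
        if tracker.is_locked(user, ts):
            outcomes.append("locked")  # rejected even when the password is right
        elif credentials_valid:
            tracker.record_success(user)
            outcomes.append("success")
        elif tracker.record_failure(user, ts):
            outcomes.append("lockout_triggered")
        else:
            outcomes.append("failed")
    return outcomes


# Constructed sample authentication events (not real log data).
T0 = datetime(2021, 6, 18, 17, 0)
SAMPLE_EVENTS = [
    (T0, "alice", False),                         # 1st invalid logon
    (T0 + timedelta(minutes=1), "alice", False),  # 2nd
    (T0 + timedelta(minutes=2), "alice", False),  # 3rd: threshold reached, lockout
    (T0 + timedelta(minutes=3), "alice", True),   # correct password, but still locked
    (T0 + timedelta(minutes=33), "alice", True),  # 30-minute lock has expired
    (T0 + timedelta(minutes=40), "bob", False),   # will age out of the 15-minute window
    (T0 + timedelta(minutes=56), "bob", False),   # count restarts at 1
    (T0 + timedelta(minutes=57), "bob", False),   # 2
    (T0 + timedelta(minutes=58), "bob", False),   # 3 inside the window: lockout
]


def demo_outcomes() -> List[str]:
    return replay(LockoutPolicy(), SAMPLE_EVENTS)
```

Running `demo_outcomes()` shows the two behaviours the parameters are meant to distinguish: alice is locked on her third failure and stays locked even with the right password until the 30-minute lock expires, while bob's first failure falls outside the 15-minute window and is not counted against the later three. Setting `auto_unlock=False` keeps an account locked indefinitely until `admin_unlock()` is called, which is the "administrative intervention" option in parameter 4.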

AC-8 System Use Notification

For the AC-8 security control, draft the message or warning banner that will be displayed to users before granting access to the system. This banner should provide privacy and security notices aligned with directives or other policies as applicable. The message should be unique to your system design but follow approaches similar to government, university, or other organizational access messages.

PL-8 Information Security Architecture

Resources for Creating System Architecture Diagrams: Microsoft PowerPoint, Microsoft Word, Microsoft Visio, Apache OpenOffice Impress

The information security architecture is a fundamental document describing the overall system security architecture and the defense-in-depth approaches to defending the system. For this control, the following components should be included:

1. architectural description in the form of a high-level logical view (see the figure titled “Notional High Level Logical Architectural View”);
2. system categorization (in this case, moderate-impact);
3. minimum security requirements, based on the moderate-impact categorization;
4. security controls (i.e., the prioritized list you developed in the previous step); and
5. a description of how you will use defense-in-depth, layered approaches to allocate security safeguards and mechanisms.

Figure: Notional High Level Logical Architectural View

Save the Information Security Architecture as well as the descriptions you created of the AC-7 and AC-8 security controls in a Word document to include in your technical report later in this project.

Security Architecture Across Organizations

The NIST documents are used by US government agencies, contractors, and others. Other documents providing security control implementation exist for non-federal systems and organizations, but they provide similar guidance. For example, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (NIST SP 800-171) has been applied to health care organizations, small businesses, and other organizations outside the federal government.

Banking and finance groups rely on the Payment Card Industry (PCI) Security Standards Council. Founded by the world’s leading global payment brands, the council develops and drives adoption of security standards and resources for safe payments worldwide. Their document library (PCI Security Standards Council, n.d.) includes a framework of specifications, tools, measurements, and support resources to ensure the safe handling of cardholder information.

Other countries have processes similar to those defined by NIST. The European Union has its own risk management framework, procedures, and guidelines for secure information systems. “How to Implement Security Controls for an Information Security Program at CBRN Facilities” (O’Neil et al., 2015) is a technical report that provides guidance for instituting security controls for chemical, biological, radiological, and nuclear facilities.

References

PCI Security Standards Council. (n.d.). Document Library. Retrieved June 08, 2020, from https://www.pcisecuritystandards.org/document_library

O'Neil, L., Glantz, C. S., Lenaeus, J. D., Bryant, J. L., Landine, G. P., Leitch, R. M., Lewis, J., et al. (2015). How to Implement Security Controls for an Information Security Program at CBRN Facilities. PNNL-25112. Richland, WA: Pacific Northwest National Laboratory. Retrieved from https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf
