CASE STUDY 4303
See attached.
CASESTUDY4303.docx
Policy Writing Approach
Refer to “Case Study: Policy Writing Approach” found on page 102 of your textbook and copied below.
Regional Bank has been growing rapidly. In the past two years, it has acquired six smaller financial institutions. The long-term strategic plan is for the bank to keep growing and to “go public” within the next three to five years. FDIC regulators have told management that they will not approve any additional acquisitions until the bank strengthens its information security program. The regulators commented that Regional Bank’s information security policy is confusing, lacking in structure, and filled with discrepancies.
You have been tasked with fixing the problems with the policy document. Write a two-page case study that includes the following sections.
· Introduction: Current Problem
· Discussion
  · Where do you begin this project?
  · Would you use any material from the original document?
  · What other materials should you request?
  · Would you want to interview the author of the original policy?
  · Who else would you interview?
  · Should the bank work toward ISO certification?
  · Which ISO 27002:2022 domains and sections would you include?
  · Should you use NIST’s Cybersecurity Framework (CIA security model) and related tools? If yes, explain why the tools selected are important to IS policy writing.
  · Which methods of communication should you use to send the policy?
  · What other criteria should you consider?
· Conclusion
· References
Your paper should include a title page and a reference page, which do not count toward the two-page minimum. Use APA
Course Textbook(s)
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson. https://online.vitalsource.com/#/books/9780134858548
UnitIII.pdf
SEC 4303, IS Security Policy Analysis 1
Course Learning Outcomes for Unit III
Upon completion of this unit, students should be able to:
3. Create a dissemination plan for a policy.
   3.1 Identify the best method to send the policy to users.
4. Analyze a security policy for its completeness.
   4.1 Identify the domains of an information security program.
   4.2 Identify the importance of the CIA security model.
   4.3 Discuss the reasons behind an organizational security framework.

Reading Assignment
Chapter 3: Cybersecurity Framework

Unit Lesson
In the previous unit, we covered the policy hierarchy, including the standards, guidelines, procedures, and baselines. We now focus on the security framework, including confidentiality, integrity, and availability (CIA), and security models. The framework should address the organization’s overall purpose for creating its policies. A common security strategy or model is necessary because it dictates how all policies are created. If we understand the importance of CIA, it helps us define how documents, data, Internet, email, and systems should be treated. We can also see how adopting a model helps establish IT governance, which usually drives the creation of the policies. If the organization adopts no model, it is more difficult for it to justify its policies and procedures.
UNIT III STUDY GUIDE: IS Security Frameworks
Confidentiality
Organizations want the majority of their internal information to be protected and not shared externally. Santos (2019) explains confidentiality as the requirement that employees not disclose private and confidential information to unauthorized individuals. Consider all of the documents, emails, and procedures that organizations keep on shared drives, in email folders, and on removable media. What happens if any of these storage locations are breached? This is why organizations use multiple authentication and access controls to protect their data and information. Many small- and medium-size businesses do not create policies that address how information should be protected; therefore, these organizations put their data and information at risk. Santos (2019) illustrates how organizations can also use encryption of data, virtual private networks (VPNs), and server/client encryption using transport layer security (TLS). It is key to note that some of the common concerns relate to unethical employees misusing information or intentionally distributing it to unauthorized personnel.

Integrity
The integrity of a system or infrastructure is critical because it can ultimately determine the overall protection of the data and information. There are thousands of Web applications online connecting to Microsoft SQL Server, MySQL, or Oracle databases. Think about a website that connects to a MySQL database. If the website login is penetrated, a hacker can do almost anything to the data, including manipulation or deletion. These database interfaces are well designed, but the access controls and logins exposed through a Web application can be insufficient. This becomes a major issue if a hacker can gain access to the Web application and then connect to the database. The integrity of a system is the ability to ensure that the system and its data have not been altered or compromised.

How long do you think it would take for a database administrator (DBA) to find out that an unauthorized individual has accessed the data? In a small company, it could take a while. The key here is to consider what policies should be in place to address the integrity of a system, application, or data. The figure below shows how integrity needs to apply to both the data and the systems. As we know, the systems or applications retain the data, so focusing on integrity protections for both is imperative.

Figure: CIA Triad (Santos, 2019). Integrity is connected to both the data and the system.
Availability
Availability refers to continuous access to the data, systems, and applications. What happens if your organization experiences a denial of service (DoS) attack? If the attack brings down the network, the systems and data are no longer available. As we have seen throughout the years, organizations lose millions of dollars when their websites or portals are not available to customers and clients. The following site provides insights on the latest cyber and digital hijacking events. The benefit of checking a site like this is to review the latest practices or the unfortunate events at other organizations. It can be difficult to read all current posts, but visiting the site regularly provides insight into current issues and inspiration for new policies or revisions to existing policies.
DDoS Attacks website: http://ddosattacks.net/latest-news/
The article below explains attacks by Trojan horses, botnets, and distributed denial of service (DDoS). These attacks are alarming because they are not only destructive but also cause loss of availability of networks and systems. The article explains that most attacks are associated with financial gain by criminals or with competitors seeking more sensitive information. Competitors are not only competing firms; they can also be other countries.
Khalimonenko, A., Kupreev, O., & Badovskaya, E. (2018, April 26). DDoS attacks in Q1 2018. https://securelist.com/ddos-report-in-q1-2018/85373/

Models
Security architectures involve the study of formal security models at the highest levels of IT security, such as those that protect our national security and other governmental agencies. Below, we review the National Institute of Standards and Technology (NIST) Framework and the International Organization for Standardization (ISO) standards to determine how these entities help form the policies. These standards are essential, especially for small and medium-size businesses, because they act as guidelines and templates for IT personnel to use within their organization. As mentioned by Santos (2019), although developed for government use, the framework is applicable to the private sector, and it addresses the management, operational, and technical aspects of protecting the CIA.

NIST Framework
NIST’s mission is to raise awareness of IT risks, provide cost-effective solutions, deploy security standards, and provide security guidance for IT planning, implementation, and management (Santos, 2019). NIST provides a quick search option on its website to locate the necessary documentation or templates that can be used for standard processes. Many of the templates are living documents; consequently, they are updated as needed to address new concerns or provide alternative approaches. NIST defines information security as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (NIST, 2018).

ISO Standards
The International Organization for Standardization (ISO) provides requirements, specifications, and guidelines that organizations can use. The standards provide frameworks for organizations to create security policies, identify roles to protect the organization, offer employment check practices for hiring new employees, manage assets, and control access to systems, networks, and facilities.

These standards help organizations create and maintain security policies using best practices identified across industries. It is important to note that these guides can be tailored to each business environment. Additionally, the organization may face future audits, so building policies that align with ISO standards justifies the content of the policies along with the rationale for access control parameters. These recommendations can be applied to many domains, including organization, human resources, access control, asset management, cryptography, operations, communication, and business continuity. An excellent place to start is the ISO.org website, where specific standards can be examined.
Summary
In summary, we covered the CIA model, NIST, and ISO standards, which help build an organization’s cybersecurity framework. As mentioned, organizations can use these models and standards as recommendations to help develop a secure and solid framework. Organizations have to review these practices routinely in order to keep their policies current with the industry. Luckily, these recommendations do not change too often, but we know cyberattacks are constantly evolving; consequently, organizations can use these as baselines and augment them with current prevention techniques.

References
International Organization for Standardization. (n.d.). ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (2nd ed.). http://www.iso27001security.com/html/27002.html#Section5
National Institute of Standards and Technology. (2018). Information security. https://csrc.nist.gov/Glossary/?term=4782
Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Pearson.