Security, Strategy, Policy, and Compliance


The Georgia Technology Authority gives working definitions that distinguish the policies, standards, guidelines, and procedures used in information security. Policies are broad statements of direction, concepts, methods, procedures, or processes for managing technology and its resources. Standards are the specifications, techniques, approaches, solutions, products, directions, or processes that are prescribed or followed inside an organization (Johnson & Merkow, 2011). Guidelines, like policies or standards, establish suitable directives, concepts, methods, directions, or specifications, but they are not mandatory; guidelines are recommended courses of action. Together, information security policies, standards, and procedures manage and govern an organization's information security program: they delineate the institution's control environment through a guided structure and describe the activities that are prohibited, expected, and required. Policies, standards, and procedures guide the activities and decisions of developers, managers, administrators, and users and inform them of their information security duties. They also specify the means by which those responsibilities can be met (McMillan, 2017), and they give direction on how to acquire, design, configure, implement, operate, maintain, and audit information systems.

To maintain active oversight of external compliance, the organization builds a review of its policies, standards, and guidelines (PSGs) into the process of ensuring that it complies with applicable laws, regulations, and contextual requirements (McMillan, 2017). The process involves identifying compliance requirements, optimizing and evaluating the response, obtaining compliance assurance, and ultimately integrating IT compliance reporting with the rest of the business.

Question 2

In many organizations, small businesses included, there are several reasons why information security policies are often ineffective. Policies are doomed when they lack support from the company's strategic information security goals, when they do not receive solid management backing, or when security policy administration is inconsistent and unfair (Johnson & Merkow, 2011). The most challenging of these factors is inconsistency in the administration of security policies. Accountability and training of the Management Information System staff are the fundamental keys to fairness and consistency in administering organizational security policies; without these two components, information security policies are destined to fail.

There are, however, some best practices for establishing an effective policy development process. They include having decision makers identify critical systems and sensitive information, and incorporating relevant federal, state, and local laws and other applicable ethical standards. Defining organizational security goals and objectives is another best practice that decision makers can implement (Johnson & Merkow, 2011). To ensure that security policies are developed efficiently, a course for realizing those goals and objectives must also be set.

Question 3

The CIO's office strives to help all business units provide a secure environment for workers. The incident response and risk assessment teams exist so that workers can trust the integrity, accuracy, and confidentiality of the information they work with. Collaborative working is critical to our success and effectiveness. The five risk assessment highlights are:

Identify prospective vulnerabilities and risks.

Review the possible harm from a realized threat.

Determine the controls and policies needed to respond to the potential threats.

Document all assets associated with the RA project.

Study the threats and vulnerabilities that are external to the firm.

The five incident response key points are:

Incident triage

Investigation of incident

Mitigation

Recovery

Incident Review

It may appear that there are conflicts between the responsibilities of the incident response and risk assessment teams, but in reality their roles are different. The one objective we share as a group of specialists is to ensure the integrity, availability, and confidentiality of the firm's data. Both teams therefore need to work toward this common objective, keeping the company's interest at the forefront of everything they do.

The CERT program has watched organizations advance from conducting incident response in a purely reactive, ad hoc manner to executing a more comprehensive and formal approach (McMillan, 2017). Implementing such a systematic, strategic plan for handling computer security incidents and events, from their detection through to their resolution, is known as an incident management capability. Having this capability means having a comprehensive management approach for directing the detection, monitoring, response, and recovery from security incidents and events so that the business continues to meet its operational targets. Achieving this requires that the capability be deliberately designed and managed.

The CERT program also provides a framework for identifying, managing, and tracking software threats (McMillan, 2017). Best practices for software threat management are available, together with content that explains how software risks are understood in a corporate context, how technical and business risks are documented and prioritized, and how risk mitigation strategies are defined.

Question 4

Quantitative risk analysis focuses more on executing established safety measures to protect against identified risks. Through the quantitative approach, organizations can produce an exact analytical interpretation representing a risk resolution action that suits different project needs (Muriana & Vizzini, 2017). This makes the quantitative approach preferable to many management teams, because the risk assessment can give an empirical representation in various forms, such as probability charts and percentages, using metric tools (Savicky et al., 2017). The goal of qualitative risk analysis, on the other hand, is mainly to obtain protection against identified risks and to raise the alertness of team members, personnel, and management in areas of high vulnerability. This method identifies impediments to project management that have the potential to become risk factors.

The qualitative risk analysis method mostly involves measuring a situation by 'gut feel' or instinct. The method tries to assign numerical values to risks by enumerating qualitative assessments (Savicky et al., 2017). An example of a situation in which to apply the quantitative RA method is advising on moving a client's servers from a single data center to a newer, more secure data center. The client requires absorbing the cost of the move over the next six-year contract (Muriana & Vizzini, 2017). The costs and risks of moving versus staying are identified and ranked; the customer can then decide whether the cost of staying or moving is worthwhile. The risk concerns the effect of staying versus moving on the business over the six-year contract. A similar situation calling for the qualitative RA approach arises when the present location is in a high-crime area and several businesses have suffered break-ins and vandalism in the past seven months, so that sales have dropped because the area is not safe.

Question 5

Identification: At this stage, the key objective is to identify and define the nature of the incident. Correct identification is essential because, without it, the entire process will be aimless and worthless.

Collection: This stage involves the careful gathering of the necessary digital and physical raw facts. The essential data will be useful for further investigation.

Preservation: Once identification and collection are complete, the digital and physical data must be acquired. Isolation, securing, and conservation of the received data then follow (Brennan, Udris, & Gladyshev, 2014). The purpose is to ensure the essential data remains useful for further investigation. These events take place in a proper sequence, analogous to a chain of events.

Analysis: This stage involves examining and studying the data. The benefit of copying data onto CD-ROMs is to allow easy viewing without the risk of accidental change, thus upholding the integrity of the evidence while it is investigated.

Presentation: This is the course of introducing proof in a legally coherent and acceptable way. When the matter is filed in a court of law, the jury, which may have little or no computer knowledge, must be able to understand what the case is about and how the evidence relates to the original, or else all efforts could be wasted.

Computer forensics is the science of investigating computer-related events such as external system intrusion, breaches of the security policy by staff, or internal fraud (Brennan, Udris, & Gladyshev, 2014). Company management decides which computer forensic approach is most suitable for conducting investigations. Investigators therefore need to be conversant with the legally acceptable practice, because acceptability differs from one jurisdiction to another, and a mismatch may render collected evidence inadmissible in the courts of that jurisdiction.
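The preservation and analysis stages above depend on proving that the copy an examiner works on is still identical to what was collected. The following is an added illustration, not code from the essay or any cited source: a minimal chain-of-custody log that hashes the evidence at acquisition and at every later handling step, so that a copy that diverges from the original is flagged. The case id, examiner names and evidence bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample evidence standing in for a seized file or disk image.
ORIGINAL_EVIDENCE = b"user=alice\nlast_login=2023-05-01T09:12:00Z\nnote=unusual transfer\n"


def sha256_hex(data: bytes) -> str:
    """Digest recorded at every handling step so later copies can be compared."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    stage: str        # collection, preservation, analysis, or presentation
    handler: str      # hypothetical examiner id
    digest: str
    timestamp: str


@dataclass
class CustodyLog:
    case_id: str
    acquisition_digest: str               # hash taken when the evidence was collected
    entries: list = field(default_factory=list)

    def record(self, stage: str, handler: str, data: bytes) -> CustodyEntry:
        """Append an entry hashing the bytes the handler actually worked with."""
        entry = CustodyEntry(stage, handler, sha256_hex(data),
                             datetime.now(timezone.utc).isoformat())
        self.entries.append(entry)
        return entry


def acquire(case_id: str, handler: str, data: bytes) -> CustodyLog:
    """Collection stage: hash the original once and open the custody log."""
    log = CustodyLog(case_id, sha256_hex(data))
    log.record("collection", handler, data)
    return log


def working_copy(data: bytes) -> bytes:
    """Preservation stage: analysts work on a copy, never the original (bytes is immutable)."""
    return bytes(data)


def verify_copy(log: CustodyLog, data: bytes) -> bool:
    """True if a copy still matches the acquisition digest."""
    return sha256_hex(data) == log.acquisition_digest


def verify_integrity(log: CustodyLog) -> list:
    """Return the stages whose recorded digest diverged from the acquisition digest."""
    return [e.stage for e in log.entries if e.digest != log.acquisition_digest]
```

A real acquisition would hash the source media with a write blocker in place; the log structure is the same.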

Question 6

P2eXplorer is a forensic tool for mounting images. Its principal aim is to assist investigators in assessing a case (Widup, 2014). With this tool, one can mount forensic images as read-only local and physical disks and then explore the image contents with the file explorer (Brennan, Udris, & Gladyshev, 2014). Viewing unallocated space and deleted data in the image is easy. P2eXplorer can mount many images at once, and it supports most image formats, such as VMware, EnCase, WinImage, Linux DD, and SafeBack, among others. It also supports both logical and physical image types.

Considerations that organizations and investigators need to make when purchasing forensic tools include determining which types of operating systems will be examined, the minimum requirements for a forensic software tool, the kind of disk-editing tool needed for overall data examination, and the budget for purchasing more than one tool.

Question 7

Every organization is at some point the victim of incidents concerning its systems or network. Management will select six members to form the team that handles the incident. The six incident response team members would include the team leader, one expert, three IT members, and the incident leader. The team leader will be accountable for all of the team's activities. The incident leader will be responsible for particular incidents, and the team will direct all communication to him. The team members have proficiency in specific areas of IT, and they will report to the incident and team leaders. The expert will receive support from various departments.

First, the Incident Response Team (IRT) must decide what responsibility it will hold during an incident: whether it will play a support role, give the on-site response, or play a coordinating role. In the on-site role, the team has full control of the threat (Muriana & Vizzini, 2017). In the support role, the team is a resource for the local team. In the coordinating role, the members assist the various incident response parties. A typical charter will comprise a mission statement, an executive summary, an incident declaration, roles and responsibilities, organizational structure, information flow, methods, reporting, and authority. One challenge the IRT could meet is not being able to report to the scene appropriately. Another problem can occur when the IRT does not define specific objectives for the incident.

Question 8

Technical subject matter experts (SMEs) are in a position to stop an attack in progress. They comprise network and system administrators and developers. The information security representative possesses the legal skills for gathering evidence for analysis and provides risk management guidance to workers (Johnson & Merkow, 2011). The HR representative provides information on handling employees, particularly when they are direct victims of the attack. Finally, the legal representative handles the legal aspects of the incident and part of regulatory compliance, and is in a position to assist with legal issues.

“The management plays a role in approving the response charter, staffing, policy, and budget” (Johnson & Merkow, 2011, p. 303). Management is responsible for determining who is to be involved in the incident, such as external agencies, and whether law enforcement is needed, and is accountable for the outcome of the entire incident response process. In many corporations, management does not have the capability to make IT decisions; normally the senior engineers, who possess sound knowledge and proficiency in the security and network segment, make the decisions on major issues. Management has the responsibility of empowering the IRT with sufficient authority to take quick, decisive action at the critical moment.

Question 9

The challenges organizations face in developing IT security policy include accountability, in which management has a pivotal role yet treats security as an IT function. It is vital for managers to back the security policies and express a positive attitude toward them to all members of the organization. Another challenge is lack of budget: the required resources or finance may not be available, so management support for resources and investment funding is needed (Johnson & Merkow, 2011). Lack of priority is another: every department has its own priorities, and implementation of the security policy should not interfere with other corporate functions. Tight schedules driven by regulatory compliance and time constraints can also interfere with training workers adequately and in a timely way. The most challenging issue, however, is accountability: whenever management is not at the forefront, showing a positive attitude toward complying with the security policies, employees will fail to acknowledge the importance of responsibility when using the organization's computer systems.

Question 10

Awareness of and training in security policies is very significant. Workers must be conversant with the compulsory procedures and processes and their importance. There should be regular meetings, presentations of real-life situations, and awareness of the consequences of failing to adhere to security policies, and the organization should ensure that employees read, understand, and sign an Acceptable Use Policy (Hall, 2011). Posting these policies on the organization's intranet makes them accessible, easy to update, and searchable for a particular item, so the agency need not incur high costs.

Lack of management backing or support is one hindrance. The best solution to it is to emphasize that security awareness training will lead to a high return on investment (ROI) and save the company a great deal of money in future. Another hindrance is when workers cannot get something they can learn from or remember; this goes hand in hand with creativity, since a dull awareness program will not yield the best results. Money is another deterrent to effective security awareness plans (Hall, 2011). The business must have the will to invest in the awareness program if good results are to be realized, so the best solution is to bring management on board early and make sound budget requisitions with comprehensive justifications. Finally, employees failing to take the program seriously is also a hindrance. To address it, employees must be held answerable for compliance and participation.

Question 11

Monitoring how employees use computer systems at work upholds a more active workforce, reveals failures to adhere to security policies, preserves sensitive security data, maintains the company's reputation, and averts liability for stolen intellectual property, music, or software (Hall, 2011). Employees can be monitored using automated and manual controls on the computer, the Internet, and email. The rationale is to prevent workers from wasting the organization's money and time by surfing the Internet. Just as businesses do not like people spending excessive time with family or friends while at work, employees need to be at work to make monetary gains for the company, not to socialize and waste time. Social media monitoring is also significant in keeping the company's reputation in good standing. The Acceptable Use Policy will specify how email is to be used. It is up to supervisors and frontline managers to train their workers appropriately on security systems.

I believe that every business has the right to monitor the actions and traffic of its users. As explained above, employees are at their place of work mainly to work. It is not proper for an employee to visit pornographic sites or inappropriately buy a movie on the firm's computers; it could wreak havoc on that employee's reputation. Enforcement is feasible through proper use of information technology rewards, peer pressure, and reprimanding or terminating employees who fail to comply with the regulations. Alternatively, blocking social media sites can also be helpful. The company's policies can help by enforcing clarity and transparency. Automated controls such as event logging, verification techniques, data encryption, network segmentation, and data segmentation can also be helpful.

Question 12

Organizations must implement three control measures to remain compliant: developing a security policy, creating baselines, and using electronic checks and tools together with change management. Imaging systems generate snapshots and thereby provide system benchmarks, which raises the level of security and minimizes total cost of ownership. Configuring systems consistently makes troubleshooting easier when something goes wrong and saves money and time (McMillan, 2017). Automated tools can be programmed to run nightly scans that check configurations and verify compliance. The book describes Group Policy, through which a company that establishes a baseline closes security gaps and hardens computer security settings.

According to the case studies, unplanned and unauthorized changes can wreak havoc on a system. Management should be aware of changes, which are kept in a database that an application reviews and tracks (McMillan, 2017). The particulars would comprise the actual change, the submitter, the system, and the justification. Version control applies when a policy changes and lets the reader know the details and date of the change along with the person who made it. Change management allows specialists to assess changes before they are implemented.
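The two paragraphs above describe one loop: a baseline, a nightly scan that checks hosts against it, and a change database that explains approved deviations. The following is an added example, not code from the essay or from McMillan's book: it compares constructed scan output against a constructed baseline and classifies each deviation as authorized (matched by an approved change record carrying submitter, system and justification) or as unexplained drift. All host names, settings and change records are made-up sample data.

```python
from dataclasses import dataclass

# Constructed baseline: the approved settings captured from the organization's golden image.
BASELINE = {
    "password_min_length": 12,
    "ssh_root_login": "no",
    "audit_logging": "enabled",
    "host_firewall": "enabled",
    "screen_lock_minutes": 10,
}

# Constructed output of a nightly configuration scan of two hosts.
SCAN_RESULTS = {
    "web-01": {
        "password_min_length": 12, "ssh_root_login": "no", "audit_logging": "enabled",
        "host_firewall": "enabled", "screen_lock_minutes": 10,
    },
    "db-02": {
        "password_min_length": 12, "ssh_root_login": "yes",    # deviation, no approved change
        "host_firewall": "enabled", "screen_lock_minutes": 30,  # deviation with a change record
        # audit_logging is missing entirely
    },
}

# Constructed change-management database: each record holds the change itself, the submitter,
# the system, the justification, and whether the change was approved before implementation.
CHANGE_DB = [
    {"system": "db-02", "setting": "screen_lock_minutes", "new_value": 30,
     "submitter": "jdoe", "justification": "monitoring console (hypothetical CR-1042)", "approved": True},
    {"system": "db-02", "setting": "ssh_root_login", "new_value": "yes",
     "submitter": "msmith", "justification": "vendor request", "approved": False},
]

@dataclass
class Finding:
    host: str
    setting: str
    expected: object
    actual: object
    status: str   # "authorized" (backed by an approved change) or "drift"

def approved_change(host: str, setting: str, value) -> bool:
    """A deviation is authorized only if an approved record matches host, setting and value."""
    return any(r["system"] == host and r["setting"] == setting
               and r["new_value"] == value and r["approved"] for r in CHANGE_DB)

def check_host(host: str, config: dict) -> list:
    """Compare one host's scanned settings to the baseline; a missing setting counts as drift."""
    findings = []
    for setting, expected in BASELINE.items():
        actual = config.get(setting)
        if actual == expected:
            continue
        status = "authorized" if approved_change(host, setting, actual) else "drift"
        findings.append(Finding(host, setting, expected, actual, status))
    return findings

def compliance_report(scan: dict) -> dict:
    return {host: check_host(host, cfg) for host, cfg in scan.items()}

def is_compliant(report: dict) -> bool:
    """Compliant only when every deviation on every host is covered by an approved change."""
    return all(f.status == "authorized" for findings in report.values() for f in findings)
```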

References

Brennan, F., Udris, M., & Gladyshev, P. (2014). An Automated Link Analysis Solution Applied to Digital Forensic Investigations.

Hall, J. H. (2011). Examining Impacts of Organizational Capabilities in Information Security: A Structural Equation Modeling Analysis.

Johnson, R., & Merkow, M. (2011). Security Policies and Implementation Issues. Sudbury, MA: Jones & Bartlett.

McMillan, T. (2017). CompTIA Cybersecurity Analyst (CSA+) Cert Guide.

Widup, S. (2014). Computer Forensics and Digital Investigation with EnCase Forensic v7. New York: McGraw-Hill Education.

Muriana, C., & Vizzini, G. (2017). Project risk management: A deterministic quantitative technique for assessment and mitigation. International Journal of Project Management, 35(3), 320-340.

Savicky, J., Lines, B. C., Perrenoud, A., & Sullivan, K. T. (2017). Using Best-Value Procurement to Measure the Impact of Initial Risk-Management Capability on Qualitative Construction Performance. Journal of Management in Engineering, 33(5).

May 02, 2023