
Info Sec & Risk Management

Open Posted By: highheaven1 Date: 09/09/2020 Graduate Proofreading & Editing


Your lesson discussed several compliance laws, standards, and best practices (see the Lesson 2 activities, under the Rationale tab). The Department of Health and Human Services (the agency responsible for managing HIPAA compliance among healthcare providers) lists recent breaches at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf - think of it as their "Wall of Shame." Find an article online that discusses a breach or violation of a regulation, such as HIPAA, or of a standard such as PCI-DSS, GLBA, or FERPA. You can also look at Federal Agencies and discuss those that have not had sufficient controls in place (think of the breach that the Office of Personnel Management had). Summarize the article in your own words and address the controls that the organization should have had in place, but didn't, that facilitated the breach. What were the ramifications to the organization and the individuals involved?

Do NOT post the article or include word document of your write-up - post only your summary discussion directly and a link to the article. Please follow proper APA style with a minimum of two references.




Category: Arts & Education Subjects: Education Deadline: 12 Hours Budget: $120 - $180 Pages: 2-3 Pages (Short Assignment)

Attachment 1

Managing Risk in Information Systems

Lesson 3

Maintaining Compliance

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective and Key Concepts

Learning Objective

Identify compliance laws, standards, best practices, and policies of risk management.

Key Concepts

Compliance laws and regulations

U.S. risk management initiatives

Standards and guidelines used for compliance


U.S. Compliance Laws

Federal Information Security Management Act (FISMA)

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley Act (SOX)

Family Educational Rights and Privacy Act (FERPA)

Children’s Internet Protection Act (CIPA)


Federal Information Security Management Act (FISMA)

A U.S. federal law enacted in 2002 that requires each federal agency to develop an agency-wide program to provide information security.

Health Insurance Portability and Accountability Act (HIPAA)

Provides patients with access to their medical records and provides more control over how their personal health information is used and disclosed.

Gramm-Leach-Bliley Act (GLBA)

Also known as the Financial Services Modernization Act of 1999, opening up the market among banking companies, securities companies, and insurance companies.

Repealed part of the Glass-Steagall Act of 1933, which prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company.

Sarbanes-Oxley Act (SOX)

Sarbanes–Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Each title consists of several sections.

Family Educational Rights and Privacy Act (FERPA)

Regulations protect the privacy of student records. FERPA applies to all schools that receive any funding from the U.S. Department of Education.

Children’s Internet Protection Act (CIPA)

CIPA is one of many bills that the United States Congress proposed to limit children's exposure to pornography and explicit content online.


Law     Applicability
FISMA   Federal agencies
HIPAA   Any organization handling medical data
GLBA    Banks, brokerage companies, and insurance companies
FERPA   Educational institutions
CIPA    Schools and libraries using E-Rate discounts

U.S. Compliance Laws and their Applicability


FISMA

Federal agencies

The act recognizes the importance of information security to the economic and national security interests of the United States.

HIPAA

Medical organizations

Provides privacy standards to protect patients' medical records and other health information.

GLBA

Banks, brokerage companies, and insurance companies

Companies must securely store personal financial information.

Companies must advise consumers of their policies on sharing of personal financial information.

Companies must give consumers the option to opt-out of some sharing of personal financial information.

FERPA

Educational institutions

The right to access educational records kept by the school.

The right to demand educational records be disclosed only with student consent.

The right to amend educational records.

The right to file complaints against the school for disclosing educational records in violation of FERPA.

CIPA

Schools and libraries using E-Rate discounts

To operate "a technology protection measure with respect to any of its computers with Internet access that protects against access through such computers to visual depictions that are obscene, child pornography, or harmful to minors...".

This technology protection measure must be employed during any use of computers by minors.

The law also provides that the school or library "may disable the technology protection measure concerned, during use by an adult".

Schools and libraries that do not receive E-Rate discounts do not have any obligation to filter under CIPA.


HIPAA Compliance Process

HIPAA covers any organization that handles health data

Medical facilities

Insurance companies

Any company with a health plan if employees handle health data


U.S. Compliance Regulatory Agencies

Securities and Exchange Commission (SEC)

Federal Trade Commission (FTC)


Securities and Exchange Commission (SEC)

Oversees the exchange of securities to protect investors.

Holds primary responsibility for enforcing the federal securities laws and regulating the securities industry, the nation's stocks and options exchanges, and other electronic securities markets in the United States.

Federal Trade Commission (FTC)

Created in 1914, its purpose was to prevent unfair methods of competition in commerce.

Deals with issues that touch the economic life of every American.


U.S. Compliance Regulatory Agencies

Federal Deposit Insurance Corporation (FDIC)

Department of Homeland Security (DHS)

State Attorney General (AG)

U.S. Attorney General (U.S. AG)


State Regulations

Each state has its own regulations and regulatory agencies.

Attorney General - the main legal advisor at the state level in most common law jurisdictions.


Organizational Policies for Compliance: Fiduciary Responsibility

Fiduciary

Refers to a relationship of trust

Could be a person who is trusted to hold someone else’s assets

Trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest


Organizational Policies for Compliance: Fiduciary Responsibility (Cont.)

Examples of trust relationships:

An attorney and a client

A CEO and a board of directors

Shareholders and a board of directors

Fiduciary is expected to take extra steps:

Due diligence

Due care


PCI

DSS

NIST

GAISP

COBIT

ISO

IEC

ITIL

CMMI

RMF DoD

Standards and Guidelines


PCI DSS

Payment Card Industry Data Security Standard

A worldwide information security standard defined by the Payment Card Industry Security Standards Council.

NIST

National Institute of Standards and Technology

A measurement standards laboratory which is a non-regulatory agency of the United States Department of Commerce.

GAISP

Generally Accepted Information Security Principles

Industry-wide guidelines for information security.

COBIT

Control Objectives for Information and Related Technology

A set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute.

ISO

International Organization for Standardization

ISO is the world's largest developer and publisher of International Standards, including those in the IT industry.

IEC

International Electrotechnical Commission

The IEC is the world's leading organization that prepares and publishes international standards for all electrical, electronic, and related technologies.

ITIL

Information Technology Infrastructure Library

A set of concepts and practices for IT services management, IT development, and IT operations.

CMMI

Capability Maturity Model Integration

A process improvement approach to management that helps organizations improve their performance.

RMF for DoD IT (as of March 2014)

Risk Management Framework (RMF) for Department of Defense Information Technology (IT), formerly the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP)

Defines DoD-wide formal and standard sets of activities, general tasks, and a management process for lifecycle cybersecurity risk to DoD IT.


PCI DSS Compliance

Created by Payment Card Industry Security Standards Council

American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Modernized by the Security Standards Council

Effort to obstruct and prevent further theft of personal information


PCI DSS Standards

Use of personal identification numbers (PIN)

Installation of software used to store, process, and/or transmit cardholder data

PCI DSS standards serve as PCI DSS goals

Merchants who store, process, and/or transmit cardholder data must comply

Merchants should establish processes that work toward PCI DSS goals


Goal: Build and maintain a secure network that is PCI compliant
Process steps:
  Install a firewall system
  Perform testing when configurations change
  Identify all connections to cardholder information
  Review configuration rules every six months
  Change all default passwords

Goals and Process Steps to PCI DSS


Goal: Protect cardholder data
Process steps:
  Display at most the first six and last four digits of the primary account number
  Encrypt all online information

Goal: Maintain a vulnerability management program
Process steps:
  Install anti-virus software
  Install vendor-provided security patches

Goals and Process Steps to PCI DSS
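The "first six and last four" display rule above is the one step on this slide that can be shown directly in code. The following is an added example written for this page, not code from the slides or from Jones and Bartlett Learning; the function names (normalize_pan, mask_pan, is_plausible_pan) are the author's own choices, and the sample card numbers are the widely published test values, not real accounts. It treats the slide's six-and-four figures as an upper bound: a caller may request fewer visible digits, never more.

```python
"""Mask a primary account number (PAN) for display.

Added example illustrating the PCI DSS display rule quoted on the slide:
show at most the first six and last four digits of the PAN. Everything
between them is replaced with a fill character. Function names and the
structure are assumptions made for this example.
"""
import re

MAX_LEADING = 6   # maximum leading digits that may be shown (slide rule)
MAX_TRAILING = 4  # maximum trailing digits that may be shown (slide rule)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes, then require 13-19 digits that pass Luhn.

    Rejecting malformed input here keeps the masking function from
    silently producing output for values that are not PANs at all.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits


def is_plausible_pan(raw: str) -> bool:
    """Boolean wrapper around normalize_pan for callers that only need a verdict."""
    try:
        normalize_pan(raw)
        return True
    except ValueError:
        return False


def mask_pan(raw: str, leading: int = MAX_LEADING,
             trailing: int = MAX_TRAILING, fill: str = "X") -> str:
    """Return the PAN with only `leading` first and `trailing` last digits visible.

    A caller may ask for fewer visible digits (least privilege for roles
    that do not need the BIN), but never more than the slide's maximum.
    """
    if leading < 0 or trailing < 0:
        raise ValueError("digit counts must be non-negative")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("requested display exceeds first-six/last-four maximum")
    pan = normalize_pan(raw)
    hidden = len(pan) - leading - trailing
    return pan[:leading] + fill * hidden + pan[len(pan) - trailing:]


if __name__ == "__main__":
    # Constructed inputs: standard published test numbers, not real cards.
    for sample in ("4111 1111 1111 1111", "378282246310005"):
        print(sample, "->", mask_pan(sample))
    # A role that only needs to confirm the last four digits sees less.
    print(mask_pan("4111111111111111", leading=0, trailing=4))
```

The upper-bound check matters because the slide states a maximum, not a fixed format: a customer-service screen that shows the last four digits only is compliant, while one that shows seven leading digits is not, and the function refuses the latter rather than trusting the caller.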


Goal: Implement strong access control measures
Process steps:
  Limit the accessibility of cardholder information
  Assign an unreadable password
  Monitor the physical access to cardholder data
  Maintain a visitor log and save the log for at least three months

Goals and Process Steps to PCI DSS


Goal: Regularly monitor and test networks
Process steps:
  Use a wireless analyzer to check for wireless access points
  Scan internal and external networks
  Install software to recognize any modification by unauthorized personnel

Goals and Process Steps to PCI DSS


Goal: Maintain an information security policy
Process steps:
  Include annual and day-to-day security procedures and policies to recognize security breaches
  Perform background checks on potential employees
  Educate employees on compliance regulations

Goals and Process Steps to PCI DSS


PCI DSS Process

Build and maintain a secure network that is PCI compliant

Protect cardholder data

Maintain a vulnerability management program

Implement strong access control measures

Regularly monitor and test networks

Maintain an information security policy


Seven COBIT Enablers


ITIL Lifecycle

Phases

Service Strategy

Service Design

Service Transition

Service Operation

Continual Service Improvement


CMMI

Primary areas of interest

Product and service development

Service establishment, management, and delivery

Product and service acquisition


Risk Management Framework (RMF) for Department of Defense Information Technology (IT)

Government transitioned from DIACAP to RMF for DoD IT in March 2014

Six steps of RMF:

Step 1: Categorize system

Step 2: Select security controls

Step 3: Implement security controls

Step 4: Assess security controls

Step 5: Authorize system

Step 6: Monitor security controls


Summary

Defining risk

Balancing risk

Seven domains of a typical IT infrastructure

Addressing confidentiality, integrity, and availability

Compliance laws and regulations

U.S. risk management initiatives

Standards and guidelines used for compliance


Attachment 2

Managing Risk in Information Systems

Lesson 2

Risk Management Planning


Learning Objectives

Explain methods of mitigating risk by managing threats, vulnerabilities, and exploits.

Describe the components of an effective organizational risk management program.


Key Concepts

Risk, threats, vulnerabilities, and exploits

Public resources for risk management

Use of threat/vulnerability pairs in managing risk

Fundamental components of a risk management plan

Objectives of a risk management plan

Objectives and scope of a risk management plan

Importance of assigning responsibilities

Significance of planning, scheduling, and documentation


Chapter 2 Slides

Chapter 2: “Managing Risk: Threats, Vulnerabilities, and Exploits”


The Uncontrollable Nature of Threats

Threats can’t be eliminated.

Threats are always present.

You can take action to reduce the potential for a threat to occur.

You can take action to reduce the impact of a threat.

You cannot affect the threat itself.


Unintentional Threats


Environmental

Human

Accidents

Failures

Intentional Threats


Greed

Anger

Desire to Damage

Unintentional Threats
  Environmental: fire, wind, lightning, flooding
  Accidents
  Equipment failures
  Human: keystroke errors, procedural errors, programming bugs

Intentional Threats
  Individuals or organizations: hackers, criminals, disgruntled employees


Common Attackers

Criminals

Advanced persistent threats (APTs)

Vandals

Saboteurs

Disgruntled employees

Activists

Other nations

Hackers


Best Practices for Managing Threats


Create a security policy.

Purchase insurance.

Use access controls.

Use automation.

Best Practices for Managing Threats (Cont.)


Include input validation.

Provide training.

Use antivirus software.

Protect the boundary.

Understanding and Managing Vulnerabilities

Countermeasures reduce risk and loss

Reduce vulnerabilities

Reduce impact of loss


Threat/Vulnerability Pair

Occurs when a threat exploits a vulnerability

A vulnerability provides a path for the threat that results in a harmful event or a loss

Both the threat and the vulnerability must come together to result in a loss


Threat/Vulnerability Pair and Threat Action


Threat

Ex-employee

Vulnerability

Ex-employee who still has access to the system

Threat Action

Accessing proprietary data

Threat/Vulnerability Pair Example 1

Threat Source

Fire or negligent person

Vulnerability

Sprinklers used to suppress fire damage

Protective tarpaulins not in place

Threat Action

Sprinkler system turned on


Threat/Vulnerability Pair Example 2

Threat Source

Unauthorized users (e.g., hackers)

Vulnerability

Identified flaws in system design

New patches not applied

Threat Action

Unauthorized access to files


Vulnerability Mitigation Techniques


Policies and procedures

Documentation

Training

Separation of duties

Vulnerability Mitigation Techniques (Cont.)


Configuration management

Version control

Patch management

Intrusion detection

Vulnerability Mitigation Techniques (Cont.)


Incident response

Continuous monitoring

Technical controls

Physical controls

Best Practices for Managing Vulnerabilities


Identify vulnerabilities.

Match the threat/vulnerability pairs.

Use as many of the mitigation techniques as feasible.

Perform vulnerability assessments.

Understanding and Managing Exploits

An exploit is the act of taking advantage of a vulnerability

Executes a command or program against an IT system to take advantage of a weakness

Results in a compromise to the system, an application, or data


Understanding and Managing Exploits (Cont.)

Attacks executed by code primarily affect public-facing servers:

Web servers

Simple Mail Transfer Protocol (SMTP) e-mail servers

File Transfer Protocol (FTP) servers


Attack public-facing servers

Buffer overflow

SQL injection

DoS attack

DDoS attack

Exploits


Risk Mitigation Techniques for Protecting Public-Facing Servers


Remove or change defaults.

Reduce the attack surface.

Keep systems up to date.

Enable firewalls.

Risk Mitigation Techniques for Protecting Public-Facing Servers


Enable intrusion detection systems (IDSs)

Enable intrusion prevention systems (IPSs)

Install antivirus software

Best Practices for Managing Exploits


Harden servers.

Use configuration management.

Perform risk assessments.

Perform vulnerability assessments.

U.S. Government Risk Management Initiatives

The National Institute of Standards and Technology (NIST)

The Department of Homeland Security

The National Cybersecurity and Communications Integration Center (NCCIC)

U.S. Computer Emergency Readiness Team (US-CERT)

The MITRE Corporation - Common Vulnerabilities and Exposures (CVE) List


Relationships Among Organizations
