Question

1. Based on previous discussions in class/online about FISMA, HIPAA, and Sarbanes-Oxley (SOX) security controls, answer the following questions:

a. Your IT enterprise is comprised of both host-based and network-based IDSs, application gateway firewalls, and VPN-enabled applications to support its sales department. Identify the security controls that each of these technologies implements and explain how these controls support confidentiality, integrity, and availability.

b. Identify the appropriate security controls that apply to an organization that has medical applications. Specifically, identify 5 security controls and briefly explain (1-2 sentences) how these controls help mitigate the risk of inadvertent disclosure of personal information, modification of data, or the availability of data.

c. You report to the CIO for a large financial institution and he tasked you to develop procedures to implement 5 Access Control mechanisms for the IT systems. Briefly explain (1-2 sentences for each mechanism) how you would implement the control.

Explanation / Answer

Federal Information Processing Standards (FIPS)

Host-based controls are an important aspect of a layered defense-in-depth approach. Host controls protect individual computers on the network from direct attack. Protection methods for hosts can target the physical aspects of hosts (lockdown), software applications or the operating system. Host-centric security controls include:

• Antivirus software

• Hard disk encryption

• Application data and session encryption

• Operating system hardening

• Configuration management

• Periodic audits

• Host-based firewalls (where applicable)

Host-based (personal) firewalls are typically deployed as operating system or application software that filters and blocks incoming and outgoing traffic. Host firewalls are usually configured on a per-application basis, allowing the user or administrator to specify which applications and services gain access to the network. Host-based firewalls are a valuable defense-in-depth tool because they place a defense perimeter in close proximity to the user data. Although host firewalls can be highly effective, they don’t eliminate the need to harden well-known ports and services on each host. One approach to host hardening is to turn off all open services of the operating system and application software until the host is fully secured. Then, network ports and services are progressively unhardened to the point at which the host operates correctly using the most secure possible configuration.

For custom-designed application programs, software engineers should conduct hardening of the codebase, which can greatly reduce vulnerabilities.

So-called “design time” and “compile time” hardening involve such strategies as:

• Removing unused/dead code

• Killing temporary memory objects when the application exits

• Providing validation of all input data

• Detecting and controlling buffer overflows

• Building in explicit error and fault handling

• Eliminating hard-coded passwords and addresses in code

Inventory of Authorized and Unauthorized Hardware.

Inventory of Authorized and Unauthorized Software.

Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

Boundary Defense


b) HIPAA

1. Unique User Identification (Required)

2. Emergency Access Procedure (Required)

3. Automatic Logoff (Addressable)

4. Encryption and Decryption (Addressable)

1) Unique User Identification (Required)

“Assign a unique name and/or number for identifying and tracking user identity.”

2) Emergency Access Procedure (Required)

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

3) Automatic Logoff (Addressable)

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

4) Encryption and Decryption (Addressable)

Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Audit Controls

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Integrity

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
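As an added illustration (not part of the original answer), the following Python sketch shows how four of the HIPAA technical safeguards listed above fit together in one piece of code: unique user identification, automatic logoff after a predetermined inactivity period, audit controls, and integrity protection of the audit trail. The in-memory store, the 15-minute timeout and the HMAC key are hypothetical placeholders.

```python
import hashlib, hmac, time, uuid

# Hypothetical values: in a real system the timeout is policy-driven and the key comes from a key store.
IDLE_TIMEOUT = 15 * 60                       # predetermined inactivity period, seconds
AUDIT_KEY = b"hypothetical-audit-hmac-key"   # placeholder, never hard-code in production

class EphiSessionStore:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so inactivity can be simulated
        self.sessions = {}      # session_id -> {"user_id": ..., "last_active": ...}
        self.audit_log = []     # list of (record, mac); each MAC covers the previous MAC too

    def _mac(self, prev_mac, record):
        return hmac.new(AUDIT_KEY, prev_mac + record.encode(), hashlib.sha256).digest()

    def _audit(self, user_id, event, session_id):
        # Audit control: record who did what, chained to the previous entry's MAC.
        prev = self.audit_log[-1][1] if self.audit_log else b""
        record = f"{self.now():.0f}|{user_id}|{session_id}|{event}"
        self.audit_log.append((record, self._mac(prev, record)))

    def login(self, user_id):
        # Unique user identification: every session belongs to one named user, never a shared account.
        session_id = uuid.uuid4().hex
        self.sessions[session_id] = {"user_id": user_id, "last_active": self.now()}
        self._audit(user_id, "LOGIN", session_id)
        return session_id

    def access_record(self, session_id, patient_id):
        # Automatic logoff: a session idle longer than IDLE_TIMEOUT is terminated before serving.
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        if self.now() - sess["last_active"] > IDLE_TIMEOUT:
            self._audit(sess["user_id"], "AUTO_LOGOFF", session_id)
            del self.sessions[session_id]
            return None
        sess["last_active"] = self.now()
        self._audit(sess["user_id"], f"READ patient={patient_id}", session_id)
        return f"ePHI record {patient_id}"

    def verify_audit_log(self):
        # Integrity: recompute the chain; an altered or deleted entry breaks every later MAC.
        prev = b""
        for record, mac in self.audit_log:
            if not hmac.compare_digest(self._mac(prev, record), mac):
                return False
            prev = mac
        return True
```

The encryption safeguard is left out because it needs a real cipher library; the HMAC chain here protects the audit trail's integrity, not the confidentiality of the ePHI itself.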


Sarbanes Oxley (SOX) security controls

Preventive controls exist to prevent compromise. This statement is true whether the control is administrative, technical, or physical. The ultimate purpose for these controls is to stop security breaches before they happen.

However, a good security design also prepares for failure, recognizing that prevention will not always work. Therefore, detective controls are also part of a comprehensive security program because they enable you to detect a security breach and to determine how the network was breached. With this knowledge, you should be able to better secure the data the next time.

With effective detective controls in place, the incident response can use the detective controls to figure out what went wrong, allowing you to immediately make changes to policies to eliminate a repeat of that same breach. Without detective controls, it is extremely difficult to determine what you need to change.

Deterrent controls are designed to scare away a certain percentage of adversaries to reduce the number of incidents. Cameras in bank lobbies are a good example of a deterrent control. The cameras most likely deter at least some potential bank robbers. The cameras also act as a detective control.
