IT SECURITY Security and Risk Management +++++++++++++++++++++++++++++++++++++++
Question
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Assume that you work for the federal agency the Center for Disease Control. There is no information security policy documented. The employees are allowed to bring laptops and their unfinished work home. Since the department is handling sensitive information about communicable diseases and how they seem to be spreading in an urban center at an alarming rate, the question of confidentiality is important. The personnel have no education regarding information security. Decisions are made when a situation arises, but they are only verbal agreements. This could endanger both the integrity and confidentiality of the client. The information is a huge security concern.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Assignment
Write at least two to three paragraphs on how to work out an information threat strategy for the organization using security management key factors identified in this section. Make sure you state any assumptions you may make regarding the scenario above.
Explanation / Answer
A strong security position is maintained through the application of security controls, data ownership responsibilities, and maintenance of the security infrastructure. This policy articulates requirements that assist management in defining a framework that establishes a secure environment. This framework provides the overarching structure for safeguarding Information Technology (IT) Resources, achieving confidentiality, integrity and availability of the data and IT Resources used to manage the services provided by Commonwealth agencies, authorities, and business partners.
It is the responsibility of Agency Heads to have controls in place and in effect that provide reasonable assurance that security objectives are addressed. The Agency Head has the responsibility to exercise due diligence in the adoption of this framework. Agencies must achieve compliance with the overall information security goals of the Commonwealth including compliance with laws, regulations, policies and standards to which their technology resources and data, including but not limited to personal information, are subject.
Who This Policy Applies To
Other Commonwealth entities are encouraged to adopt security requirements in accordance with the Enterprise Information Security Policy at a minimum or a more stringent agency specific policy in compliance with agency and business related directives, laws, and regulations.
Policy Statement
Agencies are required to implement policies, associated procedures and controls that protect the agency’s information assets, including but not limited to personal information and IT Resources from all threats, whether internal or external, deliberate or accidental. In addition to the three guiding principles of information security (confidentiality, integrity and availability), agencies must review the overall implementation of security controls against all applicable laws, regulations, policies, standards and associated risks.
Risk assessments must include at a minimum:
2.1 Identification of risk factors: Evaluation of risk by considering the potential threats to the information and the IT Resources, including:
2.1.1 Loss of the information or systems due to accident or malicious intent.
2.1.2 Loss of availability such as the system being unavailable for a period of time.
2.1.3 Unknown changes to the information or system so the information is no longer reliable.
2.2 Identification of threat: Evaluation of impact and likelihood of potential threat, including:
2.2.1 Cost if each threat were to actually occur. Costs should be interpreted broadly to include money, resources, time, and loss of reputation among others.
2.2.2 Evaluation of the probability of each threat occurring.
3. Risk Treatment: Agencies are required to monitor and evaluate the specific controls that must be implemented to meet the stated security objectives. This process must identify which security controls will be or are implemented and identify and justify which security controls are not deemed necessary or applicable.
4. Statement of Applicability: The Statement of Applicability is a document that lists the entities’ information security control objectives, controls and adopted policies that are relevant and applicable to the organization's information security management program. Agencies are required to maintain a statement of applicability for all IT Resources and information assets, including but not limited to personal information. Specific agency information security objectives and controls, including document sources and details, are defined within the Statement of Applicability document.
5. Security Policy, Policy Adoption and Documentation Review: Agencies are required to adopt and document a comprehensive information security policy. Agencies may adopt the Enterprise Information Security Policy or a more granular policy (or set of policies) based on an evaluation of their own business drivers.
Agencies are required to review the adopted Information Security Policy annually at a minimum. The purpose of the review is to ensure the continued suitability, adequacy and effectiveness of the policies. Agencies are encouraged to review their Information Security Policy on a more frequent basis, particularly if significant changes occur within their organization that may have an impact on the effectiveness of the policy. Agencies should inform ITD of any policy-related changes that are needed but conflict with current enterprise security policies.
6. Organization of Information Security: Agencies are required to maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by employees and contractors (staff), and third parties by:
7. Asset Management: Agencies are required to achieve and maintain appropriate protection of information assets, including but not limited to personal information and IT Resources by assigning the responsibility to implement controls for achieving:
All entities must formally adopt, and comply with, an acceptable use policy. The Executive Office of Administration and Finance (EOAF) has issued an Acceptable Use Policy (AUP) that entities may use or augment with additional procedures and guidelines for the use of IT Resources within their organizations.
8. Human Resources Security: Agencies are required to ensure that employees, contractors and third party users understand their security responsibilities and have the requisite skills and knowledge to ensure the effective execution of the roles they are assigned to reduce the risk of unauthorized access, use or modification of IT Resources (theft, fraud or misuse of facilities), including:
9. Physical and Environmental Security: Agencies are required to secure against unauthorized physical access, damage and interference to the agency’s premises and information assets including but not limited to personal information and IT Resources by implementing:
10. Communications and Operations Management: Agencies are required to implement procedures for managing system activities associated with access to information and information systems, modes of communication, and information processing by implementing:
11. Access Control: Commonwealth Secretariats and their respective Agencies, authorities and business partners are required to protect applications, information assets, IT Resources and infrastructure against improper or unauthorized access which could result in compromise of confidentiality, integrity and availability of data and IT Resources. Access control rules must take into account the existing Enterprise policies for information dissemination and authorization which map directly to the following ISO 27001/27002 Access Control Domain security objectives:
12. Information Systems Acquisition Development and Maintenance: Agencies must ensure that information security is an integral component to IT Resources from the onset of the project or acquisition through implementing:
13. Information Security Incident Management: Agencies are required to implement management controls that result in a consistent and effective approach for addressing incidents that is aligned with Enterprise Policies and Standards including:
14. Business Continuity Management: Agencies are required to document, implement and annually test plans including the testing of all appropriate security provisions to minimize impact to systems or processes from the effects of major failures of IT Resources or disasters via adoption of:
15. Compliance: Agencies are required to implement the security requirements of this policy in addition to any state or federal law, regulatory, and/or contractual obligations to which their information assets and IT Resources are subject, including but not limited to:
16. Maintenance: Agencies must implement a regular or event driven schedule by which the ISP is reviewed for ongoing effectiveness. The agency’s ISP, including security policies, procedures, and other controls, should be subject to an appropriate level of monitoring and evaluation. Changes to the components of the agency’s ISP should be subject to appropriate review and approval and be adequately documented.
Roles and Responsibilities
The roles and responsibilities associated with implementation and compliance with this policy follow:
Assistant Secretary for Information Technology
Secretariat Chief Information Officer (SCIO) and Agency Head
Secretariat or Agency Information Security Officer (ISO)
Enterprise Security Board (ESB)
Information Technology Division (ITD)