Is3350

In: Computers and Technology

Submitted By mnicely10
Words 260
Pages 2
Assignment 1: Security and Compliance Policy Document: Assessment of Risk
Availability, integrity, and confidentiality are the biggest roles IT security plays in protecting data. Availability concerns who has access to the data and how it is transferred. Integrity means the data is not altered while it is stored or while it is transferred from point A to point B. Integrity is very important to any company, government agency, or healthcare organization, and it must be maintained at all times. Confidentiality goes along with integrity: data is shared only on a need-to-know basis. Confidentiality keeps data in line with who you want to see it, and encryption supports this.

Encryption and patches for network data will keep availability, integrity, and confidentiality in our network environment, as will physical security: locked data rooms with badge access for those who need to be in the server rooms. Firewalls help in the network environment with servers, databases, and VPNs by letting you control the traffic coming into and going out of your network. A well-configured firewall is essential to the CIA triad. Users need background checks and training courses so they know how to be more secure in the work environment as well as when working from home. Workstations need antivirus software and USB ports that are configured and secured. Updates, security scans, and records of activity logs will help keep us within our CIA standards. Ports on the network need to be patched and secured. This is just some of the security needed to ensure CIA is kept throughout the seven layers of the…...
