Monday, June 3, 2019

Creating an IT Infrastructure Asset List

Abstract

This document was created following Lab 1, titled Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Resides, in the laboratory manual that accompanies Legal Issues in Information Security. The lab focuses on creating an IT asset/inventory checklist organized within the seven domains of IT infrastructure, identifying assets, applying classifications to each asset, and explaining how a data classification standard is linked to customer privacy data and trade protection controls. In addition to answering the questions presented in the lab, I will also identify one piece of hardware, software, or firmware and provide a technical, operational, and managerial control as defined in SP 800-53 R4.

Keywords: Asset List, Privacy Data, SP 800-53 R4, Data Classification

Creating an IT Asset List and Identifying Where Privacy Data Resides

Organizations that handle customer data are increasingly being attacked by unscrupulous actors. One of the most sought-after and stolen types of data is the organization's private customer data. The theft of this information can be used for a variety of purposes, including identity theft. The protection of this important privacy data is best enforced with a well-planned strategy focused on minimizing the risk of improper disclosure.

An asset is anything that holds value to the organization. Inventory is considered part of an asset. The purpose of identifying assets and inventory is to assess them and provide insight into the threats to each asset. This is accomplished by using risk management. Asset identification is more than creating a list of the hardware and software in the computer; it must include the information, or data, that is processed on those computers (Kadel, 2004). Part of the assignment should be not only what the assets are, but also who in the organization is responsible for the asset.
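As an added example, not from the lab manual or this write-up, here is a small Python model of the asset list just described: each asset is placed in one of the seven domains and records its owner, the data it processes, whether customer privacy data resides on it, and its classification, with checks for the gaps the text warns about (an asset with no responsible owner, and privacy data sitting on an asset that is not classified Critical). The domain names are the standard seven; the owners, the VPN gateway and the "Customer support file share" entry are constructed assumptions, while Linux Server 2 and the e-commerce server follow this write-up.

```python
"""Asset inventory organised by the seven domains of IT infrastructure.
Added example, not the lab manual's table: owners, the VPN gateway and the
'Customer support file share' entry are constructed; Linux Server 2 and the
e-commerce server follow the write-up.
"""
from dataclasses import dataclass

DOMAINS = ("User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "System/Application")
CLASSIFICATIONS = ("Critical", "Major", "Minor")  # the lab's three levels


@dataclass
class Asset:
    name: str
    domain: str
    owner: str                  # who in the organisation is responsible
    classification: str         # Critical, Major or Minor
    data: tuple = ()            # information processed or stored on the asset
    privacy_data: bool = False  # does customer privacy data reside here?

    def __post_init__(self):
        # Reject entries outside the seven domains or the three classifications
        if (self.domain not in DOMAINS
                or self.classification not in CLASSIFICATIONS):
            raise ValueError(f"bad domain/classification for {self.name}")


INVENTORY = [  # constructed sample inventory
    Asset("Linux Server 2 (web server)", "System/Application", "Web Team",
          "Minor", ("public web content",)),
    Asset("E-commerce server", "System/Application", "E-commerce Team",
          "Critical", ("orders", "customer database subset"), privacy_data=True),
    Asset("VPN gateway", "Remote Access", "Network Team", "Major"),
    Asset("Customer support file share", "System/Application", "",
          "Major", ("tickets with customer addresses",), privacy_data=True),
]


def privacy_data_locations(inventory):
    """Names of assets where customer privacy data resides."""
    return [a.name for a in inventory if a.privacy_data]


def unowned_assets(inventory):
    """Assets with nobody recorded as responsible: an inventory gap."""
    return [a.name for a in inventory if not a.owner.strip()]


def classification_violations(inventory):
    """Assets holding privacy data that are not classified Critical."""
    return [a.name for a in inventory
            if a.privacy_data and a.classification != "Critical"]
```

Run against the constructed inventory, the last two checks both flag the file share, which is exactly the kind of entry a review of the asset list should catch before classification is finalised.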
Once an organization has identified all of its assets, it can assign a value and a classification to each asset. It is important to keep asset and inventory documentation updated when assets are added to or removed from the organization.

Asset classification is a process in which each identified asset is given a classification. The organization's security policy should make use of relevant terms for classification. The lab manual offers the following three classifications: Critical, Major, and Minor. One purpose of asset classification is to label an asset so that it receives an appropriate level of protection. This label needs to be defined by upper-level management, but the IT and security staff are then responsible for implementing the required controls. It is important that senior management make this decision. Without data classification, information protection decisions are being made every day at the discretion of security, system, and database administrators (Fowler, 2003).

An organization's web site would be classified as Minor in this scenario because it is required for normal business functions and operations. The e-commerce server, on the other hand, would be considered Critical because of what the asset does and the type of data it holds. In the lab manual, the web server Linux Server 2 is responsible for hosting the web site. Its function is required for normal business functions, but it does not contain any information to warrant it being classified as Major, and it does not represent an intellectual property asset or generate revenue. The e-commerce server, on the other hand, does generate revenue and is considered an intellectual property asset. It also contains a customer database subset, which holds information that needs to be protected.

One reason customer privacy data would be classified as Critical is to meet compliance guidelines.
For example, the Gramm-Leach-Bliley Act (GLBA) is a law that was passed by Congress in 1999. It requires financial institutions to protect nonpublic personal information. One section, known as the Safeguards Rule, required federal bank regulatory agencies to set security standards for the organizations they regulate. If an organization does not follow the law, it can be penalized. The most compelling reason to classify information is to satisfy regulatory mandates. For example, the Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Acts mandate information protection controls for financial and medical organizations, respectively. Although information classification is not specified as a required protection measure, it is implied by special handling requirements for sensitive medical and financial information (Fowler, 2003).

Intellectual property would be considered Critical because it is intellectual property. Intellectual property by its nature should be handled as Critical. Consider the following example: your organization makes the best widgets, and because they are the best, consumers are willing to pay extra for your widgets. This is because they perform better and last longer than all other widgets offered by your competitors. If a competitor had access to your widget design and manufacturing process, your company would lose its competitive advantage over that competitor. Consumers would no longer rate your widgets as the best and would buy the competitor's widgets. Loss of this intellectual property would result in your organization's loss of its competitive advantage and revenue.

One set of security controls for HIPAA compliance is subcategory PR.DS-5, Protections against data leaks are implemented; this can be mapped to the NIST SP 800-53 Rev. 4 controls AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-32, and SI-4 (HHS, 2016). AC-4, as defined by NIST SP 800-53 Rev. 4, is referred to as Information Flow Enforcement. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet and blocking outside traffic that claims to be from within the same organization (NIST, 2003).

A data classification standard helps with asset classification because it sets a framework for uniform assignment of classifications. This in turn gives the organization guidance on which assets are most important and need the highest security controls implemented. This is also beneficial because it gives members of the organization an easy way to determine how to handle such assets.

Under the SI family of NIST SP 800-53 Rev. 4, you could implement SI-16, known as Memory Protection. You could implement data execution prevention and address space layout randomization. You could also implement SI-7, known as Software, Firmware, and Information Integrity. The intent of this control is to protect against unauthorized changes to software or firmware. This should be implemented using an integrity verification tool that reports any inconsistencies or changes that were not approved. In the IA family, you could implement Identifier Management, or IA-4. In this case the organization could use role-based access to the server. If your user account does not have access to the resource, you will not be able to access it.

I would recommend implementing two-factor authentication for all users in the mock infrastructure. This is important because one-factor authentication, such as something you know, is considered a weak form of authentication. A solution in which a device that generates a random token is also used would make the customer data much more secure. I would also implement an encrypted VPN solution for users that connect to the ASA_student switch. A VPN uses a secure tunnel, and all traffic through the tunnel will be encrypted.
Last, I would make modifications to the network layout; the current layout does not allow for protective isolation. For example, the web server should be positioned in a DMZ and separated from the other components of the network.

An organization can use risk analysis to help mitigate risks, threats, and liabilities. A risk assessment is used to document the identity of assets, the threats to them, and how the organization wants to mitigate the risk. The overall purpose of risk analysis is to identify the assets within a company and their value so that you can identify threats against those assets (Clark, 2014). The risk assessment is broken into separate phases. The first phase is the identification of assets; in this phase the organization identifies the assets. The second phase focuses on identification of threats to each asset. It is important to understand that most of the threats come from the fact that weaknesses, or vulnerabilities, exist in the assets of the business (Clark, 2014). The third phase is known as the impact analysis phase. The goal of impact analysis is to identify what the result of the threat occurring would be on the business (Clark, 2014). The fourth phase is known as threat prioritization. In this phase the organization needs to prioritize the threats against each asset. You must prioritize the threats based on their impact and probability of occurring (Clark, 2014). The fifth phase, known as mitigation, is the step that in most cases implements a security control to lower the risk associated with a threat. This is the phase where a control is implemented to reduce the risks, threats, and liabilities. The last and final step is evaluation of residual risk. This is looking at the remaining threats and deciding whether the organization has properly mitigated the risk. It is critical to express this residual risk to management and decide if you are willing to accept that residual risk or need to implement additional solutions (Clark, 2014).

True: both HIPAA and GLBA call for an implementation of IT security policies, standards, procedures, and guidelines. GLBA is comprised of the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. The Safeguards Rule calls for each of the regulatory agencies to establish security standards. The FTC Safeguards Rule requires financial institutions to create a written information security program (Grama, 2015). HIPAA also calls for a similar implementation of security policies. 45 C.F.R. 164.316 calls for covered entities and business associates to "implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in section 164.306(b)(2)."

It is important to identify where privacy data resides so that proper controls can be placed on that privacy data. This is also important so that management and staff know that if any changes are made to the places where privacy data resides, they must leave the protections planned for and implemented in place. This is important for organizations that are required to follow legislation such as GLBA and HIPAA.

I chose the workstations in the user domain, indicated by B in the lab manual. The operational control I chose is AC-9, which informs the user upon successful login of the last date and time of login. This is important because it gives the user information about the last time their credentials were used. If a user was not at work or did not log on at the last logon time shown, they would be aware that their credentials have been used by someone else. The technical control I chose for this piece of hardware is AU-3, which lays out the groundwork for audit records. This is important because unsuccessful and successful logins will be recorded in the audit logs. The managerial control I chose to apply is AC-2, which involves controls on account management. This is important for workstations to control access. It also defines who should have access to different resources and monitors the use of information system accounts.

References

Fowler, S. (2003, February 28). Information Classification: Who, Why and How. Retrieved March 11, 2017, from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846

Kadel, L. A. (2004, March 24). Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. Retrieved March 11, 2017, from https://www.sans.org/reading-room/whitepapers/hsoffice/designing-implementing-effective-information-security-program-protecting-data-assets-of-1398

Grama, J. L. (2015). Legal Issues in Information Security, Second Edition. Jones and Bartlett Learning.

Clark, G. E. (2014). CompTIA Security+ Certification Study Guide (Exam SY0-401). McGraw-Hill Education.

Stewart, J. M. (2014). Network Security, Firewalls and VPNs, Second Edition. Jones and Bartlett Learning.
