FIPS and FedRAMP have a strict focus on governmental and public sector organizations. We talk about the need for consistent standards within the industry and I agree with that. However, for private or smaller organizations, should a new standard emerge to standardize security requirements for the private sector, or do we believe Sarbanes-Oxley, GDPR and COPPA already accomplish that?
Our class readings this week included a lot on ISO compliance certifications. Out of those mentioned (i.e. ISO 27001, 27004, 27007, etc.), which do you think is the most important to modern information security?
How many steps are involved in the RMF process? Describe each step.
What are the 17 security-related areas covered by the minimum security requirements related to protection?
While the goal of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is to provide what the title suggests in terms of managerial, operational, and technical aspects, are the seventeen areas that it defines to be required sufficient? Are there any notable possible oversights to be considered now in 2022 compared to those defined when it was suggested in 2006?
What is the purpose of FIPS 200? What are the minimum security requirements?
NIST 800-60 V1R1 mentions the RMF process. Which is the most critical step in the RMF process, and why?
How would you go about creating an information risk profile for a small start-up business? How should the business use the risk profile?
The likely question that I would discuss with my classmates is how might we mitigate the risk of phishing attacks?
Hi Kofi,
This is a great question to discuss with the class. I found this article stating phishing is involved in 36% of breaches and 85% of the breaches involved a human element (https://www.phishingbox.com/resources/phishing-facts).
However, organizations can educate their employees on what a potential phishing attack may look like. For example, emails should be sent out every month, if not quarterly, to see if an employee can point out a phishing attack.
An employee should look for poor grammar/spelling, emails sent from a free account, use of emotional cues, and URLs that are not real. Another way to mitigate the risk of a phishing attack is MFA. It is an extra layer of protection for an account.
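The four indicators in the reply above (poor spelling, a free-mail sender, emotional or urgency cues, and links that do not point at the claimed organization) can be turned into a simple rule-based scorer that a security team might run over reported messages before a human looks at them. The code below is an added example written for this discussion, not part of any post; the indicator word lists, the `bank.example` organization and the two sample emails are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed list of free webmail providers (not exhaustive).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed list of urgency / emotional cues commonly seen in lures.
EMOTIONAL_CUES = [
    "urgent", "immediately", "account will be suspended",
    "act now", "final notice", "verify your account",
]

# Constructed list of misspellings; a real deployment would use a dictionary.
MISSPELLINGS = {"recieve", "acount", "verfiy", "securty", "imediately"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Email:
    sender: str              # From: address as received
    subject: str
    body: str
    claimed_org_domain: str  # domain of the brand the mail claims to be from


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def score_email(mail: Email):
    """Return (score, reasons): one point per indicator that fires."""
    reasons = []
    text = f"{mail.subject} {mail.body}".lower()

    # Indicator 1: message sent from a free webmail account.
    if sender_domain(mail.sender) in FREE_MAIL_DOMAINS:
        reasons.append("free-mail sender")

    # Indicator 2: poor spelling.
    words = re.findall(r"[a-z]+", text)
    bad = sorted({w for w in words if w in MISSPELLINGS})
    if bad:
        reasons.append("misspellings: " + ", ".join(bad))

    # Indicator 3: emotional / urgency cues.
    cues = [c for c in EMOTIONAL_CUES if c in text]
    if cues:
        reasons.append("emotional cues: " + ", ".join(cues))

    # Indicator 4: link hosts that are not the claimed organization's domain
    # (or a subdomain of it).
    for host in URL_RE.findall(mail.body):
        host = host.lower()
        org = mail.claimed_org_domain.lower()
        if host != org and not host.endswith("." + org):
            reasons.append(f"link host {host} does not match {org}")

    return len(reasons), reasons


def classify(mail: Email, threshold: int = 2) -> str:
    """Label a message 'suspicious' when at least `threshold` indicators fire."""
    score, _ = score_email(mail)
    return "suspicious" if score >= threshold else "ok"


# Constructed sample messages for a fictional bank at bank.example.
PHISH = Email(
    sender="it-support@gmail.com",
    subject="URGENT: verfiy your acount",
    body=("Your account will be suspended unless you verfiy your acount at "
          "http://bank-example.evil.test/login immediately."),
    claimed_org_domain="bank.example",
)
LEGIT = Email(
    sender="notices@bank.example",
    subject="Your monthly statement is ready",
    body=("Your statement is available at https://online.bank.example/statements. "
          "No action is required."),
    claimed_org_domain="bank.example",
)


def run_samples() -> dict:
    """Score both samples; returns {name: (label, reasons)}."""
    return {name: (classify(m), score_email(m)[1])
            for name, m in (("phish", PHISH), ("legit", LEGIT))}


if __name__ == "__main__":
    for name, (label, reasons) in run_samples().items():
        print(f"{name}: {label}")
        for r in reasons:
            print("   -", r)
```

The threshold of two indicators is deliberate: any single heuristic (a colleague writing from a personal account, one typo) produces false positives on its own, so the scorer only flags messages where several of the signals the reply lists line up. MFA, the other mitigation mentioned, is complementary: it limits the damage when a lure like the first sample does succeed.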
Given the number of security controls listed in FIPS 200 and how many organizations have more controls than the bare minimum, how many people and how much time does it take to conduct a good audit on a large organization or government agency?
What are the security functional requirements in an information security system? Explain FIPS 200.
FIPS 200 is the same as NIST SP 800-53 r5, which encompasses 20 control families and 272 controls in total and is the guideline for security controls implementation in the United States. What would be the most appropriate/standard security guideline for auditing businesses that choose to operate outside the United States?
What is the most important step out of the 6 recommended by the Risk Management Framework in NIST SP 800-37?