Kelly Sharadin says
FIPS and FedRAMP have a strict focus on governmental and public sector organizations. We talk about the need for consistent standards within the industry, and I agree with that. However, for private or smaller organizations, should a new standard emerge to standardize security requirements for the private sector, or do we believe Sarbanes-Oxley, GDPR and COPPA already accomplish that?
Lauren Deinhardt says
Our class readings this week included a lot on ISO compliance certifications. Out of those mentioned (i.e., ISO 27001, 27004, 27007, etc.), which do you think is the most important to modern information security?
Kyuande Johnson says
How many steps are involved in the RMF process? Describe each step.
zijian ou says
What are the 17 security-related areas covered by the minimum security requirements related to protection?
Antonio Cozza says
While the goal of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is to provide what the title suggests in terms of managerial, operational, and technical aspects, are the seventeen areas that it defines as required sufficient? Are there any notable possible oversights to be considered now in 2022 compared to those defined when it was issued in 2006?
Victoria Zak says
What is the purpose of FIPS 200? What are the minimum security requirements?
Dan Xu says
NIST SP 800-60 V1R1 mentions the RMF process. Which is the most critical step in the RMF process, and why?
Madalyn Stiverson says
How would you go about creating an information risk profile for a small start-up business? How should the business use the risk profile?
kofi bonsu says
The likely question that I would discuss with my classmates is how might we mitigate the risk of phishing attacks?
Victoria Zak says
Hi Kofi,
This is a great question to discuss with the class. I found this article stating that phishing is involved in 36% of breaches and that 85% of breaches involved a human element (https://www.phishingbox.com/resources/phishing-facts).
However, organizations can educate their employees on what a potential phishing attack may look like. For example, emails should be sent out every month, if not quarterly, to see if an employee can point out a phishing attack.
An employee should look for poor grammar/spelling, messages sent from a free account, use of emotional cues, and URLs that are not real. Another way to mitigate the risk of a phishing attack is MFA. It is an extra layer of protection for an account.
Michael Jordan says
Given the number of security controls listed in FIPS 200, and how many organizations have more controls than the bare minimum, how many people and how much time does it take to conduct a good audit of a large organization or government agency?
Bernard Antwi says
What are the security functional requirements in an information security system? Explain FIPS 200.
Olayinka Lucas says
FIPS 200 is the same as NIST SP 800-53 r5, which encompasses 20 control families and 272 controls in total and is the guideline for security control implementation in the United States. What would be the most appropriate/standard security guideline for auditing businesses that choose to operate outside the United States?
Olayinka Lucas says
What is the most important step out of the 6 recommended by the Risk Management Framework in NIST SP 800-37?