Great question! I was thinking about this when reading NIST SP 800-100 and considering how a company would effectively translate the government specific concepts to private business.
Ultimately, I think using frameworks like NIST provide a flexible approach that includes stakeholders in a scalable security process that mitigates risk. Private businesses may not face the same threats or regulatory drivers as government entities; however,using frameworks such as NIST demonstrates they’ve taken reasonable measures to protect their assets. It’s compelling for businesses to show alignment to frameworks like NIST as they are considered to be best practice. This mitigates the impact of incidents and potential litigation that may follow.
Organizations and federal government agencies faces stiff fines and penalties for not complying to the FISMA rules and regulations. More importantly no organization takes cybersecurity for a joke with the infinite rise in series of security threats faced by this vendor for security negligence. The framework implemented by U.S. Department of Defense is a standard for setting data security for all agencies of the federal government partners and contractors and other organizations. It also helps in determining which activities are most important to assure critical operation and service delivery.
Great question. For me, the penalty and reputation are the main reasons to drive firms to use formal governance frameworks to guide their security processes.
First, the growing number of compliance laws and regulations all over the world are driving firms to use formal governance frameworks, so they can guide their security processes. The new era requires better protection of information and its systems so appliance of frameworks important as plan-based creation of guidelines.
Also, digital transformation of business processes brings additional risk while providing benefits for firms. The organizations want to handle security risks with controls being placed and formal governance frameworks help to avoid incidents.
Hi Yangyuan,
It’s a good question. For me, prevent is the key. Therefore, awareness and training (AT) is the most important in 17 specific security requirements.
FIPS 200 provides 17 specifications for Minimum Security Requirements. Of these specifications, #10 calls for proper media protection inclusive of digital and paper assets. Do you think it’s easier or harder to protect the confidentiality, integrity, and availability of paper assets compared to digital assets?
Mathew, you raise a strong point in the FIP200 for minimum security requirement which applies to all Federal Government information and information systems, except national security systems and certain classified information.
Lin to answer your question, all the 17 security controls are important requirements and tailored for protection and in it, all federall agencies are to abide by this standards.
Thanks for sharing Jason I was going to make this my question as well. Personally, I think it should stay within the IT department, though I was surprised the Boyle reading indicated it would make sense to make it independent of IT. In an ideal world, I think organizations should deploy the hybrid model where the security function is viewed as a facilitator of security while the business process owners are aware of security requirements and ultimately ensuring they are met with help from security.
Hi Bryan and Jason,
At first, I had the same thought with Bryan. However, I think my role as an IT auditor that should be independent to audit IT system. Moreover, to be a good IT auditor, we should have IT knowledge.
I believe that it’s important for IT security to work very closely with the IT department. IT security won’t run efficiently if they don’t understand the IT department’s needs. Similarly, the IT department may not follow good security practices if they don’t understand or are not in agreement with IT security. That being said, the departments should be separate as IT and IT security should report to different people. IT likely has productivity goals to meet and ease of use/speedy productivity can take precedence over security.
There are a number of insider threats related to data leakage (accidental or on purpose), fraudulent action through an integrity breach, loss of availability, or business continuity as a result of insider mistakes or deliberate action. In general, insider threats can cause significant business impact, not only because of the privileges that employees have over information technology but also because the company theoretically has its employees under its control, being responsible for their actions, in contradiction to external threats
Based on the Boyle and Panko reading it’s clear top management support is crucial to the success of a security program. If you were responsible for gaining buy in from top management what metrics would you deploy and use in your security department to help ensure top management is are aware of the importance for providing an adequate budget to the security program?
I would find financial metrics that closely resembled my proposed plan. I would find the average loss per year, per organization that is missing a security program or a specific security control vs the average loss per year for those that have the security control. Then, I would prove that the annual cost of the control is lower than the difference in average loss due to an incident. The goal of most organizations is to make money and if I can prove that security is a good financial investment, I believe I would be able to get management on board.
I want to focus on control security.
I think it’s very important that those people have access to the company’s data and how to ensure that only authorized users have access. An organization’s access control policy must address all of these issues. Access should be limited to authorized users, and this control ensures that each employee has the correct level of access.
Hey Lin,
Access control is a very important policy. If the policy is not adequate enough, it will fail and put the organization in danger. I would like to see an organization go over an access control policy at least every 6 months to make sure they are on top of their game. It’s better to be safe than sorry.
About your question, every organization have their own setup of rules and polices. Most policies would depend on the type of organization. Of course, most of the core policies are the same across most organizations. However, the rest of the policies can differ based on the type of organization. For example, and hospital and an nonprofit will have different policies based on their organization
I know Temple does have some mandatory training exercises for security, my wish would be that they were held more often, instead of once a year maybe every 3-6 months.
What kind of mandatory training exercises? I have not seen or have been met with any mandatory trainings for security. I do agree that trainings should be more often. It is good to have a refresher more often.
I don’t like the fact that there is not many authentication or controls while you are making payment for the TU portal. Any transaction I make on the TUPay account seems easily accessible. For example, if someone can get into my portal account, I think it’s easy enough to change my bank account with some other, where they can receive payments or refunds from school.
I agree, there needs to be a control to prevent an incident like this. Have you tried using duo two factor authentication for your account? You would have the ability to have a text message code sent to your phone every time you log in to help protect your account. https://guide.duo.com/
What are the limitations associated with classic risk analysis calculations? Despite some sources claiming that classic risk analysis is impractical, is the method still worth using? Otherwise, what alternatives do you suggest?
I think it’s important for small companies to have a good security policy because probably they wouldn’t be investing a lot in corrective or defective methods of control where hopefully policies will serve as preventative.
We all know big companies have the perfect security policies followed by insurance companies taking the load or expensive software to detect the incident. Since a limited budget wouldn’t cover these options, I think security policies should be good enough to limit the incidents.
Although ideal, I definitely don’t think it’s feasible. I think the best course of action is to implement as many preventative measures as possible. Anti-virus software, two-factor authentication, employee awareness, firewalls, enforced password policies. There’s only so much you can expect a company to do in the realm of cyber security when the budget is limited, but cheaper options like those I mentioned are at least slightly feasible.
What would happen if by accident you misinterpreted the integrity appropriate level of information system in your final review? Let’s say, the integrity was high but you put it as a low impact level, what would happen?
Maintaining the integrity of data and the completeness of data is essential to ensure effective data accuracy and data protection. Without integrity, data is not of much use. The consequences of data loss, corrupted or compromised data can considerably damage a business. With reference to your question, potentially under protecting your organization’s information system places important operations and assets at risk.
The Penalties are calculated based on Cybersecurity laws. For example, if you broke healthcare cybersecurity law, You will have to pay from 50 to 50000 dollars per record. https://cyberinsureone.com/laws-penalties/
Though the exact penalties for not complying with laws and regulations in the realm of corporate computer security is not directly stated in the chapter, I can infer that it depends on a number of factors such as the kind of violation, the document’s violated, the type of business, and the type of data you work with. In other words, the exact nature of the penalty is often relative to the nature of the attack and the amount of data that was exposed. There also may be specific laws or statutes determining the sanctions placed on the business. As a result of non-compliance, I think they could expect their company’s reputation to be negatively impacted and face financial penalties such as fines.
Can’t speak on compliance for most of the laws/regulations mentioned. But I know that not complying with SOX is super strict, mainly due to the Enron scandals and other similar ones that happened during the early 2000’s. Upon looking it up, first time offense for executives knowingly certifying financial reports that don’t comply with their standards results in fines up to $1 million & up to ten years imprisonment.
Question for the week: Asked in reference to FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems”, pp.1-9
In reference to section 3: MINIMUM SECURITY REQUIREMENTS, There are 17 security-related areas listed and outlined on page 8 with regard to minimum security requirements. Of the 17, is there one or more listed that stands out to you or make you want to dwell on it? If so which one and why.. if this is not the case, then why not?
The security-related area that I wanted to address was physical security because with everything becoming more digitized, people fail to realize how critical it remains for business operations. I would argue that the minimum security requirements for this area are still lacking in some regards. Organizations should be required to implement multi-level authentication in order to better secure their business. In addition, while an organization may have physical security guards and cameras, they should also enforce a security policy to follow. Though at the end of the day, many physical security vulnerabilities depend on a number of factors, including but not limited to: the size of the building, number of buildings or sites, number of employees, location and number of building entrance and exit points, and the placement of the data centers and other confidential information.
Joshua, I had similar thoughts when reading through the 17 minimum security requirements. In my opinion Awareness and Training is one that always stands out to me. So many security-related issues are due to human error, so idealistically a ton of issues can be eliminated if you simply begin here.
I believe that it security professionals can be assured that they’re creating effective enough plans for their firms’ information systems by using the NIST publications as a guideline. Specifically the categorization of information system’s is imperative to have a cost-effective approach to protection. Companies need to be sure they’re correctly categorizing their systems using the low, moderate, or high impact levels. If this step is done correctly they can utilize the minimum security baselines for controls that are established in NIST Publication 800-53.
Most organizations use a top-down approach to security management planning, in which upper management defines and initiates policies and middle management builds aligning standards, baselines, guidelines, and procedures. In a bottom-up approach, Technical staff makes security decisions without any input from upper management. What problems do you see with the bottom-up approach? Are there any circumstances in which you could see the bottom-up approach working well for an organization?
What “methodology” should be used to compare IT security policies and compliance of two different countries and how to adjust when you have an American company operating in Europe?
As we already know and have once again seen in this week’s reading, there are several governance frameworks, each with differences in focus. This creates a level of complexity, and I’m curious if you would you prefer to see more unified frameworks?
The service level agreement is incredibly important in protecting an organization against the threats that its vendors face. Additionally, organizations can request third-party audit results from their vendors to ensure that their vendors’ security practices meet their security needs.
What is driving firms to use formal governance frameworks to guide their security processes?
Great question! I was thinking about this when reading NIST SP 800-100 and considering how a company would effectively translate the government specific concepts to private business.
Ultimately, I think using frameworks like NIST provide a flexible approach that includes stakeholders in a scalable security process that mitigates risk. Private businesses may not face the same threats or regulatory drivers as government entities; however,using frameworks such as NIST demonstrates they’ve taken reasonable measures to protect their assets. It’s compelling for businesses to show alignment to frameworks like NIST as they are considered to be best practice. This mitigates the impact of incidents and potential litigation that may follow.
Organizations and federal government agencies faces stiff fines and penalties for not complying to the FISMA rules and regulations. More importantly no organization takes cybersecurity for a joke with the infinite rise in series of security threats faced by this vendor for security negligence. The framework implemented by U.S. Department of Defense is a standard for setting data security for all agencies of the federal government partners and contractors and other organizations. It also helps in determining which activities are most important to assure critical operation and service delivery.
Great question. For me, the penalty and reputation are the main reasons to drive firms to use formal governance frameworks to guide their security processes.
First, the growing number of compliance laws and regulations all over the world are driving firms to use formal governance frameworks, so they can guide their security processes. The new era requires better protection of information and its systems so appliance of frameworks important as plan-based creation of guidelines.
Also, digital transformation of business processes brings additional risk while providing benefits for firms. The organizations want to handle security risks with controls being placed and formal governance frameworks help to avoid incidents.
Do companies hold certain laws and regulations to a higher regard than others? What rules are most necessary to comply with?
Which one is the most important in the 17 security requirements in FIPS 200?
Hi Yangyuan,
It’s a good question. For me, prevent is the key. Therefore, awareness and training (AT) is the most important in 17 specific security requirements.
FIPS 200 provides 17 specifications for Minimum Security Requirements. Of these specifications, #10 calls for proper media protection inclusive of digital and paper assets. Do you think it’s easier or harder to protect the confidentiality, integrity, and availability of paper assets compared to digital assets?
Mathew, you raise a strong point in the FIP200 for minimum security requirement which applies to all Federal Government information and information systems, except national security systems and certain classified information.
Lin to answer your question, all the 17 security controls are important requirements and tailored for protection and in it, all federall agencies are to abide by this standards.
I am curious to know where our class stands on the placing of IT Security, should it be Within or Outside of the Information Technology Department?
Thanks for sharing Jason I was going to make this my question as well. Personally, I think it should stay within the IT department, though I was surprised the Boyle reading indicated it would make sense to make it independent of IT. In an ideal world, I think organizations should deploy the hybrid model where the security function is viewed as a facilitator of security while the business process owners are aware of security requirements and ultimately ensuring they are met with help from security.
Hi Bryan and Jason,
At first, I had the same thought with Bryan. However, I think my role as an IT auditor that should be independent to audit IT system. Moreover, to be a good IT auditor, we should have IT knowledge.
I believe that it’s important for IT security to work very closely with the IT department. IT security won’t run efficiently if they don’t understand the IT department’s needs. Similarly, the IT department may not follow good security practices if they don’t understand or are not in agreement with IT security. That being said, the departments should be separate as IT and IT security should report to different people. IT likely has productivity goals to meet and ease of use/speedy productivity can take precedence over security.
Jason,
There are a number of insider threats related to data leakage (accidental or on purpose), fraudulent action through an integrity breach, loss of availability, or business continuity as a result of insider mistakes or deliberate action. In general, insider threats can cause significant business impact, not only because of the privileges that employees have over information technology but also because the company theoretically has its employees under its control, being responsible for their actions, in contradiction to external threats
Based on the Boyle and Panko reading it’s clear top management support is crucial to the success of a security program. If you were responsible for gaining buy in from top management what metrics would you deploy and use in your security department to help ensure top management is are aware of the importance for providing an adequate budget to the security program?
I would find financial metrics that closely resembled my proposed plan. I would find the average loss per year, per organization that is missing a security program or a specific security control vs the average loss per year for those that have the security control. Then, I would prove that the annual cost of the control is lower than the difference in average loss due to an incident. The goal of most organizations is to make money and if I can prove that security is a good financial investment, I believe I would be able to get management on board.
Is there a security policy that you wish your company or Temple had? If so what is it?
Hi Corey,
I want to focus on control security.
I think it’s very important that those people have access to the company’s data and how to ensure that only authorized users have access. An organization’s access control policy must address all of these issues. Access should be limited to authorized users, and this control ensures that each employee has the correct level of access.
Hey Lin,
Access control is a very important policy. If the policy is not adequate enough, it will fail and put the organization in danger. I would like to see an organization go over an access control policy at least every 6 months to make sure they are on top of their game. It’s better to be safe than sorry.
About your question, every organization have their own setup of rules and polices. Most policies would depend on the type of organization. Of course, most of the core policies are the same across most organizations. However, the rest of the policies can differ based on the type of organization. For example, and hospital and an nonprofit will have different policies based on their organization
Hello Corey,
I know Temple does have some mandatory training exercises for security, my wish would be that they were held more often, instead of once a year maybe every 3-6 months.
Hey Jason,
What kind of mandatory training exercises? I have not seen or have been met with any mandatory trainings for security. I do agree that trainings should be more often. It is good to have a refresher more often.
Hi Corey,
I don’t like the fact that there is not many authentication or controls while you are making payment for the TU portal. Any transaction I make on the TUPay account seems easily accessible. For example, if someone can get into my portal account, I think it’s easy enough to change my bank account with some other, where they can receive payments or refunds from school.
Hi Miray,
I agree, there needs to be a control to prevent an incident like this. Have you tried using duo two factor authentication for your account? You would have the ability to have a text message code sent to your phone every time you log in to help protect your account.
https://guide.duo.com/
What are the limitations associated with classic risk analysis calculations? Despite some sources claiming that classic risk analysis is impractical, is the method still worth using? Otherwise, what alternatives do you suggest?
Is it feasible for a small company with limited IT budget to create a security policy for every one of their systems? Why or why not?
Hi Ryan,
I think it’s important for small companies to have a good security policy because probably they wouldn’t be investing a lot in corrective or defective methods of control where hopefully policies will serve as preventative.
We all know big companies have the perfect security policies followed by insurance companies taking the load or expensive software to detect the incident. Since a limited budget wouldn’t cover these options, I think security policies should be good enough to limit the incidents.
Ryan,
Although ideal, I definitely don’t think it’s feasible. I think the best course of action is to implement as many preventative measures as possible. Anti-virus software, two-factor authentication, employee awareness, firewalls, enforced password policies. There’s only so much you can expect a company to do in the realm of cyber security when the budget is limited, but cheaper options like those I mentioned are at least slightly feasible.
What would happen if by accident you misinterpreted the integrity appropriate level of information system in your final review? Let’s say, the integrity was high but you put it as a low impact level, what would happen?
Maintaining the integrity of data and the completeness of data is essential to ensure effective data accuracy and data protection. Without integrity, data is not of much use. The consequences of data loss, corrupted or compromised data can considerably damage a business. With reference to your question, potentially under protecting your organization’s information system places important operations and assets at risk.
What are the penalties when not complying with the laws and regulations mentioned in chapter 2 of corporate computer security?
The Penalties are calculated based on Cybersecurity laws. For example, if you broke healthcare cybersecurity law, You will have to pay from 50 to 50000 dollars per record.
https://cyberinsureone.com/laws-penalties/
Though the exact penalties for not complying with laws and regulations in the realm of corporate computer security is not directly stated in the chapter, I can infer that it depends on a number of factors such as the kind of violation, the document’s violated, the type of business, and the type of data you work with. In other words, the exact nature of the penalty is often relative to the nature of the attack and the amount of data that was exposed. There also may be specific laws or statutes determining the sanctions placed on the business. As a result of non-compliance, I think they could expect their company’s reputation to be negatively impacted and face financial penalties such as fines.
Can’t speak on compliance for most of the laws/regulations mentioned. But I know that not complying with SOX is super strict, mainly due to the Enron scandals and other similar ones that happened during the early 2000’s. Upon looking it up, first time offense for executives knowingly certifying financial reports that don’t comply with their standards results in fines up to $1 million & up to ten years imprisonment.
Question for the week: Asked in reference to FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems”, pp.1-9
In reference to section 3: MINIMUM SECURITY REQUIREMENTS, There are 17 security-related areas listed and outlined on page 8 with regard to minimum security requirements. Of the 17, is there one or more listed that stands out to you or make you want to dwell on it? If so which one and why.. if this is not the case, then why not?
The security-related area that I wanted to address was physical security because with everything becoming more digitized, people fail to realize how critical it remains for business operations. I would argue that the minimum security requirements for this area are still lacking in some regards. Organizations should be required to implement multi-level authentication in order to better secure their business. In addition, while an organization may have physical security guards and cameras, they should also enforce a security policy to follow. Though at the end of the day, many physical security vulnerabilities depend on a number of factors, including but not limited to: the size of the building, number of buildings or sites, number of employees, location and number of building entrance and exit points, and the placement of the data centers and other confidential information.
Joshua, I had similar thoughts when reading through the 17 minimum security requirements. In my opinion Awareness and Training is one that always stands out to me. So many security-related issues are due to human error, so idealistically a ton of issues can be eliminated if you simply begin here.
How do IT security professional know that their plans are good enough to protect their firms’ information and IS with a cost-effectiveness?
I believe that it security professionals can be assured that they’re creating effective enough plans for their firms’ information systems by using the NIST publications as a guideline. Specifically the categorization of information system’s is imperative to have a cost-effective approach to protection. Companies need to be sure they’re correctly categorizing their systems using the low, moderate, or high impact levels. If this step is done correctly they can utilize the minimum security baselines for controls that are established in NIST Publication 800-53.
Most organizations use a top-down approach to security management planning, in which upper management defines and initiates policies and middle management builds aligning standards, baselines, guidelines, and procedures. In a bottom-up approach, Technical staff makes security decisions without any input from upper management. What problems do you see with the bottom-up approach? Are there any circumstances in which you could see the bottom-up approach working well for an organization?
What “methodology” should be used to compare IT security policies and compliance of two different countries and how to adjust when you have an American company operating in Europe?
As we already know and have once again seen in this week’s reading, there are several governance frameworks, each with differences in focus. This creates a level of complexity, and I’m curious if you would you prefer to see more unified frameworks?
How do you determine if a control can be compensated, and should the original control still be judged as an open risk?
In Security planning how do we handle Cyber threats from third-party vendors?
The service level agreement is incredibly important in protecting an organization against the threats that its vendors face. Additionally, organizations can request third-party audit results from their vendors to ensure that their vendors’ security practices meet their security needs.