Essay Example on IT Security

RMF Tasks Status (may be done or not done) Discuss how you determined the status of each task. Consider the following: If done is it complete? Where is it located?

If not done what are the recommendations for completing? Where should the results be saved? External documents needed for task.

RMF Step 1. Categorize Information Systems

1.1 Security categorization Not done No security plan done (p.18) Add the security categorization based on FIPS 199found on P. 16 to the security plan. FIPS 199 for national security systems, CNSS 1253 for non national security systems.

1.2 Information systems description Done FIBS publication guidelines for automated data processing risk analysis IT Governance Institute

1.3 Information systems registration Done Training program at organizational offices FIPS 199 for national security systems, CNSS 1253 for non national security systems.

RMF Step 2. Select Security Controls

2.1 Common Control Identification Done Establish continuity of support Jaquith & Andrew

2.2 Security control selection and documentation Done Dial up through approved entry points IT Governance Institute

2.3 Monitoring Strategy Done Te security administrator will review reports Management summary

2.4. Security plan approval Done Information technology (IT) Policies and guidelines Open security Architecture

RMF Step 3: Implement Security Controls

3.1. Security control implementation Not Done Management control should focus on the management of IT security systems and risks for the system. FIPS 199 for national security systems, CNSS 1253 for non national security systems.

3.2 Security control documentation Not done Continuity during emergencies should be enabled by coordinating site facilities and developing and coordinating COOP. Jaquith & Andrew

RMF Step 4: Asses security Controls

4.1 Assessment preparation Done Application user accounts lists should be reviewed regularly by personnel designated to do so. Jaquith & Andrew

4.2 Security control assessment Not done Develop procedures for restoring the system at an offsite location FIPS 199 for national security systems, CNSS 1253 for non national security systems.

4.3 Security assessment report Not done Documentation of detailed procedures for the transition to alternative backup resources during emergency IT Governance Institute

4.4 Recommend Actions IT Governance Institute

RMF Step 5: Authorize Information Systems

5.1 Plan of action and Milestones Not done Perform risk assessment IT Governance Institute

5.2 Security Authorization package Not done Develop and maintain a comprehensive security Inventory Open security architecture

5.3 Risk determination Done Report review Management summary

5.4 Risk acceptance Not done Controls should permit access only when specific authorization has been granted Jaquith & Andrew

RMF Step 6: Monitoring security controls

6.1 Information system & Environment changes Done The security plan is implemented Open security architecture

6.2 Ongoing security control assessments Not Done The SHGTS security plan has not been undertaken Open security architecture

6.3 Ongoing recommendations Done Assign responsibility in each system to a qualified individual Jaquith & Andrew

6.4 Key updates Continuity during emergencies should be enabled by coordinating site facilities and developing and coordinating COOP. Management summary

6.5 Security Status reporting Not done SHGTS is prone to future attacks from information gained. IT Governance Institute

A comparison of COBIT, ISO 27002, ITIL AND NIST

Four standards that are related to risk management implementation framework are discussed.

COBIT

This is a high-level IT management and governance framework that lays out best practices in managing responsibilities, processes, controls and resources. As such, its purpose is to enable top management to execute key policies and procedures by providing a framework that maps Key IT processes. Its main strength is that it is easy to implement but this also makes it wide in scope and short in details. It is thus used when senior management wishes to have a framework for managing risks (IT Governance Institute). COBIT has four levels of certification as explained below:

CISA which is the most sorted certification for individuals and is offered to those who monitor, audit, control and asses organizations information technology and business systems.

CISM is the globally accepted standard for those who design, build and manage enterprise information security programs.

CGEIT covers professionals knowledge and application of IT governance principles.

CRISC positions IT professionals for future career growth by creating a link between IT risk management and enterprise risk management.

ITIL

This is a technology management best practice tool that helps organizations align IT resources with its goals with its main strength being the fact that it is visible. On the other hand however, it is a long and detailed process that can be disruptive to introduce and may lack flexibility. It is thus deployed when an organization does not have a structure and mode of operation (IT Governance Institute). It also has four levels of accreditation as listed below:

Foundation certification establishes that one has knowledge of ITIL basic concepts, structure and terminology and a comprehension of its core practices for service management.

Intermediate level provides a modular structure which focuses on different issues and one can take as many modules as required.

Expert is a certification level is for those who have gone through the foundation level, have undertaken required modules at the intermediate level and done a lifecycle management course (MASC).

Master certification scheme evaluates ones ability to analyze and apply ITIL concepts in new areas. Its candidates have to submit a proposal, work package and complete an interview with a panel of assessors.

ISO ..2

It is commonly used, specifically to the organizations technology department to provide best practice recommendations for implementing Information Security management systems. Its main strength is that it makes it possible for management to identify and mitigate gaps and overlaps but then again it only focuses on information security. This framework is therefore necessary when there is a need to build confidence in inter-organizational activities. ISO 27001 is aligned with ISO 27002 providing a certification path from 27001 to 27002 (ISO).

NIST

This is a Federal guide used by US federal organizations to assist in the selection of security controls and is thus a mandatory security compliance guide for federal organizations apart from those that deal with national security. Its advantage is that it is quite detailed but this makes it necessary to have multiple publications to have comprehensive coverage. This framework is handy when world class research is being done within an industry that values advancement of organizational technology infrastructure. It is also helpful in providing assistance to small businesses tin streamlining their operations. Since federal bodies obtain certification by maintaining proof of adherence to a number of Federal regulations that are related to FISMA (National Institute of Standards and Technology, 8-17)

References

Aylward, Anton J. "COBIT for ISO270001 Users | Concepts, Myths and Misconceptions."The Fourth Canadian ISO 17799/ISO 27001 Conference. Systems Integrity, Toronto.

Toronto. 30 Nov. 2006. Lecture.

National Institute of Standards and Technology, Framework for improving Critical Infrastructure Cyber security. (2016).

IT Governance Institute, "Overview of International IT Guidance."COBIT Mapping2 (2006)

IT Governance Institute,"Aligning COBIT, ITIL and ISO 17799 for Business Benefit: Management Summary (2007).

Jaquith, Andrew. "Creating meaningful information security metrics." Information Security Magazine 1 Mar. 2010

ISO. ISO/IEC 27001 - Information security management. Web 13th November 2016