Security Policies and Standards – Best Practices
Instructions:
VLT Task 1
SECURITY POLICY & STANDARDS
Competency 427.3.2: Controls and Countermeasures – The graduate evaluates security threats and identifies and applies security controls based on analyses and industry standards and best practices.
Task 1: Security Threats
Scenario:
A small LLP consisting of a group of private investigators is headed by one of your friends. The partnership has a small office with one server and six workstations. Additionally, the partnership hosts its own website where it allows clients to log in and enter their case information. You suspect that the site may be lacking fundamental security and information safeguards.
During the past few weeks, staff members have noticed that the workstations are running sluggishly, and they routinely get advertisements on their computers when they are not on the Internet. Investigators routinely download and install programs and plug-ins from the Internet. However, the computers are not kept up-to-date with operating system patches or software patches for other installed software programs and plug-ins.
Lastly, there have been several complaints from clients that the company website has been unavailable or has timed out. Recently, the website was completely deleted and the homepage read, “You’ve been hacked.” Fortunately, the website was able to be restored from a backup.
You have been asked by your friend to assist the group with its various security challenges by analyzing the threats the LLP faces.
Requirements:
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. Use the Turnitin Originality Report available in Taskstream as a guide for this measure of originality.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
A. Describe five different types of relevant threats to each of the following in the given scenario:
1. the server or network traffic
2. the workstations or company data
3. the website
Note: One type of threat could be a piece of malicious software. A second type of threat could be a physical calamity such as a lightning strike or flood. A type of threat should not be provided more than once in the description of five threats for each of the following.
B. Create a memo (suggested length of 2 pages) in which you do the following:
1. Provide support (e.g., research, current events) for the likelihood of each of the threats described in part A.
2. Discuss how security controls and countermeasures should be used to mitigate each of the threats described in part A.
C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
D. Demonstrate professional communication in the content and presentation of your submission.
====================================================================================================
VLT Task 2
Competency 427.3.3: Security Audits – The graduate evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices.
Task 2: Information Security Management System Plan
Introduction:
An Information Security Management System (ISMS) represents a systematic approach for designing, implementing, maintaining, and auditing an organization’s information system security objectives. As with any process, if an ISMS is not continually monitored, its effectiveness will tend to deteriorate.
Scenario:
For this task, you will use the attached “Task 2 Healthy Body Wellness Center Risk Assessment” case study to write a paper defining the scope of an ISMS plan for the Healthy Body Wellness Center and an evaluation of the previously conducted risk assessment.
The first step in initiating an ISMS is to form a committee of upper-level management to create organizational support for the ISMS. Assume you are part of that team. Initiating an ISMS involves developing a plan that includes the scope of the ISMS and identifying and assessing risk. The risk assessment for the Healthy Body Wellness Center has already been conducted. Your task is to define the ISMS scope for the Healthy Body Wellness Center and make recommendations for implementing the resulting ISMS plan.
Requirements:
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. Use the Turnitin Originality Report available in Taskstream as a guide for this measure of originality.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
A. Create the scope for the ISMS plan being developed in the case study by doing the following:
1. Describe the business objectives being developed in the case study for the organization.
2. Describe the guiding security principles based on the case study.
3. Justify the organization’s business processes that should be included in the scope. Include the following points for each process:
• what the process is
• how you would apply the process to the scenario
• why the process is needed or should be included in the scope of the ISMS
4. Justify the information systems that should be included in the scope. Include the following points for each information system:
• what the information system that should be included is
• what the duties of the information system are, according to the scenario
• why this information system is needed or should be included in the scope of the ISMS plan
5. Justify the IT infrastructure that should be included in the scope, including a description of the data flow.
B. Recommend additional steps to address the identified risks in the case study that the organization would need to take to implement the ISMS plan.
1. Discuss what each recommended step entails based on your evaluation of the conducted risk assessment.
2. Justify each recommended step based on your evaluation of the conducted risk assessment.
C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
D. Demonstrate professional communication in the content and presentation of your submission.
==============================================================================================
VLT Task 3
Competency 427.3.3: Security Audits – The graduate evaluates the practice of defining and implementing a security audit and conducts an information security audit using industry best practices.
Task 3: Security Audits
Introduction:
An information security management system (ISMS) represents a systematic approach to designing, implementing, maintaining, and auditing an organization’s information system security objectives. As with any process, if an ISMS is not continually monitored, its effectiveness will tend to deteriorate.
Most organizations perform important information security activities, but the majority of firms do not do so as part of an organization-wide initiative. When organizations place a strategic emphasis on a culture of securing their information assets, they increase the likelihood of maintaining control of their information assets and lower their risk of losing customers, market share, or other resources due to a breach in confidentiality, integrity, or availability of key business assets.
For this task you will be using the attached “Task 3 Healthy Body Wellness Center Risk Assessment” case study. You will be required to conduct a partial as-is audit of the Healthy Body Wellness Center organization.
The idea behind using an as-is question set is to determine the current compliance levels and awareness of the organization’s security posture. The three key aspects of the question set are to determine if the organization has appropriate policies, procedures, and practices in place to adhere to ISO 27002 for the ISMS.
Requirements:
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. Use the Turnitin Originality Report available in Taskstream as a guide for this measure of originality.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
A. Complete the attached “Task 3 As-Is Question Set” by identifying whether the tasks are done or not done.
1. Discuss how you determined the status of the tasks if they are done and include the page numbers from the risk assessment to support that discussion; or, if they are not done, provide recommendations for completing the tasks in compliance with ISO 27002.
Note: If the policy, procedure, or practice does not exist, provide justification as to why it is needed or why it should exist. If it does exist, give evidence (i.e., page number, brief description) where it is found in the risk assessment.
B. Develop the two additional question sets in the attached “As-Is Question Set” that are relevant to the risk assessment and ISO 27002.
Note: You may consider your own industry, organization, or situation when developing your additional question categories.
1. Justify the inclusion of each additional question within each question set with regard to the case study and ISO 27002.
C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
D. Demonstrate professional communication in the content and presentation of your submission.
================================================================================================
VLT Task 4
Competency 427.3.4: Certifications and Accreditations – The graduate identifies and discusses the Information Assurance certification and accreditation (C&A) process.
Task 4: Certification and Accreditation
Scenario:
You have been hired to review a conducted risk assessment for the Healthy Body Wellness Center since information security management systems should be regularly reviewed, updated, and maintained. To prepare for an upcoming audit and accreditation review, you will use current guidelines from ISO 27002, COBIT, NIST, or ITIL (e.g., NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach) and the attached “Healthy Body Wellness Center Risk Assessment” case study.
You will apply the current guidelines to the risk management framework for the Healthy Body Wellness Center’s information systems. The organization has recently had a risk assessment completed that includes recommendations for implementing security controls and mitigating risks. In your new role, a team of people will be assigned to help you with the task. You are tasked with creating a to-do list by completing the “Task 4 RMF To-Do List” attachment for the specific tasks outlined in each of the six steps in the risk management framework (RMF). The first row of the “Task 4 RMF To-Do List” has been completed for you.
You will then evaluate and create a document that compares the ISO 27002, COBIT, NIST, and ITIL standards with regard to the certification and accreditation process.
Requirements:
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. Use the Turnitin Originality Report available in Taskstream as a guide for this measure of originality.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
A. Complete the attached “Task 4 RMF To-Do List” by using the attached “Task 4 Healthy Body Wellness Center Risk Assessment” and doing the following:
1. Identify whether the tasks are done or not done based on the attached “Task 4 Healthy Body Wellness Center Risk Assessment”.
2. Discuss how you determined the status of the tasks if they are done, and include the page numbers from the risk assessment to support that discussion; or, if the tasks are not done, provide recommendations for completing the tasks in compliance with current guidelines from ISO 27002, COBIT, NIST, or ITIL, including where the results should be saved.
3. List the external documents needed for each task that is not done.
B. Compare the ISO 27002, COBIT, NIST, and ITIL frameworks by creating a document in which you do the following:
1. Discuss how each framework is most commonly used.
2. Analyze the purpose of each framework design.
3. Compare the strengths of each framework.
4. Compare the weaknesses of each framework.
5. Discuss the certification and accreditation process for each framework.
6. Explain which type of business each framework applies to according to the certification and accreditation process.
C. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
D. Demonstrate professional communication in the content and presentation of your submission.
Solution
Security Policies and Standards – Best Practices
Task 1 A
This section analyzes five threats to each of the following: the server, the workstations, and the website.
Threats to the server
Organizations across the world spend millions to ensure that their servers are secure. Threats that affect servers include:
- Brute Force Attack
In this kind of threat, an intruder tries to gain access to a server by guessing passwords (Hampton, 2017). The attack normally targets the root administrator account through the mail server, the SSH server, or another operational service in the system. The intruder uses software to try every possible combination until a working password is found. If a particular combination works, the server is at great risk (Hampton, 2017). Software that detects a brute force attack alerts the administrator when a number of failed attempts against the server are made and allows the attacker's access to be disabled by IP address.
- DoS attack
DoS, which stands for Denial of Service, is a technique used by attackers to shut off an individual's access to a particular site (Hampton, 2017). The attack works by increasing the traffic on the site to a level at which the server becomes unresponsive. DoS attacks can be carried out by an individual or by several coordinated attackers, the latter commonly referred to as Distributed Denial of Service (DDoS). At times, computer users taking part in a DDoS may not be aware that they are being used as agents in the attack (Adam, 1999). In the case of the small LLP, such an attack may have been executed, since the company's website has been unavailable or has timed out.
- Malware
Malware is a threat to the server. Malware is a name for malicious software, and it may take various forms: a virus, spyware, Trojans, worms, bots, or any software intended to cause harm to a server (Adam, 1999). Normally, malware is installed without the direct consent of the user. The attack may affect computers in an organization as well as other computers in the system. Implementing security software and a proper firewall may help prevent the spread of malware.
- Unauthorized Access
This is the ability of an individual to obtain access to the server with administrator privileges without authority (Boca Raton, Tipton, & Krause, 2007). Unauthorized access to the system is a threat because availability, confidentiality, and integrity are compromised.
- Footprinting
Footprinting is the capacity to scan and manipulate information in the server so that an attack can be prepared (Tsohou, Kokolakis, Lambrinoudakis, & Gritzalis, 2010). This threat results from poorly configured firewalls, unnecessary running services, and open ports.
Threats to Workstations
Although workstations are less prone to attack than servers and networks, their security is important because they may hold information that is sensitive to an organization. Access to credit card information, for example, may be damaging to an organization. Threats that may affect the company's workstations include:
- Malware
As with servers, workstations can be affected by a variety of malicious software, such as spyware, Trojans, and worms, which enters the workstation without the user's knowledge. After a single workstation is affected by the malware, it easily spreads to other workstations in the network.
- Virus
A virus can spread from one workstation to another. A virus may steal, corrupt, or erase data on a workstation, including formatting the entire hard drive (Ennis, Hargreaves, & Gulayets, 2015). In addition, a virus may use programs such as email to spread itself to all the workstations in an organization.
- Removable media
Removable media is any kind of storage device that can be connected to or removed from a workstation in an organization while the system is running. It is a threat because attackers may use removable media to obtain access to the system and compromise it.
- Default and Weak Passwords
Using weak and default passwords is a threat to workstations. It creates vulnerabilities through which the system can be exploited easily.
- Loss of data
Another threat to the workstations is the loss of data. If anything happens to the workstations, all the information stored on them would be lost. This may be the result of stolen workstations (Hollar, & Murphy, 2006). Such a loss may interfere with the information that investigators require in court.
Threats to Website Security
- Cross-site Scripting
Also referred to as XSS, cross-site scripting is a threat that exploits vulnerabilities in web applications. The technique injects lines of JavaScript into web pages, which are then used to access sensitive information from the user or to execute a malicious act.
- SQL Injection
Like XSS, SQL injection requires the presence of a vulnerability in the server related to a web application (Pournouri, & Craven, 2014). Under SQL injection, however, malicious statements are inserted into the website. Such statements are intended to manipulate the server by deleting all the information on it, accessing sensitive information, or otherwise causing trouble for the organization (Pournouri, & Craven, 2014). Such a threat has been executed at the company, since malicious messages appeared on the homepage.
- DDoS attacks
Distributed denial of service (DDoS) is a technique used to slow down the operation of a website or shut it down by sending overwhelming numbers of requests to the site (Pournouri, & Craven, 2014). The attacker takes advantage of vulnerabilities in the security of a website to cause damage.
- Manipulation of parameter
Normally, information is passed from one website to the other using URL parameters. For instance, when one searches on Google, the search terms are often passed to the results page through the URL (Pournouri, & Craven, 2014). A threat is posed when a hacker uses this process to manipulate the information in useful ways.
- Ransomware
This is another major threat to web security for many organizations. Like the DoS attack, it has grown in popularity over time (Hollar, & Murphy, 2006). In this technique, the attacker freezes or locks the devices and digital assets of an organization until a specific ransom is paid for their release.
Task 1B
Memo
TO: Limited Liability Partnership
FROM: JKL
DATE: August 31, 2017
SUBJECT: Evaluation, Recommendations and Countermeasures to Security Threats
The Limited Liability Company operates from a small office with a single server and six workstations. In addition, the company hosts its own website, which permits users to communicate directly with the company by uploading case files. The task of identifying the different threats that affect the server, workstations, and website has been completed. Based on the security threats that have been addressed, the company will need to implement technical, administrative, and physical security measures to control the threats it faces. This memo offers recommendations to the company on the security controls and countermeasures that should be considered to mitigate those threats.
Brute force attack
A successful brute force attack may give an attacker complete access to the server. To counter a brute force attack, software that detects and alerts on any attempts against the system should be installed, and the administrator should monitor it properly in order to prevent an attack. Account lockouts after unsuccessful attempts can also be used to protect the server against a brute force attack.
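The detection and lockout logic described above and under "Brute Force Attack" in Task 1 A can be sketched as follows. This is an added example, not part of the original memo; the log lines are constructed in OpenSSH syslog style, and the thresholds, window, and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style. The addresses come from
# documentation ranges (RFC 5737) and do not refer to real hosts.
SAMPLE_LOG = """\
Aug 31 10:00:01 srv sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Aug 31 10:00:03 srv sshd[811]: Failed password for root from 203.0.113.5 port 40113 ssh2
Aug 31 10:00:04 srv sshd[812]: Accepted password for alice from 198.51.100.7 port 51500 ssh2
Aug 31 10:00:06 srv sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Aug 31 10:00:09 srv sshd[811]: Failed password for root from 203.0.113.5 port 40115 ssh2
Aug 31 10:00:12 srv sshd[811]: Failed password for root from 203.0.113.5 port 40116 ssh2
Aug 31 10:05:00 srv sshd[813]: Failed password for bob from 198.51.100.7 port 51620 ssh2
Aug 31 10:20:00 srv sshd[813]: Failed password for bob from 198.51.100.7 port 51621 ssh2
""".splitlines()

# Matches both "Failed password for root" and "Failed password for invalid user admin".
FAILED = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(lines, year=2017):
    """Yield (timestamp, user, source_ip) for each failed login line.

    Syslog timestamps carry no year, so one is supplied (assumed: 2017).
    """
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            yield when, m["user"], m["ip"]


def detect(lines, key="ip", threshold=5, window=timedelta(seconds=60)):
    """Return {key: time the threshold was first reached}.

    key="ip"   -> sources to alert on and block by IP address
    key="user" -> accounts to lock out after repeated failures
    Lines are assumed to be in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # per-key timestamps inside the sliding window
    tripped = {}
    for when, user, ip in parse_failures(lines):
        k = ip if key == "ip" else user
        q = recent[k]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and k not in tripped:
            tripped[k] = when
    return tripped


if __name__ == "__main__":
    for ip, when in detect(SAMPLE_LOG).items():
        print(f"ALERT {when}: block source {ip}")
    for user, when in detect(SAMPLE_LOG, key="user", threshold=3).items():
        print(f"ALERT {when}: lock account {user}")
```

The two slow failures from 198.51.100.7 never share a window, so a legitimate user who mistypes a password occasionally is not blocked.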
Malware attack
The likelihood of a malware attack on the server and workstations of the company is very high. To address the threat of a malware attack, the company should ensure that all workstations are patched, including security patches for the operating system and programs as they are released (Booth, 2015). This will ensure that the entire system is up to date. In addition, users should be well trained in surfing the internet safely and in detecting malicious emails.
DoS attack
The likelihood of a DoS attack occurring in the organization is medium. To reduce the likelihood of this attack, the company should install and always run anti-virus software on all workstations and install a firewall that restricts incoming and outgoing traffic.
Unauthorized Access
If an individual or hacker gains access to the server without authority, the server is at great risk. It is recommended that firewalls be installed in the company's security system and that strong passwords be used during configuration.
Parameter manipulation
To prevent manipulation of data, the company should consider using a digital signature at the end of all messages in order to ensure that they have not been tampered with in the process of sending (Booth, 2015). In addition, the message payload should be encrypted in order to offer privacy and security.
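The tamper check recommended above can be applied directly to URL parameters. The following added example is not part of the original memo and uses HMAC-SHA256, a keyed message authentication code, as a stand-in for the digital signature the memo mentions; the path, the parameter names `case_id` and `client`, the key, and the function names are all hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key. A real deployment would load a random secret from
# server-side configuration and never send it to the browser.
SECRET = b"constructed-demo-key-not-for-production"


def _mac(path, pairs, key):
    """HMAC-SHA256 over the path plus the parameters in sorted order."""
    canonical = path + "?" + urlencode(sorted(pairs))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(path, params, key=SECRET):
    """Return the URL with a trailing sig parameter covering path and params."""
    pairs = list(params.items())
    return f"{path}?{urlencode(pairs + [('sig', _mac(path, pairs, key))])}"


def verify_url(url, key=SECRET):
    """Return the parameters if the signature is valid, otherwise None."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "sig"]
    if len(sigs) != 1:                      # missing or duplicated signature
        return None
    unsigned = [(k, v) for k, v in pairs if k != "sig"]
    expected = _mac(parts.path, unsigned, key)
    # Constant-time comparison; bytes are used so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), sigs[0].encode()):
        return None
    return dict(unsigned)


if __name__ == "__main__":
    url = sign_url("/cases/view", {"case_id": "1042", "client": "c-17"})
    print(url)
    print(verify_url(url))                                        # parameters accepted
    print(verify_url(url.replace("case_id=1042", "case_id=1043")))  # None: tampered
```

A valid signature only shows that the server issued the link unchanged; the server must still check that the logged-in client is allowed to see the referenced case.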
SQL Injection
This attack can be prevented by using software to scan the server for the problem and fixing it.
Footprinting
Footprinting has a low likelihood of occurrence in the system. The LLP is advised to disable all unused protocols and ports to prevent such a threat.
Cross-site Scripting
Cross-site scripting has a medium likelihood of occurrence on the company's website. It is recommended that the LLP install software that will scan the entire server and solve the problem in order to prevent this threat.
Virus
Installing an antivirus and ensuring that it is up to date can prevent a virus in the workstations of the company.
Ransomware
Ensuring that a backup of the system is available can prevent ransomware, and payments should not be made in response to this kind of threat.
Removable media
Removable media is a big threat to the workstations and may result in corruption, modification, or destruction of files. It is recommended that the LLP ensure that personal removable flash drives are not used in the workstations, encrypt all information stored on removable media, and use only removable media approved by the organization.
Manipulation of parameter
A big threat is posed on the website when a hacker uses this process to manipulate the information in useful ways.
Loss of data/stolen data
Loss of data can be a great threat to the company, and its likelihood of occurrence is medium. It is recommended that the external security measures protecting the workstations be improved. This will prevent the workstations from being stolen.
Use of Default and Weak Passwords
The weak and default passwords used by LLP pose a great threat that an attacker may break into the server. It is recommended that the company should use long unique passwords that contain letters, special characters and numbers. Furthermore, they should be changed on a regular basis.
DDoS attacks
A DDoS attack has a high likelihood of being carried out against the company's website. As is evident, the website has been slow or has timed out. It is recommended that the company install and run anti-virus software on the website, as well as a firewall that ensures incoming and outgoing traffic is managed (Peltier, 2004).
References
Adam, J. (1999). Data security-threats and countermeasures. IEEE Spectrum, 29(8), 21-28. http://dx.doi.org/10.1109/6.144532
Boca Raton, Tipton, H., & Krause, M. (2007). Information security management handbook, Sixth Edition. Boca Raton, FL: Auerbach Publications.
Booth, D. (2015). Information security management: policies and standards. Engineering & Technology Reference. http://dx.doi.org/10.1049/etr.2015.0082
Hamilton, C. (2000). Risk Management and Security. Information Systems Security, 8(2), 69-78. http://dx.doi.org/10.1201/1086/43305.8.2.19990601/31067.11
Hampton, T. (2017). 9 Server Security Threats You Should Definitely Know – WebMaster View. Webmasterview.com. Retrieved 2 September 2017, from http://www.webmasterview.com/2011/03/server-security-threats/
Hollar, R., & Murphy, R. (2006). Enterprise Web services security. Hingham, Mass.: Charles River Media.
Peltier, T. (2004). Information security policies and procedures. Boca Raton, FL: Auerbach Publications.
Pournouri, S., & Craven, M. (2014). E-business, recent threats and security countermeasures. International Journal Of Electronic Security And Digital Forensics, 6(3), 169. http://dx.doi.org/10.1504/ijesdf.2014.064402
Security Controls. (2017). Sans.edu. Retrieved 2 September 2017, from https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Tsohou, A., Kokolakis, S., Lambrinoudakis, C., & Gritzalis, S. (2010). A security standards’ framework to facilitate best practices’ awareness and conformity. Information Management & Computer Security, 18(5), 350-365. http://dx.doi.org/10.1108/09685221011095263
English Language Exercises
Introduction
Reading is an important skill that involves the interpretation of a written text. A reader usually applies both their knowledge and opinions when engaging a piece of written material. There are many aspects of reading skills. The emphasis is usually on the ability of the reader to grasp meaningful insight from the material they are reading. In this task, a couple of exercises are developed for two articles. The first is a current news story about a serial killer who was recently captured by police. The second is a sports story about the craziest sporting fans.
Article 1: The Apprehension of a Serial Killer
The title of this article is “Serial Killer Undone by Asking McDonald’s Co-Worker to Mind His Gun, Police Say”. It is written by Richard Perez-Pena and was published in the New York Times. The article narrates the tale of how a serial killer suspect was arrested after asking a co-worker to watch his gun for him. After reading the article, students should carry out the following exercises.
Exercise 1
Answer the following questions about the article in full sentences:
- What is the name of the suspect?
- Where did this incident occur? (Provide geographical information)
- How was the suspect apprehended?
- For how long had the suspect been on the loose?
- When did this incident occur?
- Who are the key individuals involved in this incident?
- What kind of weapon did the suspect use to execute his murders?
Exercise 2
For the following statements, indicate whether each is True or False
- This incident occurred in Florida.
- The suspect was a known criminal with an elaborate record of previous crimes.
- The suspect turned himself in to the police.
- The suspect was arrested at a McDonald’s while he was eating.
- The police were able to match shell casings from three of four murders to the gun recovered from the suspect.
- The suspect was a university graduate.
- The suspect was targeting female victims in their late 20s to early 30s.
This writing can fit into an ESL lesson in a number of ways. One of the major benefits of this article is that it narrates an unusual incident through everyday language. It provides a lot of context and contains a lot of descriptive material. For instance, the neighborhood where the killings occurred is described as quiet and residential. Secondly, the text also contains both direct speech and narration. Consequently, it can be used to illustrate the differences between spoken English and written English.
The Craziest Sports Fans
The second article is “A weekend at skiing’s World Cup with the craziest fans in sport”. It was written by Aimee Lewis and published by CNN. This text narrates the experience of the winter Olympics, with an emphasis on the sport of skiing. This article takes on a conversational tone, describing the events as if they are ongoing. Students are expected to complete the following exercises once they have read the article.
Exercise 1
Indicate whether the following statements are True or False
- Fans of Skiing sports are better at celebrating than any other sports fans.
- The weather at the top of Rettenbach Glacier is so warm that people can stay gloveless.
- The climax of the Winter Olympics will take place in Sweden.
- Fans congregate near the finish line because this is the only place where they can enjoy the thundering music of the event.
- Fans engage in a variety of activities such as singing along to music, dancing and linking arms with friends because the weather is bone-chillingly cold.
- The warmest fans at the event were four French fans who are dressed as Teenage Mutant Ninja Turtles.
- Supporting skiing and attending skiing events is an expensive hobby.
- The Winter Olympics take place over a period of nearly five months.
Exercise 2
Complete the following sentences
- The men and women who love snow and dedicate themselves to the ski season _______________________________________________________
- Gloveless hands become numb on days when _______________________________ ______________________________________
- The skiing performances by female skiers on the Soelden slopes is a chance for _____ _________________________________________________________________
- Thundering music can be heard from _____________________________________ ____________________________________
- The weather is so bone-chillingly cold that fans _____________________________ ____________________________________________________
- Members of the Ted Ligety fan club wear __________________________________ ____________________________________________
- Thousands of fans line the slopes of a floodlit winter evening during _____________ ________________________________________________
This text is useful for ESL lessons because of its conversational tone. It is very engaging. Secondly, it includes a lot of new words which can enhance the vocabulary of students. Another reason for its usefulness is that it is context specific. The domain of the article is sporting. Thus, students can learn a lot about sporting, and about winter, especially for those who may come from places where they do not have winter. Finally, just like the previous article, this article contains a mix of narration and quoted speech, and can thus be used to juxtapose the two contexts of language usage.
References
Lewis, A. (2017, November 27). A weekend at skiing’s World Cup with the craziest fans in sport. Retrieved November 30, 2017, from http://edition.cnn.com/2017/11/25/sport/fis-ski-world-cup-fans-soelden-austria/index.html
Pérez-Peña, R. (2017, November 29). Serial Killer Undone by Asking McDonald’s Co-Worker to Mind His Gun, Police Say. Retrieved November 30, 2017, from: https://www.nytimes.com/2017/11/29/us/tampa-serial-killer-arrest.html