Oakton Community College Cyber Security Presentation

nnyznel

Computer Science

Oakton Community College

Description

Part 1:

Write a paper (title page and endnotes are not part of the page count) on one of the suggested topics or on a topic pre-approved by the instructor in advance. Include at least 3-5 cited references. Use APA format for the paper and citations, as described in the Style Guide. Page count should be 5-6 pages (single-spaced) or 10-12 pages (double-spaced).

Possible topics can be chosen from the list below; other topics can be considered if reviewed first with the instructor:

Compare and contrast Internet and Telephony communications and the security issues that must be addressed in each
What are considerations in defending against malware?
What are access controls and how are they part of a defense-in-depth strategy?
Define a best practice security operations organization and how someone could aspire to various security roles
Compare and contrast three or four security frameworks and the controls for each. How do they relate to each other?
Compare and contrast three or four risk assessment methodologies and the processes for each
Identify the major types of encryption methods in use today and how they are used to secure and protect information
Discuss each of the seven domains of a network infrastructure and the types of safeguards that can be applied to each
Describe three or four major federal laws involving security or privacy. Compare and contrast these to each other
Describe a few of the top security or privacy certification programs and what value each would bring to enhancing someone’s career

Part 2:

A 2-3-minute summary of one of the articles as a PowerPoint presentation. I have attached a link for you to kinda look at other presentations from other students. I also attached some lectures for you to choose a topic for your presentation, unless you want to go back to the previous articles you did before and kinda do a presentation from those articles.

https://depaul.voicethread.com/myvoice/course/2308...

INFORMATION SECURITY PROFESSIONAL CERTIFICATIONS

LEARNING OBJECTIVES
Distinguish between the U.S. DoD/military 8570.01 standard and the newer 8140 standard
Describe popular vendor-neutral professional certifications
Identify popular vendor-specific professional certifications

DOD DIRECTIVE 8570.01
"Information Assurance Training, Certification and Workforce Management"
Defines many training and certification requirements for DoD personnel and contractors with respect to information security.
Gov IT Wiki (http://govitwiki.com/wiki/8570.01) is a resource for additional information; it provides details about the specific certification requirements for each job type.
Affects any DoD facility or contractor organization.

DEFENSE INFORMATION SYSTEMS AGENCY (DISA)
Agency arm of the U.S. Department of Defense that provides information technology and communications support to the White House, the Secretary of Defense, and all military sectors that contribute to the defense of the United States of America.
DISA is developing a new, operationally focused cybersecurity training framework that will replace the previous 8570.01 standard.
The vision of this new cybersecurity training framework is to "establish a robust workforce training and certification program that will better prepare DoD cyberwarriors to operate and defend our networks in an increasingly threat-based environment."

U.S. DOD/MILITARY 8140 STANDARD
A "Training Strategy Roadmap" for role-based and crew certification will be provided.
Commercial certifications, which have long been relied on although they are often too broad for military use, will be adapted and tightened to better meet Defense Department needs.
DISA can produce focused, relevant qualifications and certifications for the cyberwarriors of the United States.
Crew certification is a grouping of qualified role-based operators who obtain the desired effects necessary to defend and operate in cyberspace.
A "Cyber Defense Academy" will qualify role-based individuals to work effectively as part of crews and teams.
The Joint Cyberspace Training & Certification Standard (JCT&CS) is the current baseline for work-role definition.
The National Initiative for Cybersecurity Education (NICE) will be the baseline for federal and DoD work-role definitions.

DOD INITIATIVES SUPPORTING THE 8140 STANDARD
DoD 8140 workforce requirements initiative (this will define the requirements for the cybersecurity roles identified by the JCT&CS)
Learning Management System selection by the Office of the Under Secretary of Defense for Personnel and Readiness (OSD P&R)
JCT&CS concept of operations (CONOPS) and Implementation Plan
Department of Homeland Security (DHS) and National Security Agency (NSA) Centers of Academic Excellence
DISA Cyber Workforce Developments

JOINT CYBERSPACE TRAINING AND CERTIFICATION STANDARDS

U.S. DOD/NSA TRAINING STANDARDS
The DoD and NSA have adopted several training standards to serve as a pathway to satisfy Directive 8570.01.
These training standards include long lists of learning objectives for topics related to specific job responsibilities.
They were developed by the Committee on National Security Systems (CNSS) and the National Security Telecommunications and Information Systems Security (NSTISS) Committee.
They provide guidance for course and professional certification vendors to develop curriculum and materials that meet the DoD/NSA requirements.

U.S. DOD/NSA TRAINING STANDARDS
Some of the standards define different levels of expertise, such as entry, intermediate, and advanced.
Others address general requirements targeted at a single level.
These training standards provide comprehensive descriptions of job competencies.
They provide guidance for potential and existing InfoSec professionals.
Anyone who currently works in InfoSec or wants to work in the field can use these standards to ensure they possess the necessary skills.

U.S. DOD/NSA TRAINING STANDARDS
NSTISS-4011 National Training Standard for Information Systems Security (INFOSEC)
CNSS-4012 National Information Assurance Training Standard for Senior System Managers
CNSS-4013 National Information Assurance Training Standard for System Administrators (SA)
CNSS-4014 Information Assurance Officer (IAO) Training
NSTISSC-4015 National Training Standard for System Certifiers
CNSS-4016 National Information Assurance Training Standard for Risk Analysts

VENDOR-NEUTRAL PROFESSIONAL CERTIFICATIONS
A certification is an official statement that validates the fact that a person has satisfied specific requirements.
A certification does not guarantee that a person is good at a specific job.
An organization that is empowered to state that an individual has met the certification's requirements issues the certification.
Obtaining certifications is a standard way for security professionals to further their security education and training.
Certifications show that a security professional has invested time, effort, and money into learning more about security.
Many prospective employers consider security certifications as they screen job applicants.
True security expertise involves more than just holding a certification.

QUESTION
How have government programs and standards for information security influenced the information security profession? Does government still have the same influence that it once did?

VENDOR-NEUTRAL PROFESSIONAL CERTIFICATIONS
Certifications target specific areas of knowledge and expertise.
There is at least one certification for most security-related job functions and expertise levels.
The first type of certification is the vendor-neutral certification, which covers concepts and topics that are general in nature and does not focus on a specific product or product line.

(ISC)2
International Information Systems Security Certification Consortium, Inc. (ISC)2
One of the most respected global certification organizations.
Not-for-profit organization that focuses on educating and certifying security professionals from all experience levels.

(ISC)2 CREDENTIALS
SSCP: Systems Security Certified Practitioner
Enables security practitioners to demonstrate their level of competence.
Covers the seven domains of best practices for information security published in the SSCP Common Body of Knowledge (CBK).
Ideal for those who are working toward or already hold positions as senior network security engineers, senior security systems analysts, or senior security administrators.
CISSP: Certified Information Systems Security Professional
Was the first ANSI/ISO-accredited credential in the field of information security.
Provides information security professionals with an objective measure of competence and a globally recognized standard of achievement.
Demonstrates competence in the 10 domains of the (ISC)2 CISSP CBK.
Targets middle- and senior-level managers who are working toward or already hold positions as chief information security officers (CISOs), chief security officers (CSOs), or senior security engineers.

(ISC)2 CREDENTIALS
CAP: Certified Authorization Professional
Provides a method to measure the knowledge and skills necessary for professionals involved in the process of authorizing and maintaining information systems.
Targets personnel responsible for developing and implementing processes used to assess risk and for establishing security requirements.
Professionals seeking the CAP credential could include authorization officials, system owners, information owners, information security officers, and certifiers.
This credential is appropriate for both private-sector and U.S. government personnel.
CSSLP: Certified Secure Software Lifecycle Professional
One of the few credentials that address developing secure software.
Evaluates professionals for the knowledge and skills necessary to develop and deploy secure applications.
Appropriate for software developers, software architects, and anyone involved in the software development and deployment process.

(ISC)2 CREDENTIALS
ISSAP®: Requires a candidate to demonstrate two years of professional experience in the area of architecture; an appropriate credential for chief security architects and analysts, who may typically work as independent consultants or in similar capacities.
ISSEP®: Developed in conjunction with the NSA, providing an invaluable tool for any systems security engineering professional. A road map for incorporating security into projects, applications, business processes, and all information systems.
ISSMP®: Requires that a candidate demonstrate two years of professional experience in the area of enterprise-wide security operations and management. Contains deeper managerial elements such as project management, risk management, setting up and delivering a security awareness program, and managing a business continuity planning program.

GIAC/SANS INSTITUTE
Background: Global organization that is ANSI accredited.
Global Information Assurance Certification (GIAC) Credentials: Over 20 individual credentials spanning several information security job disciplines:
Audit
Forensics
Legal
Management
Security administration
Software security

GIAC/SANS INSTITUTE
SANS Institute: Close relationship with GIAC. Provides specific training that prepares students for each of the GIAC credentials.
Technical papers: Anyone who holds a GIAC credential can submit a technical paper that covers an important area of information security. An accepted technical paper adds the Gold credential to the base GIAC credential.
GIAC Security Expert (GSE): Requirements include holding three GIAC credentials (with two of the credentials being Gold), passing a GSE exam, and completing an intensive two-day hands-on lab. The GSE represents the highest-level credential within GIAC.
GIAC CREDENTIALS

CERTIFIED INTERNET WEBMASTER (CIW)
Background
Offers several credentials that focus on both general and Web-related security.
Advanced credentials require a combination of passing an exam and holding at least one recognized credential from another vendor.
Uses this blended approach to encourage a breadth of security knowledge and skills.
Credentials list
CIW Web Security Associate
CIW Web Security Specialist
CIW Web Security Professional
Credentials from other vendors that satisfy the CIW Web Security Specialist and CIW Web Security Professional requirements:
(ISC)2 SSCP or CISSP
Various GIAC credentials, such as GSE, GCFW, GCIH, and so on
CompTIA Security+
Several vendor-specific credentials

COMPTIA
Administers a testing process to validate knowledge within specific IT support functions.
Its Security+ certification has become the entry-level information security certification of choice for IT professionals who want to pursue further work and knowledge in this area.

INFOTEC SECURITY CERTIFIED PROGRAM (SCP)
Security Certified Network Specialist (SCNS): A credential for IT professionals entering the network security environment. A foundational credential that covers important knowledge and skills necessary for solid network security.
Security Certified Network Professional (SCNP): An intermediate credential for experienced network security professionals. Covers prevention techniques, risk analysis, and security policy to address a complete network security environment.
Security Certified Network Architect (SCNA): A credential primarily targeted at IT managers and advanced IT security professionals. Focuses on more than just the technical aspects of security; it tackles management and environmental issues such as legal, forensics, organization security policy, and security architecture.
INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION (ISACA)
Certified Information Security Manager (CISM): The CISM certification program is a credential for experienced information security professionals who are involved in security management. It provides a way to measure the knowledge and skills necessary to design, implement, and manage enterprise security programs.
Certified Information Systems Auditor (CISA): The CISA certification program targets information systems audit, control, and security professionals. It defines and promotes the skills and practices that are the building blocks of success in the IT audit and control field.
Certified in the Governance of Enterprise IT (CGEIT): The CGEIT is a new ISACA certification program. It targets security professionals who ensure their organization satisfies IT governance requirements. The CGEIT bases its requirements on the ISACA and the IT Governance Institute's (ITGI's) audit and control guidelines, which come from global subject-matter experts.
Certified in Risk and Information Systems Control (CRISC): The CRISC certification applies to a wide range of security professionals. This certification focuses on the knowledge and skills required to design, deploy, monitor, and manage security controls to address risk. CRISC addresses all risk-management areas, including identification, assessment, response, and monitoring.
OTHER PROFESSIONAL CERTIFICATIONS
International Council of E-Commerce Consultants (EC-Council)
Certified Ethical Hacker (CEH)
Computer Hacking Forensic Investigator (CHFI)
EC-Council Certified Security Analyst (ECSA) / Licensed Penetration Tester (LPT)
Software Engineering Institute (SEI), Carnegie Mellon University
CERT Certified Computer Security Incident Handler
SEI Authorized CERT Instructor
High Tech Crime Network
Certified Computer Crime Investigator (Basic, Advanced)
Certified Computer Forensic Technician (Basic, Advanced)

OTHER PROFESSIONAL CERTIFICATIONS
Mile 2: Certified Wireless Network Professional
International Society of Forensic Computer Examiners: Certified Computer Examiner (CCE)
CyberSecurity Institute: CyberSecurity Forensic Analyst (CSFA)

VENDOR-SPECIFIC PROFESSIONAL CERTIFICATIONS
Vendor-specific certifications help identify professionals who possess in-depth product knowledge.
Holding a certification for a specific vendor does not guarantee competence, but it does imply it.
If an applicant meets the requirements for a certification, it means he or she has a certain level of knowledge and skills.
CISCO SYSTEMS
Levels of certification: Entry, Associate, Professional, Expert, Architect
Certification paths: Design, Security, Voice, Wireless, Routing and switching, Service provider operations

CISCO CERTIFICATIONS
Entry
Cisco Certified Entry Networking Technician (CCENT)
Cisco Certified Technician (CCT)
Associate
Cisco Certified Design Associate (CCDA)
Cisco Certified Network Associate (CCNA) Data Center
Cisco Certified Network Associate (CCNA) Routing and Switching
Cisco Certified Network Associate (CCNA) Security
Cisco Certified Network Associate (CCNA) Service Provider
Cisco Certified Network Associate (CCNA) Service Provider Operations
Cisco Certified Network Associate (CCNA) Video
Cisco Certified Network Associate (CCNA) Voice
Cisco Certified Network Associate (CCNA) Wireless

CISCO CERTIFICATIONS
Professional
Cisco Certified Design Professional (CCDP)
Cisco Certified Network Professional (CCNP)
Cisco Certified Network Professional (CCNP) Data Center
Cisco Certified Network Professional (CCNP) Security
Cisco Certified Network Professional (CCNP) Service Provider
Cisco Certified Network Professional (CCNP) Service Provider Operations
Cisco Certified Network Professional (CCNP) Voice
Cisco Certified Network Professional (CCNP) Wireless

CISCO CERTIFICATIONS
Expert
Cisco Certified Design Expert (CCDE)
Cisco Certified Internetwork Expert (CCIE) Data Center
Cisco Certified Internetwork Expert (CCIE) Routing and Switching
Cisco Certified Internetwork Expert (CCIE) Security
Cisco Certified Internetwork Expert (CCIE) Service Provider
Cisco Certified Internetwork Expert (CCIE) Service Provider Operations
Cisco Certified Internetwork Expert (CCIE) Voice
Cisco Certified Internetwork Expert (CCIE) Wireless
Architect
Cisco Certified Architect (CCAr)

JUNIPER NETWORKS CERTIFICATION LEVELS AND TRACKS

RSA
RSA is a global provider of security, risk, and compliance solutions for enterprise environments.

SYMANTEC CERTIFIED SPECIALIST (SCS)
Administration of Veritas Storage Foundation 6.0 for UNIX
Administration of Veritas Cluster Server 6.0 for UNIX
Administration of Symantec NetBackup 7.5 for UNIX
Administration of Symantec Enterprise Vault 10.0 for Exchange
Administration of Symantec Endpoint Protection 12.1
Administration of Symantec Backup Exec 2012
Administration of Veritas Storage Foundation and High Availability Solutions 6.0 for Windows
Administration of Symantec NetBackup 7.5 for Windows
Administration of Symantec Client Management Suite 7.1 / 7.x
Administration of Symantec Management Platform 7.1
Administration of Symantec Clearwell eDiscovery Platform 7.x
Administration of Symantec Data Loss Prevention 11.5
Administration of Symantec Network Access Control 12.1
Symantec Certified Professional (SCP)

CHECK POINT
Associate: Check Point Certified Security Principles Associate (CCSPA)
Administrator: Check Point Certified Security Administrator (CCSA); Check Point Certified Endpoint Administrator (CCEPA)
Expert: Check Point Certified Security Expert (CCSE); Check Point Certified Managed Security Expert (CCMSE); Check Point Certified Endpoint Expert (CCEPE)
Master: Check Point Certified Master Architect (CCMA)

ADDITIONAL INFORMATION SYSTEMS SECURITY CERTIFICATIONS

QUESTION
What do you feel is the value of certifications? Should everyone pursue a certification? Why or why not?

DISCUSSION

U.S. COMPLIANCE LAWS

GOALS
Explain what compliance is and how it's related to information security
Describe the main features of:
Federal Information Security Management Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Family Educational Rights and Privacy Act
Children's Internet Protection Act

COMPLIANCE IS THE LAW
Organizations:
Use and store a lot of data.
Treat information as one of their most important assets.
Use information to conduct business.
Use large and complex databases to keep track of customer product preferences.
Use the same information technology (IT) systems to manage the products and services that they offer customers.
Transfer data to other businesses.
Sensitive data:
Data is often collected that you can use to identify a person. This is called personally identifiable information (PII).

PERSONALLY IDENTIFIABLE INFORMATION (PII)
First, middle, and last name
Home mailing address
Social Security numbers
Driver's license numbers
Financial account data, such as account numbers or personal identification numbers (PINs)
Health data and biometric data
Authentication credentials, such as logon or usernames and passwords

PERSONALLY IDENTIFIABLE INFORMATION (PII)
Organizations sometimes don't do a very good job of protecting PII.
They might lose the data in a security breach.
They also could use it in ways their customers and clients don't approve.
When organizations don't voluntarily protect PII, governments create laws that force them to.
Once the laws are enacted, these organizations must follow them.

COMPLIANCE
Compliance is:
An important legal concept.
The act of following laws, rules, and regulations that apply to your organization.
Not only following laws and regulations, but interpreting them so policies and procedures can be defined.
Organizations must:
Document policies, standards, procedures, or guidelines as part of their compliance activities.
Be able to prove they are compliant in case of a lawsuit or litigation.

COMPLIANCE
Organizations under a compliance law should do the following:
Review the compliance law and its requirements.
Assign a designated compliance officer or individual responsible and accountable for your organization's compliance.
Create policies, standards, procedures, and guidelines to comply with legal and regulatory requirements.
Identify your organization's gaps in compliance and prioritize the gap remediation.
Implement proper security controls and countermeasures throughout your IT infrastructure in support of the compliance law's requirements.
Create and deliver annual security awareness training that educates employees about the organization's legal requirements for compliance.

COMPLIANCE
Not only includes the actual state of being compliant, but also the steps and processes taken to become compliant.
Compliance usually asks the questions: What are the rules? How must the rules be followed?
If an organization fails to meet its obligations, it can be subject to penalties.
An organization must be able to prove that it's complying with laws every day. It does this by implementing policies, standards, procedures, and guidelines.

COMPLIANCE
A comprehensive data protection law doesn't exist in the U.S.
Many laws focus on different types of data found in different industries.
These laws contain privacy and information security concepts.
They also focus on how that data is used.
A number of federal agencies regulate compliance with these types of laws.

PRIVACY
Information security and privacy are closely related.
Privacy: A person's right to control the use and disclosure of his or her own personal information.
Most federal data protection laws contain both privacy and information security requirements.
Privacy means that people have the opportunity to assess a situation and determine how their data is used.
Information security: The process used to keep data private.
Security is the process; privacy is a result.

PRIVACY
A simple term that describes a number of different but related concepts.
Privacy means that a person:
Has control of his or her personal data and can decide how his or her data can be collected, used, and shared. This is accomplished via an organization's Privacy Policy statement.
Gets to decide how to share his or her personal data with third parties. Individuals are provided with an "Opt-In" or "Opt-Out" option regarding the organization's use of their privacy data.

PRIVACY
Belief that the government's power to interfere in the privacy of its citizens is limited.
This means that people and their information must be free from unreasonable government intrusion.
The government must not investigate people or their personal information without a good reason.
Courts spend a lot of time defining the reasons to allow governments to investigate their citizens.
This is a core privacy concept for most Americans.

QUESTION
How do you feel that privacy and security are related? How are they different?

INFORMATION SYSTEMS SECURITY
Is about ensuring the confidentiality, integrity, and availability of IT infrastructures and the systems they comprise.
Information security is about maintaining the confidentiality of data.
Data can be business data or customer privacy data.
Data encryption can secure the data.
Role-based access controls can keep the data private. Systems grant access to data based on the role that the employee has.
By implementing security controls, privacy of data can be achieved within an organization.

LAWS FOR INFORMATION SECURITY COMPLIANCE
The United States doesn't have one single data protection law, resulting in many laws that focus on different types of data at the federal and state levels.
It's not practical to have separate information security programs for each law an organization must follow; an organization's information security program must be comprehensive and able to accommodate a general response to many laws.
Systems security professionals must understand what each law has in common from an information security standpoint.
All of the federal data protection laws have some elements of confidentiality, integrity, and availability (C, I, A).

LAWS THAT INFLUENCE INFORMATION SECURITY
Children's Internet Protection Act: Internet access in certain schools and libraries (regulator: FTC)
Family Educational Rights and Privacy Act: Student educational records (regulator: U.S. Department of Education)
Federal Information Security Management Act: Federal information systems (regulator: Office of Management and Budget)
Gramm-Leach-Bliley Act: Consumer financial information (regulator: FTC)
Health Insurance Portability and Accountability Act: Protected health information (regulator: Department of Health and Human Services)
Sarbanes-Oxley Act: Corporate financial information (regulator: Securities and Exchange Commission)

COMPLIANCE IS THE LAW
Security professionals must be familiar with the compliance laws.
Your job is not to understand the legal implications of the law but rather to know how that law impacts your organization and what you must do from an IT security perspective.
As an information systems security professional, you will be responsible for working with your organization's legal counsel, executive management, and IT organizations.
Your key responsibility is to help bridge the gap between the compliance law's requirements and your organization's implementation of security controls to achieve compliance.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
The federal government is the largest creator and user of information in the United States.
Government IT systems hold data that's critical for government operations.
They contain data that's important for running the business of the federal government.
They also hold sensitive military data.
These systems also hold personal information about U.S. citizens.
Federal IT systems and the data in them are attractive criminal targets.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
Created by Congress in 2002, partly in response to the September 11, 2001, terrorist attacks.
The attacks stressed the need for better information security in the federal government.
After the attacks, the government realized that computer security for federal IT systems wasn't what it should be.
FISMA changed the government's approach to information security.
It superseded most of the federal government's previous computer security laws.
It's now the main law that defines how federal agencies must secure their IT systems.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
Applies to federal agencies and their IT systems.
Federal agencies fall under the executive branch of the U.S. government.
The Office of Management and Budget (OMB) is responsible for FISMA compliance.
FISMA defines information security as protecting federal agency IT systems to provide confidentiality, integrity, and availability.
Agencies must protect their IT systems (and the data in those systems) from unauthorized use, access, disruption, modification, and destruction.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Risk assessments: Agencies must perform risk assessments. They must measure the harm that could result from unauthorized access to or use of their IT systems. Agencies must base their information security programs on the results of these risk assessments.
Annual inventory: Agencies must inventory their IT systems. They must update the inventory each year.
Policies and procedures: Agencies must create policies and procedures to reduce risk to an acceptable level. The policies must protect IT systems throughout their life cycles. Agencies also must create configuration management policies.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Subordinate plans: Agencies must make sure they have plans for securing networks, facilities, and systems or groups of IT systems. These plans are for technologies or system components that are a part of the larger information security program.
Security awareness training: Agencies must give training to employees and any other users of their IT systems, including contractors. This training must make people aware of risks to the agency's IT systems. It also must make them aware of their duties to protect these systems.
Testing and evaluation: Agencies must test their security controls at least once a year. They must test management, operational, and technical controls for each IT system.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Remedial actions: Agencies must have a plan to fix weaknesses in their information security program.
Incident response: Agencies must have an incident response procedure. They must state how the agency detects and resolves incidents. Agencies also must report incidents to the Department of Homeland Security (DHS).
Continuity of operations: Agencies must have business continuity plans as part of their information security programs.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Agencies must name a senior official in charge of information security. In most cases, this is the chief information security officer (CISO). These officials must be information security professionals with security experience.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
An agency's information security program applies to any other organization that uses the agency's IT systems or data.
An agency must protect the IT systems that support its operations. It must protect them even if another agency or contractor owns the IT systems.
This can broaden the scope of FISMA beyond a federal agency. This is important because IT systems and functions are often outsourced.
Systems security professionals must know if any of their organization's IT systems use or process information belonging to federal agencies.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
One of the most important parts of a FISMA information security program is that agencies test and evaluate it.
FISMA requires agencies to test their IT systems at least yearly. They must test IT systems with greater risk more often.
Agencies also must review the information security controls on these systems.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT
FISMA requires each federal agency to create an agency-wide information security program that includes:
Each agency must report yearly to the OMB on its FISMA compliance work.
The report must review the agency's information security program. It also must assess the agency's progress on fixing any weaknesses in the program or security controls.
An agency must send a copy to certain congressional committees and other federal agencies.
The FISMA yearly reporting process is time consuming.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
FISMA requires the U.S. Department of Commerce to create information security standards and guidelines; this has been delegated to NIST.
NIST creates guidance that all federal agencies use for their information security programs.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
Federal Information Processing Standards (FIPSs) are standards: agencies use them to classify their data and IT systems, and they state mandatory actions that an organization must take to protect its IT systems.
Special Publications (SPs) are guidelines: they define minimum information security controls for IT systems and state recommended actions that an organization should follow.

UNITED STATES COMPUTER EMERGENCY READINESS TEAM (US-CERT)
Under FISMA, the government must have a federal incident response (IR) center.
In 2003, the Department of Homeland Security was given the responsibility to run a federal IR center. The DHS center is called the United States Computer Emergency Readiness Team, or USCERT UNITED STATES COMPUTER EMERGENCY READINESS TEAM (US-CERT) Under FISMA, all federal agencies must report security incidents to the US-CERT. This includes incidents involving national security systems. An incident is a violation of computer security policies or practices. It also includes an imminent threat of violation of these policies or practices. The government has six incident response categories. Agencies must report incidents within certain time periods. The reporting period depends upon the incident category. NIST RISK MANAGEMENT FRAMEWORK (RMF) NIST recommends using a risk management framework (RFM) approach for FISMA compliance Government agencies that organize and prioritize risk can adopt an information systems security program to mitigate that risk. NIST's RMF recommends a continuous process of categorization and assessment. It also requires continuous monitoring RISK MANAGEMENT FRAMEWORK (RMF) PROCESS NIST RISK MANAGEMENT FRAMEWORK (RMF) Categorize information systems An agency must sort its IT systems based on risk. Select the minimum security controls An agency must select controls for its IT systems based on their risk category. Implement security controls in IT systems An agency must apply controls in certain areas that are specified by NIST. Assess security controls for effectiveness An agency must assess its controls on a continuous basis to make sure that they're effective in reducing risk. Authorize the IT system for processing An agency must test its IT systems and approve their operation. Continuously monitor security controls An agency must monitor its security controls continuously to make sure they're effective. They also must document any changes to their IT systems. 
They must assess changes for new risks Included in these areas are access control, contingency planning, and incident response. An agency specifically must accept the risks of operation prior to allowing a system to operate. This process used to be known in FISMA terminology as "certification and accreditation." NATIONAL SECURITY SYSTEMS National Security Systems (NSS) FISMA requires federal agencies to secure national security systems (NSSs) using a risk-based approach. These systems must be specially protected due to their national security significance. The Committee on National Security Systems (CNSS) oversees FISMA activities Federal agencies with national security systems must follow CNSS policies, which use a six-step process for protecting these systems. This process is the same as the NIST RMF. NIST and the CNSS worked together to create them. Intelligence activities National defense Foreign policy Military activities OFFICE OF MANAGEMENT AND BUDGET (OMB) The OMB is responsible for making sure that federal agencies meet their FISMA obligations. It has broad powers. It can withhold funding from agencies that fail to follow the law. The OMB shares some oversight responsibility with other agencies. The responsibility is shared for NSSs. The DoD has FISMA responsibility for NSSs that hold military data. The CIA has responsibility for NSSs with intelligence data QUESTION Do you think that the federal government takes as much time and interest in securing its own data as it does establishing rules for other industries? What are some of the basic requirements that federal agencies have to secure their data? HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT Most people consider their health information to be among the most sensitive types of personal information - full of private details. People share this information with health care providers to receive treatment. Their medical records include details on illness diagnoses, lab results, and treatment options. 
These records also contain details about lifestyle, chronic conditions, or mental health counseling. People fear they will be embarrassed if their health data isn't kept secret. Some people may even fear for their lives if particularly intimate facts, such as reasons for health counseling, are disclosed. Other people may fear that insurance companies or employers could reject them because of information in their health records. People often feel that they have little control over how their health information is shared and protected HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. It was amended in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA is best known for its data protection rules - address the security and privacy of personally identifiable health information Oversight is by the Department of Health and Human Services/Office for Civil Rights PROTECTED HEALTH INFORMATION (PHI) HIPAA applies to PHI - any individually identifiable information about a person's health. It includes mental and physical health data. PHI includes past, present, or future information It also includes information about paying for health care. PHI can be in any form. It's commonly considered to be all information that is put in a person's medical record including medical notes, billing information, and insurance data HIPAA APPLICABILITY Covered Entity Covered entities may only use PHI in certain ways Health plans Health care clearinghouses Any health care provider that transmits PHI in an electronic form Business Associates HIPAA also applies to the business associates of covered entities. A business associate is an organization that performs a health care activity for a covered entity. Covered entities may outsource some health care functions, such as claims and billing, to these organizations. They must comply with HIPAA. 
Under the HITECH Act, HHS may directly require business associates to comply with HIPAA. HITECH ACT Enacted as part of the American Recovery and Reinvestment Act of 2009 Designed to promote the widespread adoption and standardization of health information technology. Providers that adopted electronic health record (EHR) systems can apply for meaningful use incentives to help pay for transition to EHR platforms. Participation in federally funded programs such as meaningful use requires providers to maintain HIPAA security and privacy rule compliance. HIPAA PRIVACY RULE Determines how covered entities must protect the privacy of PHI. Published in December 2000; compliance required in April 2003 First time the U.S. government has specified federal privacy protections for PHI HIPAA PRIVACY RULE Covered entities may not “use” or “disclose” a person's PHI without his or her written consent. “Use” Refers to how a covered entity shares or handles PHI within its organization. “Discl Refers to how a covered entity osure” shares PHI with other organizations that may not be affiliated with it HIPAA PRIVACY RULE EXCEPTIONS Treatment, Payment, Healthcare Operations Allow a covered entity to share a person's PHI without a person's written consent. Main permitted use and disclosure of PHI under the Privacy Rule There are other times a covered entity may disclose PHI without consent such as reporting victims of child abuse and neglect. A covered entity doesn't need a person's written consent to share PHI for this purpose because it's assumed that most people want their health care providers to use their PHI to provide medical treatment. The rules for disclosing PHI without consent are complicated. Common covered entity activities. 
Requiring a person's written consent to complete these functions would be inefficient Covered entities must analyze the rules carefully to make sure that they follow them HIPAA PRIVACY RULE – MINIMUM NECESSARY Even if a covered entity is allowed to use or disclose PHI without written consent, it must follow the minimum necessary rule A covered entity may disclose the amount of PHI necessary to satisfy the reason why the information is being used or disclosed, but no more. A covered entity must use its professional judgment and make reasonable efforts to limit its use or disclosure. A health care provider shouldn't disclose a person's entire medical record if only a portion of it is needed to respond to a request HIPAA PRIVACY RULE – PRIVACY NOTICE A covered entity must inform people about how it uses and discloses PHI using a privacy notice. The covered entity must only use and disclose PHI in the ways described by this notice. The Privacy Rule has many requirements for how these notices must be written. The most important requirement is that a covered entity use plain language to draft its notice. An average person must be able to understand it HIPAA BREACH NOTIFICATION RULE Under HIPAA, a breach is any impermissible use or disclosure of unsecured PHI that harms its security or privacy. The use or disclosure must cause a significant risk of harm to the affected person. The harm can be financial or reputational The Privacy Rule requires covered entities to mitigate an unauthorized use or disclosure of PHI Prior to the HITECH Act, a covered entity didn't have to notify people if their PHI was used or disclosed in an unauthorized manner. The HITECH Act now requires them to do so. 
It creates notification requirements that covered entities must follow in the event of a breach of unsecured PHI PHI must be encrypted through an HHS-approved process to be considered secure HIPAA BREACH NOTIFICATION RULE Both covered entities and business associates must follow the breach notification rules. If a covered entity has a breach of unsecured PHI, it must notify the victims within 60 days of the discovery. A breach is "discovered" on the first day that the covered entity knows about it. Individuals must be notified without "unreasonable delay." A covered entity may delay notification if a law enforcement official requests it. HIPAA has many rules for how notice of a breach must be given. Under the breach notification rules, business associates also are required to notify covered entities following their discovery of a breach of unsecured PHI. The business associate must tell the covered entity no later than 60 days after it discovers the breach. It must help the covered entity notify victims. HIPAA SECURITY RULE Requires Covered Entities to Protect the confidentiality, integrity, and availability of electronic PHI that they create, receive, maintain or transmit Use security safeguards to protect electronic protected health information (EPHI). Protect EPHI from reasonably anticipated threats. Guard PHI from uses or disclosures that aren't allowed by the Privacy Rule. Security Rule First time the federal government addressed security safeguards for electronic PHI HIPAA SECURITY RULE Information Security Programs Covered entity must consider Requires covered entities to create an information security program Its size and complexity They have flexibility in creating these programs. They don't have to use specific types of security technology. 
Its technical infrastructure, hardware, and software security resources An information security safeguard is also called an information security control The costs of security measures The potential risks to EPHI HIPAA SECURITY RULE Safeguards and Specifications “Addressable” Requires covered entities to use information security principles to protect EPHI. Covered entities have discretion in implementing addressable specifications. Must use administrative, physical, and technical safeguards. For addressable specifications, the entity must assess whether the control is reasonable and appropriate in its environment “Required” - Covered entities must implement them If it is, then the covered entity must use it. If it isn't, the covered entity doesn't have to use it HIPAA SECURITY RULE - SAFEGUARDS Administrative Actions, policies, and procedures that a covered entity must implement to follow the Security Rule. Physical Controls put in place to protect a covered entity's physical resources. They protect information systems, equipment, and buildings from environmental threats. Technical Applied in the hardware and software of an information system SECURITY RULE ADMINISTRATIVE SAFEGUARDS SECURITY RULE PHYSICAL SAFEGUARDS SECURITY RULE TECHNICAL SAFEGUARDS HIPAA - OVERSIGHT HHS/Office for Civil Rights Enforces both rules against covered entities and against business associates. Investigates and responds to complaints from people who claim that a covered entity has violated HIPAA. Can levy fines on a covered entity that is in violation of HIPAA security or privacy rule compliance HIPAA - PENTALTIES Tier A For violations in which the offender didn't realize he or she violated the act and would have handled the matter differently if he or she had. Tier B For violations due to reasonable cause, but not "willful neglect." Tier C For violations due to willful neglect that the organization ultimately corrected. 
Tier D For violations of willful neglect that the organization did not correct. This results in a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year. The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000 for the calendar year. The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000 for the calendar year. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for the calendar year. in 2013 as an update to HIPAA and HITECH HIPAA -Released OMNIBUS Modifications to Standards for reporting breaches of unsecured personal health information (PHI) Requirements for business associate agreements Limitations on The sale of PHI And clarifications concerning the use and disclosure of PHI for marketing Relaxation of certain limitations on the use of PHI for fundraising Removal of limitations on the liability of covered entities for the acts and omissions of business associates Other Improvement to the regulations concerning authorizations for the use or disclosure of PHI for research Extension of HHS enforcement authority over business associates Expansion of the definition of the term business associate to include Health Information Organizations, E-prescribing Gateways, entities that provide data transmission services for PHI and which require routine access to such PHI, and personal health record vendors New obligations for business associates to enter into business associate agreements with their own subcontractors Changes to the requirements for notices of privacy practices GRAMM-LEACH-BLILEY ACT (FINANCIAL SERVICES MODERNIZATION ACT OF 1999) Addresses the privacy and security of consumer financial information. 
Purpose was to allow banks, securities, and insurance companies to merge After GLBA, these new, larger corporations would have access to large amounts of consumer financial information and people feared that their privacy would suffer – GLBA included privacy and security protections The Federal Trade Commission tracks consumer complaints for identity theft, fraud, and other consumer-related scams like Ponzi schemes in the "Consumer Sentinel Network Data Book" GRAMM-LEACH-BLILEY ACT Consumer financial information (CFI) Personally identifiable information. Information that a person provides to a vendor to get a good or service. Customers can provide it to get services from banks or other financial institutions which use this data to provide home or car loans, credit cards, or to open checking accounts. Consumers demand that their financial institutions protect it. GLBA Because of their vulnerability to fraud, financial institutions must follow GLBA privacy and security rules to help mitigate data breaches and identity theft. Any financial transaction, such as borrowing, lending, credit counseling, debt collection, or similar activities, requires special attention when maintaining privacy of consumer data. GLBA applies to consumer financial activities only. They're transactions made for personal, family, or household services GLBA doesn't apply to business transactions GLBA NPI includes GLBA requires financial institutions to protect consumers' nonpublic financial information. Nonpublic personal information (NPI) is personally identifiable financial information that a consumer gives to a financial institution. NPI also includes PII that an institution gets from sources other than a consumer. Social Security number Financial account numbers Credit card numbers Date of birth NPI can be in paper or electronic form. 
Name, address, and phone numbers when collected with financial data Details of any transactions or the fact that an individual is a customer of a financial institution GLBA OVERSIGHT Different federal agencies have GLBA oversight responsibilities which makes compliance difficult Their responsibilities are based on the type of financial institution under review The agencies that oversee GLBA compliance may take action against the financial institution that they regulate. Institutions that violate GLBA can be subject to both criminal and civil penalties. GLBA OVERSIGHT Securities and Exchange Commission (SEC) Oversees securities brokers and dealers Federal Reserve System (the Fed) Oversees state-chartered member banks and bank holding companies Federal Deposit Insurance Corporation (FDIC) Oversees state-chartered banks that aren't members of the Fed National Credit Union Administration (NCUA) Oversees federally insured credit unions Office of the Comptroller of the Currency (OCC) Oversees nationally chartered banks Office of Thrift Supervision (OTS) Oversees all nationally chartered and some state-chartered thrifts Federal Trade Commission (FTC) Oversees GLBA for any financial institution that isn't regulated by one of the other agencies GLBA – PRIVACY RULE The GLBA Privacy Rule went into effect July 1, 2001. Under this rule, a financial institution may not share a consumer's NPI with nonaffiliated third parties GLBA – PRIVACY RULE – NOTICE OF PRIVACY PRACTICES A financial institution can share this information only when it first provides the consumer with notice of its privacy practices. This notice must tell consumers about the types of data that the institution collects. It also must state how the institution uses the collected information. 
The notice also must describe how the institution protects a consumer's NPI GLBA – PRIVACY RULE – NOTICE OF PRIVACY PRACTICES Non-Affiliated Third Party Affiliated Party The Privacy Rule requires that consumers have a chance to opt out of certain types of data sharing with nonaffiliated third parties. Has a legal relationship. An entity that isn't legally related to a financial institution They are members of the same corporate family. An affiliated party is any entity that controls, is controlled by, or is under the common control of another entity GLBA – PRIVACY RULE – CUSTOMERS AND CONSUMERS Consumer Any person who gets a consumer financial product or service from a financial institution. A financial institution doesn't have to give a privacy notice to a consumer if it doesn't share the consumer's NPI with nonaffiliated parties. Financial institutions must give their privacy notice to consumers if they plan to share the consumer's NPI with nonaffiliated parties. The privacy notice must give the consumer a chance to stop the financial institution from sharing the consumer's NPI with nonaffiliated third parties GLBA – PRIVACY RULE – CUSTOMERS AND CONSUMERS Consumer The privacy notice must tell consumers how to opt out. If a consumer doesn't opt out, then the financial institution can share NPI in ways described by its privacy notice. GLBA doesn't give consumers the right to opt out of situations where a financial institution shares NPI with its affiliates. In some instances, consumers don't have the ability to opt out at all. For example, consumers can't opt out of a disclosure that is required by law GLBA – PRIVACY RULE – CUSTOMERS AND CONSUMERS Customer A consumer who has a continuing relationship with the institution. An example of a consumer without a customer relationship is a person who withdraws cash from an ATM that doesn't belong to his or her personal bank. Customers must receive the financial institution's privacy notices. 
An institution must give a customer notice of its privacy practices as soon as the customer relationship begins. Customers also must receive a copy of the privacy notice each year for as long as the relationship continues. The notice must be provided in writing and be understandable. QUESTION Should there be a single federal law that covers concepts of information security, privacy, and breach notification? Why or why not? SARBANES-OXLEY ACT Many large corporate scandals rocked the early 2000s. Companies such as Enron, Adelphia, and WorldCom made news for their inaccurate and misleading financial reporting practices. These practices duped investors by making the corporations look more successful than they actually were. Many of these investors, which included corporate employees, lost large amounts of money. By the time everyone knew the truth, it was too late to recover investment losses. When these scandals came to light, they shook investor confidence in the U.S. economy. Accurate information is the "investor's best tool.“ People need accurate financial information so they can invest wisely and make money Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002 to help protect investors This law is more commonly known as the Sarbanes-Oxley Act of 2002 (also known as “SOX” or “Sarbox”) SARBANES-OXLEY ACT The main goal of SOX is to protect investors from financial fraud. SOX supplements other federal securities laws. It applies to publicly traded companies that must register with the Securities and Exchange Commission. Investors own a publicly traded company by buying its stock on a stock exchange. SOX doesn't apply to privately held companies SARBANES-OXLEY ACT When it was first enacted, most companies assumed that it didn't have any IT components – IT not mentioned anywhere within the act. Many SOX provisions require companies to verify the accuracy of their financial information. 
Since IT systems hold many types of financial information, companies and auditors quickly realized that these systems were part of SOX compliance. That meant that the way those systems are used and the controls used to safeguard those systems had to be reviewed for SOX compliance SARBANES-OXLEY ACT – SECTION 404 Requires an organization's executive officers to establish, maintain, review, and report on the effectiveness of the company's internal controls over financial reporting (ICFR). An organization's executives must understand how its IT systems work in order to make these certifications Management makes this certification on reports filed with the SEC to help ensure that a company's financial reports are accurate. It helps protect investors from fraudulent financial activities SARBANES-OXLEY ACT - ICFR A company must create, document, and test its ICFR annually After a company makes its yearly report, outside auditors must review it and verify that the ICFR specified in the report actually work. Under SEC rules, ICFR are processes that provide reasonable assurance that an organization's financial reports are reliable SARBANES-OXLEY ACT - ICFR ICFR provide management with reasonable assurance that: Financial reports, records, and data are accurately maintained. Transactions are prepared according to accounting rules and are properly recorded. Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner SARBANES-OXLEY ACT – SECTION 404 Companies trying to comply with Section 404 quickly learned that they needed to review their IT systems - specifically, they needed to review the ICFR on their IT systems. An error in these systems could cause financial statements to contain errors or mistakes. To comply with Section 404, companies had to make sure that system data were accurate. They had to make sure that they had processes in place to detect inaccurate data. 
Section 404 is very general about the types of ICFR that companies must implement SARBANES-OXLEY ACT – SECTION 404 In 2007, the SEC issued additional guidance to help companies assess ICFR during their Section 404 review. The SEC stated two broad principles in its guidance: Management should assess how its internal controls prevent or detect significant deficiencies in financial statements. Management should perform a risk-based review of the effectiveness of these controls. The SEC also said that management must exercise its professional judgment to limit the scope of a Section 404 review. Reminded companies that SOX applies to internal controls, including IT controls that affect financial reporting only SARBANES-OXLEY ACT – SECTION 404 IT Controls Management must review general IT controls to make sure that IT systems operate properly and consistently. The controls must provide management with reasonable assurance that IT systems operate properly to protect financial reporting Outsourcing SOX requires companies to monitor ICFR for outsourced operations as well. Many companies do this by asking their outsourcing companies to provide them with a special audit report about the outsourced operations. A company must review this report to determine if the outsourcing company's controls are sufficient. SARBANES-OXLEY ACT – RECORD RETENTION Audit papers Public companies are required to maintain their financial audit papers for seven years to include records used to assess ICFR Most documents used in an audit - support the conclusions made in an audit report. Other federal and state laws contain record retention requirements. This includes work papers, memoranda, and correspondence. Organizations should develop document retention policies to help them track their different obligations. 
It also includes any other records created, sent, or received in connection with the audit Penalties for failing to retain records for the right amount of time can be severe and include criminal penalties Includes electronic records SARBANES-OXLEY ACT - OVERSIGHT Securities and Exchange Commission (SEC) Provides oversight and enforcement Created under the Securities and Exchange Act of 1934. Mission is to protect investors and maintain the integrity of the securities industry. Has the power to investigate and sanction public companies that don't comply with SOX. Reviews a public company's yearly and quarterly reports at least once every three years to try to detect fraud and inaccurate financial statements that could harm the investing public QUESTION How are Internal Audit and Information Security similar? How are they different? Are there skills necessary that are used in both areas? FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA) Family Educational Rights and Privacy Act (FERPA) Educational institutions Main federal law protecting the privacy of student information. Collect and store student data: Demographic information Address and contact information Parental demographic information Parental address and contact information Grade information Disciplinary information FERPA Educational institutions include: Congress created FERPA in 1974 Community colleges Colleges and universities It applies to any education agency or institution that receives federal funding. Primary and secondary schools (kindergarten through twelfth grade) State and local educational agencies (such as a school board) Most educational institutions receive some kind of funding from the U.S. Department of Education - if a school chooses not to comply with FERPA, it can't receive any federal funds. Schools or agencies offering a preschool program Any other educational institution that receives federal funding FERPA Student Record Protects the privacy of student records. 
Data about a student that a school keeps. Written documents, computer media, video, film, and photographs. Records maintained by an outside party acting on a school's behalf. Can be in paper or electronic form. Information Security Specific information security controls not specified to be implemented to protect student records. Systems security professionals must be aware of FERPA's requirements. The organization must then implement security controls in IT systems to protect the privacy of electronic student records. Or their parents if the student is under 18 FERPA – STUDENT RIGHTS Know what data is in the student's student record Inspect and review that record Request that a school correct errors in a student record Consent to have certain kinds of student data released FERPA - PII Personally identifiable information Schools must protect the personally identifiable information that is located in the records Direct Identifiers: e.g., name, Social Security number, and student number. Indirect Identifiers: when they're matched with a student name. Indirect identifiers are personal characteristics that can be used easily to identify a student FERPA – RELEASE OF INFORMATION Exceptions A school can't release a student's records to a third party without the student's written consent Some school officials can view student records when required by their job duties. A school can transfer a student's record from the old school to a new school without the student's consent. Schools can transfer student records for some financial aid or accreditation purposes. Schools can disclose some student information in order to comply with a court order or lawful subpoena FERPA – DIRECTORY INFORMATION Special category of personally identifiable information to be disclosed without student consent. A school can do this so long as it has given notice to the student that it will disclose this information. Information that is publicly available about all students. 
Includes information such as a student's name, address, or telephone number. Colleges and universities often provide this type of information in an online directory. A student can choose to forbid the release of this type of information - must tell the school not to release this type of information; then school must put measures in place to make sure that this information is not released FERPA – ANNUAL NOTICE Schools must give annual notice about the school's FERPA practices This notice informs students and parents about their FERPA rights. It tells students about the school officials who have access to records without student consent FERPA - SECURITY IT and information systems security professionals who work for highereducation institutions must also comply with FERPA. IT departments within higher-education institutions are responsible and accountable for maintaining the confidentiality of student privacy data. FERPA - OVERSIGHT Family Policy Compliance Office (FPCO) Oversees FERPA compliance. Violations Schools that violate FERPA can lose their federal funding. Has the authority to review and investigate FERPA complaints. Students who have had their FERPA rights violated aren't allowed to sue a school for that violation. Only the FPCO is allowed to sanction schools that violate FERPA CHILDREN'S INTERNET PROTECTION ACT (CIPA) Protects children from exposure to offensive Internet content. It requires certain schools and libraries to filter offensive Internet content so that children can't access it Requires public school systems and public library systems that participate in E-Rate federal funding to be in compliance with CIPA. The E-Rate program provides discounts to most primary and secondary schools and libraries for Internet access. Provides best practices for parents and providers of free, public Wi-Fi access to protect our children from offensive content. 
◦ Congress passed CIPA in 2000.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – DEFINITIONS
◦ Minor: CIPA defines a minor as anyone under the age of 17. In general a minor is anyone who is not of legal adult age, but different laws set different ages for when a person stops being a minor.
◦ Offensive content: any visual depictions that are obscene, child pornography, or (on computers accessed by minors) harmful to minors.
◦ "Harmful to minors": any visual picture that
  ◦ appeals to a prurient interest in nudity, sex, or excretion with respect to what is suitable for minors;
  ◦ depicts, describes, or represents sexual acts, contact, or genitalia in a patently offensive way with respect to what is suitable for minors; and
  ◦ taken as a whole, lacks serious literary, artistic, political, or scientific value with respect to what is suitable for minors.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – OBSCENE AND OBJECTIONABLE MATERIAL
◦ Most people agree that children should be protected from obscene material, but the legal definition of obscene material is complex.
◦ Miller v. California, a 1973 U.S. Supreme Court case, helps define what is obscene. The Court held that material is obscene only if it meets three conditions, judged by the average person applying contemporary community standards.
◦ Miller test: material is obscene if it
  ◦ appeals predominantly to prurient interests (prurient indicates a morbid, degrading, and unhealthy interest in sex);
  ◦ depicts or describes sexual conduct in a patently offensive way; and
  ◦ lacks serious literary, artistic, political, or scientific value.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – E-RATE
◦ Discounts range from 20 percent to 90 percent of actual costs.
◦ Schools and libraries don't have to accept these funds; they can pay for Internet access with private funds, or choose not to offer Internet access.
◦ The Federal Communications Commission (FCC) manages the E-Rate program.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – CHALLENGES
◦ The American Library Association and the American Civil Liberties Union claimed CIPA violated the free speech rights of adults and could prevent minors from getting information about topics such as breast cancer.
◦ First Amendment: sets forth the rights to freedom of religion, speech, the press, and assembly, plus an implicit right of freedom of thought, which has a privacy component. Censorship actions can violate the First Amendment.
◦ Federal courts agreed that CIPA violated free speech rights and blocked (temporarily overturned) CIPA in 2002. The government appealed to the U.S. Supreme Court (United States et al. v. American Library Association, Inc. et al.).
◦ In 2003 the Supreme Court reversed the lower court and upheld the law. It held that only schools and libraries that receive E-Rate funding for Internet access must comply with CIPA, and that CIPA's filtering requirement applies to minors only.
◦ Schools and libraries must have some way to allow adults unfiltered Internet access; if they don't, they face scrutiny for censorship and for violating the First Amendment rights of adults.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – FILTERING
◦ Covered schools and libraries must filter offensive Internet content so that children can't get to it; they can use technological tools to meet this requirement.
◦ CIPA states what must be filtered but not how to filter it.
◦ Technology protection measure (TPM): any technology that can block or filter the objectionable content.
◦ Disabling: the library or school must be able to disable the TPM for any adult who needs to use a computer, as a First Amendment right.
◦ The FCC recognizes that a TPM cannot be 100 percent effective and leaves it to local authorities to determine which measures are most effective for their community. Neither CIPA nor the FCC defines what level of filtering is acceptable.
◦ A school or library is expected to take steps to resolve filtering failures; if they are not resolved, a patron can file a complaint with the FCC.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – INTERNET SAFETY POLICY
◦ Basics: the policy must identify a method to address filtering exceptions, provide for monitoring the online activity of children, and state how the school or library will restrict access to objectionable online materials.
◦ It must address the safety and security of children when using e-mail, chat rooms, or other electronic communications; situations where a child uses the Internet for unlawful activities; and the unauthorized use of a child's personal information.

CHILDREN'S INTERNET PROTECTION ACT (CIPA) – OVERSIGHT
◦ The FCC provides oversight; applications by a school or library for E-Rate funding must certify CIPA compliance.
◦ Investigations: if the FCC receives complaints that too many objectionable images are getting through, it may investigate.
◦ The FCC presumes that Congress never intended libraries to be fined if they don't comply with CIPA, but it may require a library to refund the E-Rate discount for the period of time it wasn't in compliance.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS): PURPOSE AND SCOPE
◦ Assists merchants and financial institutions in understanding and implementing standards for security policies, technologies, and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
◦ Helps vendors understand and implement PCI standards and requirements for ensuring that secure payment solutions are properly implemented.

PCI DSS: PURPOSE AND SCOPE (CONT.)
◦ To validate compliance, an organization either:
  ◦ undergoes an on-site PCI audit by a Qualified Security Assessor (QSA), plus quarterly vulnerability scanning performed by an Approved Scanning Vendor (ASV); or
  ◦ completes an annual Self-Assessment Questionnaire (SAQ), plus quarterly vulnerability scanning performed by an ASV.
◦ Each SAQ type lists the security control requirements that apply to that category of merchant or service provider.

PCI DATA SECURITY STANDARD REQUIREMENTS

PCI DSS: MAIN REQUIREMENTS
◦ The changes below were introduced in PCI DSS version 3.2 (2016); the ones marked with an effective date were best practices until February 1, 2018, and mandatory after that.
◦ Requirement 3.3: updated to clarify that displaying more of the primary account number (PAN) (e.g., a 16-digit credit card number) than the first six and last four digits requires a legitimate business need; added guidance on common masking scenarios.
◦ Requirement 8.3: expanded into sub-requirements that require multifactor authentication for personnel with non-console administrative access and for personnel with remote access to the cardholder data environment (CDE).

PCI DSS: MAIN REQUIREMENTS (CONT.)
◦ Requirement 10.8.1 (effective February 1, 2018): new requirement for service providers to detect and report on failures of critical security control systems.
◦ Requirement 11.3.4.1 (effective February 1, 2018): new requirement for service providers to perform penetration testing on segmentation controls at least every six months.

PCI DSS: MAIN REQUIREMENTS (CONT.)
◦ Requirement 12.4 (effective February 1, 2018): new requirement for service providers' executive management to establish responsibilities for the protection of cardholder data and for a PCI DSS compliance program.
◦ Requirement 12.11.1 (effective February 1, 2018): new requirement for service providers to perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures.

DISCUSSION

INFORMATION SECURITY STANDARDS – LEARNING OBJECTIVES
◦ Identify prominent information security standards organizations.
◦ Summarize what ISO 17799 contains.
◦ Explain how ISO/IEC 27002 pertains to information security.
◦ Describe PCI DSS requirements.

INTRODUCTION – STANDARDS
◦ How can so many products from different vendors work together? They work together because of standards.
◦ Standards are necessary to create and maintain a competitive market for hardware and software vendors.
◦ They guarantee compatibility between products from different countries and provide guidelines to ensure that products in today's computing environments work together.
◦ Adhering to standards is necessary to increase market appeal and for regulatory compliance.

QUESTION
◦ What are some challenges of trying to adhere to a security standards framework?
◦ Do you think that everyone in the organization will want to use the same standards? Why or why not?

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
◦ Federal agency within the U.S. Department of Commerce; founded in 1901 as the National Bureau of Standards (NBS), America's first federal physical science research laboratory.
◦ Mission: "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
◦ Provides standards for measurement and technology on which nearly all computing devices rely.

NIST COOPERATIVE PROGRAMS
◦ NIST Laboratories: conduct research to advance the United States' technology infrastructure.
◦ The nation's industry uses this infrastructure to improve the quality of products and services.
◦ Baldrige National Quality Program: a national program that empowers and encourages excellence among U.S. organizations, including manufacturers, service organizations, educational institutions, health care providers, and nonprofit organizations; it strives to increase quality and recognizes organizations that achieve quality goals.

NIST COOPERATIVE PROGRAMS (CONT.)
◦ Hollings Manufacturing Extension Partnership: a network of centers around the nation that offer technical and business assistance to small and medium-sized manufacturers.
◦ Technology Innovation Program: a national program that offers awards to organizations and universities to support potentially revolutionary technologies that address critical needs of national interest.

NIST PUBLICATIONS
◦ NIST maintains a list of standards and publications of general interest to the computer-security community.
◦ NIST established this collection of documents, the Special Publications 800 series, in 1990 to give information technology security publications a separate identity.
◦ The publications in this series report on research and guideline efforts related to computer security in government, industry, and academic organizations.
◦ The SP 800 series contains many standards that provide guidance for information systems security activities.

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO)
◦ Founded at a 1946 meeting in London and operating since 1947; a nongovernmental international organization whose goal is to develop and publish international standards.
◦ Based in Geneva, Switzerland; a network of 163 national standards institutes.
◦ Serves as a bridge between the public and private sectors: some members are governmental entities, others are in the private sector.
◦ ISO's goal is to develop standards that do not cater to either group exclusively but reach consensus.

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) – THE NAME
◦ Although the organization's short name, ISO, appears to be an acronym, it is not. Because ISO is an international organization, its full name differs by language.
◦ Members agreed on the short name ISO, derived from the Greek word isos, which means "equal." ISO strives for consensus even in the choice of its name, and this focus on consensus is what makes ISO such a successful authority in developing and promoting standards in many areas.

ISO PUBLICATIONS
◦ ISO publishes standards for nearly all industries; for example, the International Standard Book Number (ISBN) is an ISO standard.
◦ ISO organizes its standards by both the International Classification for Standards (ICS) and the Technical Committee (TC) to which it assigns each standard. Standards are spread among 40 Level 1 ICS fields and assigned to one of over 200 TCs.

OPEN SYSTEMS INTERCONNECTION (OSI) REFERENCE MODEL
◦ The best-known ISO standard; governs how separate computer systems communicate over networks.
◦ The reference model contains seven distinct layers that address seven different aspects of networked communications, and defines the standards that enable computers and devices from different vendors to communicate.
◦ Each layer represents a collection of related functions; each layer provides services to the layer immediately above it and receives services from the layer immediately below it.

THE OSI REFERENCE MODEL

INTERNATIONAL ELECTROTECHNICAL COMMISSION (IEC)
◦ A standards organization that often works with ISO.
◦ The IEC is the preeminent organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes. People refer to the collective body of knowledge addressed by the IEC as electrotechnology.
◦ The IEC formed in 1906 to address issues with the expanding technologies related to electrical devices, and was instrumental in the development of standards for electrical measurements, including the gauss, hertz, and weber.
◦ You will most likely encounter IEC standards relating to physical computer and networking hardware.
◦ IEC standards areas: power generation; power transmission and distribution; commercial and consumer electrical appliances; semiconductors; electromagnetics; batteries; solar energy; telecommunications.

WORLD WIDE WEB CONSORTIUM (W3C)
◦ The creation of the World Wide Web in 1990 marked a turning point in the way users accessed resources on the Internet.
◦ In the early days of the Web, competing vendors released their own versions of its primary language, HTML, which led to incompatible browsers and limited functionality.
◦ Sir Tim Berners-Lee, the computer scientist who wrote the original proposal for what became the World Wide Web, founded the W3C in 1994 to address the lack of standards. The W3C immediately became the main international standards organization for the Web.
◦ The stated purpose of the W3C is to develop protocols and guidelines that unify the World Wide Web and ensure its long-term growth; it develops many Web-related standards that govern and coordinate Web development and operation.

WORLD WIDE WEB CONSORTIUM (W3C) – STANDARDS
◦ Cascading Style Sheets (CSS)
◦ Common Gateway Interface (CGI) (the formal CGI specification is IETF RFC 3875 rather than a W3C Recommendation, although the W3C has long hosted CGI documentation)
◦ Hypertext Markup Language (HTML)
◦ Simple Object Access Protocol (SOAP)
◦ Web Services Description Language (WSDL)
◦ Extensible Markup Language (XML)
◦ Each of these standards and specifications is necessary to ensure that Web applications interact with Web components from other vendors.

INTERNET ENGINEERING TASK FORCE (IETF)
◦ The IETF develops and promotes Internet standards. According to the IETF Web site, its purpose is to "make the Internet work better."
◦ The IETF focuses on the engineering aspects of Internet communication and attempts to avoid policy and business questions.
◦ It works closely with the W3C and ISO/IEC, focusing primarily on the standards of the TCP/IP (Internet) protocol suite.

INTERNET ENGINEERING TASK FORCE (IETF) (CONT.)
◦ The IETF is an open organization: there are no membership requirements, and all participants, including contributors and leaders, are volunteers, usually funded by their employers.
◦ The IETF first met in 1986 as a group of 21 researchers who wanted to formalize the main Internet communication protocols.
◦ Today the IETF is a collection of working groups (WGs), each addressing a specific topic; every WG has a dedicated mailing list to which anyone can subscribe.

REQUEST FOR COMMENTS (RFC)
◦ The RFC series consists of documents that range from simple memos to standards documents; each RFC's header and introduction indicate its status.
◦ The RFC model allows input from many sources and encourages collaboration and peer review.

REQUEST FOR COMMENTS (RFC) – GUIDELINES
◦ Only some RFCs are standards. Many RFCs are Informational, Experimental, or Historic; check the category stated in the document header (and in the RFC index) rather than assuming that every RFC is normative.
◦ RFCs never change: any change to an RFC gets a new number and becomes a new RFC. Always look for the latest RFC, because the one you are reading may have been updated or obsoleted.
◦ RFCs may originate with other organizations: the IETF creates only some RFCs; others come from independent submissions, the IAB, or the Internet Research Task Force (IRTF).

REQUEST FOR COMMENTS (RFC) – STANDARDS TRACK STAGES
◦ RFCs that define formal standards historically moved through three maturity levels, with Best Current Practice as a parallel track:
  ◦ Proposed Standard (PS): the initial official stage of a standard.
  ◦ Draft Standard (DS): the second stage, after participants have demonstrated that the standard has been deployed in working environments.
  ◦ Standard (STD, now called Internet Standard): the final stage, after the standard has been shown to be widely adopted and deployed.
  ◦ Best Current Practice (BCP): the alternative method used to document operational specifications that are not formal standards.
◦ As an RFC moves from one stage to the next, it becomes more formal and more organizations accept it.
◦ Caveat: RFC 6410 (2011) reduced the standards track to two maturity levels, Proposed Standard and Internet Standard. Documents already at Draft Standard keep that label until they are reclassified or obsoleted, which is why you still see all three labels in the RFC index.

INTERNET ARCHITECTURE BOARD (IAB)
◦ The IAB is a committee of the IETF that also serves as an advisory body to the Internet Society (ISOC).
◦ It is composed of independent researchers and professionals with a technical interest in the well-being of the Internet.
◦ The IAB provides much of the high-level management and validation of the processes for conducting IETF business, and it has substantial influence over many standards that affect the Internet.

INTERNET ARCHITECTURE BOARD (IAB) – OVERSIGHT ACTIVITIES
◦ Architecture for Internet protocols and procedures
◦ Processes used to create standards
◦ Editorial and publication procedures for RFCs
◦ Confirmation of the IETF chair and technical area directors

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE)
◦ The world's largest professional association for the advancement of technology; an international nonprofit organization that focuses on developing and distributing standards that relate to electricity and electronics.
◦ With more than 425,000 members in approximately 160 countries, it has the largest membership of any technical professional organization in the world.
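The RFC guidelines above (each RFC states its category, RFCs never change, always look for the latest one) are worth automating whenever a specification reference turns up in a design review or a compliance checklist. The block below is an added example written for this page, not IETF tooling or code from the lecture. It parses a small excerpt laid out like the IETF's rfc-index.txt file and follows the "Obsoleted by" chain to whatever is current. The excerpt is constructed for the example: the RFC numbers, titles, statuses and obsoleted-by relations in it (the HTTP/1.1 lineage plus RFC 6410) are real, but authors, dates, formats and the other index fields are omitted, so it is not the real index file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt laid out like the IETF rfc-index.txt file. RFC numbers, titles,
# statuses and "Obsoleted by" relations are real (HTTP/1.1 lineage plus RFC 6410);
# authors, dates, formats, "Obsoletes"/"Updates" fields and most "Also" tags are omitted.
RFC_INDEX_EXCERPT = """\
2616 Hypertext Transfer Protocol -- HTTP/1.1. (Obsoleted by RFC7230, RFC7231, RFC7232, RFC7233, RFC7234, RFC7235) (Status: DRAFT STANDARD)
6410 Reducing the Standards Track to Two Maturity Levels. (Also BCP0009) (Status: BEST CURRENT PRACTICE)
7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. (Obsoleted by RFC9110, RFC9112) (Status: PROPOSED STANDARD)
7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. (Obsoleted by RFC9110) (Status: PROPOSED STANDARD)
7232 Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests. (Obsoleted by RFC9110) (Status: PROPOSED STANDARD)
7233 Hypertext Transfer Protocol (HTTP/1.1): Range Requests. (Obsoleted by RFC9110) (Status: PROPOSED STANDARD)
7234 Hypertext Transfer Protocol (HTTP/1.1): Caching. (Obsoleted by RFC9111) (Status: PROPOSED STANDARD)
7235 Hypertext Transfer Protocol (HTTP/1.1): Authentication. (Obsoleted by RFC9110) (Status: PROPOSED STANDARD)
9110 HTTP Semantics. (Status: INTERNET STANDARD)
9111 HTTP Caching. (Status: INTERNET STANDARD)
9112 HTTP/1.1. (Status: INTERNET STANDARD)
"""

# The three standards-track maturity levels (RFC 6410 collapsed them to two for new work).
STANDARDS_TRACK = {"PROPOSED STANDARD", "DRAFT STANDARD", "INTERNET STANDARD"}


@dataclass
class RfcEntry:
    number: int
    title: str
    status: str
    obsoleted_by: list[int] = field(default_factory=list)


def parse_index(text: str) -> dict[int, RfcEntry]:
    """Parse rfc-index style lines: '<number> <title>. (...) (Status: X)'."""
    index: dict[int, RfcEntry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        num_str, rest = line.split(" ", 1)
        title = rest.split(". ", 1)[0]  # the title ends at the first '. '
        status = re.search(r"\(Status: ([A-Z ]+)\)", rest)
        obs = re.search(r"\(Obsoleted by ([^)]*)\)", rest)
        successors = [int(n) for n in re.findall(r"RFC(\d+)", obs.group(1))] if obs else []
        index[int(num_str)] = RfcEntry(
            number=int(num_str),
            title=title,
            status=status.group(1) if status else "UNKNOWN",
            obsoleted_by=successors,
        )
    return index


def resolve_current(index: dict[int, RfcEntry], number: int) -> list[int]:
    """Follow 'Obsoleted by' transitively and return the sorted RFCs that are not
    themselves obsoleted. An RFC missing from the index is returned unchanged so
    the caller notices the gap instead of silently losing it. Cycles are guarded."""
    leaves: set[int] = set()
    seen: set[int] = set()
    stack = [number]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        entry = index.get(n)
        if entry is None or not entry.obsoleted_by:
            leaves.add(n)
        else:
            stack.extend(entry.obsoleted_by)
    return sorted(leaves)


def is_standards_track(status: str) -> bool:
    """True only for standards-track maturity levels; BCP, Informational,
    Experimental and Historic RFCs are not normative standards."""
    return status in STANDARDS_TRACK


if __name__ == "__main__":
    idx = parse_index(RFC_INDEX_EXCERPT)
    for rfc in (2616, 7234, 6410):
        e = idx[rfc]
        current = ", ".join(f"RFC {n}" for n in resolve_current(idx, rfc))
        print(f"RFC {rfc} [{e.status}] -> current: {current}")
```

Run against the full rfc-index.txt (same line layout) the resolver turns a citation of RFC 2616 into the three Internet Standards that replaced it, and the category check stops a Best Current Practice or Informational document from being quoted as if it were a normative standard.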
◦ The IEEE formed in 1963 through the merger of two older organizations: the Institute of Radio Engineers (formed 1912) and the American Institute of Electrical Engineers (formed 1884).
◦ IEEE supports 38 societies that focus their activities on specific technical areas, including magnetics, photonics, and computers.
◦ By popular account, the 802 working group takes its name from the date it first convened, February (month 2) of 1980.

INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS (IEEE) – STANDARDS
◦ IEEE is also one of the largest standards-producing organizations; the IEEE Standards Association (IEEE-SA) manages these standards.
◦ IEEE standards cover many industries, including information technology; IEEE currently publishes or sponsors more than 1,300 standards and projects.
◦ The best-known standards family that relates to information security is IEEE 802 LAN/MAN, which defines how different types of local area network (LAN) and metropolitan area network (MAN) protocols work.
◦ Students can obtain student memberships to IEEE; they enjoy all the benefits of full membership except the right to vote.

COMMON IEEE 802 STANDARD WORKING GROUPS
  Working Group   Name
  802.1           Higher Layer LAN Protocols
  802.3           Ethernet
  802.11          Wireless LAN (802.11a, 802.11b, 802.11g, 802.11n, 802.11ad, etc.)
  802.15          Wireless Personal Area Network (WPAN)
  802.16          Broadband Wireless Access (WiMAX)
  802.18          Radio Regulatory TAG
  802.19          Wireless Coexistence
  802.20          Mobile Broadband Wireless Access

INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION SECTOR (ITU-T)
◦ The International Telecommunication Union (ITU) is a United Nations agency responsible for managing and promoting information and communication technology issues.
◦ ITU is a global point of focus for both governmental and commercial development of networks and related services.
◦ ITU was formed in 1865 as the International Telegraph Union to develop international standards for the emerging telegraph communications industry.
◦ It adopted its current name, International Telecommunication Union, in 1934 (agreed at the 1932 Madrid conference) and became a United Nations specialized agency in 1947.
◦ Its standards committee, the International Telegraph and Telephone Consultative Committee (CCITT), was created in 1956 and was renamed the ITU Telecommunication Standardization Sector (ITU-T) in 1993.

INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION SECTOR (ITU-T) – STANDARDS WORK
◦ The oldest and most recognizable activity of the ITU is its work developing standards; the ITU-T performs all ITU standards work.
◦ The ITU-T is responsible for ensuring the efficient and effective production of standards covering all fields of telecommunications for all nations, and it also defines tariff and accounting principles for international telecommunication services.

INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION SECTOR (ITU-T) – RECOMMENDATIONS
◦ ITU-T calls the international standards it produces recommendations; they become mandatory only when adopted as part of a member state's national law.
◦ Because the ITU is a United Nations agency, its recommendations carry significant international weight; even though ITU-T calls them recommendations, they tend to carry substantial authority.

INTERNATIONAL TELECOMMUNICATION UNION TELECOMMUNICATION SECTOR (ITU-T) – RECOMMENDATION SERIES
◦ ITU-T divides its recommendations into 26 series, each bearing a unique letter of the alphabet. For example, switching and signaling recommendations are in the Q series; data networks, open systems communications, and security recommendations are in the X series.
◦ ITU-T has developed and published many communication recommendations that address technical details of all types of communication.
◦ Three recommendations of particular interest in information security are X.25, X.75, and X.509 (X.509 defines the public-key certificate and certificate revocation list formats on which TLS and most PKI deployments depend).
◦ Table 12-3 lists a few details of the ITU-T security recommendation series.

ITU-T INFORMATION SECURITY RECOMMENDATIONS (TABLE 12-3)
  ITU-T Recommendation series                             Description
  X.800 – X.849: Security                                 Security issues as they relate to different networking layers
  X.1000 – X.1099: Information and network security       General network security
  X.1100 – X.1199: Secure applications and services       Ensuring that applications and services are developed and deployed in a secure manner
  X.1200 – X.1299: Cyberspace security                    Overall cybersecurity, identity management, and countering spam
  X.1300 – X.1399: Secure applications and services (2)   Different from X.1100 – X.1199, this series focuses on emergency communications and sensor network security
  X.1500 – X.1599: Cybersecurity information exchange     Exchanging security information between actors in a secure manner
  X.1600 – X.1699: Cloud computing security               Security topics specifically related to cloud environments

AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI)
◦ One of the leading standards agencies in the United States. ANSI's goal is to strengthen the U.S. marketplace within the global economy while ensuring the safety and health of consumers and the protection of the environment.
◦ It seeks to accomplish this by promoting voluntary consensus standards and conformity assessment systems.

AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI) – HISTORY
◦ ANSI was formed in 1918 through the merger of five engineering societies and three government agencies, which together formed the American Engineering Standards Committee (AESC).
◦ In 1928 the AESC became the American Standards Association (ASA); in 1966 the ASA reorganized as the United States of America Standards Institute (USASI); in 1969 the USASI became ANSI.
◦ Today ANSI is composed of government agencies, organizations, educational institutions, and individuals, and it represents more than 125,000 companies and 3.5 million professionals.

AMERICAN NATIONAL STANDARDS INSTITUTE (ANSI) – STANDARDS
◦ ANSI oversees the creation, publication, and management of many standards and guidelines that directly affect businesses in nearly every sector, including acoustical devices, construction equipment, dairy and livestock production, and energy distribution.
◦ ANSI produces standards that affect nearly all aspects of IT. Unlike organizations that focus specifically on the engineering or technical aspects of computing and communication, ANSI primarily addresses standards that support software development and computer system operation.

ISO 17799
◦ ISO 17799 is an international security standard that documents a comprehensive set of controls representing best practices in information systems.
◦ The standard actually had two parts: the ISO 17799 code of practice, and BS 7799-2, the British specification for an information security management system (ISMS), which ISO did not adopt until it became ISO/IEC 27001 in 2005.
◦ The main purpose of the standard is to identify the security controls needed for information systems in today's business environments.
◦ It originally appeared as the "DTI Code of Practice" in Britain and was later renamed BS 7799.

ISO 17799 (CONT.)
◦ Its developers submitted the standard to ISO for accreditation and publishing; ISO published it as ISO 17799 in 2000.
◦ Interest in the standard increased quickly, several companies began providing tools and services to help implement it, and it quickly became the predominant information security standard.
◦ ISO 17799 gave many organizations a framework on which to build their security policy, and it became a differentiator among competitors: it enabled potential customers to evaluate organizations on their efforts toward securing data.

ISO 17799 – SECTIONS
◦ Security Policy: a statement of management direction.
◦ Security Organization: governance of information security, or how information security should be enforced.
◦ Asset Classification and Control: procedures to classify and manage information assets.
◦ Personnel Security: guidance for security controls that protect and limit personnel.
◦ Physical and Environmental Security: protection of computer facilities.
◦ Communications and Operations Management: managing technical security controls in systems and networks.
◦ Access Control: controls that limit access rights to network resources, applications, functions, and data.
◦ System Development and Maintenance: guidelines for designing and incorporating security into applications.
◦ Business Continuity Management: protecting, maintaining, and recovering business-critical processes and systems.
◦ Compliance: ensuring conformance with information security policies, standards, laws, and regulations.

ISO/IEC 27002
◦ A newer standard, ISO/IEC 27002, has superseded ISO 17799. It provides a generic information security standard accessible to all organizations, regardless of size, industry, or location.
◦ Although ISO/IEC 27002 replaced ISO 17799, you will still see references to ISO 17799 as a leading information security standard.
◦ ISO/IEC 27002 appeared in 2005 as an update to ISO 17799. Originally numbered ISO/IEC 17799:2005, it was renumbered ISO/IEC 27002:2005 in 2007 to conform to the naming convention used by the other 27000-series ISO/IEC standards.
◦ The ISO/IEC 27000 series is a growing family of general information security standards.
◦ The full title of ISO/IEC 27002 is "Information technology - Security techniques - Code of practice for information security management."
◦ Like its predecessor, ISO/IEC 27002 provides organizations with best-practice recommendations on information security management.
◦ ISO/IEC 27002 expands on its predecessor by adding two new sections and reorganizing several others.
◦ The standard directs its recommendations to management and security personnel responsible for information security management systems, and it specifies and outlines the recommended security controls within each section.
◦ Information security is framed within the standard in the context of the C-I-A triad (confidentiality, integrity, availability). Most people regard the information security controls it describes as best practices.

ISO/IEC 27002 – SECTIONS
◦ Risk Assessment: formal methods of identifying and classifying risks.
◦ Security Policy: a statement of management direction.
◦ Organization of Information Security: governance of information security, or how information security should be enforced.
◦ Asset Management: procedures to acquire, classify, and manage information assets.
◦ Human Resources Security: security guidelines for personnel joining, leaving, or moving within an organization.
◦ Physical and Environmental Security: protection of computer facilities.
◦ Communications and Operations Management: managing technical security controls in systems and networks.
◦ Access Control: controls that limit access rights to network resources, applications, functions, and data.
◦ Information Systems Acquisition, Development and Maintenance: guidelines for designing and incorporating security into applications.
◦ Information Security Incident Management: anticipating and responding appropriately to information security breaches.
◦ Business Continuity Management: protecting, maintaining, and recovering business-critical processes and systems.
◦ Compliance: ensuring conformance with information security policies, standards, laws, and regulations.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
◦ PCI DSS is an international standard for handling transactions involving payment cards.
◦ The Payment Card Industry Security Standards Council (PCI SSC) developed, publishes, and maintains the standard.
◦ PCI DSS is different from the other standards you have seen so far: it is an industry standard enforced through the card brands' contracts with merchants and processors, not a government regulation or a voluntary consensus standard.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) – ORIGIN
◦ Some of the largest payment card brands in the world came together to form the PCI SSC: Visa, MasterCard, Discover, American Express, and JCB (Japan Credit Bureau).
◦ Each of these organizations had had its own standard for protecting payment card information; they combined their efforts and published the first version of PCI DSS in December 2004.
◦ They created PCI DSS to protect payment card users from fraud and to preempt legislative requirements on the industry.
◦ It requires layers of controls to protect all payment card-related information as it is processed, transmitted, and stored, and it applies to all organizations that participate in any of the processes surrounding payment card processing.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) – ENFORCEMENT
◦ Compliance with PCI DSS is a prerequisite for doing business with any of the member brands; an organization that violates PCI DSS could lose its ability to process payment cards.
◦ In most cases, noncompliance results in fines and/or more frequent audits; habitual offenders may find their processing privileges revoked.
◦ The rules with which an organization must comply depend on the number of payment card transactions it processes.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) – ASSESSMENT
◦ Organizations assess compliance at least annually.
◦ Organizations that handle large volumes of transactions must have their compliance assessed by an independent Qualified Security Assessor (QSA); organizations that handle smaller volumes can self-certify using a PCI DSS Self-Assessment Questionnaire (SAQ).
◦ PCI DSS version 2.0 defines 12 requirements for compliance, organized into six groups called control objectives.

QUESTION
◦ What value do you think security standards provide to an organization?
◦ Is there any negative effect of adhering to standards?

DISCUSSION
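The PCI DSS slides say what Requirement 3.3 demands (show at most the first six and last four digits of a PAN, and only to roles with a legitimate business need) but not how an application meets it or how full PANs typically escape, which is through application logs. The following is an added example written for this page, not code from the lecture, the textbook or the PCI SSC. It pairs a display-masking function with a log scrubber, and uses a Luhn check so that order numbers and trace IDs in log lines are not mistaken for card numbers. The card numbers in it are constructed from well-known industry test numbers, not real accounts.

```python
import re

# Constructed sample values (well-known industry test card numbers, not real accounts).
SAMPLE_PANS = {
    "visa_test": "4111111111111111",   # 16 digits
    "amex_test": "378282246310005",    # 15 digits
}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every real PAN passes it, so it filters out most
    random digit runs (order numbers, timestamps) before we treat them as PANs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, business_need: bool = False) -> str:
    """Mask a PAN for display per PCI DSS Requirement 3.3.

    Roles with a documented business need may see first six / last four;
    everyone else sees the last four only. Anything that is not a plausible
    PAN (13-19 Luhn-valid digits) is rejected instead of being echoed back.
    """
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible PAN")
    keep_front = 6 if business_need else 0
    return pan[:keep_front] + "X" * (len(pan) - keep_front - 4) + pan[-4:]


# 13-19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its last-four mask.

    Applying this before a line reaches the log file keeps full PANs out of
    logs, which would otherwise pull the whole logging pipeline into the CDE.
    Digit runs that fail the Luhn check (trace IDs, timestamps) are untouched.
    """
    def _sub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed log lines for demonstration.
    for raw in (
        "user=alice action=charge pan=4111111111111111 amount=10.00",
        "user=bob action=refund pan=3782 822463 10005 amount=5.00",
        "trace=1234567890123456 status=ok",
    ):
        print(scrub_log_line(raw))
    print(mask_pan(SAMPLE_PANS["visa_test"], business_need=True))
```

The scrubber sits at the logging boundary (a logging filter or formatter), not in each call site, so a developer who logs a request object by mistake does not create a PCI finding. Masking is a display control only; PANs at rest still need Requirement 3.4 (truncation, hashing, tokenization or strong encryption), which this example does not cover.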

Explanation & Answer

Attached. Please let me know if you have any questions or need revisions.

Information Security
Standards Organizations
With Focus on Those Dealing With the Internet
and Cybersecurity

◦ Organizations that create the standards for protecting
information in cyberspace exist to give guides and
recommendations to companies and individuals.

Background

◦ Each country has its own, as well as international
organizations from the United Nations and other
global unions.
◦ Most of these organizations are broken into multiple
sections to each cover an area of cyberspace and/or
general technology.

National Institute of
Standards and
Technology
◦ The NIST is a government organization that
branches off from the Department of
Commerce.
◦ They aim to protect and advance technology of
all kinds and provide research to the technology
sector.
◦ They provide standards that computers and
other devices must adhere to (NIST, 2009).

International
Organization for
Standardization
◦ The ISO differs as it is not run by any
government.
◦ It is instead a conglomeration of 163 standards
institutes from around the globe.

◦ Their aim is to create standards that cater to
everyone who uses technology and the
internet, and to create a global consensus with
these standards (International Organization for
Standardization, 2015).

International
Electrotechnical
Commission
◦ The IEC covers a much broader range when it
comes to technology than most organizations of
its kind.
◦ They cover everything from cyber security to
solar power (International Electrotechnical
Commission, 2020).

World Wide Web
Consortium
The W3C was founded in 1990 due to the
lack of standards that existed in the
cyberspace of the time.

The lack of standards across the board
when the internet was introduced made
this organisation critical to its functionality.

Their long-term goal is to unify the world
wide web (World Wide Web Consortium,
2020).

Internet Engineering Task
Force
◦ The IETF is an organization that creates standards for the internet.
◦ The IETF works in conjunction with the W3C and the ISO.
◦ As listed on their website, their overall goal is to “make the Internet
work better.”
◦ They have many subcommittees, including the Internet Architecture
Board, which plays an advisory role (Hoffman, 2012).
◦ They often contribute to the writing and introduction of Request for
Comments (standard documentation).

International
Telecommunication Union
Telecommunication Sector
◦ The ITU-T covers all areas of technological
advancement.
◦ While many articles exist on cyber security such
as X.1200 – X.1299, they also cater to topics
such as data networks and security.
◦ They are an organization of the United Nations
(ITU-T, 2018).

References
◦ Hoffman, OP. (2012). The Tao of IETF: A Novice’s Guide to the Internet Engineering Task Force. IETF. p. 1-5.
◦ International Electrotechnical Commission. (2020). What we do: What we do for safety, sustainability and
global trade. IEC. https://www.iec.ch/what-we-do
◦ International Organization for Standardization. (2015). ISO Strategy 2016-2020. ed. 2. ISO.
https://www.iso.org/publication/PUB100364.html

◦ ITU-T. (2008, April 18). “ITU-T X.1205 (04/2008)” ITU-T Recommendations. ITU-T.
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=9136&lang=en
◦ National Institute of Standards and Technology. (2009, 10 July). NIST Mission, Vision, Core, Competencies, and
Core Values. NIST. https://www.nist.gov/about-nist/our-organization/mission-vision-values
◦ World Wide Web Consortium. (2020). W3C Mission. W3. https://www.w3.org/Consortium/mission#principles


Outline
This assignment addresses the differences between internet and telephone communications
and the differences in their security risks and needs. The essay concludes that while internet
communication comes with more risks, it is also more easily protected. The assignment also
includes a 9-slide PowerPoint covering the standardization organizations that have a focus on
the internet and cyberspace.


The Security Issues Facing Internet and Telephone Communications
Name:

The Security Issues Facing Internet and Telephone Communications

All forms of communication for both individuals and companies need to be
protected from being stolen. When considering the two types of communication and how
different they are, we can safely assume that their protection needs will also be vastly
different. In this essay I will explore the ways in which internet and telephone
communications are different and the ways in which they are similar. It seems that the
general consensus in research is that because of the constant advancement of the internet
and its related technologies, methods of protecting it have advanced beyond that of
telephone communication. Internet communications are generally more easily hacked so
there are many considerations a company or individual must consider when protecting
themselves. This essay also covers the organizations and the acts put in place to create
standards and guides for both forms of communication.
Internet and telecommunications are vastly different in the modern day and while
both serve the same basic function, they complete this through very different means.
Telecommunications was always the basis for any company or individual to keep in
contact with employees, fri...
