Colorado Technical University Security Compliance Essay

Computer Science

Colorado Technical University



As you prepare for implementation of the information system, management has asked what formalized testing and validation can take place. You mention that the Certification and Accreditation process could meet this need.

  • Take this opportunity to define the difference between Certification and Accreditation.
  • To help with the process and not have to make up one on your own, describe at least 3 Industry/International Certification Frameworks that are used to evaluate the Security of an Application or System.
  • Describe Common Criteria as one of the frameworks.

Unformatted Attachment Preview

SECURITY COMPLIANCE

Security Compliance
Vanessa Rosales
Colorado Technical University Online
CSS441-1804B-01
Professor Mark Ford
June 5, 2022

Table of Contents
  • Section 1a: Company Overview
  • Section 1b: Federal and State Regulations, Directives, and Acts
  • Section 2: Compliance Plan
  • Section 3: Acceptable Use Policy
  • Section 4: Certification and Accreditation
  • Section 5: Preparing for Certification
  • References

OPERATING SYSTEM SECURITY PLAN

Section 1a: Company Overview

Amazon is among the largest multinational technology companies specializing in online retail shopping services. Amazon's primary business interests are artificial intelligence, e-commerce, cloud computing, and digital streaming. Amazon is among the top five tech giants in the United States. In terms of revenue, the company is the largest internet-based company worldwide (Kristensen et al., 2017). Amazon started out selling books online in 1994, but Jeff Bezos believed that a company could only succeed online if it grew faster and bigger. Today, Amazon sells everything from groceries to books to shipping container houses (Kristensen et al., 2017). Technology companies have experienced increased regulation from state and federal governments in the recent past. The primary goal of these regulations is to ensure these firms uphold ethical business practices, free of data insecurity, unfair competition, consumer manipulation, and violation of privacy policies.

Amazon is currently using the Amazon Web Services (AWS) security infrastructure. The AWS infrastructure is one of the most flexible and secure cloud computing environments available to companies. The infrastructure is designed to provide extremely reliable, scalable platforms that make it possible for customers to deploy applications and data easily, quickly, and securely (Hashemipour & Ali, 2020). The AWS security infrastructure is built and managed according to security best practices and standards and addresses the unique needs of the cloud (Jacquemart et al., 2019). AWS uses layered and redundant controls, is continually tested and validated, and has significant automation that ensures continuous monitoring and protection. Customers significantly benefit from AWS. The infrastructure provides a network and data centers that satisfy the requirements of security-sensitive customers. Customers get a resilient infrastructure designed to ensure high security without the operational overhead and capital outlay associated with a traditional data center (Hashemipour & Ali, 2020). By using AWS, one gets the confidence and control needed to securely run a business through a secure and flexible cloud computing environment. The AWS data centers are designed to protect identities, information, devices, and applications (Jacquemart et al., 2019). Amazon has met compliance and security requirements with the AWS infrastructure, including data protection, data locality, and confidentiality.

Section 1b: Federal and State Regulations, Directives, and Acts

Lawmakers have gradually developed regulations for big tech. These regulations have primarily been meant to ensure these companies do not gobble up smaller competitors, do not lock sellers into unfair terms, do not create monopolies, and do not take away the power of choice from consumers. Amazon needs to understand and comply with these regulations to avoid costly lawsuits. One of these federal regulations is antitrust enforcement, which aims to give power back to consumers (Kelly, 2020). There have been numerous antitrust lawsuits against the big five, which have helped split monoliths and enable fair competition. The other regulation is the federal data privacy framework. The framework requires that consumers be given more control over their data and that privacy policies be written in ways that an average consumer can easily understand (Lewis, 2021). The third regulation requires and allows consumers to sue companies for data misuse. The federal government has also raised the notification fee required from tech companies if they want to form mergers. The regulation seeks to eliminate highly competitive mergers that would create unfair competition and monopolistic types of business (Kelly, 2020). The final regulation regards data portability. The regulation requires that consumers be allowed to switch platforms with ease. Tech companies must enable easy transfer or migration of data from one platform to another.

Countries worldwide have designed efforts to curb the dominance of tech giants. However, the United States has realized negligible success in controlling the operations of tech giants despite the country being the birthplace of the most widely used social network and search engine and the birthplace of the iPhone (Kang, 2022). As most of the proposed regulations and bills sit in limbo, states have decided to take up the responsibility of controlling the technology industry. Two of these states are California and Utah. The California Consumer Privacy Act (CCPA) allows consumers to demand and be allowed to access all the information companies have about them and the third parties that are permitted to access the information (Kang, 2022). Utah also signed the Utah Consumer Privacy Act (UCPA), enabling consumers to access and delete the information they provided to controllers (Kang, 2022). The regulation also allows consumers to be provided with portable data formats upon request.

Amazon is among the big five tech companies that are the target of the regulations being proposed and implemented. The company operates through online platforms, which means it hosts vast volumes of consumer data. The data is prone to security and privacy breaches, explaining why Amazon is among the most targeted in the technical regulations. The regulations need to be understood and complied with because of the large numbers of global consumers who have trusted the company with their data. Amazon needs to be on the lookout for the regulations and standards and comply to avoid costly lawsuits which may adversely affect the company's operations.

Section 2: Compliance Plan

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act was passed in the United States due to crucial failures in corporate governance and accounting firms in public, private, and government organizations. It aimed to enforce accountability among managers responsible for managing the companies by implementing new rules that companies had to comply with (Doane, 2019). The accountability would restore investors' confidence in the financial markets by preventing public companies from defrauding them. The three incidents considered as contributing factors for enacting the regulation specific to Amazon's infrastructure include data breaches, the creation of fake accounts, and unauthorized transactions. A data breach at Amazon's infrastructure would involve hackers' theft of personal data (Zaeem et al., 2021). The most recent data breach at Amazon Web Services occurred in December 2022, when a hacker stole personal data for more than three million users. The creation of fake accounts occurs when a person other than the owner of an AWS card opens a new AWS account without the owner's permission. An unauthorized transaction could occur when a third party uses AWS to provide a service to a user.

The meaning of the Act to IT organizations

The effects of the Sarbanes-Oxley Act cut across companies in various sectors, including those in IT and those specializing in online retail services, such as Amazon. Its effects have significant meaning for organizations' IT management and workers. For example, the CIO will have additional roles, including data analysis, design, development, and maintenance of systems that enforce financial and operational controls (Doane, 2019). They must create a long-term, value-creating initiative characterized by an effective ERP system integrated with an SCM back-end system. Managers and auditors at IT organizations will be required to report the effectiveness of the internal controls of their management information systems. The organizations will be required to design new systems (Doane, 2019). In some organizations, the Act means they will have to create new computer languages to allow them to handle the new regulations. It also means that IT entities must integrate defined policies, processes, and procedures.

What does it specify that needs to be done?

The Sarbanes-Oxley Act outlines various specific actions that organizations must undertake. It states that organizations must comply with the Sarbanes-Oxley requirements. These include that all five members of an organization's PCAOB must be prohibited from receiving compensation (Reza, 2018). Section 302 requires each officer in an organization to certify that financial information and financial reports represent all company material aspects and financial conditions. The organization must perform internal controls and strengthen its audit committee by allowing it to approve numerous audit and non-audit services. Other duties include handling complaints about management's accounting practices and selecting and overseeing external auditors (Reza, 2018). Companies must make their directors and officials strengthen disclosures, such as material off-balance sheet arrangements.

The meaning of the regulation for public, private, and government organizations and Amazon

The regulation means a lot for public, private, and government companies. Firms such as Amazon must set new auditor standards to minimize conflicts of interest and transfer responsibility to facilitate handling financial reports thoroughly and accurately. The firm must implement substantial changes in its corporate structure, governance, and reporting. It must perform internal controls and strengthen its audit committee by allowing it to approve numerous audit and non-audit services (Reza, 2018). It must change its management's responsibility by requiring top managers to certify the accuracy of financial reports. Its directors and officials must strengthen disclosures, such as material off-balance sheet arrangements, special purpose entities, and operating leases. Disclosures aim to help the firm increase transparency in its dealings. Amazon must also make its directors liable for the accuracy of financial statements. It must also establish harsh criminal penalties for securities fraud and violators.

Section 3: Acceptable Use Policy

Sarbanes-Oxley (SOX) Policy for the company Amazon. The policy should

Overview and Scope

For the better part of two decades, the Sarbanes-Oxley Act (SOX or the Act) has been in effect. Investors, customers, regulatory bodies, and the overall public gain from SOX compliance. Complete and regular SOX compliance demonstrates Amazon's commitment to ethical accounting practices and instills trust in stakeholders who depend upon the organization. Above all, the SOX Act prohibits any unlawful handling or destruction of financial records by the Amazon organization. They are also forbidden from retaliating against whistleblowers or infringing on their rights. The primary provisions of the policy encompass corporate responsibility, increased criminal punishment, accounting regulation, and new protections.

Policy Details

The Amazon SOX Act calls for strict reforms to existing securities regulations and imposes harsh new penalties on violators. Internal Controls Reports are required to be included in all financial reports under the Sarbanes-Oxley Act. This shows that Amazon's financial data is accurate (within 5% variance) and that adequate controls to protect financial data are in place. Financial disclosure reports are also required at the end of the year. During a Section 404 audit, an independent external SOX auditor is required to review controls, policies, and procedures (Belina & Rama, 2022). An audit can also observe employees and conduct interviews to make certain that personnel's duties match their job descriptions and that they have the necessary training to access financial data safely.

Enforcement and Punishment

The Amazon organization, being publicly traded, cannot be found non-compliant in the eyes of the Sarbanes-Oxley Act and risk following in the footsteps of multi-billion-dollar companies that went bankrupt after breaking the rules. Any audit that does not meet the SOX requirements is considered a crime, and any executive who corroborates such an audit faces a fine of up to one million dollars, a jail sentence of up to 10 years, or both (Belina & Rama, 2022). Any 'willful' violation carries a fine of five million dollars and a sentence of up to 20 years in jail. The harm to Amazon's reputation that could result from violating SOX is possibly more severe than any fine or prison sentence.

Tools and Processes to Investigate Violations

Audit Certifications: Amazon makes use of audit programs to expedite transactions, host data outside of its own firewalls, or provide other major business processes; those services must be evaluated for their design and operational effectiveness as well. The Amazon organization must follow Sarbanes-Oxley and make certain that all of its data is hosted on SAS 70 certified servers by third-party service providers.

Ethical Considerations

1. Whistleblowers are protected. Section 806 provides Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud. SOX promotes corporate fraud disclosure by establishing a set of safeguards for employees or contractors (whistleblowers) who come forward with concrete evidence. Whistleblowers employed by Amazon are protected under SOX. Any employee who notices a violation of company policies or government rules must be allowed to inform the company. Those who report fraud need not be afraid of being fired, demoted, denied benefits, subjected to disciplinary action, intimidation, or having their pay or hours reduced.

2. Enforcing the adoption of a code of ethics by Amazon. The U.S. Securities and Exchange Commission (SEC) has been mandated by SOX to issue a rule requiring public companies to disclose whether or not they have adopted a code of ethics that applies to their financial officers (Ahluwalia et al., 2018). The SEC lets Amazon develop its own code of ethics. The Amazon organization must make its own code of ethics public as soon as it has been developed.

3. Annual SOX audits are required. SOX requires that Amazon conduct annual audits and make audit reports readily available to stakeholders. To avoid conflicts of interest, Amazon must hire independent auditors to complete the SOX audits, which must be handled separately from any other audits or internal affairs.

Section 4: Certification and Accreditation

Week 4 - Please populate this Section for Unit 4 Individual Project. For your company, complete the following:
  • Take this opportunity to define the difference between Certification and Accreditation.
  • To help with the process and not have to make up one on your own, describe at least 3 Industry/International Certification Frameworks that are used to evaluate the Security of an Application or System.
  • Describe Common Criteria as one of the frameworks.
*Delete this gray box before turning in this Section.*

Section 5: Preparing for Certification

Week 5 - Please populate this Section for Unit 5 Individual Project. For your company, complete the following:
  • Summarize DIACAP and ISO27002's framework and history.
  • Choosing either DIACAP or ISO27002, update your plan to include the following:
  • Describe how and where the framework could be applied.
  • Include a discussion about how and if the concepts could be applied to a government or public company, or whether there is potential for overlap.
  • Using the framework, show how it can be applied to a medium-sized system.
*Delete this gray box before turning in this Section.*

References

Ahluwalia, S., Ferrell, O. C., Ferrell, L., & Rittenburg, T. L. (2018). Sarbanes-Oxley section 406 code of ethics for senior financial officers and firm behavior. Journal of Business Ethics, 151(3), 693-705.

Belina, H., & Rama, D. V. (2022). Early warnings of SOX 404 material weaknesses in internal control. Current Issues in Auditing.

Doane, S. (2019). The effect of the Sarbanes-Oxley Act on corporate governance.

Hashemipour, S., & Ali, M. (2020). Amazon Web Services (AWS): An overview of the on-demand cloud computing platform. In International Conference for Emerging Technologies in Computing (pp. 40-47). Springer, Cham.

Jacquemart, Q., Vitali, A., & Urvoy-Keller, G. (2019). Measuring the Amazon Web Services (AWS) WAN infrastructure. In CoRes 2019.

Kang, C. (2022, April 23). As Europe approves new tech laws, the U.S. falls further behind. The New York Times.

Kelly, M. (2020, March 3). All the ways Congress is taking on the tech industry. The Verge.

Kristensen, M., Penner, J., Nguyen, A., Moy, J., & Lam, S. (2017). Company synopsis for Amazon.com, Inc.

Lewis, M. (2021, June 13). New federal antitrust legislation puts Amazon and big tech on notice and target. GeekWire.

Reza, S. (2018). Sarbanes-Oxley Act of 2002 and its impact on the corporate world and textile industry in Bangladesh.

Zaeem, R. N., Barber, K. S., Cruz-Nagoski, J., Norrell, L., Sullivan, M., Walsh, J., & Younus, Y. (2021). Personal data early warning system: Machine learning models extract identity theft and fraud trends from.

Explanation & Answer

View attached explanation and answer. Let me know if you have any questions.


Security Compliance

Student's Name
Institutional Affiliation
Professor's Name


Security Compliance
Difference between Certification and Accreditation
Certification refers to the verification of a company's products, services, or processes by a third party through an audit. It entails a third party's endorsement of a service, product, or method. It is frequently a written assurance of a service's, product's, or process's conformity to specific stated requirements, which is usually provided by some sort of audit, external review, evaluation, or education. Accreditation, on the other hand, refers to an authoritative body's formal recognition of competence against specified standards (Krehnke & Krehnke, 2019). It is frequently centered on certain activities rather than all of the organization's activities. It also refers to an independent third-party recognition in which a competent and unbiased entity performs technical operations such as inspection, testing, and certification.

Industry/International Certification Frameworks
