Summarize the DIACAP or ISO27002 framework and its history, and discuss the following about applying it.

Computer Science

Security Compliance

Colorado Technical University

Description

Key Assignment

At this point the management team is quite impressed with the work performed so far. They like the basis you have provided for ensuring compliance with state and federal regulations and for preparing the organization for a Certification and Accreditation process. For the final deliverable, you have been asked to complete the Security Compliance Auditing Plan by describing how ISO27002 or DIACAP applies to their medium-sized system.

Part 1 (Weeks 1-4)

You have already completed the following:

  • Section 1 – Company Overview
  • Section 2 – Federal and State Regulations, Directives, and Acts
  • Section 3 – Compliance Plan
  • Section 4 – Acceptable Use Policy
  • Section 5 – Certification and Accreditation

Part 2- Finalize your Key Assignment

  • Summarize the DIACAP and ISO27002 frameworks and their history.
  • Choosing either DIACAP or ISO27002, update your plan to include the following:
    • Describe how and where the framework could be applied.
    • Discuss whether and how its concepts could be applied to a government agency or a public company, and whether there is potential for overlap.
    • Using the framework, show how it can be applied to a medium-sized system.

Add the discussion about the frameworks and their application to the section titled: Preparing for Certification.

At this point the Key Assignment Template is complete. Be sure to incorporate any feedback previously received from the instructor and from peer reviews:

  • Title Page
  • Table Of Contents (Updated to reflect correct page numbers)
  • Section 1 – Company Overview
  • Section 2 – Federal and State Regulations, Directives, and Acts
  • Section 3 – Compliance Plan
  • Section 4 – Acceptable Use Policy
  • Section 5 – Certification and Accreditation
  • Section 6 – Preparing for Certification
  • References

Name the document CSS441_LastName_Final.doc.

Unformatted Attachment Preview

Running head: GOODWILL SECURITY 1

Goodwill Security
Student
Institutional Affiliation
Teacher
Date

Table of Contents

Federal and State Regulations
Sarbanes-Oxley Act
Monitoring and Enforcing Compliance
Certification and Accreditation
Preparing for Certification (TBD)
References

Federal and State Regulations

Section 1 – Company Overview

Goodwill of North Georgia operates stores, donation centers and career centers, and offers a range of employment and job-training services across North Georgia. A related organization, Goodwill Industries of North Georgia, specializes in facilities management and protective services. Goodwill of North Georgia provides employability services to the unemployed who are struggling to find work, to people who want to change careers, and to those starting out in entrepreneurship. With its support, people facing physical, emotional and developmental limitations, among other challenges, are prepared for the demands of employment. Goodwill sells donated household goods, clothes and even books in stores across North Georgia, and the proceeds support its mission of putting people to work.
Goodwill has an integrated security infrastructure consisting of video cameras, monitored alarms, access control systems, endpoint protection (including mobile devices), web filtering, email protection, remote access solutions and end-user security awareness training.

  • Video cameras (CCTV) are installed throughout the premises, indoors and outside, and stream live feeds to the security team's smartphones, desktops or tablets so that the team can track activity, including any suspicious activity, anywhere in the company.
  • Monitored alarms detect and identify the specific area of the organization that has been breached. They emit audible alerts that can be heard by anyone in the building, especially the security personnel.
  • Access control systems restrict entry to sensitive areas. The company uses photo identification and access cards, graded according to the area or section being accessed. The security team ensures these controls are correctly placed and working so that employees and clients are protected.

Section 2 – Federal and State Regulations, Directives, and Acts on Security Compliance

Federal laws and regulations give industry guidance on the requirements that have significant security and privacy impact.

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) requires that audit work papers and related financial records be retained for seven years. It was enacted in 2002, after the Enron and WorldCom scandals, as a preventive measure. It protects investors and the public by increasing the reliability and accuracy of corporate disclosures. The Securities and Exchange Commission (SEC) is mandated to implement it by defining which records and audit materials businesses must keep and for how long. The act applies in full to the boards, management and public accounting firms of U.S. public companies; only some of its provisions, notably whistleblower protection and the prohibition on destroying records, apply to non-profits such as Goodwill, although non-profits commonly adopt its governance practices voluntarily.
The act is organized into eleven titles: Public Company Accounting Oversight Board; Auditor Independence; Corporate Responsibility; Enhanced Financial Disclosures; Analyst Conflicts of Interest; Commission Resources and Authority; Studies and Reports; Corporate and Criminal Fraud Accountability; White-Collar Crime Penalty Enhancements; Corporate Tax Returns; and Corporate Fraud Accountability.

The Gramm-Leach-Bliley Act (GLBA) of 1999

Also known as the Financial Modernization Act of 1999, this act sets out requirements for protecting the personal financial information that financial entities hold. It has three main parts: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. It covers financial institutions and organizations that provide financial products or services to consumers, such as financial advice or settlement services, as Goodwill does. Goodwill works with job seekers and advises entrepreneurs on the best way forward, including financial advice to its clients, so knowledge of this act is critical to its operations.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS sets out the requirements for protecting cardholder account data. It was developed to facilitate consistent, global adoption of data security measures. Its founders, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, form the PCI Security Standards Council. It covers security management policies, procedures, software design and network architecture, and its requirements are aimed at reducing fraud and protecting consumer credit card information. It applies to retailers and any other company that handles credit card data.
Since Goodwill sells donated clothing and other goods through its thrift stores and other channels, and customers may pay by credit card, PCI DSS applies to the company.

The Electronic Fund Transfer Act, Regulation E

Enacted in 1978, this act protects consumers who engage in electronic fund transfers against fraud and errors. It establishes the rights, responsibilities and liabilities of consumers and of the financial institutions that offer EFT services. These transfers include ATM withdrawals, direct deposits and point-of-sale transfers, among others. Electronic fund transfers are unavoidable for shoppers at Goodwill, so due diligence is required to protect their data.

The Children's Online Privacy Protection Act (COPPA)

This act governs the online collection of data from children under the age of thirteen. The Federal Trade Commission (FTC) enforces it and sets limits on the collection and disclosure of children's data. It therefore determines what a website's privacy policy must contain, how verifiable consent must be obtained from parents, and what the operator's responsibilities are. Goodwill's services include settlement services that may require information about children, so it must take care not to violate this act.

Identify and describe 2 State Regulations

Massachusetts 201 CMR 17 (the Mass Data Protection Law)

This regulation, which took effect in 2010, protects Massachusetts residents against fraud and identity theft. It requires any organization that stores personal information about a resident of the state to maintain a written information security program that is regularly audited. Its main aim is to mitigate risks to the security of that information.
Businesses such as Goodwill that use the information of Massachusetts residents to provide services, products or employment are affected.

Nevada Personal Information Data Privacy Encryption Law (NRS 603A)

This law requires businesses to protect consumers' personal information by encrypting it when it is transmitted electronically or stored on devices moved outside the business. Goodwill may provide services to a Nevada resident and hold that resident's personal data, so it should adhere to this law.

Section 3 – Compliance Plan

For Goodwill, the compliance plan explains the roles and responsibilities of different personnel in IT infrastructure security; information classification, marking and handling; security categorization of information systems; security control requirements; and contingency planning, among other topics.

Describe Policies, Standards, Processes, and Guidelines

The Chief Information Officer of Goodwill is responsible for developing and maintaining the company's information security program, and works with the Information Systems Security Officer, who maintains the operational security posture of all information systems and programs.

Discuss the relationship between Controls and Audits

Controls are the measures an organization plans and puts in place to safeguard its assets, keep its information reliable and consistent, and operate efficiently and effectively so that it complies with the applicable rules and regulations. Audits verify that controls are actually executed, by assessing and evaluating the activities of the company.

Section 4 – Acceptable Use Policy

The Goodwill Acceptable Use Policy (AUP) addresses the safeguarding of users' access to its services.
It describes prohibited activities, responsibilities for system security, enforcement of the AUP, changes to the AUP, and the reporting of any breaches of it.

Goodwill applies Safe Harbor principles, under which customers are notified of the purposes for which their data is collected and used. The company also discloses to the client whether the data will be shared with a third party, and whether the third party's purpose is the same as or incompatible with the original one. Clients are given a choice, especially when their data is collected for employability purposes, to opt out if they do not want their data used by third parties. Goodwill also ensures that the third party adheres to the same terms of use. In case of data breaches, the company already has response mechanisms in place.

Acceptable Use Policy and Enforcement Ethics

Goodwill of North Georgia cannot guarantee that no data breach will occur. It does, however, commit to two basic principles: privacy and protection of client data. It is therefore unethical, and illegal, for any of its employees to cause a breach of this data.

Section 5 – Certification and Accreditation

DIACAP

Goodwill of North Georgia intends to apply risk management to its information systems by following the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP). DIACAP was the process for DoD information systems and was replaced in 2014 by the DoD Risk Management Framework (RMF) under DoDI 8510.01, so a non-DoD organization such as Goodwill can use it only as a model for its own process rather than obtain a DoD accreditation through it.
The company has already begun the process and is currently at the third phase, the certification determination and accreditation decision.

ISO27002

Goodwill aligns its information security controls with ISO/IEC 27002, which gives clear guidance for selecting, implementing and managing controls based on the organization's information security risk environment. Certification itself is granted against ISO/IEC 27001, which specifies the requirements for an information security management system; ISO/IEC 27002 is a code of practice and is not a certifiable standard.
The organization has already implemented commonly accepted information security controls and has also developed its own information security management guidelines.

Section 6 – Preparing for Certification

The organization has already implemented commonly accepted information security controls and developed its own information security management guidelines in preparation for certification.

Sarbanes-Oxley Act

Goodwill of North Georgia is a non-profit organization that provides hands-on skills training and helps job seekers write resumes and cover letters. It also helps them find job opportunities, and it receives donations that are sold to finance the job-search and training programs it runs. The Sarbanes-Oxley Act of 2002 regulates financial practice and corporate governance; it applies in full to public companies, and some of its provisions (whistleblower protection and record retention) apply to private and non-profit organizations as well. It matters to Goodwill of North Georgia in the area of corporate governance, because the organization requires coordination to meet its goals reliably. The organization depends on donations and on the sale of donated goods to fund its activities, which means it must produce accurate financial reports of what passes through the staff's hands. Both activities should be conducted in line with the Sarbanes-Oxley Act of 2002, which gives clear guidance on how they should be carried out and how financial matters should be handled.
The act strongly encourages transparency in the corporate world, and for Goodwill of North Georgia in particular it encourages transparency about how financial resources are used, how they are spent and how much is recovered from the sale of donated goods (http://www.soxlaw.com).

There are several situations in which the requirements of the Sarbanes-Oxley Act matter for an organization like Goodwill of North Georgia. The first is ensuring that every statement in the organization's financial reports is true. Misleading information would amount to fraud and would mean that the organization had gone so far as to hide information that matters to the public and to the authorities involved. The organization and those in charge of its finances must therefore be careful and clear about all financial matters, and the numbers must be correct and consistent with the organization's spending. This encourages transparency so that nothing is left out of the report.

The second is the evaluation of internal controls within the preceding ninety days and the reporting of the results (Fletcher & Plette, 2008). Evaluating internal controls means identifying every kind of inefficiency in the organization, including fraud by employees, so that it is all on record and can be accounted for in the organization's financial statements. Information about internal controls concerns both the internal activities of the organization and its finances.
It is also important to report changes to the internal controls, especially changes significant enough to have a negative impact, because these will affect the organization's internal activities to the point of being reflected in its financial reports and statements. Last but not least, the organization, through its accountant, must be able to report on its financial reporting procedures and on the effectiveness of its internal control structure. This demonstrates the adequacy of the organization's financial statements and internal controls, and the competence of its financial accountant.

The act's importance to the organization lies in establishing best industry practice in financial regulation. It also helps address the problems and issues that may arise from the organization's financial statements and reports; this is where financial governance comes into play. On personal management liability, the act is the defining regulation behind corporate responsibility (ABA Coordinating Committee on Nonprofit Governance, 2005). It focuses on financial practice regulation and corporate governance, and in this case on the governance of a non-profit. In matters of financial governance, the organization is expected to give accurate financial statements that clearly detail how its financial resources are used within the organization and for the benefit of the people it serves.
This instils discipline and brings transparency to the organization and its staff, so that misuse and fraud are dealt with in good time. The act thus sends a warning to all organizations concerned, non-profits included, that failing to provide true financial statements can be treated as a crime and prosecuted. Equally, failing to disclose that employees have been involved in fraudulent or otherwise illegal conduct calls for involving the authorities, since there must be accountability in every matter of the organization; this is why the act matters for corporate governance and financial practice regulation (The U.S. Sarbanes Oxley Act 2002 and Corporate Governance, 2007).

Monitoring and Enforcing Compliance

Question 1

Acceptable Use Policy

1. Overview

Goodwill of North Georgia is committed to a culture of openness, integrity and trust among its staff and management. The company is committed to protecting its partners, employees and customers from any kind of damage, which enables effective security for all parties involved.

2. Purpose

The purpose of this policy is to define the acceptable use of the organization's resources and so reduce the risk that would otherwise be present.

3. Scope

This policy applies to the organization's resources, whether financial or in the form of donations received from well-wishers that support the conduct of the organization's business. That business is assisting people to acquire hands-on training, to write professional cover letters and to find jobs. All staff and contractors are required to adhere to the rules in this policy and to exercise sound judgment in doing so.
Goodwill of North Georgia directs this policy at all internal and external parties that work with the organization to achieve its goals (Calder, 2005).

4. Policy

4.1 General use and ownership

4.1.1 All information held on any electronic equipment on Goodwill of North Georgia's premises remains the property of the organization for as long as it is in use by the organization. Proprietary information must therefore be protected in accordance with the Data Protection Standard.
4.1.2 All staff of Goodwill of North Georgia are responsible for reporting any theft, unauthorized access or loss of any kind on the organization's premises.
4.1.3 The organization's information may be accessed only by authorized personnel, and only to the extent the organization allows based on the person's duties.
4.1.4 All employees are expected to exercise sound judgment when using the organization's resources for personal purposes on the premises.

4.2 Security and Proprietary Information

4.2.1 All personal devices belonging to staff and brought onto the organization's premises are subject to security checks.
4.2.2 All devices used by staff must be password-protected, and access to information on them must be restricted according to the role of the person handling the device.

4.3 Unacceptable Use

4.3.1 Staff are prohibited from any activity that violates the responsibilities they hold within the organization.
4.3.2 Unauthorized access to prohibited sites, and unauthorized copying of material belonging to the organization, are violations of the organization's privacy policy.
4.3.3 Committing any fraudulent act, whether or not it is covered by the organization's policies, will be referred to the authorities and penalized under the applicable laws.
4.3.4 Interference with any of the organization's business by staff is prohibited and is punishable under the organization's rules and regulations.
4.3.5 Giving misleading direction to the organization's customers violates the organization's rules and regulations and may attract a penalty appropriate to the situation (Northcutt & Northcutt, 2004).

5. Policy Compliance

5.1 Compliance with this policy will be verified through internal and external audits, reports from the organization's business units, and feedback to the governing committee.
5.2 Exceptions are made for unique situations, on the basis of the particular circumstances.
5.3 Non-compliance with this policy may be punished by a penalty proportionate to the situation, up to and including termination of employment.

Question 2

An investigation into a matter that affects the organization internally, especially one involving violations, calls for a prompt response from the employer. The investigation should be carried out quickly, to prevent a recurrence and to keep the costs from rising. The first step is to ensure confidentiality, so that the employee or staff member under investigation is unaware of it and does not change behavior. The complainant should then be given interim protection so that they are not harmed further, which may require seeking legal measures and finding a solution for them. An investigator is then selected; this person should be detail-oriented, skilled, unbiased, of the right temperament for conducting interviews, strong in interpersonal skills, and must have no stake in the outcome. The investigator then draws up a plan based on the allegations made. Open-ended interview questions are then developed for everyone involved.
The interviews are then conducted; everyone involved is informed of the investigation and of the importance of confidentiality, and the process is explained to them in detail (Harwood, 2011). A decision is then made based on the outcome of the investigation, and the employer decides what action is warranted, taking all involved into consideration. The investigation is closed once the damages have been quantified and it has been decided what the remedy is, whether training is needed, whether workplace policies have to change, and whether a review of the investigation and of the complaint resolution is called for. The final step is a written summary of the results of the investigation. Everything done during an investigation of Goodwill of North Georgia's internal environment should be documented.

Question 3

The ethical considerations of the acceptable use policy come down to the fairness of the policy itself. Fairness here concerns the rules of behavior in the policy that govern both the granting and the restriction of access to the organization's resources. A contradiction arises when the organization limits access but still needs work done that requires access to the same resources. The general guidelines in the policy give users direction on acceptable use, restrictions and prohibitions. The policy holds staff responsible for what happens to the resources, but fairness requires that it not place all the blame on staff. The rules give direction to staff and can always be amended as the organization's needs change (IRMA, 2015).

Certification and Accreditation

Difference between Certification and Accreditation

Basically, certification is the confirmation that an individual, an organization or an object conforms to certain characteristics.
More often, an audit, assessment, education or external review may provide this conformance (Grama, 2012). It is a comprehensive process of evaluation of an event, a process, a product or a system which is classically measured against a standard or a norm that exists (In Jahankhani, et al., 2016). A body which is independent may provide certification in the form of an assurance which is written that indicates such a system, service or product meets specified requirements. Certification programs are often created for the purposes of testing or evaluating the skills of specific performing services within an area of interest of an entity. Generally, certification is a form of verification that an organization or an individual has attained a particular compliance level in a specific area. It is indicative that some essential steps in receiving a specified designation have been met. As an official measure used to demonstrate to clients or an employer possession of the capability in a specific area as confirmed by an organization which is reputable, it demonstrates that the services or products are in line with consumers’ expectations (In Jahankhani, et al., 2016) A perfect example can be illustrated by governmental agencies certifying that an organization adheres to regulations that exist within a specific sector. Another example is by laboratories that are used for testing certifying that particular products meet the standards that are pre-established. In contrast, accreditation is considered to be a formal declaration by a third party that a certification program is administered in an approach which meets the appropriate standards of a certification program(Grama, 2012). This hierarchy of accreditation is mostly overseen by the European Accreditation Forum and the International Accreditation Forum (IAF) (In Jahankhani, GOODWILL SECURITY 18 et al., 2016). 
These forums have the role of approving and accrediting the National Accreditation Body that exists in every nation with possess the relevant arrangements to operate a National Accreditation Board. Increased globalization has inspired the existence of several accreditation bodies to address the needs in accreditation according to market segments or specific industry. Description of At least 3 Industry/ International Certification Frameworks Used to Evaluate the Security of an Application System A framework for information security refers to a series of documented processes which are used in the description of procedures and policies in an ongoing and implementation of controls in information security within an environment (In Jahankhani, et al., 2016) The purpose of such a framework is to build programs in information security where risks can be well managed and vulnerabilities reduced. In most instances, frameworks are customized to solve particular problems in information security. Examples include; NIST SP 800 Series, COBIT and ISO 27000 series. NIST SP 800 Series The United States National Institute of Standards and Technology has the responsibility of establishing collective standards of information technology and documenting best practices. Its first special publication which was the 800 series was published in the year 1990 and has advanced to ensure advice is provided in most aspects that deal with information security (Grama, 2012 Other models that have emerged for the NIST 800 series is the NIST 800-53 which has inspired the evolvement of other frameworks for government agencies in the United States so that they can comply with the 200 requirements of the Federal Information Processing Standards (Grama, 2012 ISO 27000 Series GOODWILL SECURITY 19 The International Standards Organization developed the ISO 27000 Series. This series guarantees a detailed framework for information security which can efficiently be applied to different types of organizations. 
It is can also be considered to be an equivalent to ISO 9000 information security quality standards in the manufacturing sector (In Jahankhani, et al., 2016). The ISO 27000 series has different sub-standards whose definitions are strictly based on content. For instance, the ISO 27001 describes program requirements and ISO 27002 describes the relevant operational steps for a program in information security. Several best practice standards are existent in the ISO 27000 series. For instance, organizations that seek compliance with the HIPAA Act could adopt the ISO 27799 which describes information security in the health sector (In Jahankhani, et al., 2016). Besides, the ISO 27000 Series provides a broad range of advice in the collection of digital evidence, security of storage systems and cloud computing. COBIT COBIT is the initial for Control Objectives for Information and Related Technology (COBIT) and it is an information security framework that was established in the mid-90s by ISACA)(Grama, 2012). ISACA is an independent organization that governs professionals in the field of IT. Currently, two certifications are provided by ISACA which are; Certified Information Security Manager (CISM) and the Certified Information System Auditor (CISA) (Grama, 2012). The primary focus to the beginning of this certification was to ensure a reduction in the technical risks that existed in organizations. However, in the recent times, it has evolved with COBIT 5 to comprise alignment of the strategic goals of a business with Information Technology (In Jahankhani, et al., 2016). For most financial institutions and other organizations that look forward to achieving compliance with the Sarbanes-Oxley act, it is the most common framework that is used. 
Description of Common Criteria as One of the Frameworks

The Common Criteria is an international set of specifications and guidelines developed for evaluating information security products, so that those products can be shown to meet the security requirements agreed upon for government deployments (Higaki, 2014). Formally, it is the Common Criteria for Information Technology Security Evaluation, published as ISO/IEC 15408. Its two core constructs are Protection Profiles and Evaluation Assurance Levels (Higaki, 2014). A Protection Profile defines a set of security requirements for a given type of product, while the Evaluation Assurance Level (EAL) indicates how rigorously a product was examined during evaluation. EALs run on a scale from 1 to 7; a higher level means the product was subjected to more extensive testing and analysis than a product at a lower level (Higaki, 2014). The EAL measures the depth of the evaluation rather than the strength of the product's security features: an EAL4 product is not necessarily more secure than an EAL2 product, only more thoroughly evaluated against its own stated claims.

Vendors must produce a Security Target, which describes the security features of the product under evaluation and analyzes the threats the product is intended to counter. The vendor also performs a self-assessment showing how the product conforms to the Protection Profile and the EAL it is being evaluated against (Higaki, 2014). Finally, an accredited laboratory tests the product, verifies its security features and evaluates how well it adheres to the specifications in the Protection Profile (Higaki, 2014). If the evaluation succeeds, an official product certification is issued. In this way, Common Criteria certification assures customers that the product they are purchasing has undergone a thorough evaluation and that the vendor's claims have been verified by a neutral third-party laboratory.
Preparing for Certification (TBD)

References

ABA Coordinating Committee on Nonprofit Governance. (2005). Guide to nonprofit corporate governance in the wake of Sarbanes-Oxley. Chicago, IL: Section of Business Law, American Bar Association.

Calder, A. (2005). A business guide to information security: How to protect your company's IT assets, reduce risks and understand the law. London: Kogan Page.

Fletcher, W. H., & Plette, T. N. (2008). The Sarbanes-Oxley Act: Implementation, significance, and impact. New York: Nova Science Publishers.

Grama, J. (2012). Corporate information security and privacy regulation. In Legal issues in information security (pp. 181-204). Sudbury, MA: Jones & Bartlett Learning.

Harwood, M. (2011). Security strategies in Web applications and social networking. Sudbury, MA: Jones & Bartlett Learning.

Higaki, W. H. (2014). Successful Common Criteria evaluations: A practical guide for vendors. North Charleston, SC: CreateSpace.

Information Resources Management Association. (2015). Business law and ethics: Concepts, methodologies, tools, and applications.

Information security compliance: Which regulations relate to me? (2018, January 18). Retrieved from https://www.tcdi.com/information-security-compliance-which-regulations/

ISO/IEC 27002:2013 - Information technology -- Security techniques -- Code of practice for information security controls. (n.d.). Retrieved from https://www.iso.org/standard/54533.html

Jahankhani, H., Carlile, A., Emm, D., Hosseinian-Far, A., Brown, G., Sexton, G., & Jamal, A. (Eds.). (2016). Global Security, Safety and Sustainability - The Security Challenges of the Connected World: 11th International Conference, ICGS3 2017, London, UK, January 18-20, 2017, Proceedings. Cham: Springer International Publishing.

Northcutt, S. (2004). IT ethics handbook: Right and wrong for IT professionals. Rockland, MA: Syngress.

Retrieved from http://acqnotes.com/acqnote/careerfields/dod-information-assurance-certification-and-accreditation-process-diacap

Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

Retrieved from http://www.soxlaw.com/

Staff, C. (2012, December 19). The security laws, regulations and guidelines directory. CSO Online. Retrieved from https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html#Childrens-Online-Privacy

Suyono, E., & Hariyanto, E. (2012). Relationship between internal control, internal audit, and organization commitment with good governance: Indonesian case. China-USA Business Review, 11(9), 1237-1245. doi:10.17265/1537-1514/2012.09.006

The U.S. Sarbanes-Oxley Act 2002 and corporate governance: Big Brother is watching you? (2007). München: GRIN Verlag.