ISSC 680 Information Security Management Discussion
Questions:
Think about systems you currently utilize or have utilized in the past that were deployed to the enterprise. Discuss the similarities or opportunities for improvement based on this week's readings. What approach do you think may be the most effective, and why?
2 Peers:
Student one:
Information systems security management within my organization covers a broad spectrum of security concerns: vulnerabilities, risks, and threats. Considering this from a security enterprise planning and implementation perspective, managing the risks within the Seven IT Domains (user domain, workstation domain, remote access domain, LAN domain, LAN-to-WAN domain, WAN domain, and system/application domain) according to policy and regulation, and following an excellent, reliable framework, is a good start in the right direction (Weiss and Solomon, 2016). With that said, the systems my organization utilizes daily vary from Voice over Internet Protocol (VoIP) to laptops, tablets, multifunction printers and scanners, etc. All information systems traverse an enterprise IP network known as the DoDIN (Department of Defense Information Network). My organization's network consists of two enclaves with different classifications. Each classification must meet the Department of Defense (DoD) STIGs (Security Technical Implementation Guides), which are the DoD cybersecurity standards and protocols for enforcing security measures within computers, servers, networks, and various information systems. For example, the DoD STIGs provide security measures on how to configure LAN and WAN devices and on the implementation of network protocols when connecting to a DoD enterprise network. In addition, STIG security controls, policies, and standards of operation (SOPs) are put in place to prevent threats and to reduce the risk of unauthorized access to or compromise of data and personally identifiable information (PII) (Layton, 2006). Based on this week's reading, security for my organization's physical and network infrastructure is implemented according to Army Regulation, policy, and guidelines. The Army's physical and network security is stringently enforced down to the user level.
For instance, network diagrams, Authorization to Connect (ATC) documentation, and physical security building accreditation and inspections are all streamlined through checks and balances to ensure that network and physical security are implemented according to cybersecurity policies and STIGs.

References

Layton, T. P. (2006). Information Security: Design, Implementation, Measurement, and Compliance. Auerbach Publications. Retrieved from http://ebookcentral.proquest.com/lib/apus/detail.action?docID=267956

Weiss, M., & Solomon, G. (2016). Information Systems Security & Assurance: Auditing IT Infrastructures for Compliance. Jones & Bartlett Publications.

Student two:
There have been many different enterprise systems that I currently utilize or have utilized in the past. Different systems were there for different tasks or for tracking different items. Having had two different jobs in the Air Force, the first being Aerospace Ground Equipment in Maintenance and the second being an Education and Training Manager, I have worked with some of the same systems but with different access. The system that I have used in both jobs was for tracking training. At first, I pretty much had basic user rights to update and maintain the trainees and trainers that were assigned to me. Now, being an Education and Training Manager, or Unit Training Manager, my rights have been moved to a more advanced role to manage multiple work centers or sections. This system uses role-based access control. This means that access control is based on the user's job description (Peltier, 2014, p. 208). At first, I was just assigned the role of a trainee; then, once I gained rank and training, I received the roles of trainer and supervisor. There was also a role called certifier that my career field did not require, so I was not assigned that. Now, being a Unit Training Manager, I have also been granted the role of Unit Training Manager. Each of these roles is based on a job description and different required training.
Trainers can sign off tasks that the trainees assigned to them have completed. Supervisors can monitor and maintain different aspects of their subordinates. The Unit Training Manager can see and manage all members within the units to which the Unit Training Manager is assigned. The access control of this system seems to work as required. The rights that each role has are also outlined in the system's user guide and user policy letters.

V/r,

Reference:

Peltier, T. R. (2014). Information Security Fundamentals. Retrieved from https://ebookcentral.proquest.com/lib/apus/reader.action?docID=1375200
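The scoped role-based access control that student two describes (trainers act only on their assigned trainees, supervisors on their subordinates, the Unit Training Manager on members of assigned units) can be modelled as a role-to-action table plus a per-role scope check. The following is an added illustration, not code from the post or from the Air Force training system; the action names, the `Member` fields and the sample population are assumptions.

```python
from dataclasses import dataclass, field

# Actions each role grants. The post names the roles; the action names are
# assumed, since the real training system's permission set is not given.
ROLE_ACTIONS = {
    "trainee": {"view_record"},
    "trainer": {"view_record", "sign_off_task"},
    "supervisor": {"view_record", "update_record"},
    "utm": {"view_record", "update_record", "manage_unit"},
}

@dataclass
class Member:
    name: str
    unit: str
    roles: set = field(default_factory=set)
    trainer: str = ""       # name of the assigned trainer (assumed field)
    supervisor: str = ""    # name of the assigned supervisor (assumed field)
    units_managed: set = field(default_factory=set)  # used by the UTM role

def in_scope(actor: Member, role: str, target: Member) -> bool:
    """A role covers only certain members: a trainee covers themself, a trainer
    their assigned trainees, a supervisor their subordinates, a UTM their units."""
    if role == "trainee":
        return actor.name == target.name
    if role == "trainer":
        return target.trainer == actor.name
    if role == "supervisor":
        return target.supervisor == actor.name
    if role == "utm":
        return target.unit in actor.units_managed
    return False  # unknown role: deny by default

def authorize(actor: Member, action: str, target: Member) -> bool:
    """Allow only if some role of the actor grants the action AND the target
    lies inside that role's scope; holding a role alone is not enough."""
    return any(action in ROLE_ACTIONS.get(r, set()) and in_scope(actor, r, target)
               for r in actor.roles)

def build_sample() -> dict:
    """Constructed sample population (not real personnel or units)."""
    return {
        "ann": Member("ann", "unit-a", {"trainee"}, trainer="bob", supervisor="cat"),
        "bob": Member("bob", "unit-a", {"trainer"}, supervisor="cat"),
        "cat": Member("cat", "unit-a", {"supervisor"}),
        "dan": Member("dan", "unit-b", {"trainee"}, trainer="eve"),
        "eve": Member("eve", "unit-b", {"trainer"}),
        "utm": Member("utm", "hq", {"utm"}, units_managed={"unit-a"}),
    }

if __name__ == "__main__":
    m = build_sample()
    print(authorize(m["bob"], "sign_off_task", m["ann"]))  # True: ann is bob's trainee
    print(authorize(m["bob"], "sign_off_task", m["dan"]))  # False: dan is eve's trainee
    print(authorize(m["utm"], "update_record", m["dan"]))  # False: unit-b is not managed
```

The scope check is what stops a trainer from signing off tasks for someone else's trainee, which a plain role-to-permission lookup would otherwise allow.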