Information Systems Homework Help


19671

Write a 2-page paper that discusses what policies were missing in the particular case. Do additional research beyond what was provided in the text.

Use APA format

Cite your sources.

 

  • Understand differences in framework components, policy, standard, procedures, guidelines and definitions
  • What is an information security framework?
  • What are information systems security policies? Why are they needed?
  • What is a standard? What information is included in a standard?
  • What are procedures? What information is included in procedures?
  • What are guidelines? What information is included?
  • Understand the steps in the Information Security Lifecycle

operation security
19668

Pick a topic ((a) Windows and the Threat Landscape, (b) Security in Microsoft Windows OS, (c) Access Controls in Microsoft Windows, (d) Microsoft Windows Network Security) relevant to the information in any of the articles presented (https://technet.microsoft.com/en-us/library/dd277411.aspx).

INTRODUCTION

  • State the topic you are attempting to cover
  • State the issues involved
  • State why we should be concerned with resolving whatever issues are involved
  • State how answering the issues will help us
  • State the implications and consequences of dealing with or resolving the issues involved

REVIEW OF THE LITERATURE (2 sources minimum, at least 1 needs to be peer-reviewed)
Identify who has tried to answer the question before by doing the following:

  • Summarize how each of the sources presents and deals with the subject
  • Explain how each source presents and deals with its findings or results
  • Explain the relevancy of each source to your topic
  • State what you learned from each of your sources
  • State in what way(s) each source contributes to answering your issues

DISCUSSION

  • State your answer to your issue
  • State, elaborate on, explain, and illustrate how each of the sources you previously reviewed helps you answer your issue
  • State what questions about your topic you still have that your sources may not have answered

CONCLUSIONS

  • Indicate how each of the sources has contributed to your conclusions (and clearly, accurately, correctly document those sources within your text)
  • State the implications of your conclusions
  • State what might be the possible consequences of your conclusions
  • State the significance these implications and consequences might have in the information technology / information security realm 

DOCUMENTATION

  • On a separate page, include a section labeled References which provides the full publication information for all the sources you used in your paper
  • You should have a MINIMUM of three (2) sources for your paper, at least 1 source needs to be peer-reviewed
  • Not meeting this minimum requirement of three (2) sources will lead to a lower evaluation of your paper for each missing source
  • Use APA format for documenting your sources

-For APA help: Purdue OWL
-For more details on journal types, refer to this link:  Rutgers Library

Mini Research paper
19634

As the new manager of a convenience store, you have noticed issues with the manual method of tracking sales using paper sales tickets and spreadsheets, as well as shortages on some of the more popular items carried in the store.

Present your case for upgrading to a database driven solution for tracking sales and inventory to the store owners. They are concerned about the cost and want to know what this upgrade would entail.

Include the following:

  • How a system could improve efficiency
  • How a system could improve accuracy
  • How sales of individual items would be entered
  • How the database would store the data compared to the current spreadsheet method
  • How monitoring of inventory levels based on sales using the database would work

Choose one of the following presentation deliverables:

  • An 8- to 10-slide narrated presentation, with appropriate graphics
  • A written business proposal (approximately two pages)
  • Another deliverable approved by your faculty member

Individual: Automating Sales and Inventory
19633

Part 1: Team Leadership

As a group, review at least four (6) academically reviewed articles on Team Leadership. Develop a PowerPoint presentation based on the articles. Support your presentation with appropriate references. Use APA format throughout.

Part 2: Discuss your learning outcomes:

As a group, present a discussion of your learning outcomes from the article review. Present your learning outcomes using PowerPoint slides.

Specific Instructions:

1. Develop PowerPoint slides. Your presentation should contain a minimum of 20 slides (excluding the cover page and reference page).

2. Use APA format throughout.

Team Leadership
19618

Using an organization of your choice: 

Develop a Complete Disaster Recovery Plan to be submitted to the executive board of your company.

Please note that this is formal writing; all references (mostly peer-reviewed) must be cited appropriately within the text, and plagiarism must be clearly avoided. The paper should have a minimum of 10 pages, 1.5 spacing and Times New Roman font. A minimum of 5 peer-reviewed references must be provided. Reference style is APA. You can also have some web references alongside the stated requirement.

Disaster Recovery- Information Management Systems
19589

Part 1: Sharpening the Team Mind: Communication and Collective Intelligence

A. What are some of the possible biases and points of error that may arise in team communication systems? In addition to those cited in the opening of Chapter 6, what are some other examples of how team communication problems can lead to disaster?

B. Revisit communication failure examples in Exhibit 6-1. Identify the possible causes of communication or decision-making failure in each example, and, drawing on the information presented in the chapter, discuss measures that might have prevented problems from arising within each team’s communication system.

Part 2: Team Decision-Making: Pitfalls and Solutions

A. What are the key symptoms of groupthink? What problems and shortcomings can arise in the decision-making process as a result of groupthink?

B. Do you think that individuals or groups are better decision-makers? Justify your choice. In what situations would individuals be more effective decision-makers than groups, and in what situations would groups be better than individuals?

Instructions

Use research from at least 3 academically reviewed journal articles to support your responses. No internet or other non-academic articles should be used for these discussion questions. Be sure to support your work with specific citations from this week's Learning Resources.

Your initial post is due on Friday of Week 8 by 11:59pm EST, your secondary post is due on Sunday of Week 8 by 11:59pm EST. All late submissions will receive a zero grade (NO EXCEPTIONS)

Specific Instructions

Read a selection of your colleagues' postings.

Respond to at least 3 of your colleagues' postings in one or more of the following ways:

• Ask a probing question, substantiated with additional background information and research from academically reviewed journal articles.

• Share an insight from having read your colleagues' postings, synthesizing the information to provide new perspectives.

• Offer and support an alternative perspective using readings from the classroom or from your own research in the Campbellsville University Library

• Validate an idea with your own experience and additional research.

• Make suggestions based on additional evidence drawn from readings or after synthesizing multiple postings.

• Expand on your colleagues' postings by providing additional insights or contrasting perspectives based on readings and evidence.

Return to this Discussion several times to read the responses to your initial posting. Note what you have learned and/or any insights you have gained as a result of the comments your colleagues made.

Important Note: You need to participate in class discussions and activities each week. Your participation is evidence that you are attending classes in order to continue to maintain your F1 visa status. Simply logging in and doing nothing is not enough to meet this requirement. Consistent absence and lack of participation will result in automatic withdrawal from the course.

Late submissions will receive a zero grade

Communication and Team Decision Making
19585

Please answer the question below with 250 words or more. Thank you

 

Question 1.

Give an example of a project that is driven by each of the following needs. (Each need should have a different project described.)

  • Marketing Demand
  • Business Need
  • Customer Request
  • Technological Advance
  • Legal Requirement
  • Social Need

Question 2.

IT projects are particularly challenging as we are frequently asked for cost and time estimates before we do the Requirements Phase.  Write about how IT professionals can attempt to estimate time and cost when we don't know the requirements yet.  (This is a real issue that many of you have faced.  Feel free to provide examples, etc.)

Please answer the question below with 250 words or more
19584

Using Microsoft Project or other similar software create a GANTT chart for a hypothetical project that involves at least 7 tasks, and two milestones.  In your posting, include enough support material to describe the project, each of the tasks, and to identify the critical path.  Be sure to include linkages between tasks other than finish-to-start.  (If you absolutely cannot get MS Project to work, you can use another tool to produce your Gantt chart but I would prefer to see it in MS Project.)  Create your own Main Topic using your name.  Provide supporting documentation in the text box, and a copy of your MS Project or other type of file printed as a pdf so all can read.

Information Systems Analysis
19573

Privacy Policies of Zuger Law Office, PLLC

Executive Summary

This section of the Course Paper, which may be named whatever you like (e.g., “Executive Summary,” “Introduction,” “Preamble,” etc.), should only be a handful of sentences; certainly no more than a page. Here, your team will describe the nature of your business. You should explain what your firm does, who your customers are, and briefly mention any other key stakeholders in light of privacy concerns. This is also the place to list your team members. And, finally, in this section, you should explain to your audience—i.e., your company’s staff—why privacy is important in your business. Essentially, this is where you “sell” your audience on the fact that they must abide by your company’s privacy policies.

 

Policy Statements

Policy 1.1 Policy Statement Section Overview

This is where you organize and list each applicable privacy policy statement. These are the rules that govern your company’s actions, and those of your staff. You need to determine an organization schema. Look around online to find examples of a useful style. Or, you may choose to use your current workplace documentation as a go-by.

 

Policy 1.2 Policy Statements Contents

The contents of these policies should contain at least the following features:

  • The policy, itself, such as “Reasonable Expectation of Privacy for Employees.”
  • The laws, regulations, or standards that relate to the policy at issue.
  • An example, when applicable, that helps your audience understand the policy.
  • Directions on how to effect the policy. For example, if your company processes payments by credit or debit cards, and your policy is something like “Anyone who processes payments via payment cards must conform their actions to PCI DSS standards related to privacy,” then you may want to insert a link to those standards. Or, perhaps, incorporate examples as mentioned directly above.

This list is not exhaustive. Depending on the set of facts, you may need to include more.

 

Policy 1.3 Comprehensive Policy Statements

The Policy Statements must be a comprehensive body. Do not omit the discussion of laws that may apply to your business. This means that you must understand what your business does, and its privacy implications. Every company has employees, so employees’ privacy must be addressed. While it is debatable, I have discussed that any HRIS, or a company’s personnel records kept otherwise, has the propensity to contain medical information that we now know to refer to as “PHI.” Thus, you should have some policy that governs handling those data vis-à-vis privacy. Could your company be known as a “financial institution?” If so, you must discuss GLB Act privacy policies.

 

The point is that in three to five pages you must tell your employees everything they need to know about maintaining appropriate privacy while conducting your business.

 

Policy 2.1 Scoring the Course Paper

The Course Paper is worth 100 points. I will give up to ten points for the submission's form and format. That includes its organization, page count and team size, and grammar and spelling. Form and format are important because if a policy document is disorganized, contains typographical errors, or is hard to read otherwise, employees will not respect or even use it as the guidance it is meant to be. Consider a numbering or another outline-styled structure to identify policy clauses.

 

I will give up to ten additional points for the introductory section, and whether you included all of the required information.

 

I will give up to 80 points for the policy statements. Questions I will have in mind when reviewing your policy statements include: Did the team incorporate what we've learned about privacy? Can the document be read and understood by all levels of an organization? Are the policies concise, or vague and wordy?

 

Policy 2.2 Writing Assistance

Writing assistance is available by emailing a copy of your file to the International Academic Services office (yes, even if you are not an international student) at [email protected]. I highly recommend that you give the IAS Team at least two or three business days to review your work. Take into consideration the fact that you will likely need to respond to their efforts with some rewriting of your own, and you can start to calculate how much in advance of April 23 you should be planning on sending them a draft.

 

Policy 3.1 Cautionary Tales From Prior Submissions

Here are some of the ways that students have lost points in prior years:

  • Teams and pages. Do not submit as an individual; you must be part of a team. Do not exceed the page count. Only use Microsoft Word (.doc or .docx) or Adobe PDF format. Each team member must individually submit a copy of the team’s work. You cannot rely on one member’s submission. And, when two team members submit dissimilar work, it evinces a non-functioning team.
  • This is not a website privacy policy document. While one of your company’s policies, assuming you have a website, should be that your websites must include the proper policy statements, this is not an assignment on writing a website policy statement. If you are submitting a “Terms of Use” or “Privacy Notice,” you are not following the requirement that your policies must govern your business. Website Privacy Statements are aimed at users of your website.
  • Don’t skip the obvious. If you are an insurance company, and fail to draft a policy that addresses HIPAA privacy, that’s a big omission. If children may access your website, you had better include some acknowledgement of COPPA’s and CIPA’s privacy laws. See Policy 1.3, above.
  • Get going now. While having up to five people working on this can make it very easy to accomplish, you cannot wait until the end of the course to start.
  • Perfect the writing. Spelling errors, syntax and grammar issues, and other poor English writing artifacts all take away from the credibility of your policies. When your company does not care enough to write well, your employees will not care enough about privacy to help you avoid risks.
  • This is a policy document. In some prior examples, valuable paper “real estate” was wasted on describing marketing plans, or a company’s history, or other immaterial data. The introductory section is important, but it is not the crux of this learning objective.

There are other ways that students have lost points, so please consider the entire body of instructions and requirements. These, in my opinion, came up often enough, or were easy enough to avoid, to include for your benefit.

Course Paper Team Information

 

Use the table, below, to present information about your team. Please input names exactly as they appear in the iLearn Grade Center. As you learn more during this course, the section about why privacy is important to your company will evolve. At this early stage, think about why privacy would be important to your business based on your own experiences, and what type of business you are conducting.

Business Name:

Company Officer Names:
1.
2.
3.
4.
5.

Describe the nature of the business.

List three reasons why privacy is important to your company.
1.
2.
3.

Course paper
19529

I have 3 questions that need to be completed. The first 2 are 300-350 words and the 3rd is 250 words. They need to be high quality and include references. Thanks

Part 1: 250-300 words with reference

Review the key roles involved in the design of a dimensional model such as data modeler, business analyst, business intelligence application developer, data steward, ETL developer, database administrator, security manager, data warehouse administrator. Select a role and define the tasks that this person performs.

Part 2: 250-300 words with reference

Loshin (2003) identified that high quality data is the most important factor for the success of a data warehouse. Review 2-3 data quality issues regarding data warehouses. Please provide references and examples.

Loshin, David. (2003). Business Intelligence. San Francisco: Morgan Kaufmann Publishers.

Part 3: 400 words with reference (Use references and justification to support your point of view.)

Describe one unique and specific example of market basket analysis or DNA sequence analysis where data mining can help.  Explain how it would help the retailer or sponsor of the data mining effort.

IT Questions WK3
19527

A timeline of cybercrime was discussed in class and can be found under the Course Materials. Research one of the crimes from the timeline, and research an article or case study discussing a cybercrime case that happened after 2009, where the timeline stopped. (It would be a good idea to research something related to the timeline.) You must write a 2-page paper discussing your research. You will also need to have three questions prepared for the class on your research. Please remember that you must follow APA guidelines for citing and referencing sources. You need to be prepared to discuss your article in class. Be sure to have 3-5 questions prepared to ask the class. Please include the questions with your assignment.

 

You may not discuss the following topics:

- Target
- Neiman Marcus
- TJ Maxx
- Sony Playstation
- Gonzalez
- Stuxnet
- RSA Security
- Sony
- Ashley Madison
- Home Depot
- OPM
- Anthem
- Equifax

Digital
19525

Assignment:

Write an 8-page APA formatted paper on a business problem that requires data mining, why the problem is interesting, the general approach you plan to take, what kind of data you plan to use, and finally how you plan to get the data. You should describe your problem, approach, dataset, data analysis, evaluation, discussion, references, and so on, in sufficient detail, and you need to show supporting evidence in tables and/or figures. You need to provide captions for all tables and figures.

Your paper should include an abstract and a conclusion and a reference page with 3-5 references.

 

Sections

The following sections should be outlined as Headers in the paper. The Title and Table of Contents are not counted as part of the eight pages.

Introduction
Background
Discussion
Conclusion
References

All written reports should be submitted in MS Word.

term paper on CUSTOMER CHURN PREDICTION IN VARIOUS BUSINESSES USING DATA MINING
19513

You have just installed a new computer with the Windows operating system and want to be sure that it is protected from the threat of viruses, so you ask two of your friends to help research computer viruses, virus prevention, and virus removal.

In a team of three people, each person should choose a topic (computer viruses, virus prevention, and virus removal) to research.

Create a Word document that contains steps to properly safeguard a computer from viruses, ways to prevent viruses, as well as the different ways to remove a virus should your computer become infected.

You made several decisions while searching Windows Help and Support for this assignment. What decisions did you make? What was the rationale behind these decisions? How did you locate the required information about viruses in Help?

 

Note: The assignment should contain an Abstract and must have an introduction with a clear thesis statement, a body discussing the three main points, and a conclusion, with a minimum of 3 references.

Subject: Computer and Office Applications
19501

Create a 6–8 page evaluation of biometric products and make recommendations on how they fit within the organization detailed in the case study.

Assessment Instructions

Preparation

Refer to the Mega-Corp Case (attached along with this assessment).

 

You have been tasked with evaluating existing biometric products and making a recommendation to the board as to how biometrics will fit with the authentication strategy for the organization.

Deliverable

Write a 6–8 page evaluation and recommendation in which you complete the following:

  • Evaluate the advantages and disadvantages of integrating physical and logical authentication procedures using biometrics.
  • Identify the authentication options that are available through the use of various biometrics (for example, face, thumb, and palm).
  • Analyze the effectiveness of the various biometric options available for authentication.
  • Explore how the use of injected RFID relates to biometric vs. token-based options for authentication.
  • Describe the barriers to successful implementation of an enterprise level biometric authentication system.
  • Recommend a specific biometric authentication option.

Additional Requirements

  • Written communication: Written communication is free of errors that detract from the overall message.
  • APA formatting: Resources and citations are formatted according to current APA style and formatting.
  • Length: 6–8 pages, excluding the references page.
  • Font: Times New Roman, 12 point.

Biometrics
19500

Assessment Instructions

In this assessment, you will design and code a Java console application that takes as input five integer values and produces as output the lowest and highest values of these five integer values. The application uses Java looping constructs to implement its functionality.

Your program output should look like the sample output provided in the "Find Highest & Lowest of Five Integers Using Java Loops Instructions" course file resource. Full instructions for successfully completing this assessment are included in this resource. Use the submission template (WeekXSolutionSubmissionTemplate.docx).

Your assessment will be scored according to the following criteria:

  1. Design a program that meets Java looping statements requirements.
  2. Code an application that exercises looping constructs.
  3. Test the application and document that testing.
  4. Explain the approach taken to develop the application and the major decisions made.
  5. Identify relevant fundamental constructs in a submitted program.
  6. Communicate efficiently, effectively, and in an appropriate manner for an IT professional.

Submission template (WeekXSolutionSubmissionTemplate.docx):

Name:
Date:
Class: IT2249
Unit:

Insert here a copy of your zip file of all of your NetBeans project files so that it could be unzipped, loaded and run in another NetBeans:

Insert here a copy of your *.java source code text that you used here (copy and paste source code here, do not simply insert *.java files):

Insert here a screenshot showing the result of testing your application as directed by the assignment:

Explain the approach you took to complete this assignment and the major decisions you made:

Find Highest and Lowest of Five Integers Using Java Loops
19458

ISY2001 Assignment 1 Semester 2 2018.doc

Unit Name/Code: ISY2001 – System Analysis and Design

Assessment Type: Report

Assessment Number: 3

Assessment Name: Case Study

Unit Learning Outcomes Assessed: LO 1, LO 2, LO 3, LO 4, LO 5, LO 6

Due Date and Time: Week 10, 21st September, 2018 by 5:00PM via Moodle, Turnitin

Weighting: 20% (20 Marks)

Assessment Description

 

System Requirement

FastFit is a local gym. FastFit is looking to develop a system that would provide online booking for customers to book into various fitness workshops that the gym provides.

Currently, the gym has many weekly workshops like “Zumba”, “Pilates”, “Yoga”, etc. Every class has a day(s) of the week that it runs, a start time, an end time and rates (per-class price and pre-pay 10-class pass price). Currently FastFit caps the size of every lesson to 20 people maximum per session.

FastFit has considered developing a simple website for an online booking system with the capability to enable customers to access it from their mobile devices and to book a lesson or pre-pay for 10 classes to get a pass that is valid for 6 months after the date of purchase. The system should allow them to buy up to 9 individual lessons and a maximum of 2 pre-pay passes per customer.

At the time of their first booking, Customers should be able to enter their details with their address into an online form, along with their credit card details. However, Customers can also have an account with FastFit and for any subsequent bookings, they can log in to their own account and make a booking for Lesson(s).

Assume you have been assigned to design and develop the system for FastFit. You are given three weeks to come up with a blueprint of the system design and present the design to a team of consultants.

The online booking system should be able to perform a number of activities such as adding or creating a new customer, checking for available classes requested by the customer, providing them with other days and times if the same class runs on any other day or time, and receipting and processing all booking transactions. You may add any other possible functions that you deem necessary for this system to function in this business case.

Task

You are required to design a system that can perform the above activities and maintain a database containing data relevant to those activities. Carry out “process modelling” and “data modelling” to achieve this purpose.

Your tasks in this project include:

Provide a justification of why this system needs to be developed and ensure that you are professionally convincing to senior management.

Provide a description of the business case and justification about the business benefits from implementing this system.


Australian Institute of Higher Education

CRICOS Provider Code: 03147A

Level 3 & 4 545 Kent Street Sydney NSW 2000 Australia

T: +612 9020 8050 W: www.aih.nsw.edu.au


Describe the project scope and provide a brief cost and schedule analysis.

Identify the major functions in the system that will be required in order to meet the business needs.

Conduct the TCO of this system in Excel; add your full name and student ID in Excel in row 1. Embed the TCO part from Excel into the Word document, which is your assignment file. Ask the teacher to show you how to embed this if you are not sure.

Develop data flow diagrams (DFD level 0 and Context Diagram with at least 2 different processes).

Prepare an entity relationship diagram to model the data requirements relevant to this system.

Create 3 screen interfaces (a main menu, an input screen and the monthly sales report) that will be used in the system designed by your group.

The marking will be based on the design; it is not necessary to implement the system.

Referencing and Plagiarism

It is essential to use IN TEXT referencing. If you are using the exact words from a reference then you must use quotation marks.

Use Harvard style, which is more verbose: http://www.citethisforme.com/harvard-referencing

Remember that this is a Turnitin assignment and plagiarism will be subject to severe penalties. Please refer to the AIH Academic Misconduct Policy: http://www.aih.nsw.edu.au/content/1-home/8-more-info-tabs/3-official- HYPERLINK "http://www.aih.nsw.edu.au/content/1-home/8-more-info-tabs/3-official-policies/academic-misconduct-policy.pdf" policies/academic-misconduct-policy.pdf

Detailed Submission Requirements

Before submission, ensure that the submitted work satisfies the following requirements:

Submit as a PDF or MS Word file through the Turnitin assignment submission tool on Moodle.

Include a cover sheet that has your name, subject, date, report title.

 


Marking Criteria Items Description:

| Items | Description | Marks |
| --- | --- | --- |
| 1. Clear business case and justification | At least 4 main business benefits in points form | 2 |
| 2. Project scope statement | Clear and measurable scope statement | 1 |
| 3. Cost and schedule | Brief cost and schedule analysis done in Excel then copied to the Word document (assignment doc) | 3 |
| 4. TCO clear and complete | Correct, clear and complete list of TCO items ID + Name inserted before embedding into the Word document | 3 |
| 5. Data Flow Diagrams | Correct use of symbols, eliminate all common errors and reflect logical analysis of the system | 3 |
| 6. ER-Diagram | Correctly show the relationships between essential entities, indicate attributes for each entity and identify primary keys | 3 |
| 7. Screen Interfaces | Conform to the guidelines for designing forms and reports, headings, meaningful content, appealing and business-like | 3 |
| 8. Document Presentation | Clear structure and format, contains table of content, title page, good grammar and free of spelling and proofreading errors, work is original and shows understanding of the system design concepts, etc. | 2 |
| Total | | 20 |

 


ISY2001 Assignment 1 Semester 2 2018.doc
19432

Project #3: IT Security Controls Baseline for Red Clay Renovations

To ensure compatibility with existing policy and documentation, Red Clay Renovations’ IT Security policies, plans, and procedures will continue to use the following security control classes (management, operational, technical), as defined in NIST SP 800-53 rev 3 (p. 6).


Security Controls Baseline

Red Clay Renovations Security Controls Baseline shall include the security controls listed below.  Security control definitions and implementation guidance shall be obtained from the most recent version of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

1. AC: Access Controls (Technical Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| AC-1 | Access Control Policy and Procedures | AC-1 |
| AC-2 | Account Management | AC-2 (1) (2) (3) (4) |
| AC-3 | Access Enforcement | AC-3 |
| AC-4 | Information Flow Enforcement | AC-4 |
| AC-5 | Separation of Duties | AC-5 |
| AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | AC-7 |
| AC-8 | System Use Notification | AC-8 |
| AC-11 | Session Lock | AC-11 (1) |
| AC-12 | Session Termination | AC-12 |
| AC-14 | Permitted Actions without Identification or Authentication | AC-14 |
| AC-17 | Remote Access | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | AC-18 (1) |
| AC-19 | Access Control for Mobile Devices | AC-19 (5) |
| AC-20 | Use of External Information Systems | AC-20 (1) (2) |
| AC-21 | Information Sharing | AC-21 |
| AC-22 | Publicly Accessible Content | AC-22 |

2. AT: Awareness and Training (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| AT-1 | Security Awareness and Training Policy and Procedures | AT-1 |
| AT-2 | Security Awareness Training | AT-2 (2) |
| AT-3 | Role-Based Security Training | AT-3 |
| AT-4 | Security Training Records | AT-4 |

 

3. AU: Audit and Accountability (Technical Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| AU-1 | Audit and Accountability Policy and Procedures | AU-1 |
| AU-2 | Audit Events | AU-2 (3) |
| AU-3 | Content of Audit Records | AU-3 (1) |
| AU-4 | Audit Storage Capacity | AU-4 |
| AU-5 | Response to Audit Processing Failures | AU-5 |
| AU-6 | Audit Review, Analysis, and Reporting | AU-6 (1) (3) |
| AU-7 | Audit Reduction and Report Generation | AU-7 (1) |
| AU-8 | Time Stamps | AU-8 (1) |
| AU-9 | Protection of Audit Information | AU-9 (4) |
| AU-10 | Non-repudiation | Not Selected |
| AU-11 | Audit Record Retention | AU-11 |
| AU-12 | Audit Generation | AU-12 |

 

4. CA: Security Assessment and Authorization (Management Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 |
| CA-2 | Security Assessments | CA-2 (1) |
| CA-3 | System Interconnections | CA-3 (5) |
| CA-5 | Plan of Action and Milestones | CA-5 |
| CA-6 | Security Authorization | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 (1) |
| CA-9 | Internal System Connections | CA-9 |

 

5. CM: Configuration Management (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| CM-1 | Configuration Management Policy and Procedures | CM-1 |
| CM-2 | Baseline Configuration | CM-2 (1) (3) (7) |
| CM-3 | Configuration Change Control | CM-3 (2) |
| CM-4 | Security Impact Analysis | CM-4 |
| CM-5 | Access Restrictions for Change | CM-5 |
| CM-6 | Configuration Settings | CM-6 |
| CM-7 | Least Functionality | CM-7 (1) (2) (4) |
| CM-8 | Information System Component Inventory | CM-8 (1) (3) (5) |
| CM-9 | Configuration Management Plan | CM-9 |
| CM-10 | Software Usage Restrictions | CM-10 |
| CM-11 | User-Installed Software | CM-11 |

 

 

6. CP: Contingency Planning (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| CP-1 | Contingency Planning Policy and Procedures | CP-1 |
| CP-2 | Contingency Plan | CP-2 (1) (3) (8) |
| CP-3 | Contingency Training | CP-3 |
| CP-4 | Contingency Plan Testing | CP-4 (1) |
| CP-5 | Withdrawn | --- |
| CP-6 | Alternate Storage Site | CP-6 (1) (3) |
| CP-7 | Alternate Processing Site | CP-7 (1) (2) (3) |
| CP-8 | Telecommunications Services | CP-8 (1) (2) |
| CP-9 | Information System Backup | CP-9 (1) |
| CP-10 | Information System Recovery and Reconstitution | CP-10 (2) |

 

7. IA: Identification and Authentication (Technical Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 |
| IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (2) (3) (8) (11) (12) |
| IA-3 | Device Identification and Authentication | IA-3 |
| IA-4 | Identifier Management | IA-4 |
| IA-5 | Authenticator Management | IA-5 (1) (2) (3) (11) |
| IA-6 | Authenticator Feedback | IA-6 |
| IA-7 | Cryptographic Module Authentication | IA-7 |
| IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4) |

 

8. IR: Incident Response (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| IR-1 | Incident Response Policy and Procedures | IR-1 |
| IR-2 | Incident Response Training | IR-2 |
| IR-3 | Incident Response Testing | IR-3 (2) |
| IR-4 | Incident Handling | IR-4 (1) |
| IR-5 | Incident Monitoring | IR-5 |
| IR-6 | Incident Reporting | IR-6 (1) |
| IR-7 | Incident Response Assistance | IR-7 (1) |
| IR-8 | Incident Response Plan | IR-8 |

 

9. MA: Maintenance (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| MA-1 | System Maintenance Policy and Procedures | MA-1 |
| MA-2 | Controlled Maintenance | MA-2 |
| MA-3 | Maintenance Tools | MA-3 (1) (2) |
| MA-4 | Nonlocal Maintenance | MA-4 (2) |
| MA-5 | Maintenance Personnel | MA-5 |

 

 

 

 

10. MP: Media Protection (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| MP-1 | Media Protection Policy and Procedures | MP-1 |
| MP-2 | Media Access | MP-2 |
| MP-3 | Media Marking | MP-3 |
| MP-4 | Media Storage | MP-4 |
| MP-5 | Media Transport | MP-5 (4) |
| MP-6 | Media Sanitization | MP-6 |
| MP-7 | Media Use | MP-7 (1) |

 

11. PE: Physical and Environmental Protection (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 |
| PE-2 | Physical Access Authorizations | PE-2 |
| PE-3 | Physical Access Control | PE-3 |
| PE-4 | Access Control for Transmission Medium | PE-4 |
| PE-5 | Access Control for Output Devices | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 (1) |
| PE-8 | Visitor Access Records | PE-8 |
| PE-9 | Power Equipment and Cabling | PE-9 |
| PE-10 | Emergency Shutoff | PE-10 |
| PE-11 | Emergency Power | PE-11 |
| PE-12 | Emergency Lighting | PE-12 |
| PE-13 | Fire Protection | PE-13 (3) |
| PE-14 | Temperature and Humidity Controls | PE-14 |
| PE-15 | Water Damage Protection | PE-15 |
| PE-16 | Delivery and Removal | PE-16 |
| PE-17 | Alternate Work Site | PE-17 |

 

12. PL: Planning (Management Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| PL-1 | Security Planning Policy and Procedures | PL-1 |
| PL-2 | System Security Plan | PL-2 (3) |
| PL-4 | Rules of Behavior | PL-4 (1) |
| PL-8 | Information Security Architecture | PL-8 |

 

13. PS: Personnel Security (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| PS-1 | Personnel Security Policy and Procedures | PS-1 |
| PS-2 | Position Risk Designation | PS-2 |
| PS-3 | Personnel Screening | PS-3 |
| PS-4 | Personnel Termination | PS-4 |
| PS-5 | Personnel Transfer | PS-5 |
| PS-6 | Access Agreements | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 |

 

 

14. RA: Risk Assessment (Management Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 |
| RA-2 | Security Categorization | RA-2 |
| RA-3 | Risk Assessment | RA-3 |
| RA-5 | Vulnerability Scanning | RA-5 (1) (2) (5) |

 

15. SA: System and Services Acquisition (Management Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 |
| SA-2 | Allocation of Resources | SA-2 |
| SA-3 | System Development Life Cycle | SA-3 |
| SA-4 | Acquisition Process | SA-4 (1) (2) (9) (10) |
| SA-5 | Information System Documentation | SA-5 |
| SA-8 | Security Engineering Principles | SA-8 |
| SA-9 | External Information System Services | SA-9 (2) |
| SA-10 | Developer Configuration Management | SA-10 |
| SA-11 | Developer Security Testing and Evaluation | SA-11 |

 

16. SC: System and Communications Protection (Technical Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| SC-1 | System and Communications Protection Policy and Procedures | SC-1 |
| SC-5 | Denial of Service Protection | SC-5 |
| SC-7 | Boundary Protection | SC-7 |
| SC-8 | Transmission Confidentiality | SC-8 |
| SC-18 | Mobile Code | SC-18 |
| SC-19 | Voice Over Internet Protocol | SC-19 |
| SC-28 | Protection of Information at Rest | SC-28 |
| SC-39 | Process Isolation | SC-39 |

 

17. SI: System and Information Integrity (Operational Controls Category)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| SI-1 | System and Information Integrity Policy and Procedures | SI-1 |
| SI-2 | Flaw Remediation | SI-2 (2) |
| SI-3 | Malicious Code Protection | SI-3 (1) (2) |
| SI-4 | Information System Monitoring | SI-4 (2) (4) (5) |
| SI-5 | Security Alerts, Advisories, and Directives | SI-5 |
| SI-7 | Software, Firmware, and Information Integrity | SI-7 (1) (7) |
| SI-8 | Spam Protection | SI-8 (1) (2) |
| SI-10 | Information Input Validation | SI-10 |
| SI-11 | Error Handling | SI-11 |
| SI-12 | Information Handling and Retention | SI-12 |
| SI-16 | Memory Protection | SI-16 |

 

 

 

18. PM: Program Management (Management Controls Family)

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| PM-1 | Information Security Program Plan | all |
| PM-2 | Senior Information Security Officer | all |
| PM-3 | Information Security Resources | all |
| PM-4 | Plan of Action and Milestones Process | all |
| PM-5 | Information System Inventory | all |
| PM-6 | Information Security Measures of Performance | all |
| PM-7 | Enterprise Architecture | all |
| PM-8 | Critical Infrastructure Plan | all |
| PM-9 | Risk Management Strategy | all |
| PM-10 | Security Authorization Process | all |
| PM-11 | Mission/Business Process Definition | all |
| PM-12 | Insider Threat Program | all |
| PM-13 | Information Security Workforce | all |
| PM-14 | Testing, Training, and Monitoring | all |
| PM-15 | Contacts with Security Groups and Associations | all |
| PM-16 | Threat Awareness Program | all |

 

Project #3: System Security Plan

WARNING: YOU MUST PARAPHRASE INFORMATION USED IN THIS ASSIGNMENT. Copy/Paste is only allowed for the names and designators of security controls and/or control families. All other information used in this assignment must be rewritten into your own words.

Company Background & Operating Environment

Red Clay Renovations is an internationally recognized, award-winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period-correct architectural characteristics. Please refer to the company profile (file posted in Week 1 > Content > CSIA 413 Red Clay Renovations Company Profile.docx) for background information and information about the company’s operating environment. In addition to the information from the company profile, you should:

• Use the Baltimore field office as the target for the System Security Plan

• Use Verizon FiOS as the Internet Services Provider (see http://www.verizonenterprise.com/terms/us/products/internet/sla/ )

Policy Issue & Plan of Action

A recent risk assessment highlighted the need to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s field offices. This requirement has been incorporated into the company’s risk management plan and the company’s CISO has been tasked with developing, documenting, and implementing the required security measures. The IT Governance board also has a role to play since it must review and approve all changes which affect IT systems under its purview.

The CISO has proposed a plan of action which includes developing system security plans using guidance from NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems. The IT Governance board, after reviewing the CISO’s proposed plan of action, voted and accepted this recommendation. In its discussions prior to the vote, the CISO explained why the best practices information for security plans from NIST SP 800-18 was suitable for the company’s use. The board also accepted the CISO’s recommendation for creating a single System Security Plan for a General Support System since, in the CISO’s professional judgement, this type of plan would best meet the “formalization” requirement from the company’s recently adopted risk management strategy.

Your Task Assignment

As a staff member supporting the CISO, you have been asked to research and then draft the required system security plan for a General Support System. In your research so far, you have learned that:

• A general support system is defined as “an interconnected set of information resources under the same direct management control that shares common functionality.” (See NIST SP 800-18)

• The Field Office manager is the designated system owner for the IT support systems in his or her field office.

• The system boundaries for the field office General Support System have already been documented in the company’s enterprise architecture (see the case study).

• The security controls required for the field office IT systems have been documented in a security controls baseline (see the controls baseline attached to this assignment).

 

 

Section 13 of this document will take you the most time to research and write because it requires the most original writing on your part. You must write a description for EACH CONTROL CATEGORY (managerial, operational, and technical). Then, paste in the table from the Security Controls Baseline. THEN, write a descriptive paragraph explaining how these specific controls will work together to protect the Red Clay Renovations IT Infrastructure for the Baltimore Field Office.

 

 

URLs for Recommended Resources For This Project

| Title | Type | Link |
| --- | --- | --- |
| Service Level Agreement (SLA) Internet Dedicated Services \| Verizon Enterprise | Web Page | http://www.verizonenterprise.com/terms/us/products/internet/sla/ |
| NIST SP 800-100 Information Security Handbook: A Guide for Managers | PDF | https://doi.org/10.6028/NIST.SP.800-100 |
| NIST SP 800-12 R1: An Introduction to Information Security | PDF | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf |
| NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems | PDF | http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf |
| NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations | PDF | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf |

 

Research:

1. Review the information provided in the case study and in this assignment, especially the information about the field offices and the IT systems and networks used in their day-to-day business affairs.

2. Review NIST’s guidance for developing a System Security Plan for a general support IT system. This information is presented in:

   a. NIST SP 800-12 R1 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf). Pay special attention to Chapter 2 and Section 5.4.

   b. NIST SP 800-18 (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf). Pay special attention to the Sample Information System Security Plan template provided in Appendix A.

3. Review the definitions for IT security control families as documented in NIST SP 800-12 R1 Chapter 10: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf

4. Review the definitions for individual controls as listed in Appendix F Security Control Catalog in NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf You should focus on those controls listed in the security controls baseline provided with this assignment.

Write:

1. Use the following guidance to complete the System Security Plan using the template from Appendix A of NIST SP 800-18.

   a. Sections 1 through 10 will contain information provided in the assigned case study. You may need to “interpret” that information when writing the descriptions. “Fill in the blanks” for information about the company or its managers which is not provided in the case study (i.e. names, email addresses, phone numbers, etc.). Make sure that your fictional information is consistent with information provided in the case study (name of company, locations, etc.).

   b. Section 11 should contain information about the field office’s Internet connection. Do not include the table. Use the business Internet Services Provider listed at the top of this assignment file. Describe the system interconnection type and the service level agreement in this section.

   c. Section 12 should contain information derived from the case study. You will need to identify the types of information processed in the field office and then list the laws and regulations which apply. For example, if the case study company processes or stores Protected Health Information, then this section must include information about HIPAA. If the company processes or stores credit card payment information, then this section must include information about the PCI-DSS requirements.

   d. Section 13 of the SSP will take the most research and writing time. You MUST provide the required descriptive paragraphs for the three categories AND the explanations as to how the security controls within the control families will be used to secure the IT infrastructure. You MUST use the selected security control families and security controls as provided in the security controls baseline.

      i. Create 3 sub-sections (13.1 Management Controls, 13.2 Operational Controls, and 13.3 Technical Controls). You must provide a description for each category (see the definitions provided in Annex 11.B Minimum Security Controls in NIST SP 800-100 Information Security Handbook: A Guide for Managers).

      ii. Using the information provided in the security controls baseline, place the required control families and controls under the correct sub-section.

      iii. Use the exact names and designators for the security control families and individual security controls. BUT, you MUST paraphrase any and all descriptions. Do NOT cut and paste from NIST documents.

   e. Section 14: use the due date for this assignment as the plan completion date.

   f. Section 15: leave the approval date blank. You will not have any other text in this section (since the plan is not yet approved).

2. Use a professional format for your System Security Plan. Your document should be consistently formatted throughout and easy to read.

3. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.

4. Common phrases do not require citations. If there is doubt as to whether or not information requires attribution, provide a footnote with publication information or use APA format citations and references.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. Consult the grading rubric for specific content and formatting requirements for this assignment.

Submit For Grading

Submit your System Security Plan in MS Word format (.docx or .doc file) for grading using your assignment folder. (Attach the file.)

 

1. Information System Name/Title:

• Unique identifier and name given to the system. [use information from the case study]

 

2. Information System Categorization:

• Identify the appropriate system categorization [use the information from the case study].

 

3. Information System Owner:

• Name, title, agency, address, email address, and phone number of person who owns the system. [Use the field office manager]

 

4. Authorizing Official:

• Name, title, agency, address, email address, and phone number of the senior management official designated as the authorizing official. [Use the company’s Chief Information Officer.]

 

5. Other Designated Contacts:

• List other key personnel, if applicable; include their title, address, email address, and phone number. [include the CISO, the ISSO, and other individuals from the case study, if appropriate]

 

6. Assignment of Security Responsibility:

• Name, title, address, email address, and phone number of person who is responsible for the security of the system. [use the case study information]

 

7. Information System Operational Status:

• Indicate the operational status of the system. If more than one status is selected, list which part of the system is covered under each status. [Use the case study information.]

 

8.0 Information System Type:

• Indicate if the system is a major application or a general support system. If the system contains minor applications, list them in Section 9. General System Description/Purpose. [use the case study information]

 

9.0 General System Description/Purpose

• Describe the function or purpose of the system and the information processes. [use the case study information]

 

10. System Environment

• Provide a general description of the technical system. Include the primary hardware, software, and communications equipment.

 

[use the case study information and diagrams. Add brand names, equipment types as required (if not provided in the case study)]

 

11. System Interconnections/Information Sharing

• List interconnected systems and system identifiers (if appropriate), provide the system name, owning or providing organization, system type (major application or general support system) … add a fictional date of agreement to interconnect, and the name of the authorizing official.

 

12. Related Laws/Regulations/Policies

• List any laws or regulations that establish specific requirements for the confidentiality, integrity, or availability of the data in the system.

 

13. Minimum Security Controls

 

Use the security controls baseline as provided for this assignment. Include descriptive paragraphs for each section. Cut and paste the tables from the provided security controls baseline to add the individual security controls under each section. Use the sections and sub-sections as listed below.

 

13.1 Management Controls

 

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

 

13.1.1 [first control family]

 

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

 

13.1.2 [second control family]

 

…………

 

13.2 Operational Controls

 

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

 

13.2.1 [first control family]

 

13.2.2 [second control family]

 

…………..

 

13.3 Technical Controls

 

[provide a descriptive paragraph – DO NOT COPY TEXT FROM OTHER DOCUMENTS]

 

13.3.1 [ first control family]

 

13.3.2 [ second control family]

 

…………

 

Example:

 

 

14. Information System Security Plan Completion Date: _____________________

• Enter the completion date of the plan.

 

15. Information System Security Plan Approval Date: _______________________

• Enter the date the system security plan was approved and indicate if the approval documentation is attached or on file.

Project 3: IT Security Plan for Baltimore Field Office

Information System Security Plan for Baltimore Field Office

1. Information System Name/Title: Red Clay Renovations’ Baltimore Field Office

 

2. Information System Categorization: MODERATE

 

3. Information System Owner:

Erica Kniesel, Office Manager & ISSO, Baltimore Field Office

Red Clay Renovations

200 Commerce Street, Suite 450

Baltimore, MD 21201

[email protected]

443-555-2900

 

4. Authorizing Official:

Erwin Carrington, CIO & Director IT Services

Red Clay Renovations

12209 Red Clay Place

Owings Mills, MD 21117

[email protected]

667-555-6260

 

5. Other Designated Contacts:

Eric Carpenter, CISO / Deputy CIO

Red Clay Renovations

12209 Red Clay Place

Owings Mills, MD 21117

[email protected]

667-555-6370

 

6. Assignment of Security Responsibility:

Erica Kniesel, Office Manager & ISSO, Baltimore Field Office

Red Clay Renovations

200 Commerce Street, Suite 450

Baltimore, MD 21201

[email protected]

443-555-2900

 

7. Information System Operational Status: OPERATIONAL

 

8.0 Information System Type: GENERAL SUPPORT SYSTEM

 

9.0 General System Description/Purpose

The Baltimore field office provides smart home architecture designs and is interconnected to the Red Clay Renovations operations center through a Verizon FiOS Internet connection. A Virtual Private Network is used to link the field site to headquarters, and the office uses both wired and wireless connections internally for its systems.

 

10. System Environment

The Baltimore field office utilizes the following systems for its infrastructure:

• CISCO Switch

• CISCO Router

• CISCO Wireless router

• RJ-45 wall jacks

• 100BASE-T Ethernet cable

• Cat 5 cable

• Alcatel Private Branch Exchange system

• Dell laptops and desktops (Windows 10 Enterprise)

• Dell servers (Windows Server 2012)

• Symantec Endpoint Protection

 

11. System Interconnections/Information Sharing

Under its Service Level Agreement, Verizon FiOS provides the Baltimore field office with an average transmission latency of 45 milliseconds between regional Verizon hub routers within the United States; data crossing to other countries averages 90 milliseconds. Network service shall be provided 100% of the time.

 

12. Related Laws/Regulations/Policies

• Computer Fraud and Abuse Act of 1984

• Federal Information Security Management Act of 2002

• Federal Information Processing Standards Publication (FIPS) 199

• Sarbanes-Oxley, Section 404

• Payment Card Industry Data Security Standard

 

13. Minimum Security Controls

 

13.1 Management Controls

Management Controls are security safeguards of data within an organization’s systems with an emphasis on managing risks relating to information system security. Management control families are detailed under FIPS 200.

           

13.1.1 Security Assessment and Authorization

Red Clay Renovations is to periodically assess the security controls in place in order to analyze their effectiveness, establish plans of action to minimize potential vulnerabilities, and approve the operation of all connected information systems. The controls also require ongoing monitoring of the system controls to ensure they remain effective.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 |
| CA-2 | Security Assessments | CA-2 (1) |
| CA-3 | System Interconnections | CA-3 (5) |
| CA-5 | Plan of Action and Milestones | CA-5 |
| CA-6 | Security Authorization | CA-6 |
| CA-7 | Continuous Monitoring | CA-7 (1) |
| CA-9 | Internal System Connections | CA-9 |

 

 

13.1.2 Planning

Red Clay Renovations will develop and establish security plans for its information systems. Each plan details the security controls that are to be implemented and the proper use of the computer systems by their users.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| PL-1 | Security Planning Policy and Procedures | PL-1 |
| PL-2 | System Security Plan | PL-2 (3) |
| PL-4 | Rules of Behavior | PL-4 (1) |
| PL-8 | Information Security Architecture | PL-8 |

 

13.1.3 Risk Assessment

Red Clay Renovations will periodically analyze potential risks to daily operations and assets. The information systems affected are those involved in processing and storing the data received through Red Clay Renovations’ business transmissions.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| RA-1 | Risk Assessment Policy and Procedures | RA-1 |
| RA-2 | Security Categorization | RA-2 |
| RA-3 | Risk Assessment | RA-3 |
| RA-5 | Vulnerability Scanning | RA-5 (1) (2) (5) |

 

13.1.4 System and Services Acquisition

Red Clay Renovations will allocate sufficient resources to protect the organization’s computer systems efficiently, develop a system life cycle plan to rotate out old equipment and software, and create restrictions on certain usage practices and installations.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| SA-1 | System and Services Acquisition Policy and Procedures | SA-1 |
| SA-2 | Allocation of Resources | SA-2 |
| SA-3 | System Development Life Cycle | SA-3 |
| SA-4 | Acquisition Process | SA-4 (1) (2) (9) (10) |
| SA-5 | Information System Documentation | SA-5 |
| SA-8 | Security Engineering Principles | SA-8 |
| SA-9 | External Information System Services | SA-9 (2) |
| SA-10 | Developer Configuration Management | SA-10 |
| SA-11 | Developer Security Testing and Evaluation | SA-11 |

           

13.2 Operational Controls

 

Operational Controls are security safeguards implemented by information systems’ users instead of by the system itself. Operational control families are detailed under FIPS 200.

 

13.2.1 Awareness and Training

Red Clay Renovations will establish proper awareness and operating training for the use of the organization’s computer systems. Security risks will be made well known, and all procedures will be properly documented in company policies.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| AT-1 | Security Awareness and Training Policy and Procedures | AT-1 |
| AT-2 | Security Awareness Training | AT-2 (2) |
| AT-3 | Role-Based Security Training | AT-3 |
| AT-4 | Security Training Records | AT-4 |

 

13.2.2 Configuration Management

Red Clay Renovations will create a baseline configuration for its information systems and maintain it. The company is also to administer the security settings of all technology products it utilizes.

| Control | Control Name | Selected Control (Enhancements) |
| --- | --- | --- |
| CM-1 | Configuration Management Policy and Procedures | CM-1 |
| CM-2 | Baseline Configuration | CM-2 (1) (3) (7) |
| CM-3 | Configuration Change Control | CM-3 (2) |
| CM-4 | Security Impact Analysis | CM-4 |
| CM-5 | Access Restrictions for Change | CM-5 |
| CM-6 | Configuration Settings | CM-6 |
| CM-7 | Least Functionality | CM-7 (1) (2) (4) |
| CM-8 | Information System Component Inventory | CM-8 (1) (3) (5) |
| CM-9 | Configuration Management Plan | CM-9 |
| CM-10 | Software Usage Restrictions | CM-10 |
| CM-11 | User-Installed Software | CM-11 |

 

13.2.3 Contingency Planning

Red Clay Renovations must implement an emergency response and recovery plan for company data and systems. The plan ensures the availability of critical data sources and the continuity of business operations.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| CP-1 | Contingency Planning Policy and Procedures | CP-1 |
| CP-2 | Contingency Plan | CP-2 (1) (3) (8) |
| CP-3 | Contingency Training | CP-3 |
| CP-4 | Contingency Plan Testing | CP-4 (1) |
| CP-6 | Alternate Storage Site | CP-6 (1) (3) |
| CP-7 | Alternate Processing Site | CP-7 (1) (2) (3) |
| CP-8 | Telecommunications Services | CP-8 (1) (2) |
| CP-9 | Information System Backup | CP-9 (1) |
| CP-10 | Information System Recovery and Reconstitution | CP-10 (2) |

13.2.4 Incident Response

Red Clay Renovations will establish an incident handling standard for the company. The incident response capability must include detection, investigation, control, and recovery. All actions taken must be documented for review by Red Clay management.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| IR-1 | Incident Response Policy and Procedures | IR-1 |
| IR-2 | Incident Response Training | IR-2 |
| IR-3 | Incident Response Testing | IR-3 (2) |
| IR-4 | Incident Handling | IR-4 (1) |
| IR-5 | Incident Monitoring | IR-5 |
| IR-6 | Incident Reporting | IR-6 (1) |
| IR-7 | Incident Response Assistance | IR-7 (1) |
| IR-8 | Incident Response Plan | IR-8 |

13.2.5 Maintenance

Red Clay Renovations will periodically conduct information system maintenance. The proper tools and techniques must be readily available to all personnel performing the maintenance.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| MA-1 | System Maintenance Policy and Procedures | MA-1 |
| MA-2 | Controlled Maintenance | MA-2 |
| MA-3 | Maintenance Tools | MA-3 (1) (2) |
| MA-4 | Nonlocal Maintenance | MA-4 (2) |
| MA-5 | Maintenance Personnel | MA-5 |

13.2.6 Media Protection

Red Clay Renovations will establish security protocols that protect all forms of media, both digital and hard copy. Only authorized users will be allowed to access sensitive information. Proper sanitization and destruction procedures will be used when the information is no longer needed.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| MP-1 | Media Protection Policy and Procedures | MP-1 |
| MP-2 | Media Access | MP-2 |
| MP-3 | Media Marking | MP-3 |
| MP-4 | Media Storage | MP-4 |
| MP-5 | Media Transport | MP-5 (4) |
| MP-6 | Media Sanitization | MP-6 |
| MP-7 | Media Use | MP-7 (1) |

13.2.7 Physical and Environmental Protection

Red Clay Renovations will allow only authorized personnel to access company areas and equipment. The proper utilities will be provided to protect information systems and company infrastructure from environmental hazards.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 |
| PE-2 | Physical Access Authorizations | PE-2 |
| PE-3 | Physical Access Control | PE-3 |
| PE-4 | Access Control for Transmission Medium | PE-4 |
| PE-5 | Access Control for Output Devices | PE-5 |
| PE-6 | Monitoring Physical Access | PE-6 (1) |
| PE-8 | Visitor Access Records | PE-8 |
| PE-9 | Power Equipment and Cabling | PE-9 |
| PE-10 | Emergency Shutoff | PE-10 |
| PE-11 | Emergency Power | PE-11 |
| PE-12 | Emergency Lighting | PE-12 |
| PE-13 | Fire Protection | PE-13 (3) |
| PE-14 | Temperature and Humidity Controls | PE-14 |
| PE-15 | Water Damage Protection | PE-15 |
| PE-16 | Delivery and Removal | PE-16 |
| PE-17 | Alternate Work Site | PE-17 |

13.2.8 Personnel Security

Red Clay Renovations will fully evaluate every individual in a position of responsibility to determine their trustworthiness with sensitive information. The company will establish procedures that minimize risk during personnel actions and when an individual fails to comply with company protocols.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| PS-1 | Personnel Security Policy and Procedures | PS-1 |
| PS-2 | Position Risk Designation | PS-2 |
| PS-3 | Personnel Screening | PS-3 |
| PS-4 | Personnel Termination | PS-4 |
| PS-5 | Personnel Transfer | PS-5 |
| PS-6 | Access Agreements | PS-6 |
| PS-7 | Third-Party Personnel Security | PS-7 |
| PS-8 | Personnel Sanctions | PS-8 |

13.2.9 System and Information Integrity

Red Clay Renovations will respond in a timely manner to flaws within the company’s information systems. The company must report and then correct each flaw, identifying what protections are needed to remediate the vulnerability, and follow up by monitoring the system for security alerts.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| SI-1 | System and Information Integrity Policy and Procedures | SI-1 |
| SI-2 | Flaw Remediation | SI-2 (2) |
| SI-3 | Malicious Code Protection | SI-3 (1) (2) |
| SI-4 | Information System Monitoring | SI-4 (2) (4) (5) |
| SI-5 | Security Alerts, Advisories, and Directives | SI-5 |
| SI-7 | Software, Firmware, and Information Integrity | SI-7 (1) (7) |
| SI-8 | Spam Protection | SI-8 (1) (2) |
| SI-10 | Information Input Validation | SI-10 |
| SI-11 | Error Handling | SI-11 |
| SI-12 | Information Handling and Retention | SI-12 |
| SI-16 | Memory Protection | SI-16 |

13.3 Technical Controls

 

Technical Controls are security safeguards implemented solely by the information systems’ hardware, firmware, or software mechanisms. The technical control families are defined in FIPS 200.

13.3.1 Access Controls

Red Clay Renovations will limit access to information systems to authorized company users only. Access control also extends to the processes each individual is permitted to perform on company systems.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| AC-1 | Access Control Policy and Procedures | AC-1 |
| AC-2 | Account Management | AC-2 (1) (2) (3) (4) |
| AC-3 | Access Enforcement | AC-3 |
| AC-4 | Information Flow Enforcement | AC-4 |
| AC-5 | Separation of Duties | AC-5 |
| AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10) |
| AC-7 | Unsuccessful Logon Attempts | AC-7 |
| AC-8 | System Use Notification | AC-8 |
| AC-11 | Session Lock | AC-11 (1) |
| AC-12 | Session Termination | AC-12 |
| AC-14 | Permitted Actions without Identification or Authentication | AC-14 |
| AC-17 | Remote Access | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access | AC-18 (1) |
| AC-19 | Access Control for Mobile Devices | AC-19 (5) |
| AC-20 | Use of External Information Systems | AC-20 (1) (2) |
| AC-21 | Information Sharing | AC-21 |
| AC-22 | Publicly Accessible Content | AC-22 |

13.3.2 Audit and Accountability

Red Clay Renovations will create an auditing system for all information processing performed on company systems. Monitoring the audit records allows analysis for potential misuse or unauthorized access to sensitive data. Every action on a computer system should be traceable to the user who performed it, so that users can be held accountable for their activities.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| AU-1 | Audit and Accountability Policy and Procedures | AU-1 |
| AU-2 | Audit Events | AU-2 (3) |
| AU-3 | Content of Audit Records | AU-3 (1) |
| AU-4 | Audit Storage Capacity | AU-4 |
| AU-5 | Response to Audit Processing Failures | AU-5 |
| AU-6 | Audit Review, Analysis, and Reporting | AU-6 (1) (3) |
| AU-7 | Audit Reduction and Report Generation | AU-7 (1) |
| AU-8 | Time Stamps | AU-8 (1) |
| AU-9 | Protection of Audit Information | AU-9 (4) |
| AU-10 | Non-repudiation | Not Selected |
| AU-11 | Audit Record Retention | AU-11 |
| AU-12 | Audit Generation | AU-12 |

13.3.3 Identification and Authentication

Red Clay Renovations will provide a system that identifies each user to every information system they use. An authentication method will be in place to ensure that each person has access only to the information they are authorized to use.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| IA-1 | Identification and Authentication Policy and Procedures | IA-1 |
| IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (2) (3) (8) (11) (12) |
| IA-3 | Device Identification and Authentication | IA-3 |
| IA-4 | Identifier Management | IA-4 |
| IA-5 | Authenticator Management | IA-5 (1) (2) (3) (11) |
| IA-6 | Authenticator Feedback | IA-6 |
| IA-7 | Cryptographic Module Authentication | IA-7 |
| IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4) |

13.3.4 System and Communications Protection

Red Clay Renovations will protect company communications through monitoring and specific controls. Communications transiting to and from the company must be monitored to preserve the integrity of the information systems within the company.

| Control | Control Name | Selected Control / Enhancements |
|---|---|---|
| SC-28 | Protection of Information at Rest | SC-28 |
| SC-39 | Process Isolation | SC-39 |

14. Information System Security Plan Completion Date: 23 April 2017

15. Information System Security Plan Approval Date: TBD


REFERENCES

Bement, A. (2004, February). Standards for Security Categorization of Federal Information and Information Systems (FIPS 199). Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

Bowen, P., & Hash, J. (2006, October). Information Security Handbook: A Guide for Managers (NIST SP 800-100). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf

Gallagher, P. (2009, August). Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53 Revision 3). Retrieved from http://delivery.acm.org/10.1145/2210000/2206266/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Gallagher, P. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53 Revision 4). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Jeffrey, W. (2006, March). Minimum Security Requirements for Federal Information and Information Systems (FIPS 200). Retrieved from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

Jeffrey, W. (2006, February). Guide for Developing Security Plans for Federal Information Systems (NIST SP 800-18 Revision 1). Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

 

Project #3: IT Security Controls Baseline for Red Clay Renovations
19425

PART 2. 40 points (Write at least 1 page, double spaced).

 

You are a student who drives every day to school. Think about all the instances where you would

 

a) Interface with a computing system or a digital information system.

 

b) A database

 

Document what you think might be happening with all the data you are creating as an individual.

Also document, what are the possibilities with this database at the level of the university (considering FIU has 52000 students).

ism3011
19424

This is a continuation of building a new folder/website. See the attachment for the old reference.

 

A Microsoft Word document is the new assignment that is due. Please follow the instructions.