
American Public Week 8 Information Assurance Reflection Response Paper

Question Description

1. Need a 500-word response and two cited references

A) There are many methods, mechanisms, and practices discussed for the management of security. Discuss what you deem the most effective security management framework for your organization and why. Peers, in your responses I encourage you to respectfully rebut their selection and/or point out the gaps/vulnerabilities.

2. Need a 250-word response with one cited reference to this peer response

Good evening,

It is week 8! Hope everyone had a great weekend. For the United States Air Force, I believe the Risk Management Framework (RMF) along with defense in depth is the best security management framework for the organization. With hundreds of thousands of users using both unclassified and classified systems, an effective management strategy is incredibly important to safeguard information critical to national security. First, using RMF allows the organization to categorize different systems based on level of criticality. This helps define what types of control measures are put in place to safeguard the asset. Next, defense in depth objectives consist of layering security measures that can be broken down into three categories: physical, technical, and administrative.

Physical security controls aim to protect the physical environment. For the military, the front gate, fences, building doors, safes, and vaults are physical security measures to protect assets. Next, technical security controls such as firewalls, cryptography, and multi-factor authentication are methods to guard against adversaries. Finally, administrative security controls include security clearance requirements, separation of duties, and policy management.

User training, as I have mentioned in previous posts, is pivotal to guarding against exploits. The number of controls, regardless of category, is irrelevant if a user does something like clicking a malicious link or using a Peer-to-Peer (P2P) sharing site and opens an attack vector. Currently, a yearly interactive computer-based training provides different scenarios to hit the security concepts home. However, equally important, if these policies are not enforced then the requirement is pointless.

Scott

3. Need a 250-word response with one cited reference to the peer response

Dr. McCracken and Classmates,

It seems hard to believe that 8 weeks have passed so quickly. The course has covered a wealth of material on information assurance. I am looking forward to the next two courses in the IA series and I hope to study with many of my classmates again in the November session. I greatly appreciate all your contributions to my learning and wish everyone the best in their future endeavors.

The nature of my organization’s business activities is rather different in that we provide accounting and audit services to other local businesses. We are subject to the Federal Trade Commission Rule that requires us to implement a formal security plan to protect client information. We’ve taken a defense in depth approach to security which has layered our security measures into physical, technical, and administrative areas. Guidance on developing a robust security framework has come from our industry organization, the American Institute of Certified Public Accountants (AICPA). Our greatest security need is to safeguard client information in both paper and electronic form. Our physical security controls seem adequate. Client and company paper documents are stored in fire-resistant locked file cabinets in a secure document room with controlled access. The building management provides for perimeter and interior security with security guards and controlled access. We maintain a comprehensive insurance policy that covers both malpractice and business continuity and includes cyber coverage. Our biggest concern is with cybersecurity. The number of cybersecurity incidents continues to grow and the COVID pandemic has just added fuel to the fire. It’s no comfort knowing that there are those that have been hacked and those that will be hacked. So in the area of cyber protection we have adopted the AICPA’s cybersecurity risk management framework. It blends elements from COBIT with NIST’s Cybersecurity Framework and the Cloud Security Alliance’s Cloud Controls Matrix. Although we do not prepare individual income tax returns, we do comply with IRS security and privacy standards. Coalfire provides a great summary of “IRS Publication 1345 requirements:

  1. Minimum encryption standards for data transmission
    1. Have a valid and current Extended Validation SSL Certificate using SSL 3.0 / TLS 1.0 or later
    2. Have minimum 1024-bit RSA and 128-bit AES
  2. External vulnerability scans
    1. Contract with an independent third-party vendor that is certified by the Payment Card Industry (PCI) Security Standards Council (SSC) and listed as a current Approved Scanning Vendor (ASV)
    2. Execute weekly external network vulnerability scans of all system components according to PCI Data Security Standard (DSS) requirements
    3. If the firm system(s) are hosted by another organization, that organization must also comply with PCI DSS requirements
  3. Information privacy and safeguard policies
    1. Policies should be developed to satisfy the following statement: “We maintain physical, electronic, and procedural safeguards that comply with applicable law and federal standards”
    2. Firm compliance with these policies must be certified by a privacy seal vendor acceptable to the IRS
  4. Website challenge-response test
    1. Implement an effective challenge-response protocol (e.g., CAPTCHA)
    2. No data is to be collected, transmitted, or processed until successful completion of the test
  5. Public domain name registration
    1. Provider website must be registered with a domain name registrar that is in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN)
    2. Domain name must be locked and not private
  6. Report security incidents
    1. Incidents include the unauthorized disclosure, misuse, modification, or destruction of taxpayer information
    2. Report security incidents to the IRS no later than the next business day
    3. If the website is the proximate cause of the incident, cease collecting taxpayer information via the website immediately and until the underlying cause/s of the incident are successfully resolved
    4. Follow the IRS instructions for reporting website security incidents” (Cook, 2019).

Regards, SueT

References

Cook, J. (2019, April). Tax time again: IT security for accounting firms. Coalfire. https://www.coalfire.com/the-coalfire-blog/april-2019/tax-time-again-it-security-for-accounting-firms
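The encryption minimums under item 1 of the quoted list are a compliance floor, not a current target: SSL 3.0 and TLS 1.0 have since been deprecated (RFC 7568 and RFC 8996), and 1024-bit RSA is below what NIST SP 800-131A now allows. The following Python script is an added example, not part of SueT's post or the Coalfire article: it evaluates a server's negotiated TLS parameters against the quoted floor and against a current floor. The CURRENT_FLOOR values, the endpoint samples and the function names are this example's own assumptions.

```python
"""Audit negotiated TLS parameters against the IRS Pub. 1345 floor quoted
above and against a current-practice floor.  Added example, not from the post."""
import socket
import ssl

# Protocol versions from weakest to strongest, using the strings ssl.SSLSocket.version() returns.
TLS_ORDER = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Floor as quoted from Cook (2019): SSL 3.0 / TLS 1.0 or later, RSA >= 1024 bits, AES >= 128 bits.
PUB1345_FLOOR = {"min_version": "SSLv3", "min_rsa_bits": 1024, "min_cipher_bits": 128}

# Current floor (assumption of this example): RFC 7568 deprecates SSL 3.0, RFC 8996
# deprecates TLS 1.0 and 1.1, and NIST SP 800-131A disallows RSA keys under 2048 bits.
CURRENT_FLOOR = {"min_version": "TLSv1.2", "min_rsa_bits": 2048, "min_cipher_bits": 128}


def _rank(version):
    """Position of a version string in TLS_ORDER; unknown strings rank below SSLv3."""
    return TLS_ORDER.index(version) if version in TLS_ORDER else -1


def audit(params, floor):
    """Compare observed parameters with a policy floor.

    params: {"version": str, "cipher_bits": int, "rsa_bits": int or None}
    Returns a list of findings; an empty list means every checked item meets the floor.
    """
    findings = []
    if _rank(params["version"]) < _rank(floor["min_version"]):
        findings.append(f"protocol {params['version']} is below {floor['min_version']}")
    if params["cipher_bits"] < floor["min_cipher_bits"]:
        findings.append(
            f"cipher strength {params['cipher_bits']} bits is below {floor['min_cipher_bits']}"
        )
    rsa_bits = params.get("rsa_bits")
    if rsa_bits is None:
        # The ssl module does not expose the key size; flag it rather than silently pass.
        findings.append("RSA key size not determined (read it with: openssl x509 -noout -text)")
    elif rsa_bits < floor["min_rsa_bits"]:
        findings.append(f"RSA key {rsa_bits} bits is below {floor['min_rsa_bits']}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to host and return the negotiated version and cipher strength.

    Needs network access.  rsa_bits is returned as None because the ssl module
    does not expose the certificate's key size; audit() flags that explicitly.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name,
                    "cipher_bits": bits, "rsa_bits": None}


# Constructed sample: an endpoint built exactly to the quoted Pub. 1345 floor.
LEGACY_ENDPOINT = {"version": "TLSv1", "cipher_bits": 128, "rsa_bits": 1024}
# Constructed sample: an endpoint that meets the current floor.
MODERN_ENDPOINT = {"version": "TLSv1.3", "cipher_bits": 256, "rsa_bits": 2048}


if __name__ == "__main__":
    for label, endpoint in (("legacy", LEGACY_ENDPOINT), ("modern", MODERN_ENDPOINT)):
        print(label, "vs Pub. 1345:", audit(endpoint, PUB1345_FLOOR) or "ok")
        print(label, "vs current:  ", audit(endpoint, CURRENT_FLOOR) or "ok")
```

Run as a script, the legacy sample passes the Pub. 1345 floor and fails the current one on both protocol and key size, which is the gap a reviewer of this post would raise. Note that ssl.create_default_context() in recent Python releases refuses anything below TLS 1.2, so probe() against a legacy server fails the handshake instead of returning a finding; lower ctx.minimum_version deliberately if the goal is to document what such a server still offers.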


4. Complete a one page reflection essay on this course.

(Course Syllabus) Information Assurance

The course analyzes computer and systems security measures by examining a model for information assurance; it also examines the components of a comprehensive Information Assurance plan. Topics included are: asset identification, human factors, compliance with regulations, personnel security, risk assessment and ethical considerations, IA policy, as well as computer and network security tools.
