Expert: Steve Herrod, Masters Degree
Category: Homework
Satisfied Customers: 2397
Experience:  BA (Hons) & MA Qualifications
Resolved Question:

HI steve
Submitted: 9 months ago.
Category: Homework
Expert:  Steve Herrod replied 9 months ago.

Steve Herrod :

Hi

Customer:

I need help with an assignment.


Security Analysis Findings and Recommendations


Overview – For the first project, you researched the impact of legislation on your selected organization's information security program. For the second project, you researched the information security standards used by your selected organization. For the third project, you created a sample cyber security profile addressing the security posture of your selected organization. This final project incorporates the results from the first three projects into a final security analysis. For this final project, you will create an executive summary presentation describing your selected organization's security posture and your recommendations for improvement. You will also write a memorandum outlining your findings and your recommendations. Think of this assignment in terms of your own job. Apply the same standards and professionalism you would use for your superiors.

Learning Objective – After completing this project, students will be able to 1) create an executive level presentation, 2) write an executive level memorandum, and 3) combine seven weeks of learning material into a final product.

Media - Students will use the Internet, Microsoft PowerPoint, and Microsoft Word. Students will utilize their first three projects and all learning material from the past seven weeks.

Deliverables – There are two (2) deliverables for this project. Submit your presentation and memorandum to the appropriate assignment area by the due date.

1. Your final presentation should be between 15 – 20 pages. Your executive summary presentation, at a minimum, should 1) cover the impact of legislation on your organization (3-4 slides), 2) describe the information security standards applicable to your organization (3-4 slides), and 3) summarize the key elements of your organization's cyber security profile (findings/recommendations) (3-4 slides). You should also have a cover slide, an agenda slide, a summary/conclusion slide(s), and a reference slide (using proper APA guidelines). Use the notes pages to complete the slides. Your presentation and notes pages should stand alone so that you do not have to "present" the slides for the reader to understand your intent.

2. Your executive summary memorandum should be at least two (2) full pages, double-spaced, 1-inch margins, and Times New Roman 12-pitch font. Memorandums not meeting the two full-page minimum will lose points. Your memorandum should, at a minimum, include a summary of the three (3) major areas of your executive presentation (see above).

Rubric – Project #4: Security Analysis Findings and Recommendation

Each criterion below is scored as Poor (1-2), Good (3-4), or Excellent (5).

Executive Summary Presentation: Security Analysis Findings
Qualities & Criteria: Impact of legislation; Information Security Standards; Cyber Security profile
Weight: 15% of assignment grade

    Poor (1-2):
    a. The presentation does not describe any findings.
    b. The presentation includes less than two (2) findings and/or family controls are not described accurately.
    c. Text is repetitious.
    d. Information seems to be disorganized and has little to do with the main topic.

    Good (3-4):
    a. The presentation includes a description of less than three findings and/or the description of the findings is not accurate.
    b. The presentation includes less than three findings and/or they are not described accurately.
    c. Ideas are clear, but there is a lack of extra information.
    d. Information relates to the main topic. Details and amount of information are sparse.

    Excellent (5):
    a. The paper includes an accurate description of all three findings.
    b. The paper includes three findings and they are accurately described.
    c. Ideas are clear, original, and focused. Main idea stands out, along with details.
    d. Sufficient information is included. Information clearly relates to the main thesis. It includes several supporting details and/or examples.

Executive Summary Presentation: Format
Qualities & Criteria: Number of slides; other slides
Weight: 5% of assignment grade

    Poor (1-2):
    · Presentation uses 15-20 slides
    · Presentation contains less than 3 slides for each of the three areas. Less than 3 areas are covered.
    · Presentation has 3 or more missing: cover, agenda, summary and reference slide

    Good (3-4):
    · Presentation uses 15-20 slides
    · Presentation contains at least 3 slides for only two of the three areas
    · Presentation has 1-2 missing: cover, agenda, summary and reference slide

    Excellent (5):
    · Presentation uses 15-20 slides
    · Presentation contains at least 3 slides for each of the three areas
    · Presentation has a cover, agenda, summary and reference slide

Executive Summary Memo: Introduction
Qualities & Criteria: Title; Objective or Thesis; Problem statement; Topic.
Weight: 5% of assignment grade

    Poor (1-2):
    a. There is no reference to the topic, problem, or audience.
    b. There is no statement of thesis or objective of the research.
    c. The title is inappropriate and does not describe the topic.

    Good (3-4):
    a. The writer makes the reader aware of the overall problem, challenge, or topic to be examined.
    b. Thesis is stated but clarity and/or focus could be better.
    c. The title does not adequately describe the topic.

    Excellent (5):
    a. The writer introduces the topic and its relevance to (1) the discipline; and (2) the chosen audience. The introduction lays groundwork for the direction of the assignment.
    b. Thesis or objective is clearly stated and appropriately focused.
    c. Main idea stands out, along with details.
    d. The title is appropriate and adequately describes the topic.

Executive Summary Memo: Security Analysis Findings
Qualities & Criteria: Structure; Flow; Organization and Development
Weight: 15% of assignment grade

    Poor (1-2):
    a. The paper does not describe any controls.
    b. The paper includes less than two (2) findings and/or they are not described accurately.
    c. Text is repetitious.
    d. Information seems to be disorganized and has little to do with the main topic.
    e. Sentences and paragraphs do not clearly or effectively relate to the assignment.
    f. Examples are either lacking or ineffective; i.e., they do not relate to the main idea in the assignment or paragraph.

    Good (3-4):
    a. The paper includes a description of less than three findings and/or the description of the two is not accurate.
    b. The paper includes less than three findings and/or one or more findings are not described accurately.
    c. Ideas are clear, but there is a lack of extra information.
    d. Information relates to the main topic. Details and amount of information are sparse.
    e. Sentences and paragraphs generally, though not always, relate to the thesis or controlling idea.

    Excellent (5):
    a. The paper includes an accurate description of all three findings.
    b. The paper includes three findings and they are accurately described.
    c. Ideas are clear, original, and focused. Main idea stands out, along with details.
    d. Sufficient information is included. Information clearly relates to the main thesis. It includes several supporting details and/or examples.
    e. Sentences and paragraphs clearly and effectively relate to and support the thesis.

Executive Summary Memo: Conclusions
Qualities & Criteria: Synthesis of ideas.
Weight: 10% of assignment grade

    Poor (1-2):
    a. There is little or no indication that the writer tried to synthesize the information or draw conclusions based on the literature under review.

    Good (3-4):
    a. The writer provides concluding remarks that show an analysis and synthesis of ideas and information. Some of the conclusions, however, are not supported in the body of the review.

    Excellent (5):
    a. The writer makes succinct and precise conclusions based on the review of literature.
    b. Insights into the problem/topic are appropriate.
    c. Conclusions are strongly supported within the assignment.

Executive Summary Memo: Research and Analysis
Qualities & Criteria: Weaving together literature through the assignment that provides exploration/explanation
Weight: 35% of assignment grade

    Poor (1-2):
    a. The writer has omitted major sections of pertinent content or content runs on excessively.
    b. The writer quotes other material excessively.
    c. The ideas presented have little significance to the discipline and/or the audience.
    d. Text is repetitious.
    e. There is no central theme.
    f. Ideas in the assignment are irrelevant or not worthy of the reader's consideration.

    Good (3-4):
    a. The writer includes all the sections of pertinent content, but does not cover them in as much depth or detail as the audience/reader expects.
    b. The writer cites sources when specific statements are made.
    c. The significance to the discipline is evident.
    d. Ideas are clear, but more information is needed.
    e. Ideas in the assignment are mostly (but not all) relevant and worthy of the reader's consideration.

    Excellent (5):
    a. The writer covers the appropriate content in depth without being redundant.
    b. The writer cites sources when specific statements are made.
    c. The significance of quotes, when used, is apparent.
    d. The length is appropriate.
    e. Ideas are clear, original, and focused. Main idea stands out, along with details.
    f. Ideas in the assignment are compelling, even original; they are not self-evident.

Clarity and Correctness of the Writing
Weight: 10% of assignment grade

    Poor (1-2):
    a. It is difficult for the reader to understand what the writer is trying to express.
    b. Writing is convoluted.
    c. Assignment contains more than 20 spelling and/or grammatical errors as well as improper punctuation.
    d. The writing is vague or it is difficult to understand what the writer is trying to express.
    e. Mistakes in grammar, spelling, and/or punctuation cause confusion and show lack of concern for quality of writing.
    f. Writing rambles; the assignment appears hastily written.

    Good (3-4):
    a. The writing is generally clear, but unnecessary words are occasionally used. Meaning is sometimes hidden.
    b. Paragraph or sentence structure is repetitive.
    c. Much of the writing is generally clear, but meaning is sometimes hidden.
    d. There are between 10 and 20 mistakes in grammar, spelling, and/or punctuation, but they do not cause confusion; they suggest negligence, not indifference.
    e. Writing might ramble; the assignment is not carefully written.

    Excellent (5):
    a. The writing is clear and concise.
    b. There are less than 10 mistakes in grammar, spelling, and/or punctuation.
    c. The writing does not ramble; the assignment is carefully written and edited.

Sources & Citations & Proper APA Format
Weight: 10% of assignment grade

    Poor (1-2):
    a. The writer does not include in-text citations for statements made in the review.
    b. References that are included in the Reference list are not cited in the text.
    c. An insufficient number of sources are cited and/or they are not accurately documented.
    d. The assignment is not written in APA style.
    e. No attention is given to people-first, non-discriminatory language.
    f. Scholarly sources are not cited in text and reference list.
    g. Sources are primarily from the popular press and/or the assignment consists primarily of personal opinions.

    Good (3-4):
    a. The writer cites sources within the body of the review and includes a corresponding References list. Some formatting problems exist or some elements are missing.
    b. Less than three (3) sources are cited. All sources are accurately documented, but some are not in the desired format.
    c. Assignment is in APA style but with some errors.
    d. The body of the assignment consists of a review of the literature.
    e. There is evidence of attention to people-first, non-discriminatory language.
    f. Most sources are scholarly and cited, but with some errors.
    g. Personal opinions are kept to a minimum though may not be delayed in the assignment.

    Excellent (5):
    a. The writer includes at least three (3) citations in the body of the review.
    b. The references in the list match the in-text citations and all are properly cited in APA style.
    c. Numerous sources are cited. All sources are accurately documented.
    d. Accurately adheres to APA style in formatting, organization, and construction, including full review of relevant literature.
    e. There is consistent use of people-first, non-discriminatory language.
    f. The majority of sources are scholarly and cited correctly in both text and reference list.
    g. Personal opinions are delayed and stated succinctly in the conclusion.


Customer:

I see that you have written on this assignment in the past. can you help me?

Steve Herrod :

should be able to - when is it needed?

Customer:

ASAP, The assignment is due Sunday but I need time to review and edit it as fit. The main part I need help in writing is the summary,

Steve Herrod :

Ok - I can have the summary with you early tomorrow

Customer:

also I need the summary to be orginal and not from a previous work

Steve Herrod :

ok

Customer:

Do you need my previous 3 assignments on the subject to write the paper?

Steve Herrod :

yes - that would be helpful

Customer:

ok, i'll send them to you now.

Steve Herrod :

thanks

Customer:

Legislation is regarded as one of the three main functions of government, which are often distinguished under the doctrine of the separation of powers. It can have many purposes such as to regulate, to authorize, to prescribe, or to provide instructions. Legislation refers to the preparation and enactment of laws by a legislative body through its lawmaking process. The legislative process includes evaluating, amending, and voting on proposed laws and is concerned with the words used in the bill to communicate the values, judgments, and purposes of the proposal. An idea becomes an item of legislative business when it is written as a bill. A bill is a draft, or tentative version, of what might become part of the written law. The Department of Veterans Affairs (VA) is a government-run military veteran benefit system with Cabinet-level status. It is an extremely large government agency operating within the Department of Defense. Creating effective administrative, technical and physical safeguards to protect personal information at the VA and developing and implementing an Information Security Program for the VA, while conforming to congressional laws, is vital to its system security policy. The aim of this paper is to identify several pieces of legislation that have impacted the Department of Veterans Affairs (VA) information security program.


There exist many legislative laws passed by Congress that have affected the VA in one way or another. According to the VA, “The VA operates the nation's largest integrated health care system, with more than 1,700 hospitals, clinics, community living centers, domiciliary, readjustment counseling centers, and other facilities” (U.S. Dept. of VA, 2007).


The Veterans Benefits, Health Care, and Information Technology Act of 2006 is one piece of legislation that strengthened security procedures at the VA, and it aims to attract and retain individuals with advanced skills in information security. According to the Government Accountability Office, “This Act requires the VA to implement agency-wide information security procedures to protect the VA's sensitive personal information and the VA’s information systems. The Act was enacted to respond to the May 2006 breach of the personal data of 26.5 million veterans caused by the theft of a VA employee’s hard drive from his home” (GAO, 2006). The Act requires that in the event of a data breach of sensitive personal information processed or maintained by the VA Secretary, the Secretary must ensure that as soon as possible after discovery either a non-VA entity or the VA’s Inspector General conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information. In addition, this Act also requires the VA to include data security requirements in all contracts with private-sector service providers that require access to sensitive personal information. All contracts involving access to sensitive personal information must include a prohibition of the disclosure of such information unless the disclosure is lawful and expressly authorized under the contract; and the condition that the contractor or subcontractor notifies the Secretary of any data breach of such information.


Government agencies are confronting an increasingly hazardous IT security environment. To address the growing number of threats, as well as the widespread deficiencies in security controls, the federal government enacted the Federal Information Security Management Act of 2002 (FISMA). This body of government was created to audit the V.A.’s information security network as well as those of other federal agencies. FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency such as the VA to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. Furthermore, according to the Department of Homeland Security, “the act requires the VA to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source” (FISMA, 2009).


The impact of legislation on the Department of Veterans Affairs information security plan has been crucial. The VA Claims, Operations and Records Efficiency Act is a bill that, if passed, will require the Department of Defense to provide certified and complete electronic records to the VA within 21 days. According to Congressman Rep. Mike Michaud, D-Maine, “The impact this bill will have is it will reduce the amount of time spent waiting for Department of Defense to provide information on a claim in a timely manner” (Congress.gov, 2013).


Congressional laws have also impacted the way that the VA does credit monitoring for all of its clients. An article published in the Federal Times states “House lawmakers are calling for sweeping reforms at the Veterans Affairs Department including credit monitoring for all veterans and their dependents whose personal information resides in VA’s database following recent revelations that multiple foreign attackers have penetrated VA networks, potentially stealing unspecified amounts of veterans’ personal data” (Johnson, 2014).


The VA is facing emerging cyber-security threats that are the result of increasingly sophisticated methods of attack and the blending of once distinct types of attack into more complex and damaging forms. The Cyber-security Enhancement Act, or H.R. 756, is a piece of legislation that addresses coordination in government, providing for a strategic plan to assess the cyber-security risk and guide federal cyber-research and development; it also gives the National Institute of Standards and Technology (NIST) responsibilities to develop security standards for federal networks and processes for agencies to follow.


The Advancing America’s Networking and Information Technology Research and Development Act of 2013, or H.R. 967, seeks to update the Networking and Information Technology Research and Development (NITRD) program. NITRD is the main program for coordinating unclassified networking and information technology research and development among federal agencies.


During the last decade and a half, the United States has been seduced by phenomenal business and economic growth enabled by the effectiveness and efficiency of high performance global, networked environments. The VA faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be intentional or unintentional. Unintentional threats can be caused by software upgrades or defective equipment that inadvertently disrupt systems, and intentional threats can be both targeted and untargeted attacks from a variety of threat sources. Sources of threats include criminal groups, hackers, terrorists, organization insiders, and foreign nations engaged in crime, political activism, or espionage and information warfare. The impact of legislation on the VA has been profound. The number of cyber-security incidents reported by federal agencies continues to rise, and recent incidents illustrate that these pose serious risks. The impact of legislation on the VA has ensured that the organization has Information Security Plans in place and ensured that the VA implements safeguards to protect confidential personal information.

References


Department of Veterans Affairs. (2007). Information Security Program (pp. 1-71). Retrieved September 11, 2013, from http://www.va.gov/


Federal Information Security Management Act (FISMA). (2009, September). In Department of Homeland Security. Retrieved October 10, 2013, from https://www.dhs.gov/federal-information-security-management-act-fisma


H.R.1729 - VA Claims, Operations, and Records Efficiency Act. (2014, April 25). In Congress.gov. Retrieved October 10, 2013, from http://beta.congress.gov/bill/113th/house-bill/1729


H.R.1163 - Federal Information Security Amendments Act of 2013. (2013, April 6). In Congress.gov. Retrieved October 10, 2013, from http://beta.congress.gov/bill/113th/house-bill/1163


Johnson, N. B. (2013, June 14). Lawmakers call for IT security reforms at VA. In Federal Times. Retrieved October 10, 2013, from http://www.federaltimes.com/article/20130614/DEPARTMENTS04/306140005/Lawmakers-call-security-reforms-VA


Veterans Benefits, Health Care, and Information Technology Act of 2006. (2009, December 18). In Government Accountability Office. Retrieved October 9, 2013, from http://www.gao.gov/assets/100/96510.html


 

Customer:

that was assignment one

Steve Herrod :

got it

Customer:

Is there a way that I send a document to you?

Steve Herrod :

if you e-mail them XXXXX@XXXXXX.XXX

Steve Herrod :

for my attention

Steve Herrod :

and include a link to this thread

Steve Herrod :

I will get them

Customer:

HI steve are you there?

Steve Herrod :

yes, am here

Steve Herrod :

can you send assignments 2 and 3?

Customer:

sure I can send them now

Steve Herrod :

thanks

Customer:

Below is Assignment 2

Customer:

Information security plays an important role in protecting the assets of an organization. As no single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. Information security policies and standards can provide an organization with an accurate security baseline and the tools to strengthen its security posture. With increasing regulatory norms being enforced for companies to ensure the confidentiality, integrity and availability of vital information assets, information security compliance has become one of the most important factors in protecting information. The Department of Veterans Affairs has in place standards for protecting information over its network servers. Every organization must consider the mandatory and recommended practices when creating its information security program and/or security policies. The Department of Veterans Affairs is no exception to this rule. The purpose of this paper is to discuss and compare the International Organization for Standardization/International Electrotechnical Commission standard (ISO/IEC 27002) to the VA system security plan standard, 800-53.


There are a number of standards available which can be used by organizations, depending on the nature of their business, to protect their vital assets. Some of the standards are FISMA, HIPAA, FIPS 200, and ISO 27002.


Two of the well-known security frameworks considered by organizations are ISO/IEC 27002 and NIST Special Publication 800-53. ISO/IEC 27002 is an information security standard; it provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems. It also provides recommendations and general principles for initiating, implementing, maintaining, and improving information security management in an organization. According to ISO/IEC 27002, it “gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment” (Information Technology, 2013).


The Security Policy Management of ISO/IEC 27002 establishes an information security policy. It also requires an organization to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. Not all of the 39 control objectives are necessarily relevant to every organization; there are instances where an entire category of control may not be necessary. The standards are also open-ended in the sense that the information security controls are suggested, leaving the door open for users to adopt alternative controls if they wish, just so long as the key control objectives relating to the mitigation of information security risks are satisfied. This helps keep the standard relevant despite the evolving nature of information security threats, vulnerabilities and impacts, and trends in the use of certain information security controls.


As stated in ISO/IEC 2007, “Access control requires Users of corporate IT systems; networks, applications and information must be individually identified and authenticated. Also user access to corporate IT systems, networks, applications and information must be controlled in accordance with access requirements specified by the relevant Information Asset Owners, normally according to the user's role” (ISO/IEC, 2005).


NIST Special Publication 800-53 is used for Certification & Accreditation of Federal Information Systems under FISMA. NIST incorporates controls from ISO 27002 with other government and non-government frameworks. The VA system security plan standard was written from and in accordance with NIST Special Publication 800-53; it covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. Controls exist in this security plan; these controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. According to NIST, “NIST Special Publication 800-53 provides automated remediation or remediation guidance of misconfigurations across heterogeneous IT infrastructure, continuously monitors IT configurations and detects high-risk changes with prioritized, actionable real-time alerts and it demonstrates, through real-time dashboards and automated reports, current, historical and trending compliance” (Dept of V.A, 2013). One major issue corporate security teams such as the V.A.'s will encounter when trying to base a program on the NIST Special Publication 800-53 Risk Management Framework is that publicly traded organizations are not bound to the same security assumptions and requirements as government agencies.


In closing, the increase in government regulation over the confidentiality, integrity and availability of sensitive information has drastically affected the operating requirements of security departments. Both the ISO/IEC 27002 and NIST Special Publication 800-53 security plans are implemented in the V.A. These new requirements require the V.A. security department to spend an increasing amount of time collecting, organizing, monitoring and reporting on event logs to detect and manage control-related activity.

References


Department of Veterans Affairs. (2007). Information Security Program (pp. 1-71). Retrieved September 11, 2013, from http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=56


 


Information technology -- Security techniques -- Code of practice for information security controls (2013, May). In ISO. Retrieved October 8, 2013, from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=54533


International Standards. (2005, June 15). In ISO/IEC 27002. Retrieved October 8, 2013, from http://webcache.googleusercontent.com/search?q=cache:dKNu3KspACoJ:www.slinfo.una.ac.cr/documentos/EIF402/ISO27001.pdf+&cd=1&hl=en&ct=clnk&gl=us


Customer:

Below is Assignment 3

Customer:

The Department of Veterans Affairs (V.A.) has implemented an Information Security Policy for all of its major and minor information systems. The V.A. team prepared this Security Assessment Summary Report in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-53A Rev 1, Risk Management Guide for Information Technology Systems. The purpose of this document is to explain security categorizations that are in place as well as explain management, technical and operational controls that are in use to protect the confidentiality, integrity, and availability of the system, as documented in the System Security Plan.


Security categorizations


NIST Special Publication 800-53A Rev 1 states that “security categorization serves as the starting point for the selection of security controls for an agency’s information system controls that are commensurate with the importance of the information and information system to the agency” (NIST 800-53 rev 1, 2010).


The Federal Information Processing Standard Publication 199 (FIPS 199) is a United States Federal Government standard that establishes security categories of information systems used by the Federal Government, one component of risk assessment. This document requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability. According to Publication 200 “FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability” (FIPS200, 2006).


The security categories are based on the potential impact on the V.A. in case certain events occur which jeopardize the information and information systems needed by the V.A to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.


Security Controls


The authoritative framework published as part of ISO 27001 and 27002 lists numerous controls, many of which are relevant to enterprises looking to manage information security risks. NIST Special Publication 800-53 Revision 3 states that “Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST 800-53 rev3, pg. 9, 2009). Controls are also the safeguards or countermeasures to avoid, counteract or minimize security risks relating to personal property or computer software. By utilizing these controls the V.A. is able to project the security risks and put security protocols in place. The following security controls are in place at the V.A. for an analysis.



Management Controls. This type of security control is for an information system and focuses on the management of risk and the management of information system security.


Operational Controls. These controls are concerned with security topics and are managed by people rather than systems.


Technical Controls. Technical Controls consist of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications. By utilizing these controls the V.A. will be able to determine risk(s) to its network system and ensure that the confidentiality, integrity, and availability of its systems are addressed. The V.A. System Security Plan has implemented the following security controls for an analysis.


Management Controls:


Security Assessment (CA-2.1)

The system managers and information system management, in close coordination with the ISO, are responsible for ensuring that SSPs are developed, reviewed annually, and maintained for each system within their area of responsibility.


Plan of Action and Milestone (CA-5.1)

The Department continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program, including the Plan of Action and Milestone: successfully remediating high-risk system security issues in its Plans of Action and Milestones, and using that process to improve VA’s information security posture.


Continuous Monitoring (CA-7.1)

Establishing effective processes for evaluating information security controls via continuous monitoring and vulnerability assessments needs to be addressed by the V.A. FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems.


Configuration Management Policy (CM-1.1)

Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide.


Baseline Configuration (CM-2.1)

Improvements to the baseline configuration were noted, but the VA has not fully developed and implemented components of its agency-wide information security risk management program to meet FISMA requirements.


Security Impact and Analysis (CM-4.1)

VA has not ensured that its information security controls are effectively monitored on an ongoing basis to include documenting significant changes to the system, conducting security impact analyses for system changes, and reporting system changes to designated organizational officials.


Technical Controls: The Government Accountability Office (GAO) states that, “Technical security standards should provide consistent implementing guidance for each computing environment. Because security policies are the primary mechanism by which management communicates its views and requirements, it is important to develop and document them” (GAO, 2007).


Access Control Policy and Procedure (AC-1.1)

According to the last audit conducted on the V.A., its operating divisions have not fully implemented elements related to (1) risk assessments, (2) policies and procedures, (3) security plans, (4) security awareness and training, (5) tests and evaluations of control effectiveness, (6) remedial actions, (7) incident handling, and (8) continuity of operations. However, the V.A. system security policy does recognize the roles and responsibilities of all individuals.


Account Management (AC-2(1).1)

Organizations accomplish this objective by designing and implementing electronic controls that are intended to prevent, limit, and detect unauthorized access to computing resources, programs, and information.


Assessment Procedures (AC-4.1)

Organizations secure their networks, in part, by installing and configuring network devices that permit authorized network service requests, deny unauthorized requests, and limit the services that are available on the network. The department had not yet fully implemented its information security program.


Least Privilege (AC-6.1)

The V.A. did not consistently configure network services and devices securely to prevent unauthorized access to and ensure the integrity of computer systems operating on its networks.


Unsuccessful Login Attempts (AC-7(2).1)

The V.A. network did not adequately control user accounts and passwords to ensure that only authorized individuals were granted access to its systems. Passwords for key VA network domains and financial applications were not consistently configured to comply with agency policy.


Security Attributes (AC-16.1)

The department did not effectively implement physical controls. These weaknesses in physical security increase the risk that unauthorized individuals could gain access to sensitive computing resources and data and inadvertently or deliberately misuse or destroy them.


Operational Controls:


Assessment Procedures (AT-1.1)

The company did not always sufficiently segregate computer functions. For example, some software developers had full access to both development and production software libraries. Testing of contingency plans for financial management systems at selected facilities was not routinely performed and documented to meet the requirements of VA policy.


Security Awareness (AT-2(1).1)

VA’s progress in fully implementing the information security program required under FISMA and following the policies issued by OMB has been mixed. For example, from 2006 to 2009, the department reported a dramatic increase in the percentage of systems for which a contingency plan was tested in accordance with OMB policy. The department continues to face challenges in resolving long-standing weaknesses in its information security controls and in fully implementing the information security program required under FISMA.


Security Training Records (AT-4.1)

Personnel are provided training in their incident response roles and will receive refresher training annually. The incident response capability is tested at least annually using tests and exercises to determine the incident response effectiveness. The testing is also documented.


Audit and Accountability Policy and Procedure (AU-1.1)

Each Operating Unit regularly reviews/analyzes audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.


Auditable Events (AU-2.1)

The Operating Unit of the V.A. employs automated mechanisms, when applicable, to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. Each Operating Unit also periodically reviews changes to access authorizations.


Content of Audit Records (AU-3(2).1)

System Auditing: System audit logs must record sufficient information to establish what events occurred, the sources, and outcomes of the events. Additional details such as type, location, and subject are also required for moderate and high risk systems. Audit logs will be maintained


In summary, this policy is aligned with the standards of NIST to achieve the highest possible levels of measurement quality and productivity. This policy includes security categorizations and lists three security controls, which are Management, Operational and Technical, and it describes how the V.A. implemented the controls. The V.A.’s Cyber Security Policies support real-time decision-taking for information system cyber security and will improve efficiency and the confidentiality, integrity, and availability of all security measures.


References


Guide for Assessing the Security Controls in Federal Information Systems and Technology 800-53A Rev 1. (2010, January). In National Institute of Standards and Technology. Retrieved September 27, 2013


Minimum Security Requirements for Federal Information and Information Systems. (2006, March). In FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION (FIPS 200). Retrieved September 27, 2013, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf


Recommended Security Controls for Federal Information Systems and Organizations. (n.d.). In NIST Special Publication 800-53 Revision 3. Retrieved August 29, 2009, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf


Standards for Security Categorization of. (2004, February). In FIPS PUB 199. Retrieved September 25, 2013, from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf


Customer:

Assignment 3

Steve Herrod :

thanks - got them

Customer:

Did you receive Assignment 2 and 3?

Steve Herrod :

yes, got them

Customer:

I just sent assignment 3 in a file, are you able to view it?

Steve Herrod :

yep, have all of them now

Customer:

I see that you are responding to my question but for some reason i'm not able to view anything you say. i'm going to log out and log back in ok

Steve Herrod :

ok

Customer:

hi steve

Customer:

i'm been trying to contact you, do you receive my 3 assignments

Steve Herrod :

Yes - just finishing the written memorandum

Customer:

GREAT!!!!!!!!!!!

Customer:

Thank you, is it orginial?

Steve Herrod :

yes

Steve Herrod :

worked from your assignments to create one

Customer:

thank you, XXXXX XXXXX in a bonus also

Customer:

ok, thank you, XXXXX XXXXX you later

Steve Herrod :

This is the file

Steve Herrod :

Cheers

Steve Herrod :

Steve

Customer:

Thank you Steve, Great job. Are you going to put it on a Powerpoint slide also?


Deliverables – There are two (2) deliverables for this project. Submit your presentation and memorandum to the appropriate assignment area by the due date.


1. Your final presentation should be between 15 – 20 pages. Your executive summary presentation, at a minimum, should 1) cover the impact of legislation on your organization (3-4 slides), 2) describe the information security standards applicable to your organization (3-4 slides), and 3) summarize the key elements of your organization's cyber security profile (findings/recommendations) (3-4 slides). You should also have a cover slide, an agenda slide, a summary/conclusion slide(s), and a reference slide (using proper APA guidelines). Use the notes pages to complete the slides. Your presentation and notes pages should stand alone so that you do not have to "present" the slides for the reader to understand your intent.

Customer:

I see where you have already done this for someone else in the past. I will pay extra.

Steve Herrod :

Yes, can add it to a PowerPoint and have ready in a few hours

Customer:

ok, i'll be ok standby. thank you again.

Steve Herrod :

No problem

Steve Herrod :

Here is the presentation file

Steve Herrod :

Cheers

Steve Herrod :

Steve

Customer:

Great Job!! Thank you Steve, bonus will be included.

Steve Herrod :

No problem, you're welcome!
