
hello i have a similar project due Saturday but with the department

Customer Question

hello i have a similar project due Saturday but with the department of health and human services will you be able to help me?
Submitted: 9 months ago.
Category: Writing Homework
Expert:  Josie-Mod replied 9 months ago.

Hello,

I'm Josie and I'm a moderator for this topic.

We have been working with our professionals to try to help you with your question. Sometimes it may take a bit of time to find the right fit.

I was checking to see if you had already found your answer or if you still need assistance from one of our professionals.

Please let me know if you wish to continue waiting or if you would like for us to close your question?

Also remember that JustAnswer has a multitude of categories to help you with all your needs from Pet to Legal.

Thank you,

Josie~Moderator

Customer: replied 9 months ago.

Project #4: Security Analysis Findings and Recommendations

Overview – For the first project, you researched the impact of legislation on your selected organization's information security program. For the second project, you researched information security standards used by your selected organization. For the third project, you created a sample cyber security profile addressing the security posture of your selected organization. This final project incorporates the results from the first three projects into a final security analysis. For this final project, you will create an executive summary presentation describing your selected organization's security posture and your recommendations for improvement. You will also write a memorandum outlining your findings and your recommendations. Think of this assignment in terms of your own job. Apply the same standards and professionalism you would use for your superiors.

Deliverables – There are two (2) deliverables for this project. Submit your presentation and memorandum to the appropriate assignment area by the due date.

1. Your final presentation should be between 15 – 20 pages. Your executive summary presentation, at a minimum, should 1) cover the impact of legislation on your organization (3-4 slides), 2) describe the information security standards applicable to your organization (3-4 slides), and 3) summarize the key elements of your organization's cyber security profile (findings/recommendations) (3-4 slides). You should also have a cover slide, an agenda slide, a summary/conclusion slide(s), and a reference slide (using proper APA guidelines). Use the notes pages to complete the slides. Your presentation and notes pages should stand alone so that you do not have to "present" the slides for the reader to understand your intent. Every slide should have audio.

2. Your executive summary memorandum should be at least two (2) full pages, double-spaced, 1-inch margins, and Times New Roman 12-pitch font. Memorandums not meeting the two full-page minimum will lose points. Your memorandum should, at a minimum, include a summary of the three (3) major areas of your executive presentation (see above).

Rubric – Project 4: Security Analysis Findings and Recommendation

Each quality/criterion below is scored as Poor (1-2), Good (3-4), or Excellent (5).

Executive Summary Presentation: Security Analysis Findings
Qualities & Criteria: Impact of legislation; Information Security Standards; Cyber Security profile
Weight: 15% of assignment grade

Poor (1-2):
a. The presentation does not describe any findings.
b. The presentation includes less than two (2) findings and/or family controls are not described accurately.
c. Text is repetitious.
d. Information seems to be disorganized and has little to do with the main topic.
e. There is no audio.

Good (3-4):
a. The presentation includes a description of less than three findings and/or the descriptions of the findings are not accurate.
b. Ideas are clear, but there is a lack of extra information.
c. Information relates to main topic. Details and amount of information are sparse.
d. The audio is accurate but the presentation does not stand on its own OR the audio is not accurate.

Excellent (5):
a. The presentation includes an accurate description of all three findings.
b. The presentation includes three findings and they are accurately described.
c. Ideas are clear, original, and focused. Main idea stands out, along with details.
d. Sufficient information included. Information clearly relates to the main thesis. It includes several supporting details and/or examples.
e. The audio is accurate and enables the presentation to completely stand on its own.

Executive Summary Presentation: Format
Qualities & Criteria: Number of slides; other slides
Weight: 5% of assignment grade

Poor (1-2):
Presentation uses 15-20 slides.
Presentation contains less than 3 slides for each of the three areas. Less than 3 areas are covered.
Presentation has 3 or more missing: cover, agenda, summary and reference slide.
Presentation does not use audio or notes pages.

Good (3-4):
Presentation uses 15-20 slides.
Presentation contains at least 3 slides for only two of the three areas.
Presentation has 1-2 missing: cover, agenda, summary and reference slide.
Presentation uses audio OR notes pages but not both.

Excellent (5):
Presentation uses 15-20 slides.
Presentation contains at least 3 slides for each of the three areas.
Presentation has a cover, agenda, summary and reference slide.
Presentation uses audio and notes pages.

Executive Summary Memo: Introduction
Qualities & Criteria: Title; Objective or Thesis; Problem statement; Topic.
Weight: 5% of assignment grade

Poor (1-2):
a. There is no reference to the topic, problem, or audience.
b. There is no statement of thesis or objective of the research.
c. The title is inappropriate and does not describe the topic.

Good (3-4):
a. The writer makes the reader aware of the overall problem, challenge, or topic to be examined.
b. Thesis is stated but clarity and/or focus could be better.
c. The title does not adequately describe the topic.

Excellent (5):
a. The writer introduces the topic and its relevance to (1) the discipline; and (2) the chosen audience. The introduction lays groundwork for the direction of the assignment.
b. Thesis or objective is clearly stated and appropriately focused.
c. Main idea stands out, along with details.
d. The title is appropriate and adequately describes the topic.

Executive Summary Memo: Security Analysis Findings
Qualities & Criteria: Structure; Flow; Organization and Development
Weight: 15% of assignment grade

Poor (1-2):
a. The paper does not describe any controls.
b. The paper includes less than two (2) findings and/or they are not described accurately.
c. Text is repetitious.
d. Information seems to be disorganized and has little to do with the main topic.
e. Sentences and paragraphs do not clearly or effectively relate to the assignment.
f. Examples are either lacking or ineffective; i.e., do not relate to the main idea in the assignment or paragraph.

Good (3-4):
a. The paper includes a description of less than three findings and/or the description of the two are not accurate.
b. The paper includes less than three findings and/or one or more findings are not described accurately.
c. Ideas are clear, but there is a lack of extra information.
d. Information relates to main topic. Details and amount of information are sparse.
e. Sentences and paragraphs generally though not always relate to the thesis or controlling idea.

Excellent (5):
a. The paper includes an accurate description of all three findings.
b. The paper includes three findings and they are accurately described.
c. Ideas are clear, original, and focused. Main idea stands out, along with details.
d. Sufficient information included. Information clearly relates to the main thesis. It includes several supporting details and/or examples.
e. Sentences and paragraphs clearly and effectively relate to and support the thesis.

Executive Summary Memo: Conclusions
Qualities & Criteria: Synthesis of ideas.
Weight: 10% of assignment grade

Poor (1-2):
a. There is little or no indication that the writer tried to synthesize the information or draw conclusions based on the literature under review.

Good (3-4):
a. The writer provides concluding remarks that show an analysis and synthesis of ideas and information. Some of the conclusions, however, are not supported in the body of the review.

Excellent (5):
a. The writer makes succinct and precise conclusions based on the review of literature.
b. Insights into the problem/topic are appropriate.
c. Conclusions are strongly supported within the assignment.

Executive Summary Memo: Research and Analysis
Qualities & Criteria: Weaving together literature through the assignment that provides exploration/explanation
Weight: 35% of assignment grade

Poor (1-2):
a. The writer has omitted major sections of pertinent content or content runs on excessively.
b. The writer quotes other material excessively.
c. The ideas presented have little significance to the discipline and/or the audience.
d. Text is repetitious.
e. There is no central theme.
f. Ideas in the assignment are irrelevant or not worthy of the reader's consideration.

Good (3-4):
a. The writer includes all the sections of pertinent content, but does not cover them in as much depth or detail as the audience/reader expects.
b. The writer cites sources when specific statements are made.
c. The significance to the discipline is evident.
d. Ideas are clear, but more information is needed.
e. Ideas in the assignment are mostly (but not all) relevant and worthy of the reader's consideration.

Excellent (5):
a. The writer covers the appropriate content in depth without being redundant.
b. The writer cites sources when specific statements are made.
c. The significance of quotes, when used, is apparent.
d. The length is appropriate.
e. Ideas are clear, original, and focused. Main idea stands out, along with details.
f. Ideas in the assignment are compelling, even original; they are not self-evident.

Clarity and Correctness of the Writing
Weight: 10% of assignment grade

Poor (1-2):
a. It is difficult for the reader to understand what the writer is trying to express.
b. Writing is convoluted.
c. Assignment contains more than 20 spelling and/or grammatical errors as well as improper punctuation.
d. The writing is vague or it is difficult to understand what the writer is trying to express.
e. Mistakes in grammar, spelling, and/or punctuation cause confusion and show lack of concern for quality of writing.
f. Writing rambles; the assignment appears hastily written.

Good (3-4):
a. The writing is generally clear, but unnecessary words are occasionally used. Meaning is sometimes hidden.
b. Paragraph or sentence structure is repetitive.
c. Much of the writing is generally clear, but meaning is sometimes hidden.
d. There are between 10 and 20 mistakes in grammar, spelling, and/or punctuation, but they do not cause confusion; they suggest negligence, not indifference.
e. Writing might ramble; the assignment is not carefully written.

Excellent (5):
a. The writing is clear and concise.
b. There are less than 10 mistakes in grammar, spelling, and/or punctuation.
c. The writing does not ramble; the assignment is carefully written and edited.

Sources & Citations & Proper APA Format
Weight: 10% of assignment grade

Poor (1-2):
a. The writer does not include in-text citations for statements made in the review.
b. References that are included in the Reference list are not cited in the text.
c. An insufficient number of sources are cited and/or not accurately documented.
d. The assignment is not written in APA style.
e. No attention is given to people-first, non-discriminatory language.
f. Scholarly sources are not cited in text and reference list.
g. Sources are primarily from the popular press and/or the assignment consists primarily of personal opinions.

Good (3-4):
a. The writer cites sources within the body of the review and includes a corresponding References list. Some formatting problems exist or some elements are missing.
b. Less than three (3) sources are cited. All sources are accurately documented, but some are not in the desired format.
c. Assignment is in APA style but with some errors.
d. The body of the assignment consists of a review of the literature.
e. There is evidence of attention to people-first, non-discriminatory language.
f. Most sources are scholarly and cited, but with some errors.
g. Personal opinions are kept to a minimum though may not be delayed in the assignment.

Excellent (5):
a. The writer includes at least three (3) citations in the body of the review.
b. The references in the list match the in-text citations and all are properly cited in APA style.
c. Numerous sources are cited. All sources are accurately documented.
d. Accurately adheres to APA style in formatting, organization, and construction, including full review of relevant literature.
e. There is consistent use of people-first, non-discriminatory language.
f. The majority of sources are scholarly and cited correctly in both text and reference list.
g. Personal opinions are delayed and stated succinctly in the conclusion.


Expert:  Josie-Mod replied 9 months ago.
Hello

Thank you, XXXXX XXXXX continue to look for a professional to assist you. Please let me know if I can be of any further assistance while you wait.

Best,
Josie~Moderator
Customer: replied 9 months ago.

project 1

LEGISLATION IMPACTS ON THE DEPARTMENT OF HEALTH & HUMAN SERVICES



1. Introduction.



The Department of Health and Human Services (HHS) is responsible for protecting and providing all Americans essential human services (HHS, 2013). On February 24, 2006, the Government Accountability Office filed report number GAO-06-267[ALH1] “Information Security: Department of Health and Human Services Needs to Fully Implement Its Program” to the Chairman on Finance, U.S. Senate. The report outlined numerous deficiencies within the Health and Human Services Department, and specifically reported that they had the foundation for a successful program yet failed to fully implement a department-wide information security program (GAO, 2006). This paper will explore key points such as? in the 2011 Cyber Security Legislative Proposal and the proposed Cyber Security Act of 2012 (CSA2012) and investigate whether or not these two legislative pieces would have provided adequate legal guidance to HHS during their GAO examination.



2. Points of Analysis



a. Point of Analysis #1



Mr. Jim Gosler is the founding director of the Central Intelligence Agency's information technology office and is a fellow at Sandia National Laboratories. His estimate is that the federal government currently needs "10,000 to 30,000" skilled cyber security professionals, yet he estimates that the government only has approximately 1,000 employees that hold all the right skills to be an effective cyber expert in the government (NSCI, 2011). Mr. Gosler foresees that the government needs to revise its hiring process if the expectation to fill government vacancies in cybersecurity and information technology fields is serious (NSCI, 2011).


“Personnel Authorities Related to Cybersecurity Positions” is part of the 2011 Cyber Security Legislative Proposal that establishes authority to the Secretary of Homeland Security for the creation of cybersecurity jobs (NSCI, 2011). Under Section 3702 General Provisions, the Secretary determines the eligibility of an employee who is working in the information technology field and considered highly skilled by his or her current employer. This employee would be expected to assume increased responsibilities as part of this legislation (The White House, 2011). Compensation for the cybersecurity expert will be set at no less than the GS-11 (or equivalent) and meet the requirements of the E-Government Act of 2002 Section 209(b) (The White House, 2011).


In order to assist employees in obtaining degrees or certificates in information assurance and cybersecurity fields, the Secretary has the authority to award scholarships (NSCI, 2011). Under the proposed legislation, the Secretary of Homeland Security may award scholarships to civilian personnel under section 2200a of Title 10, United States Code (The White House, 2011).


The problem with the legislation is that it is vague. In the 2011 Cyber Security Legislative Proposal, it is never specified exactly what degrees and what certifications constitute a qualified information assurance/security expert (NSCI, 2011). The bottom line is that the legislation needs more definitive guidance on what degrees, certifications and technical skills are required to fulfill the government's huge position gap in the cybersecurity field (NSCI, 2011).



b. Point of Analysis #2



Due to the sensitive nature of the data that HHS handles, data breaches are a serious concern. These events can occur in various ways, and may cause financial loss to the department. More importantly, these events may be responsible for the loss of sensitive PII and PHI. According to the 2006 GAO report, HHS had numerous information security failures that could have easily led to multiple data breaches. While a failure to properly implement technological security measures may be to blame for numerous information security failures, improper security awareness and security training is also responsible for numerous failures. CSA2012 includes provisions that require departments to implement security awareness training as part of their cybersecurity program. Effective training creates an environment that fosters security-aware thinking and prevents the possibility of data breaches and may thwart other attacks.


Social engineers operate by attacking a resource that has no antivirus or firewall: people. Effective social engineers can pose as individuals from an organization’s IT department, an organization’s officer, or even as a repair person. This deception can be accomplished over the phone or face-to-face, and often exploits individuals who are not security-aware. The costs of these exploits can be staggering, with incidents costing between $25,000 and $100,000 on average. (Schwartz, 2011) In addition to social engineering attacks, individuals who are not security aware run the risk of falling prey to phishing and whaling. This can result in a data breach as well as the possibility of the individual’s identity being stolen.



c. Point of Analysis #3



In order to combat the constantly rising number of cyber threats and attacks, proper assessment of these threats is crucial. Organizations must develop and conduct targeted risk assessments and operational evaluations. These risk assessments must be conducted with the express intent to explore threats, vulnerabilities, risks, and the probability of a catastrophic incident across all critical infrastructure sectors (Cybersecurity Act of 2012, p.12[ALH2] ). The goal is to determine which section of infrastructure is facing the greatest immediate risk. It is necessary to utilize various threat models, simulations, and analysis techniques to determine the possible weak areas of an organization. The assessments should include the following areas of evaluation: the assessed threats, the adversary’s capabilities, impact, and the organization’s overall preparedness. The evaluation will explore the threat’s possible impact on national security, economy, public health, and other critical infrastructure located in and outside of the United States. How prepared an organization is to take on threats and attacks depends on risk assessments and evaluations. Risk assessments and evaluations will help subject matter experts within the organization or from the Department of Homeland Security (DHS) in designing the most effective and comprehensive incident response plan. Risks assessments can reduce incident response time and help to rapidly secure the infrastructure from further damage and save human lives. The completed evaluations of risk assessments will help federal agencies rate the effectiveness of the organization’s security policy and incident response plan. Additionally, this legislation may assist ensuring the effectiveness of the organization’s continuity plan.



d. Point of Analysis #4



As part of the effort for the Department of Health and Human Services to implement CSA2012, the department has enforced a new policy called Information Sharing Environment (ISE) Privacy Policy in May 2013. “As part of efforts to bolster national cybersecurity, the Department of Health and Human Services is collaborating with healthcare industry groups in sharing information about threats, vulnerabilities and remedies, says Kevin Charest, HHS' chief information security officer” (McGee, 2013, para. 1). Having a collective database to share information with other agencies can help in deterring cybersecurity threats while also protecting personal information. Within health care organizations policies are incorporated in order to maintain security and protect privacy information. Although policy requirement may differ between organizations, interoperability of shared information will aid in keeping PII secure.


The Intelligence Reform and Terrorism Prevention Act of 2004 defines the term Information Sharing Environment as “an approach that facilitates the sharing of terrorism information” (IRTPA, pg 29). IRTPA is the driving force behind HHS’s new policy. The purpose of this policy HHS prepared is to provide guidance for computer systems where terrorism information may reside which may require protection. “Collaboration efforts between federal, state, local and tribal agencies and entities, help to detect, prevent, disrupt, and mitigate the effects of terrorism on the United States” (ISE Privacy Policy, 2013, pg. 3).



3. Research and Analysis



Research the impacts of your points of analysis on your selected organization's information security program and then describe how your selected organization’s security program would change should the points of analysis become legislation.



a. Impact #1



According to the Government Accountability Office (GAO) Report to the Chairman, Committee on Finance, U.S. Senate regarding the Department of Health and Human Services (HHS), they identified numerous vulnerabilities related to passwords, user accounts, and network management (GAO, 2006). Additionally, the GAO report identified weaknesses in the organization’s ability to conduct suitable background investigations (GAO, 2006). Had the May 2011 Cyber Security Legislation been passed, these identified weaknesses would have easily been averted or at least lessened due to having adequately trained and certified cyber security experts working at HHS.


Specifically, network weaknesses identified include the lack of adequate restrictions on the system administrator’s access, some services were unnecessarily available on numerous network devices, anti-virus software was not used consistently and was not up to date, insecure network devices, certain information traveling along their networks was not being , and patches were not implemented throughout their operating divisions in a timely manner (GAO, 2006). Approximately 25 percent of the tested systems at one operating division did not have up-to-date patches.


The GAO report found that easy-to-guess passwords and vendor-default passwords were a critical weakness in HHS's information security program (GAO, 2006). Other weaknesses were found, including 28 service account passwords that were set to never expire, firewall administrators sharing the administrator account, and the minimum password length in one operating division being set to zero (GAO, 2006). According to HHS Rules of Behavior, this policy, if properly implemented, would have prevented these discrepancies. Specifically, this policy states that an employee shall not use another person's account or password, and that passwords must be complex, containing a minimum of eight alphanumeric characters with at least one uppercase letter, one lowercase letter, one number, and one special character, and must not contain common words (HHS, 2013).


The Government Accountability Office identified that background investigations were not always performed (GAO, 2006). The investigation concluded that HHS did not follow their policy, finding weaknesses in background investigations conducted on contractors, non-adherence to policies, and background investigations not being consistently performed at all (GAO, 2006). In accordance with HHS Acquisition Regulation Part 304, it is a requirement to conduct background checks/investigations on employees and contractors of HHS (HHS, 2013).



b. Impact #2



The 2006 GAO report was rife with information security failures, some of which were directly related to people failing to think in a security-aware fashion. Examples include financial data that was transferred in “a privately owned vehicle and an unlocked container”, over four hundred individuals with access to a data center that they had no need to access, and individuals with access to a data center without management approval. (GAO, 2006, p. 12) The principle of least privilege was violated frequently, with examples including the ability for most users to access system configuration data and start-up scripts, as well as users having access to mainframe data at a contractor facility. (GAO, 2006) Furthermore, a failure to properly implement information security meant that “6 of 15 employees reviewed retained access privileges to the local area network after their separation from the department.” (GAO, 2006, p. 10) These examples demonstrate a significant failure to properly enforce information security, likely stemming from an environment that fails to encourage security-aware mindsets.


By making security awareness training a federally mandated requirement for federal agencies and departments, it is likely that there would be a greater number of attacks thwarted. Security awareness training would cost HHS up-front, but the pay-offs would likely be great. Security awareness training can produce a mindset that is more likely to identify attacks in progress and stop them. However, it can also shape employee and contractor behaviors to avoid actions that could result in possible security breaches.



c. Impact #3



HHS deals with sensitive information and information systems. The overall failure to ensure confidentiality, integrity, and availability has had an impact on patients and the health information of all Americans. While healthcare information isn't the main target for hackers, it was identified to be the most vulnerable according to GAO reports (White, 2013). The vulnerability didn't come from the attack itself but rather from compromised data due to human error. In the event of unforeseen information or HHS property theft, ill-prepared response and recovery procedures could increase the damage. Failure to implement or properly perform risk assessments and evaluations will create unforeseen risks, uneconomical loss of resources, ineffective security policy, and failure to remain in compliance with federal standards. According to the 2012 HITTRUST analysis, the average two year period was $2.4 million, a 15 percent increase since 2010 (White, 2013). Overall, failure to conduct risk assessments and evaluations properly will result in an ill-prepared incident response plan and an ineffective information security policy as a whole.



d. Impact #4 (if used)



The sharing of information is considered a step towards the hindrance of any kind of cybersecurity threat. It allows the collection of personal information by threat indicators outlined in the Cyber Security Act of 2012 Section 708 (6). Some threat indicators are justifiable in the collection of information in order to detect possible cyber threats. Indicators can provide recommendations on possible insider threats and external entities. This policy has provided guidance to HHS personnel on how to examine and respond to "both terrorism-related information and protected information" (ISE Privacy Policy, 2013, pg. 3).



4. Conclusion



The importance of the Department of Health and Human Services (HHS) cannot be underestimated. As the principal agency for protecting the health of all Americans and providing essential human services (HHS, 2013), establishing and maintaining an effective information assurance program is critically important to protecting the Confidentiality, Integrity, and Availability of protected information for all Americans. The Government Accountability Office report GAO-06-267 identified several factors that, if the proper legislation had been in place, would have provided a substantially better legal framework for the HHS to follow. This paper identified several areas which were what? that would have saved the Department several thousand dollars had the legislation been in place that would have regulated legal responsibilities within the HHS. The main weakness noted, failure to implement their established program, is inexcusable at any management level.


 



REFERENCES



Cybersecurity Act of 2012, S. 2105, 112th Congress. (2012). Retrieved from http://www.gpo.gov/fdsys/pkg/BILLS-112s2105pcs/pdf/BILLS-112s2105pcs.pdf

HHS Information Sharing Environment (ISE) Privacy Policy. (2013). Retrieved from http://www.hhs.gov/ocio/policy/hhs-ocio-policy-2013-0002.pdf

Intelligence Reform and Terrorism Prevention Act. (2004). Retrieved from http://www.gpo.gov/fdsys/pkg/PLAW-108publ458/pdf/PLAW-108publ458.pdf

McGee, Marianne. (February 26, 2013). HHS Collaborates on Cybersecurity. Retrieved from http://www.databreachtoday.com/hhs-collaborates-on-cybersecurity-a-5540

National Security Cyberspace Institute (NSCI). (2011). A Review of the Cybersecurity Legislative Proposal. Retrieved from http://www.nsci-va.org/WhitePapers/2011-06-15-Federal%20Cyber%20Legislative%20Proposal%20Whitepaper-K%20Stephens.pdf

Schwartz, Mathew. (September 21, 2011). Social Engineering Attacks Cost Companies. Retrieved from http://www.informationweek.com/security/vulnerabilities/social-engineering-attacks-cost-companie/231601868

The White House. (2011). Complete Cybersecurity Proposal: Law Enforcement Provisions Related to Computer Security. Retrieved from http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/law-enforcement-provisions-related-to-computer-security-full-bill.pdf

The White House. (2011). Fact Sheet: Cybersecurity Legislative Proposal. Retrieved from http://www.whitehouse.gov/sites/default/files/fact_sheet-administration_cybersecurity_legislative_proposal.pdf

United States Government Accountability Office (GAO). (2006). Information Security: Department of Health and Human Services Needs to Fully Implement Its Program (GAO Publication No. GAO-06-267). Washington, DC: U.S. Government Accountability Office. Retrieved from http://www.gao.gov/assets/250/249101.pdf

U.S. Department of Health & Human Services (HHS). (2013). About HHS. Retrieved from http://www.hhs.gov/

White, B. (24 April, 2013). Cyber attacks and security breaches in healthcare. Retrieved from http://networkingexchangeblog.att.com/enterprise-business/cyber-attacks-and-security -breaches-in-healthcare/






[ALH1] It is better to use italics to show emphasis rather than quotation marks, as the reader may think these are direct quotes.






[ALH2]Since this is not a direct quote you do not need a page number.


 


project 2


 


INFORMATION SECURITY STANDARDS FOR AN ORGANIZATION



1. Introduction.


The Federal Information Processing Standards Publication (FIPS) 140-2 and International Organization for Standardization (ISO/IEC) 19790:2012 bear numerous similarities and some differences.[DFM1][JM2] The latest revision of FIPS 140-2 was issued May 25, 2001, and ISO/IEC 19790:2012 was released in 2012. The basic premise of these two standards is to provide a framework for cryptographic module requirements that are used to protect sensitive but unclassified information within a security system (FIPS, 2012). This paper will explore the similarities and differences within the two policies in the areas of roles, services and authentication methods, multi-chip cryptographic modules, operational environment, security levels and random number generation.


2. Standards


As a government department that handles a great deal of PII and PHI, HHS needs to ensure that the technologies employed within the department are secure. FIPS 140-2 accomplishes this, as its stated objectives include “correctly implement[ing] the Approved security functions for the protection of sensitive information” (FIPS, 2001, p. 11). FIPS 140-2’s objective is ensuring a cryptographic module is secure against unauthorized access, attack, and free from errors (FIPS, 2001).


The first revision of ISO/IEC 19790:2012 was based on FIPS 140-2, so it is clear that the documents share some similarities (NIST, 2013). As ISO/IEC 19790:2012 covers much of the same ground as FIPS 140-2, ISO/IEC 19790:2012 has many of the same objectives as FIPS 140-2. Due to these factors, it is reasonable to compare these two documents and consider the differences and how incorporating these two standards may affect HHS’s cryptographic security program.


3. Points of Analysis


a. Point of Analysis #1: Roles, Services, and Authentication Methods


Cryptographic services are defined as the services, functions, or operations performed by a cryptographic module. Three services are required to be performed by a cryptographic service: show status, perform self-test, and perform approved security function (FIPS, 2001). Show status yields the current status of the module; perform self-test initiates the self-tests which are specified in section 4.9 of FIPS 140-2; and perform approved security function performs at least one approved security function as delineated in section 4.1 of FIPS 140-2 (FIPS, 2001).


All cryptographic modules should support roles for operators within an organization. A single operator may assume multiple roles. If an operator is required to maintain multiple roles, then it is required that the module maintains the role separation internally; the operator is not required to assume the authorized role to perform services where CSPs and cryptographic keys are not substituted, modified or disclosed (FIPS, 2001). There are three required operator roles for FIPS 140-2. They are the user role, crypto officer role, and the maintenance role (FIPS, 2001). The user role performs common security services, the crypto officer role performs cryptographic initialization or management functions, and the maintenance role is used to accomplish physical and/or logical maintenance services (FIPS, 2001).


A cryptographic module may require an authentication mechanism when an operator is required to access a module. The authentication verifies that the operator is authorized to shoulder the responsibilities of the role that he or she is requesting (FIPS, 2001). FIPS 140-2 identifies two types of authentication. Role-based authentication requires that one or more roles be selected by the operator, and authentication is performed on the selected role (FIPS, 2001). Identity-based authentication requires the operator to be individually identified and will authenticate the identity of the operator and the selected role or roles (FIPS, 2001). The roles, services, and authentication standards for ISO/IEC 19790:2012 are general and are similar to FIPS 140-2 (Keller, 2012).


b. Point of Analysis #2: Physical Attributes of Cryptographic Modules[DFM3][JM4]


The standards and requirements for cryptographic modules presented in both FIPS 140-2 and ISO/IEC 19790:2012 share many similarities with each other. While both publications present four levels of security requirements, the uniqueness of the ISO/IEC cryptographic module is its internationalized design (Pattinson, 2012). As the ISO/IEC standard was based on FIPS 140-2, the standard’s descriptions were modified to suit the overall perspective of international organizations. Any terminology or technical expression that applied directly to US legislation was replaced. The United States, Canada, and the United Kingdom are currently utilizing the FIPS 140-2 cryptographic module as their security backbone, while Japan and Korea currently utilize the ISO/IEC 19790:2012 cryptographic module (Pattinson, 2012). This is because ISO/IEC 19790:2012 allows freedom to use a nation’s own specifications regarding algorithm suite, protection profiles, random number generators, and key establishment techniques (Pattinson, 2012).


FIPS 140-2 defines requirements separately for single-chip, multi-chip, and multi-chip stand-alone modules. Each security level uses different enclosure materials, protective casings, protective mechanisms, and zeroing circuitry features (FIPS, 2001). Cryptographic module complexity is dictated by each security level.[JM5] For example, in comparing ISO/IEC 19790:2012 requirements with FIPS 140-2, the cryptographic module specifications are exactly the same. ISO/IEC 19790:2012 also dictates tamper detection, strong enclosures and coatings, and protection and probing from electronic fault protection (EFP) that is dependent on each security level.


c. Point of Analysis #3: Operational Environment[DFM6]


The operational environment of cryptographic modules is defined in FIPS 140-2 as the management of the hardware components, software, and firmware in order for the module to function correctly (FIPS, 2001). An operational environment may be non-modifiable, which contains firmware in ROM and/or software in a computer with I/O devices disabled. This is a key component of the operating environment.


There are several different levels of operational environments. They are: general-purpose operational environments, limited operational environments, and modifiable operational environments (FIPS, 2001). ISO/IEC 19790:2012 requirements for a cryptographic module provide guidance for the derived test requirements and separate the list of algorithms, which allows the approval authority to be defined (Keller, 2012).


d. Point of Analysis #4: Security Levels


FIPS 140-2 and ISO/IEC 19790:2012 are both used to verify cryptographic modules to one of four security levels. Both documents have roughly the same scope, but they vary in what requirements are made for each security level. Both standards share the following security requirement areas: cryptographic module specification; cryptographic module (ports and) interfaces; roles, services, and authentication; finite state model; physical security; operational environment; self-tests; and mitigation of other attacks. For the most part, these areas are quite similar between the two standards. In addition, there are a few sections that are not shared between these standards.


It is important to analyze the similarities and differences between these standards as they inform the day-to-day operations of numerous agencies and organizations. FIPS 140-2 is used in various nations including the United States of America and Canada. ISO/IEC 19790:2012 is used by the Korean and Japanese governments, among others, as the basis for their cryptographic module-testing programs. As of this writing, FIPS 140-2 has not been updated for over 12 years, whereas ISO/IEC 19790:2012 was last updated in 2012. While ISO/IEC 19790:2012 has been updated more recently than FIPS 140-2, it is also worth noting that the ISO/IEC standards are developed throughout the international community (ISO, n.d.). Additionally, ISO/IEC 19790:2012 has a number of supporting documents, which include ISO/IEC 17825, ISO/IEC 29128, and ISO/IEC 30104 (Pattinson, 2012).


e. Point of Analysis #5: Random Number Generation


When discussing cryptographic modules, it is important to discuss random number generation. Many software and hardware devices utilize random numbers as part of key generation. However, computers are generally considered to be poor true random number generators due to their decidedly non-random design architecture (Rubin, 2011). Therefore, most computers can only function as pseudo-random number generators. Poor pseudo-random number generation in a cryptographic module can be exploited if an attacker can recognize the pattern. For example, a popular website used poor random number generator practices and was vulnerable to an attack, which allowed a computer cracker to take on the identity and privileges of another user (Graham-Cumming, 2013).


3. Compare and Contrast


a. Impact #1


The notable differences between FIPS 140-2 and ISO/IEC 19790:2012 are found in security levels three and four. At Security Level 1, FIPS 140-2 and ISO/IEC 19790:2012 require a logical separation of required and optional roles and services (FIPS, 2001; Keller, 2012). Security Level 2 in both standards requires role-based OR identity-based operator authentication. FIPS 140-2 requires identity-based operator authentication for Security Levels 3 AND 4 (FIPS, 2001). ISO/IEC 19790:2012 requires identity-based operator authentication for Security Level 3 and multi-factor authentication for Security Level 4 (Keller, 2012).


b. Impact #2


The specifications for cryptographic modules defined in each security level in both documents are basically identical. The hardware specifications are clearly defined in each security level. Both standards focus on security features embedded in devices in each security level 1 through 4. It does not matter if it is a single- or multi-chip cryptographic module. Both documents focus strictly on the security features which are the most important. On the other hand, each document tailored its description of cryptographic module requirements to the different needs of the organizations that would utilize it. The ISO/IEC 19790:2012 standard allows flexibility for an organization to dictate tailored algorithms and protection profiles, whereas FIPS 140-2 is tailored to US legislation. This dissimilarity separates the ISO/IEC 19790:2012 standard from FIPS 140-2 (Pattinson, 2012). This difference is comparable to the difference between metric units of measurement and SI units of measurement. Both units of measurement accomplish the same objective, but the results are expressed differently. All in all, as long as an organization can fulfill its cryptographic physical security needs regardless of geographical setting, the FIPS 140-2 and ISO/IEC 19790:2012 standards can be a beneficial contribution to the organization.


c. Impact #3[DFM7]


The biggest differences between the ISO/IEC 19790:2012 and FIPS 140-2 cryptographic module standards are the unique specifications. Security levels 1 and 2 both have the same requirements: non-modifiable, limited, or modifiable, and control of SSPs[ALH8][JM9] for level 1. Level 2 requirements are modifiable, role-based or discretionary access control and an audit mechanism. Security levels 3 and 4 are where the differences begin. References that pertained to US legislation were removed, and reliance on the US algorithm suite was also modified so that an authority could specify its own preferred set of algorithms, protection profiles, random number generators, and key establishment techniques (Keller, 2012). FIPS 140-2 security levels 3 and 4 offer more security than ISO/IEC 19790:2012. ISO/IEC 19790:2012 does not show security requirements for levels 3 and 4 but states that its requirements on the operational environment are to be tested and configured independently by the laboratory (Keller, 2012). FIPS 140-2 has protection profiles and CC assurance levels.[JM10]


Due to HHS requirements for patient confidentiality under HIPAA,[DFM11][JM12] it is imperative that they have cryptographic modules in place to protect security data and personal identity. Without proper security implementation, HHS can be vulnerable to both internal and external threats.


d. Impact #4


Due to the sensitive nature of the data that HHS handles, it is clear that utilizing secure cryptographic modules is imperative in ensuring the security and privacy of the information they handle. Like all non-military government agencies and contractors, HHS is subject to the requirements outlined in FIPS 140-2 (FIPS, 2001). While the similarities between FIPS 140-2 and ISO/IEC 19790:2012 are undeniable, the differences may have the greatest effect on HHS. For example, one of the requirements of ISO/IEC 19790:2012 which is not shared with FIPS 140-2 is the development section. The development section requires software and firmware to be annotated or fully documented in the interest of ensuring that the cryptographic module is secure.


ISO/IEC 19790:2012 also calls out a specific section of requirements regarding software and firmware security. This section defines a number of requirements for validating and verifying the state of software and firmware and assigns the security level accordingly. FIPS 140-2 does not appear to have a similar requirement, so this may be one of its shortcomings.


e. Impact #5


In the case of FIPS 140-2, there are multiple requirements for random number generators. FIPS 140-2 has tests for random number generators including a continuous test and a cryptographic algorithm test. Additionally, FIPS 140-2 contains an annex with approved random number generators and specifications for the use of approved commercial nondeterministic random number generators. ISO/IEC 19790:2012 also contains guidelines pertinent to random number generation, but ISO/IEC 19790:2012 lists its own guidelines and algorithms for random number generators to be more relevant to the international community (Pattinson, 2012).


Due to the fact that ISO/IEC 19790:2012 and FIPS 140-2 are quite similar in regards XXXXX XXXXX number generators, it is likely that there is no appreciable difference in HHS’s selection of cryptographic technologies. However, since ISO/IEC 19790:2012 has been updated more recently than FIPS 140-2, it may be reasonable that the ISO/IEC 19790:2012 standard contains more updated information related to random number generation.


4. Conclusion


This paper explored the FIPS 140-2 and ISO/IEC 19790:2012 standards and examined security levels, roles, services and authentication methods, multi-chip cryptographic modules, operational environment, security levels and random number generation. Both standards conclusively outline the physical security of each device in accordance with security levels one through four. The requirements are exactly the same, whether it is a single- or multi-chip cryptographic module. Keller noted that the ISO/IEC 19790:2012 standard was not widely utilized and was missing a central approving authority but recognized that there IS collaboration in the international community on this standard (Keller, 2012). Keller also points out that FIPS 140-2 is the most commonly used standard but DOES NOT have a lot of support in the international community (Keller, 2012). Ultimately, FIPS 140-2 is the premier computer security standard for cryptographic modules but is not quite a 100% solution that would be accepted as the international standard.


 


 


REFERENCES



Federal Information Processing Standards Publication (FIPS). (2001). Security Requirements for Cryptographic Modules. Retrieved from http://www.nist.gov/customcf/get_pdf.cfm?pub_id=902003


Graham-Cumming, John. (2013, September 13). Why secure systems require random numbers [Weblog post]. Retrieved from http://blog.cloudflare.com/why-randomness-matters


International Organization for Standardization (ISO). (2012). Information technology—Security techniques—Security requirements for cryptographic modules. Retrieved from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=52906


International Organization for Standardization (ISO). (n.d.). How does ISO/IEC develop standards? Retrieved from http://www.iso.org/iso/home/standards_development.htm


Keller, Matt. (2012). Common criteria for crypto? Retrieved from http://www.yourcreativesolutions.nl/ICCC13/p/Cryptography/Matthew%20L.%20Keller%20-%20Common%20criteria%20on%20crypto_.pdf


National Institute for Standards and Technology (NIST). (2013, August 13). FIPS PUB 140-2 Effective 15-Nov-2001. Retrieved from http://csrc.nist.gov/groups/STM/cmvp/standards.html


Pattinson, Fiona. (2012, October 7). ISO/IEC’s Cryptographic Module work [Weblog post]. Retrieved from http://atsec-information-security.blogspot.com/2012/10/isos-cryptographic-module-work.html


Rubin, Jason M. (2011, November 1). Can a Computer Generate a Truly Random Number? Retrieved from http://engineering.mit.edu/live/news/1753-can-a-computer-generate-a-truly-random-number

[DFM1] This sentence is a little unclear.

[JM2] Better?

[DFM3] Should we all label our headings like this? Might be a good idea.

[JM4] Agree

[JM5] Need a better sentence…

[DFM6] This is Edna’s section. It needs APA formatting cleaned up. I’ll do it if you don’t want to.

[DFM7] Also Edna’s section. Same as her POA section, needs work.

[ALH8] Spell out

[JM9] What is a SSP?

[JM10] What is “CC”?

[DFM11] In her first draft, this read “HIPA.”

[JM12] HIPAA = Health Insurance Portability & Accountability Act


 


project 3


 


The Federal Information Security Management Act (FISMA) made it mandatory for organizations to create standards that comply with federal regulations. In response to FISMA, Federal Information Processing Standards Publication (FIPS) 199 and FIPS 200 were established to create standards for organizations to determine the security category of their information system(s) (National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, 2009). To apply the personalized security categorizations from FIPS 200, NIST SP 800-53 is used to apply a baseline of security controls.


This security profile will examine the Department of Health and Human Services Internal Information Security Network by applying a Security Awareness and Assessment Management Control, Access Control Technical Control, and Awareness and Training Operational Control. [Good introduction.]


 


1. SYSTEM IDENTIFICATION/SCOPE OF ASSESSMENT

1.1 System Name/Title/Unique Identifier


System Name: Department of Health and Human Services (HHS) Internal Network



1.2 Security Categorization


Based on the FIPS 199 Security Categorization, the HHS Internal Network has been categorized as HIGH because the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on HHS individuals, operations, or organizational assets (FIPS 199, 2004).


SC Internal Network = {(confidentiality, HIGH), (integrity, HIGH), (availability, HIGH)}


 


1.2.1 Information System Type


The HHS Internal Network is classified as a Major system based on the HIGH Security Categorization established from FIPS Publication 199.



1.3 Scope of Assessment


This report will focus on three selected controls and two family (sub) controls implemented to examine security awareness and training as countermeasures against cyber threats that currently exist. These three controls will be based on the current needs of HHS and will reflect controls in the management, technical, and operational families.



2. Management Control [You should describe what this is.]

2.1 Selected Control – Security Assessment and Authorization


Management controls are designed to put into place procedures and policies that enable an organization to operate in a secure fashion from the top levels down. The Security Assessment and Authorization family controls focus on creating and maintaining a security plan, establishing individuals responsible for information systems and their security, and developing plans of action and establishing milestones for the security program.



2.1.1.1 Family Control #1: CA-2 Security Assessments [You should have a description of what this family control is.]


Implementation Status: Needs to Be Fully Implemented (GAO, 2006)

NIST SP 800-53 Control: This control requires the organization to develop and implement a plan to fully assess the security program of the organization. This plan must be tailored to match the expected security level of each of the organization’s areas of focus. Additionally, this control requires the organization to create a report that contains the findings and suggestions for improvement within the organization and delivers it to the relevant authority within the organization. Relevant FISMA guidelines should be followed and relevant controls should also be reviewed in the creation of a security assessment plan.




NIST SP 800-53 Control Enhancements: This control has provisions that include independent (third-party) assessments of the organization’s security plan and provisions for in-depth security plan assessments such as penetration tests.



NIST SP 800-53A (2010) Control Expected Results: Once fully implemented, this control will ensure that security is appropriately established and maintained from the top level down for all information systems.




Implementation of Control: HHS’s implementation of this control is incomplete as of the 2006 GAO report. [Why is the control not implemented? Or what parts are not implemented?] A great deal of the failings documented in the GAO report are a result of this fact. As HHS fully implements this control, there will be greater security throughout the organization.



2.1.1.2 Family Control #2: CA-6 Security Authorization Control [Ditto]


Implementation Status: Needs to Be Fully Implemented (GAO, 2006)

NIST (2007) SP 800-53 Control: This control defines an official senior-level manager and assigns this person responsibilities and procedures that they must follow when implementing an information system. This individual is responsible for all risks and any other consequences that may arise from the implementation of an information system. This control includes the documents and procedures that are established within other portions of the CA family of Management controls.



NIST SP 800-53 Control Enhancements: None listed.



Implementation of Control: Similar to CA-2, this control was not fully implemented in HHS. A lack of responsibility and no authorizing individual has resulted in an ineffective security plan. By establishing an individual responsible for overseeing the information systems of the organization, HHS can realize improvements in information security. [Good.]


 


3. Technical Control[JM1] [You need to describe/define technical controls.]

3.1 Selected Control: Access Control


This control applies to an organization’s ability to limit information systems to only authorized users, the processes acting on behalf of an authorized user, or devices, and applies to the types of transactions and processes that an authorized user is permitted to exercise (FIPS 200, 2006). There are 22 separate Access Family Controls.


 


3.1.1.1 Family Control #1: AC-1 Access Control Policy and Procedures


This control is intended to produce the policy and procedures for the organization and is required for the effective implementation of the selected security controls and enhancements.



Implementation Status: In Place

NIST (2007) SP 800-53 Control: Create a formal, documented access control policy. This policy should address purpose, scope, roles, management commitment, responsibilities, and compliance. There must also be a formal, documented procedure that enables the employment of the access control policy and related access controls.



NIST SP 800-53 Control Enhancements: None





Implementation of Control:


Access control procedures are included as general information in the HHS Information Security Policy. HHS implements information security accounts based on user roles throughout the organization.


 


3.1.1.2 Family Control #2: AC-2 Account Management


This control specifies access controls for various users and complies with other security measures outlined in this plan (NIST SP 800-53, 2009).



Implementation Status: In Place

NIST (2007) SP 800-53 Control: Ten controls. (1) Identify account types based on individual, group, system, application, guest/anonymous, and temporary. (2) Establish group membership conditions. (3) Specify access privileges for identified authorized users. (4) Appropriate approvals are required to establish accounts. (5) Establish, activate, modify, disable, and remove accounts. (6) Specifically authorize and monitor the use of guest/anonymous and temporary accounts. (7) Notify account managers when temporary accounts are no longer needed and when users are terminated or transferred. (8) Deactivate temporary accounts that are no longer needed and accounts of users who were terminated or transferred. (9) Grant system access based on authorization, intended system usage, and other attributes that fit the mission/business function. (10) Review accounts at an organization-defined frequency.




NIST SP 800-53 Control Enhancements: Seven Control Enhancements. (1) Employ automated mechanisms to support the management of information system accounts. (2) Automatically terminate temporary and emergency accounts after an organization-defined time period. (3) Automatically disable inactive accounts after an organization-defined time period. (4) Automatically audit account creation, modification, disabling, and termination actions, and notify appropriate individuals as required. (5) Require that users log out when an account is not being used; determine normal time-of-day usage for system accounts; monitor atypical account usage; report atypical account usage to designated officials/management. (6) The information system will dynamically manage user privileges and associated access authorizations. (7) Establish and administer user account privileges in accordance with a role-based access scheme; track/monitor privileged role assignments.



NIST SP 800-53A (2010) Control Expected Results: None.




Implementation of Control:


HHS implements AC-2 by establishing specific roles for information security users. The time frame to automatically terminate temporary and emergency accounts is set to 30 days after the accounts are disabled. Accounts are disabled automatically at 1800 on the last day of contract. Inactive accounts are disabled after 30 days of inactivity. Individual accounts will automatically be locked when the account has been opened but inactive for a period of 30 minutes on unclassified networks and 15 minutes on classified networks. All user accounts will be audited on the first Monday of each quarter; role-based privileges will be audited on the fourth Monday of each quarter. [Good]


 


4. Operational Control[JM2]

Operational controls address security procedures designed and enforced by human beings (not systems). Unlike system controls, this control is in place to improve security measures on the system. This control requires management and technical controls to function as an effective system.


 


4.1 Selected Control: Awareness and Training


This section describes the operational control for the security awareness and training requirement. It is important to understand the importance of security awareness training. It is the foundation of safety for personnel and the organization. [What are the requirements of awareness and training?]


 


4.1.1.1 Family Control #1: AT-2 Security Awareness


This section describes the security awareness control.


Implementation Status: In Place

NIST (2007) SP 800-53 Control: The organization ensures that all users, including role-based users (Executives, IT Administrators, and Managers), complete the annual fiscal year awareness training (1 October to 30 September). They will ensure completion of the required information security awareness training prior to accessing any information system (HHS, 2013).




NIST SP 800-53 Control Enhancements: None




Implementation of Control:


The organization provides continuously updated and effective information security awareness training as approved by the Office of the Chief Information Officer. All roles and responsibilities, regardless of position, are required to complete self-paced training and a PowerPoint-type briefing (HHS, 2013). To successfully complete the training course, all employees will completely fill out and submit certificate of completion forms to the FISMA POC for their STAFFDIV (HHS, 2013). Contractors will fill out and submit the certification of completion form to the COTR (HHS, 2013).



4.1.1.2 Family Control #2: AT-3 Security Training


This section describes appropriate security training as defined by their significant roles and responsibilities.


Implementation Status: In Place

NIST (2007) SP 800-53 Control: The organization identifies personnel with significant information system security roles and responsibilities. Their training will be properly documented, and appropriate information system security training will be updated each fiscal year (1 October to 30 September) or as required before they are given permission to access any information system (HHS, 2013).



NIST SP 800-53 Control Enhancements:




Implementation of Control:


The organization provides different information security training based on different roles and responsibilities as approved by the Office of the Chief Information Officer. Role-based training positions such as Executives, IT Administration, and Managers will be required to complete additional information security training in accordance with the 800-53 control. Users in one of these three positions will complete the required additional information security training. To successfully complete the training course, all employees will completely fill out and submit certificate of completion forms to the FISMA POC for their STAFFDIV (HHS, 2013). Contractors will fill out and submit the certification of completion form to the COTR (HHS, 2013). [Good.]



5. CONCLUSIONS/RECOMMENDATIONS

5.1 Results of Assessment


The operational control standards that the organization has implemented meet the minimum requirement for security awareness and training and information security training. The standards state that users who do not complete their training, or fail to stay current on it, will be denied access to the HHS information system. Since HHS exclusively deals with Personally Identifiable Information (PII), users must be aware of the current threats posed to the organization.


The technical control family Access Control provided controls AC-1 and AC-2 as controls to implement throughout HHS. Implemented appropriately, these two family controls outline requirements for creating an organization security policy (AC-1) and implementing specific controls such as user role based access, group access, and account termination (AC-2).


In line with the findings of the 2006 GAO report, HHS is not compliant with the management controls outlined in this security policy assessment. Many of the security failings found in the GAO report could stem from a failure to assess HHS’s security program and the lack of an authority figure overseeing the security operations. Security must start at the top for an organization and HHS must implement these management controls to be compliant and ensure that the organization is secure due to the large amount of PII and Protected Health Information (PHI) that it handles.




5.2 Recommendations


(1) The organization should reassess its information awareness training and security training. The PowerPoint-based training is sufficient; however, the presentation would not be as effective as other agencies' simulation or interactive awareness and security training. (2) Incorporate interactive quizzes throughout the training. This would ensure users retain information. A certificate should be issued after successfully passing the quiz, and should not be downloadable and printable directly off the organization's website.


(3) Create an access control policy that specifically addresses purpose, scope, roles and responsibilities, management commitment, coordination among other organizational entities, and compliance. The establishment of a formal policy provides guidance for users, administrators, and management on the proper implementation of access control security protocols throughout the organization (AC-1) (NIST SP 800-53, 2009).


(4) Establish specific organizational time frames for the termination of user accounts. This will ensure that when an employee leaves HHS or transfers, a mechanism is in place to ensure that a confidentiality, integrity, or availability compromise is mitigated should the termination be non-voluntary (AC-2) (NIST SP 800-53, 2009).


(5) Require an automatic computer lock should a user be inactive on an unclassified machine for 30 minutes, or an automatic lock after 15 minutes on classified machines. This will prevent an unauthorized user from accessing these machines and compromising them through a Role Based Access Control (RBAC) violation from a least-privilege intrusion (AC-2) (NIST SP 800-53, 2009).


(6) HHS’s security program must be updated regularly. The security program must be reviewed regularly to ensure that it is effective and applies to current technologies. This applies to all aspects of the security program from technological measures to physical ones.


(7) A senior-level individual must be appointed to take responsibility for and authorize any information system technologies within HHS. This individual must be responsible for reviewing and researching technology for any potential risks and vulnerabilities, and then take responsibility for overseeing these systems.


References

Federal Information Processing Standards Publication (FIPS) 199. (2004). Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf


Federal Information Processing Standards Publication (FIPS) 200. (2006). Minimum Security Requirements for Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf


Government Accountability Office. (2006). Department of Health and Human Services Needs to Fully Implement Its Program. Retrieved from http://www.gao.gov/new.items/d06267.pdf


National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 3. (2009). Information Security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf






[JM1]John’s Section






[JM2]Srun’s Section










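The two access-control recommendations in the memo above, (4) a fixed time frame for disabling the accounts of separated employees and (5) an automatic screen lock after 30 minutes of inactivity on unclassified machines and 15 minutes on classified ones, are the kind of settings an assessor can verify mechanically. The following is an added example written for this page, not code from the memo or from HHS: it audits constructed account and workstation records against those two rules. The one-day termination window, the account names, hostnames and dates are all assumptions made up for the illustration.

```python
"""Added example (not part of the posted memo): audit constructed sample data
against recommendations (4) and (5) of the memo above.

(4) separated employees' accounts must be disabled within an organisational
    time frame (the 1-day window below is an assumption, not HHS policy);
(5) workstations must auto-lock after 30 minutes of inactivity when
    unclassified and 15 minutes when classified (figures from the memo).
"""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; the memo does not specify the termination window.
TERMINATION_WINDOW_DAYS = 1
LOCK_TIMEOUT_MINUTES = {"unclassified": 30, "classified": 15}


@dataclass
class Account:
    username: str
    separated_on: Optional[date]   # None while the person is still employed
    disabled_on: Optional[date]    # None while the account is still enabled


@dataclass
class Workstation:
    hostname: str
    classification: str                  # "unclassified" or "classified"
    lock_timeout_minutes: Optional[int]  # None means no auto-lock is configured


def check_terminations(accounts, today):
    """Return usernames of separated employees whose accounts were not disabled
    within TERMINATION_WINDOW_DAYS. Accounts that are still enabled are judged
    against 'today', so an open finding keeps being reported until it is fixed."""
    findings = []
    for acct in accounts:
        if acct.separated_on is None:
            continue
        deadline = acct.separated_on + timedelta(days=TERMINATION_WINDOW_DAYS)
        effective = acct.disabled_on if acct.disabled_on else today
        if effective > deadline:
            findings.append(acct.username)
    return findings


def check_session_locks(workstations):
    """Return hostnames whose auto-lock timeout is missing, unknown, or longer
    than the limit for the machine's classification."""
    findings = []
    for ws in workstations:
        limit = LOCK_TIMEOUT_MINUTES.get(ws.classification)
        if limit is None:
            findings.append(ws.hostname)   # unknown classification: flag for review
        elif ws.lock_timeout_minutes is None or ws.lock_timeout_minutes > limit:
            findings.append(ws.hostname)
    return findings


# Constructed sample records (hypothetical names, hosts and dates).
SAMPLE_ACCOUNTS = [
    Account("jdoe", None, None),                              # still employed
    Account("asmith", date(2013, 10, 1), date(2013, 10, 1)),  # disabled same day: compliant
    Account("bjones", date(2013, 10, 1), date(2013, 10, 4)),  # disabled 3 days later: late
    Account("cwhite", date(2013, 10, 5), None),               # never disabled: open finding
]
SAMPLE_WORKSTATIONS = [
    Workstation("ws-unclass-01", "unclassified", 30),  # compliant
    Workstation("ws-unclass-02", "unclassified", 60),  # timeout too long
    Workstation("ws-class-01", "classified", 15),      # compliant
    Workstation("ws-class-02", "classified", None),    # no lock configured
]


def run_audit(today=date(2013, 10, 9)):
    """Run both checks over the sample data and return the findings."""
    return {
        "late_terminations": check_terminations(SAMPLE_ACCOUNTS, today),
        "weak_session_locks": check_session_locks(SAMPLE_WORKSTATIONS),
    }


if __name__ == "__main__":
    for name, hits in run_audit().items():
        print(f"{name}: {hits}")
```

In practice the sample lists would be replaced by exports from the directory service and the endpoint configuration baseline; the point of the check is that an account still enabled past its deadline is reported on every run, not only on the day it was missed.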
Expert:  Josie-Mod replied 9 months ago.
Hello again :)

We are still working with our professionals to find you the best possible match. But I wanted to touch base to see if you were still needing our professionals' assistance.

Please let me know if you would like to continue to wait or if you would like to cancel your question at this time. We sincerely XXXXX XXXXX the extended wait time.

Thank you,

Josie~Moderator
Customer: replied 9 months ago.

Yes, this project was once answered back in June 2013.

Customer: replied 9 months ago.

i've started the ppt slides which i've attached

Expert:  Gnaritas replied 9 months ago.

Hello are you being assisted? If not please answer the following questions:

What day and time is the project due?

How many pages or words are required?

How many references are required?

APA?

Is there any additional information required to complete the assignment?

Customer: replied 9 months ago.


It's due on Saturday. I've already started the ppt, which I can attach. The summary memo must be 2 full pages and APA. As far as references, I would say at least 5, and I can add additional ones. The slides must reflect projects 2 and 3. Were you able to see the ppt?

Expert:  Gnaritas replied 9 months ago.
No, I was not able to see the PowerPoint. For clarification what time on Saturday (morning, afternoon, or evening). Your part of the project is how many pages? The project is about health. Is there anything else I need to know to complete it?
Customer: replied 9 months ago.

Attachment: 2013-10-09_180354_security.ppt

Saturday evening, and it's about the Department of Health and Human Services and how it relates to cybersecurity. I must have 3 impacts of legislation and 3 information security standards, which is all detailed in the rubrics. Do you have an email address to which I can send you the ppt?


I was able to attach the ppt.

Expert:  Gnaritas replied 9 months ago.

Okay, I'm on it. I'll contact you periodically when I have questions.

Customer: replied 9 months ago.

Thank you

Expert:  Gnaritas replied 9 months ago.
You are welcome.
Customer: replied 8 months ago.

Hey, are you unable to answer the homework?

Expert:  Gnaritas replied 8 months ago.
Customer: replied 8 months ago.

Hi, I wasn't trying to rush you. I had gotten an email stating my question couldn't be answered.

Customer: replied 8 months ago.

This is awesome work, thank you so much. I will recommend you personally for any future work.

Expert:  Gnaritas replied 8 months ago.

Thank you very much, glad I could help.
