3.4.1 Control Methods
Security controls include the utilization of technical and nontechnical strategies (NIST, 2002). Technical controls are protections that are consolidated into computer hardware, software, or firmware, such as access control mechanisms, identification, encryption techniques, and intrusion detection software. Nontechnical controls, on the other hand, are administrative and operational controls that include security policies; operational procedures; and physical and environmental security (NIST, 2002). SunTrust Bank should implement technical controls with respect to how information and data are encrypted, what software is used to identify any intrusion into their network and systems, and how customers/clients are verified. Concerning nontechnical controls, SunTrust administration should provide appropriate security controls for every resource and asset in the organization.
3.4.2 Control Categories
NIST classifies both technical and nontechnical control techniques as either preventive or detective. Preventive controls restrain attempts by attackers to violate security strategy and policy, and include access control enforcement, encryption, and authentication (NIST, 2002). Detective controls, however, warn of "violation or attempted violations of security such as audit trails, intrusion detection methods, and checksums" (NIST, 2002, p. 20). Hence, SunTrust Bank should endeavor to enhance their intrusion detection system (IDS) for
“Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST SP 800, 2009). These controls allow the organization to efficiently mitigate the risk arising from the use of information systems (IS) to conduct business operations and processes.
internal and external users to whom access to the organization’s network, data or other sensitive
Technical controls involve the use of technology and expertise to mitigate risk. An administrator who installs and configures a firewall and IDS to prevent attacks on the network is implementing a technical security control. Management controls use planning and assessment methods to reduce risk, such as conducting risk assessments, vulnerability assessments, and penetration testing. Lastly, operational controls are implemented by people. Having awareness training and a contingency plan is a way of implementing operational controls (Darril
Technical Safeguards: They control access to the computer systems and safeguard electronically transmitted PHI when it is sent over the network.
4. When thousands of employees telecommute and work in virtual offices, there are benefits to the environment. Discuss the environmental impact of the Cisco telecommuting and virtual offices solution.
For example, a clerk will only be able to access a limited amount of information, such as inventory at each store. The limitations will be different for an accountant or the managers. All information will be protected with several different layers of security. The first layer will be simple hardware protection for access to the network; from there the security will increase with password protection and restrictions on users (Merkow & Breithaupt, 2006).
In the past, academic and administrative computer systems were isolated, either for security reasons or as a result of limited interconnectivity with other computers. Today, nearly any information that an administrator, teacher, student, or parent might want is available through a network connection. Course lectures are presented and viewed, and students submit their assignments, via the school's online class shell. Students and parents can view their grades online, and administrative paperwork and other information can be shared through a variety of systems. The internet is an awesome and convenient way to communicate, but it introduces
While this is a daunting task, by breaking these controls down into larger groups the basis for policies and procedures is outlined and framed. The key areas that must be met initially are the establishment of a system security plan that describes what we are implementing, as well as the security control requirements for the
The Technical Safeguard provisions consist of five broad categories: Access Controls, Audit Controls, Integrity Controls, Person or Entity Authentication, and Transmission Security (Sayles, 2013). All of these safeguards are intended to protect and secure sensitive data.
Information security enabled by technology must include the means of lowering the impact of intentional and unintentional errors entering the system and of preventing unauthorized internal or external access to the system; actions that reduce this risk include data validation, pre-numbered forms, and reviews for duplications. It is crucial that the mission plan include the provision of a disaster recovery and business continuity plan. On the other hand, there is much more intrusion activity today than ever before. Obviously, there is an increased concern about attacks through companies’ networks in an effort either to commit malice or to affect the integrity of an organization’s most valuable resource. Therefore, it is important that companies do not get complacent about their IT infrastructure security. The fact of the matter is that there is no perfect system; however, it behooves organizations to protect their information by reducing threats and vulnerabilities. Moreover, Whitman and Mattord (2010) said it best: “because businesses and technology have become more fluid, the concept of computer security has been replaced by the concept of information security. Companies
Preventive controls can be as simple as locks and keys to access sensitive areas of a building, clearances to access classified data, or the use of complex passwords with encryption. Detective controls can be as simple as cameras or motion detector systems in a building, or as complex as a network intrusion detection system (NIDS) on the network. Corrective controls, usually combined with preventive and detective controls, help reduce the damage once a risk has manifested; for example, performing regular backups limits the damage of a system crash. Below is an illustration (Figure 4-1) of the three main types of security
With the increase in threats over the past few years it is no longer acceptable for an organization to feel data is protected
Identify what you see as the main purpose of security management and discuss what is meant by the statement that ‘security measures must be commensurate with the threat’.
Customer Needs: Security systems are required by people to keep their homes safe; they give them a sense of safety for their personal belongings when they are away from home.
The purpose of an IT security policy is to provide “strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure” ("Cyberspace Policy Review", 2016).