C841 Legal Issues in Information Security PA Task 2 PDF

Title C841 Legal Issues in Information Security PA Task 2
Author Tom Braden
Course Legal Issues in Information Security
Institution Western Governors University
Pages 6

Summary

example for C841 Task 2...


Description

C841 Legal Issues in Information Security Performance Assessment Task 2

C841 LEGAL ISSUES IN INFORMATION SECURITY IHP1 Performance Assessment Task 2 Ethics and Cybersecurity Awareness


Contents
A. Ethical issues for cybersecurity
B. Ways to mitigate problems and build security awareness
C. Cited Sources


A. Ethical issues for cybersecurity

A1. Most holders of professional certifications sign and are required to abide by a code of ethics or a code of conduct. Mr. Jack Hudson, an employee of TechFite and a member of the Business Intelligence (BI) unit, is a member of the Strategic and Competitive Intelligence Professionals (SCIP). SCIP has a code of ethics that members sign and agree to conduct themselves by. As a member subject to the SCIP Code of Ethics, Mr. Hudson understands the requirements and how to distinguish between ethical and unethical practices. Within many organizations there are guidelines and a "chain of authority" for discussing situations that fall in a "grey area". When Mr. Hudson found himself faced with a dilemma such as the one he has allegedly committed, he should have sought guidance from Human Resources or from a dedicated ethics or compliance team at TechFite, if one exists. Most companies and governmental agencies have a saying such as "If you see it, report it" or something to that effect. This lets employees know that if they see and report something, even if it is against their supervisor, the report will be taken seriously and investigated, and no retaliation will be taken against them.

Another standard in use across industry is ISO 9001:2015, the standard for a quality management system. The standard ensures that policies and procedures are not just written into a document: the documentation must be created, the policies and procedures put into place, and the processes actively monitored to confirm they are being completed by the required personnel within the company. TechFite has documented policies and procedures but has not completed any of the required quality checks to verify adherence to those policies. If the policies and procedures had been followed as directed, such as the auditing of accounts or network monitoring, the misuse of elevated privileges, the network scanning, and the attempted penetration attacks would surely have been discovered.

Service Organization Control (SOC) reports and audits are another way to validate the services an organization provides. These reports verify that an organization is following industry best practices. One of these, the SOC 2 report, examines non-financial controls over the security, availability, processing integrity, confidentiality, and privacy of an organization's systems (https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html).

A1a. The Senior Analyst for the BI unit, Sarah Miller, created an environment that promoted unethical behavior. Logs show that she was conducting unauthorized scanning and attempting to penetrate other companies' networks and computers, and she directed subordinates such as Jack Hudson and Megan Rogers to do the same. Companies such as Google ("Google", n.d.) and Microsoft ("Microsoft", n.d.), and governmental agencies, have policies stating that an employee who sees or knows of an illegal or unethical action taking place has an ethical responsibility to report it. If TechFite had a program like those of Google ("Google", n.d.), Microsoft ("Microsoft", n.d.), and governmental agencies, Mr. Hudson and Ms. Rogers might have filed a report against their supervisor. If TechFite had such a program and provided employee training, other cases of illegal and unethical behavior within the company might also be reported. Having a training program and reporting procedures in place that are managed by senior staff and audited frequently will ensure that these acts do not go unchecked or unnoticed.


ISO 9001:2015 (https://www.iso.org/standard/62085.html) is important because it requires policies and procedures to be performed, documented, and audited in order to remain compliant. A company that advertises ISO 9001:2015 compliance shows its clients and partners that it possesses quality controls, assurance, and process improvement. Because the certification is built on the Plan, Do, Check, Act cycle (ISO 9001:2015), clients are assured that processes are in place to provide quality. A SOC 2 report shows that customer confidentiality, security, and privacy concerns are monitored, with controls in place to safeguard information. SOC 2 reports are defined by the American Institute of CPAs (AICPA) and focus on client confidentiality and security. Because of the allegations against TechFite, the company should re-evaluate its processes and procedures and put new ones in place, audit them to demonstrate compliance and build program maturity, and seek to have a SOC 2 report completed to assure future clients of data confidentiality. Had this been done before these allegations arose, TechFite might have been able to mitigate and respond to the issues it currently faces.

A2. The reports provided to the TechFite Chief Information Security Officer (CISO) and reviewed by Security Analyst Nadia Johnson did not provide in-depth analysis of the internal auditing of the BI unit. The reports stated that no issues or concerns were found that would impact the company. Topics omitted from the reports included account auditing, verification of user privileges, network traffic analysis, and any form of Data Loss Prevention (DLP) to stop proprietary or confidential data from being transmitted across an unsecured network. It was found that Ms. Johnson received raises because Mr. Carl Jaspers provided positive reviews to her supervisor. A search of Nadia's social media accounts showed social events she attended that were hosted by Mr. Jaspers and gifts she had received from him.

A3. The BI unit has full administrative access and privileges on all of its user accounts. The Information Technology department has not restricted accounts according to least privilege. No user training has been documented, and proper auditing and reporting procedures have not been followed. TechFite's lack of separation of duties and of proper security control policies are the main factors that led to the lax ethical behavior. Because policies are either absent or unenforced, employees have authority over multiple stages of a project and have access to data outside their departments. Proper auditing and management review are not occurring, so employees are able to carry out activities deemed unethical without repercussions within the company.

B. Ways to mitigate problems and build security awareness

B1. There are two security policies I will discuss: the principle of Least Privilege and the Bell-LaPadula Model (BLM) ("Bell-LaPadula", n.d.). Applying the principle of Least Privilege when creating user accounts within a company gives each user only the abilities required by their position. Official requests for additional access or abilities must be routed and approved before they are granted. The BLM ("Bell-LaPadula", n.d.) is an access control model for confidentiality that combines mandatory and discretionary controls. Its mandatory rules are that every subject and object carries a security label, a subject may not read an object above its own level (the simple security property, "no read up"), and a subject may not write to an object below its own level (the *-property, "no write down"). Labels can also carry need-to-know categories, so secret data is shared only with those who need it and only when it is required; this is how the model enforces separation between individuals on different projects and between different departments. The Information Technology (IT) department of TechFite created user accounts with elevated (administrative) privileges for personnel who did not require them. It also had no routing and approval policies for account creation. Accounts were created at the request of Carl Jaspers for non-existent personnel, and these accounts had access to other departments such as Payroll and Human Resources. Using the Least Privilege and Bell-LaPadula methods would have prevented users from masquerading as other users, and company and client data would have retained its confidentiality.

B2. Security Awareness Training and Education (SATE) is a key component of success within a company. Normally, before receiving a company user account, a user must accept and sign an Acceptable Use Policy (AUP). But if the employee does not understand all of the terms in the policy, they may unintentionally violate it; user training helps to mitigate this. For a user training program to be successful, it must be structured to the needs of the organization and to the needs and level of knowledge of the employees (the students). Security awareness training must include some form of proficiency check (for example a verbal question-and-answer period, a written examination, or hands-on performance exercises), and the training must be engaging. It must also be delivered by an experienced person, at regularly scheduled intervals (for example, quarterly), with attendees ranging from management to user level. Separate tracks can be created for user level, mid-grade management, senior management, and executive personnel to ensure the proper level of training for each audience.
All scheduled training sessions should be documented, reviewed, and audited. Review and audit procedures ensure the intent was achieved and provide documented evidence of employee understanding. If an employee must be retrained after attending training, it should happen quickly, with a more thorough question-and-answer session to establish correct understanding of the subject.

B2a. Security training must occur to prevent incidents. Departments such as Payroll, Supply & Logistics, and Human Resources will normally require additional training in the protection of Personally Identifiable Information (PII) and financial data. As with many IT issues, user error is one of the most frequent problems faced. A properly structured training program aimed at all employees is key to the success of TechFite's SATE program. Security awareness training should be conducted quarterly and its documentation reviewed at the quarterly management review. Preferably, the management review should take place a few days before the training, so management can review the previous quarter's training and address any issues. Providing the training, reviewing the results, and addressing any concerns before the next training event will lead to a structured, sound training program. Holding training at these intervals will also keep employees aware of and up to date with the company's processes, procedures, and best practices, and may prevent or mitigate future incidents.

B2b. Currently, Security Awareness Training and Education is not being conducted at TechFite; there is no documentation that such a program is in place. Training and education for each level of employee should be analyzed, developed, scheduled, and audited. Creating training for each company level will provide a structured security awareness program and may increase employee participation, since the material will relate to their level of responsibility. Many departments also have different security requirements, so specialized training may be necessary as well. Training must be clear, concise, understandable, and relatable to the target audience. Attendance rosters and performance records should be maintained and reviewed. Holding training at specified intervals for specified levels gives senior management the ability to hold employees responsible for their actions. Once training and assessments have occurred, employees should be monitored for compliance. Department supervisors and members of the security department should conduct both formal and informal inspections, or "walk-arounds", to ensure employees are following correct procedures. Auditing of user accounts, internal and external network traffic, and the other requirements of the system security plan should be conducted by at least two personnel who are "firewalled" off from each other. Having more than one analyst perform the audits helps validate results and confirm compliance with company policies and procedures.
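The Least Privilege and Bell-LaPadula policies from B1, together with the user-account auditing called for in B2b, as an added Python example that is not part of the original paper. The security levels, need-to-know categories, role-to-group baseline, and sample account directory are all assumed for illustration; the account names are taken from the case, but their group memberships are constructed.

```python
# Added example, not from the original paper: a small enforcement/audit model for the
# two B1 policies (Least Privilege and Bell-LaPadula) plus the user-account auditing
# called for in B2b. Levels, categories, roles, groups, and accounts are all assumed
# for illustration; they are not TechFite's actual data.
from dataclasses import dataclass

# Ordered confidentiality levels (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a level plus need-to-know categories (e.g. {"BI"}, {"HR"})."""
    level: str
    categories: frozenset


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a's categories cover b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. The object must dominate the subject."""
    return dominates(obj, subject)


@dataclass
class Account:
    username: str
    role: str
    groups: frozenset      # groups the account actually holds
    in_hr_roster: bool     # does HR know this person exists?


# Least-privilege baseline: the groups each role legitimately needs (constructed).
ROLE_GROUPS = {
    "bi_analyst": frozenset({"bi_users"}),
    "bi_senior_analyst": frozenset({"bi_users", "bi_reports"}),
    "it_admin": frozenset({"it_users", "domain_admins"}),
}


def audit_accounts(accounts):
    """Return (username, finding, details) for every account that holds groups
    beyond its role's baseline, or that has no matching HR record."""
    findings = []
    for acct in accounts:
        # Anything not in the role baseline is excess privilege; an unknown role
        # has no baseline, so every group it holds is flagged.
        excess = acct.groups - ROLE_GROUPS.get(acct.role, frozenset())
        if excess:
            findings.append((acct.username, "excess_privilege", sorted(excess)))
        if not acct.in_hr_roster:
            findings.append((acct.username, "no_hr_record", []))
    return findings


# Constructed sample directory: names from the case, group memberships assumed.
SAMPLE_ACCOUNTS = [
    Account("sarah.miller", "bi_senior_analyst",
            frozenset({"bi_users", "bi_reports", "domain_admins"}), True),
    Account("jack.hudson", "bi_analyst", frozenset({"bi_users"}), True),
    Account("megan.rogers", "bi_analyst", frozenset({"bi_users"}), True),
    # an account created for a non-existent person, with Payroll and HR access
    Account("temp.contractor7", "bi_analyst",
            frozenset({"bi_users", "payroll_ro", "hr_ro"}), False),
]


if __name__ == "__main__":
    bi_secret = Label("secret", frozenset({"BI"}))
    hr_internal = Label("internal", frozenset({"HR"}))
    # Even a "secret" BI subject cannot read HR data it holds no category for.
    print("BI secret reads HR internal:", can_read(bi_secret, hr_internal))
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(*finding)
```

The label checks show why a high clearance alone is not enough under BLM: the category set carries the need-to-know, so a BI subject is refused HR data regardless of level. The audit compares each account's actual groups against the baseline for its role, which is the check the paper says TechFite's IT department never ran, and separately flags accounts with no HR record, the pattern behind the accounts created for non-existent personnel.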

C. Cited Sources

Google. (n.d.). Policies. Retrieved November 11, 2020, from https://workspace.google.com/learnmore/security/security-whitepaper/page-2.html
Microsoft. (n.d.). Policies. Retrieved November 11, 2020, from https://www.microsoft.com/enus/corporate-responsibility/privacy
AICPA. (n.d.). SOC 2 report. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
ISO. (n.d.). ISO 9001:2015. https://www.iso.org/standard/62085.html
Bell-LaPadula - Computer Security - A brief look. (n.d.). Retrieved November 11, 2020, from https://sites.google.com/site/cacsolin/bell-lapadula...

