Research Paper: Federal Information Security Management Act

Pages: 12 (3414 words)  ·  Bibliography Sources: 10  ·  Level: Doctorate  ·  Topic: Business - Management


[. . .] Once this understanding and awareness is created, the damage that could be inflicted on the company if a criminal were able to access company information through an unprotected end-user desktop or laptop computer would be explained; for example, unauthorized systems access can result in the theft of, and damage to, vital information assets. Employees should therefore use strong passwords for all accounts and commit those passwords to memory. If that is not possible, all passwords should be stored in a secure location (i.e., not on a sticky note affixed to the monitor or the underside of the keyboard). The computer should be protected with a password-protected screen saver, and the password should not be disclosed to anyone under any circumstances.

Session comprehension and evaluation questionnaire:

Immediately after delivering ISATP security awareness content, organizations would evaluate whether the personnel comprehended the topics addressed. Additionally, the personnel primarily responsible for the daily ISATP development activities should enable attendees to evaluate the effectiveness of, and other considerations regarding, the ISATP security awareness session. These two objectives would be addressed by developing a session comprehension and evaluation questionnaire. Topics addressed in the evaluation portion of the questionnaire would include the effectiveness of the instructor, the effectiveness of the content, and the perceived value of the session and learning material.

Training program:

Perspectives on information security vary greatly depending upon the roles and responsibilities being fulfilled by each IT and business unit. Therefore, unlike the ISATP security awareness content, which commonly consists of content that is to be consumed by the entire workforce, several distinct ISATP security training sessions will need to be developed for each target ISATP audience.

Target Audience: IT security staff

Focus Area: The basis for each organization's Information Security Management Framework is business and security drivers, regulatory security requirements the organization is subject to, and best practice security standards; all of which will drive the security controls to be implemented by the organization. Ultimately, the implementation of these Security Controls as part of the Information Security Management Framework will lead the organization toward regulatory compliance.

Learning Objective: To derive an understanding of:

The business drivers for information security.

The performance of a knowledge audit.

The security systems that need to be in place.

The conduct of a security audit to ensure all security systems are working effectively.

Learning Material:

There are several business drivers for information security, including:

The ability to securely facilitate new business initiatives.

Protecting the brand or image of the organization.

Protecting customer confidence in the security of your product or the ability to conduct business securely.

Reducing costs and improving productivity by implementing and maintaining security following a robust security plan or program.

Enhancing service levels by ensuring secure operations.

The direction of new or growing security technologies or technologies that require secure operation and implementation.

Regulatory compliance has emerged as the biggest and most important driver of information security initiatives and spending.

The Information Security Management Framework is comprised of:

Information Security policies, procedures, and processes to support the organization's entire security environment, including people, process, and technology.

A security organization and a formal governance program for information security.

The implementation of Security Controls.

The implementation of appropriate and sufficient security tools, such as knowledge audits and security audits, and the technologies supporting these Security Controls.

The Information Security Management Framework is a continuous and ongoing effort. As business requirements and direction change, regulatory security objectives are added or changed, and technology improves and changes, the framework must be reviewed, checked, and updated to accommodate the changing security environment.

The knowledge audit would be useful in this case. A knowledge audit is a systematic examination and evaluation of organizational knowledge health, which examines the organization's knowledge needs, existing knowledge assets and resources, knowledge flows, future knowledge needs, and knowledge gaps, as well as the behavior of people in sharing and creating knowledge. In this way, a knowledge audit can reveal an organization's knowledge strengths, weaknesses, opportunities, threats, and risks. In order to transform an organization into a learning organization and ensure an effective knowledge management strategy, a knowledge audit should be conducted; it will provide the current state of the organization's knowledge capability and a direction for where and how to improve that capability in order to remain competitive in this fast-changing knowledge era.

By conducting a knowledge audit an organization can find out where it stands in terms of information security and can assess the level of learning within an organization. The organization can then identify security needs and implement security control accordingly.

The following security systems need to be implemented within an organization. An explanation of their purpose and usage is also given (Todd and Guitian, 1989).

Security Policy: This is a set of security objectives for the organization. This policy must be agreed upon and approved by upper management.

Security Organization and Governance: Involves assigning security responsibilities and accountability including a management forum for setting and approving security objectives.

Asset Management: Asset management, including the identification, classification, and control of information, hardware, and software assets, needs to be done so that fraud and theft can be readily identified.

Data Protection: Data protection is concerned with use of effective controls such as password protection and use by authorized personnel only for protecting the confidentiality, integrity, and availability of information and information resources.

Personnel Security: This would entail the management of staff; terms of employment; hiring, disciplinary, and termination processes; the inclusion of security in job descriptions and performance reviews; and security training and awareness, so that the organization is protected from personnel-related security threats.

Physical and Environmental Security: This is the security system for the human and system physical environment, including entry access controls, fire and power controls, and cable and rack security.

Communications and Operations Management: This involves securing the key aspects of managing network and system components and includes backups, anti-virus, patches, and media and laptop security.

Access Control: The objective of this security control system is the effective control of logical, physical, and remote access to information and resources. This includes the implementation of identification and authentication, authorization, and password and user management security controls on all applications and operating systems and within the networks (U.S. Department of Energy, 1992).

Logging and Monitoring: This security system is meant for the collection, aggregation, normalization, correlation, mining, and tracking of security events.

Vulnerability Management: Risk, threat, and vulnerability assessments are performed through this security system.

Incident Management: The detection, reporting, recording, handling, response, review, and management of security incidents is done in order to take immediate action on any possible threats.

Software and System Acquisition, Development, and Maintenance: The development and maintenance of software and systems for ongoing secure operation is covered by this security system.

Business Continuity Management: This is concerned with planning and defining the response in the event of a disaster or disruption to the business, to ensure continuity of operations.

Compliance: This system is kept in place to ensure compliance with security and privacy legislative requirements (Burns, n.d.).

The use of security audit:

A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions. When an employee performs a security audit, it is important to look beyond the IT systems and also consider the human interface to IT. The IT system may be perfectly secure, but users may be involved in practices that compromise the security of the IT systems in place. As a result, any audit must attempt to identify all the possible risks. The IT systems are at risk of compromise from a number of sources, including poorly managed or badly configured systems, internal users, external users, and external attackers (sometimes known as crackers or hackers).

The actual audit involves performing interviews with staff members and talking to people in a more informal manner. This element is often overlooked, yet it is quite important. Employees need to determine usage patterns and whether users have seen and read the security policy. The technical investigation stage is the active testing of the systems. Tools such as ISS, Nessus, and CyberCop offer a series of tests that have the potential to cause "Denial of Service" (DoS) conditions. The idea is to determine exactly how good the defenses that have been implemented are. If the employee manages to run through all these tests without causing any machine to fail, it is a good sign. However, before performing these tests an employee should decide whether they are really necessary, as some of the tests can potentially cause actual damage. If the employee chooses to perform the tests, then he or she needs to make sure that the systems are fully backed up and that the backups are usable.

An employee should:

Review the system logs for all systems being audited; look for usage patterns, sites that disallow or restrict user access, and possible suspicious use. It is important to check systems against known vulnerability advisories from groups such as CERT, Bugtraq, and NTBugtraq, and from other alternative groups such as L0pht. Groups like L0pht are the so-called "white hat" hacker groups; these people spend…


Cite This Research Paper:

APA Format

Federal Information Security Management Act.  (2011, September 8).  Retrieved June 25, 2019, from
