IT Security Measures Based on: Defense-in-Depth, Protections and Secured Channels: From: Miss. Bayo Elizabeth Cary, AA, BA, MLIS Oct. 22, 2017

10-22-2017









Defense-in-Depth US Government Mandated Security Measures: Methods of IT Security and How They Relate To:
Channels of Communication






Miss. Bayo Elizabeth Cary, AA, BA, MLIS
Capella University, MS Program, IAS5002
Instructor: Dr. Susan Ferebee






Unit 2 Final Assignment: "Defense in Depth" and Communication Channels Security Controls

Assignment: Scenario: The overarching goal of the Information Assurance and Security organization is to protect the company's electronic, physical, intangible, and people assets. You are the IAS analyst for XYZ company and have been tasked to develop and communicate a "defense-in-depth" strategy using various channels.

Assignment: Part I: Define Defense-in-Depth: A "defense-in-depth" strategy, according to Wikipedia, can be defined as "multiple layers of security controls (defense)" that are embedded throughout the information technology environment.

An effective "defense-in-depth" security plan begins with a thorough threat analysis to test the security of the IT systems that are already in place (Smith, 2005, p. 13). Defense-in-depth is a strategy that increases the barriers between a cyber attack and the IT systems and information that your company is attempting to protect; in doing so, the additional security barriers end up ". . .raising the costs. . ." exponentially of a terror attack against the business and IT organization (Paul, 2001, p. 75). Defense-in-depth security control measures are divided into three basic areas:

⦁    Physical (Guard, Gate, Fence, Wall, Secured Entrance, Double-Locked Door, etc.);
⦁    Technical (Firewall, McAfee Computer Security Systems, Server and Offline Back-Up), and;
⦁    Administrative (Policy, Rules, Laws, Procedure).

Assignment: Part II: Define "Rich" versus "Lean" Communication Channels: Using Figure 2.5, "Comparing Rich and Lean Communication Channels" (page 43 in Essentials of Business Communications), write a 3–4 page summary evaluating each type of the communication channel and the corresponding "defense-in-depth" security control method.

Assignment: Part III: Explain the Method of Security Control and the Selected Channel:
Guffey (n.d.), in her text Essentials of Business Communications, presents information on various communication channels and how they are defined as "Rich" or "Lean," based on how reliable, personable, and facilitative the channel is in relation to the delivery of the message. Below is a list of relevant factors that provide some guidance on which communication channel to use:

⦁    Importance of the message;
⦁    Amount and speed of feedback and interactivity required;
⦁    Necessity of a permanent record;
⦁    Cost of the channel;
⦁    Degree of formality desired;
⦁    Confidentiality and sensitivity of the message, and;
⦁    Receiver's preference and level of technical expertise. (Guffey, n.d., p. 44)

The "richness" of any communication channel, according to Guffey (n.d.) in her textbook Essentials of Business Communications, is based on how completely and fully the original message is communicated as originally intended. In Essentials of Business Communications, Guffey (n.d.) provides a list of 10 popular communication channels and how she has evaluated them, from "Rich" to "Lean":

1.    Face-To-Face Communication;
2.    Telephone;
3.    Video Chat;
4.    Email;
5.    IM;
6.    Letter;
7.    Memo;
8.    Blog;
9.    Report, and;
10.    Wiki. (Guffey, n.d., p. 44)

Advantage of "Rich" Communication Channels:

In my opinion, it is always preferable, and not just in the IT field, to utilize the most reliable form of communications. It is understandable, though, that speaking to individuals face-to-face is not always possible because of long-distance business arrangements, time and money limitations, and other mitigating factors.

Disadvantage of "Lean" Communications Channels:

I have found that some of the other means of communication listed above as relatively "Rich" means to follow up with both colleagues and clients are not reliable enough, i.e., email, IM, letter, blog, and wiki.

Assignment: Part IV: Develop and Communicate a "Defense-in-Depth" Strategy using Various Channels:

A) Defense Strategy # 1: Physical Barriers, as they Relate to Communications Channels:

"Network managers should reassess their security architectures in the overall context of 'information stewardship' --and enabling defense-in-depth is a first great step" (Johnson, 2004, p. 24). Defense-in-depth security measures begin with physical barriers to keep a company's or organization's data and information safe and secure:

1.    Guard;
2.    Gate;
3.    Fence;
4.    Wall;
5.    Secured Entrance, and;
6.    Double-Lock Secured Door, etc.

B) Defensive Strategy # 2: Technical Barriers, as they Relate to Communications Channels:

Technical barriers to protect the information held at any given IT business or organization begin with the protective measures that can be installed on the various computers that interact on the local area network (LAN). There are a number of standard security protocols, related to software and programming, which are designed and regularly updated to provide defense and protection of the information contained therein:

1.    Data Encryption;
2.    Authentication Controls;
3.    Automated Data Loss Prevention Programming, and;
4.    Data Integrity Monitoring Software Controls, etc. (Dreger, 2009, p. 34)

The overall protective services provided by data integrity monitoring software controls (Data Loss Prevention, or DLP, software) must:

⦁    Crawl Saved and Active Data Applications and Programs for Data Discovery;
⦁    Search Through Data File Share Services;
⦁    Double-Check Email Communications for Viruses and Worms, etc.;
⦁    Sort through Data Recovery and other Hard Drive Software and Programs;
⦁    Work Independently from Software Security Provided by the Manufacturer, and;
⦁    Review Files Stored at Endpoints on Company Hard Disks, etc. (Randy, 2009, p. 40)
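The data-discovery, file-share, endpoint and email items in the list above can be illustrated with a small content scanner. This is an added example, not code from the cited articles or from any DLP product; the patterns, function names and sample inputs are assumptions constructed for illustration, and it looks for sensitive-data patterns only (it does not detect viruses or worms).

```python
import re
from email import message_from_string

# Card-like runs of 13-16 digits (optional space/hyphen separators) and the US SSN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked value) findings; masking keeps the report from leaking data."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def scan_email(raw):
    """Data in motion: scan the subject and every text part of one message."""
    msg = message_from_string(raw)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            chunks.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return scan_text("\n".join(chunks))

def scan_store(files):
    """Data at rest: files maps path -> content (stands in for a share or endpoint disk)."""
    return {path: hits for path, text in files.items() if (hits := scan_text(text))}

# Constructed sample inputs (a public test card number and a made-up SSN).
SAMPLE_FILES = {"share/hr/payroll.txt": "SSN 123-45-6789",
                "share/pub/readme.txt": "build 20171022"}
RAW_EMAIL = ("From: a@example.com\r\nTo: b@example.org\r\nSubject: invoice\r\n"
             "Content-Type: text/plain; charset=utf-8\r\n\r\n"
             "Card on file: 4111-1111-1111-1111\r\n")

if __name__ == "__main__":
    print(scan_store(SAMPLE_FILES))
    print(scan_email(RAW_EMAIL))
```

The Luhn check is what keeps order numbers and other long digit runs from flooding the report with false positives.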

The final technical barrier, a certitude for protecting vulnerable data that must be kept private, confidential, and secure, is data recovery. The data recovery process should store information securely and safely both offline, at off-site secured servers, and in virtual-environment backup retention services, such as "Cloud" or "Box" providers.

C) Defensive Strategy # 3: Administrative Barriers, as they Relate to Communications Channels:

New data privacy laws in the US, which are now being regulated by major US government bodies like the SEC through Sarbanes-Oxley, are the impetus for new and improved security measures and for the implementation of stronger security measures (Randy, 2009, p. 39):

"As a publicly traded company, we are now under the [Sarbanes-Oxley] 404 governance umbrella," notes Sunil Seshadri, vice president, information security, IT risk management and compliance, at NYSE Group. Section 404 of the act "talks about reasonable assurance or integrity of the financial controls," which, for the NYSE Group, means having mechanisms and processes in place to ensure the confidentiality and integrity of the data in its systems, and that access is restricted to authorized people, Seshadri explains. While Archipelago Holdings was SOX 404-compliant prior to its merger. (Allen, 2007, p. 22)

New measures regarding the rules, laws, regulations, and procedures that must be followed by US companies that hold vast amounts of data and client demographics now fall under the auspices of US governmental and financial regulations. To protect the US government in light of a potential massive information breach, which is currently projected by the US military and intelligence community as the next major terror attack planned against the US and one that must be prevented, America's IT professionals are tightening security controls.


References

Allen, Paul. (2007). Taking Data Security To Heart: The NYSE Group adopts a 'defense-in-depth' strategy to secure sensitive data and comply with Sarbanes-Oxley. Wall Street & Technology, 25, 1, p. 22-23.

Dreger, Richard. (2009). 5 Key Steps To Cyber Security. Information Week: Technologies like DLP, crypto, and strong access controls, help lock down information. 1251, p. 34.

Guffey, Mary Ellen. (n.d.). Essentials of Business Communication. Cengage Learning, 20150101. VitalBook file. Retrieved from www.cengagebrain.com

Johnson, Johna Til. (2004). Security Today Means Playing 'defense-in-depth'. Network World, 21, 33, p. 24. Retrieved from www.nwfusion.com

Paul, Brooke. (2001). Building An In Depth Defense: Workshop Security. Network Computing, 12, 14, p. 75-77.

Randy, George. (2009). An Ounce of Prevention: Analytics Brief: Data Loss Prevention. Information Week Analytics, 1235, p. 39-40.

Smith, Randy Franklin. (2005). Core Concepts: Defense In Depth. Windows IT Security, 5, 11, p. 13-15.

