Industry Comments on Proposed Cyber Standards - Information Systems
Project 3: Industry Comments on Proposed Cyber Standards

Start Here

All organizations rely on information technology to manage their data, operations, and resources. Most enterprises have a cybersecurity plan in place to handle cyberattacks, exploitations, and natural calamities, as well as damage that people cause either deliberately or accidentally.

This is the third of six sequential projects in this course. In this project, you will examine your knowledge and familiarity with managerial decisions, policies, and regulations for the workplace. More importantly, it will make you reflect on how policies should grow and evolve in tandem with newer technologies and challenges in the workplace, especially when a new regulatory environment can affect your industry.

There are six steps in this project. Begin below to review your project scenario.

Step 1: Selection of Industry and Cyber Issues

Throughout this project, you will assume the perspective of an organization in a particular industry. In order to prepare your perspective, you will complete the following:

· Select a specific industry from one of the following areas: health care, finance, telecommunications, automotive, or retail, upon which you will focus your oral statement. For example, you may choose to research the industry of grocery stores (retail) or hospitals (health care). Do not select a specific company; focus on the industry.
· Research and write a short paragraph about the cybersecurity issues you discover for your particular industry.

Once you select your industry and identify its cyber issues, submit your findings to the discussion board to get feedback from your instructor.

Step 2: Project Practice - SIMTRAY Adius: Day 1

Before you begin to develop your oral statement, it is important to understand how laws and regulations can affect a particular industry. Begin by exploring the SIMTRAY titled Adius: Find Your Way in Three Days.
SIMTRAY is a simulation that presents you with scenarios that will provide insight into the origins of issues affected by major regulatory/legal concerns facing every organization or industry. While this simulation focuses specifically on the financial industry, you will find that this exercise will help you examine the regulatory concerns for your chosen industry. Some of the issues and topics addressed in this exercise include cybersecurity policies, countermeasures, SQL injection, digital evidence, cyberattacks and cyberthreats, mobile technologies, outsourcing - security threats, cloud computing, and the Gramm-Leach-Bliley Act (GLBA).

The SIMTRAY will provide you with scores to give you a sense of how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need. Record your best score and at least one lesson learned from the exercise to include in your report at the end of the three-day simulation.

Cybersecurity Policies

The development and enforcement of cybersecurity policies are critical to the ability to protect networks and data. Such policies can be developed locally based on an organization's unique mission or requirements, or they can be broadly developed to accommodate a general audience. There are organizations that develop cybersecurity standards, which are then implemented via policies. The International Organization for Standardization (ISO) is such an organization.

While cybersecurity policies focus specifically on data and networks, management policies are also required in order to guide the activities of personnel, identify responsibilities and accountabilities, and ensure the effective operation of the organization. Often, an organization establishes a central policy structure to oversee the development and management of policies. Cybersecurity policies should be synchronized with the organization's mission and vision.
Countermeasures

Countermeasures are actions taken to minimize, mitigate, or eliminate threats to and vulnerabilities of computer systems. Countermeasures can take several forms depending on the nature and characteristics of the particular threats and how susceptible the system is to vulnerabilities. Information technology (IT) controls are a type of countermeasure that focuses on actions that can be taken to mitigate or eliminate vulnerabilities, for example, using good programming practices or restricting queries to only specific inputs. Technical countermeasures, also known as technical surveillance countermeasures (TSCMs), focus on the ability to identify or detect unauthorized electronic emanations as well as physical security vulnerabilities that put infrastructures (physical and electronic) at risk.

Digital Evidence

The predominance of digitization in all aspects of modern civilization has had a profound effect on evidence in criminal and civil cases—its collection, preservation, storage, and presentation. Today, investigators (and others who may intentionally or incidentally uncover digital evidence) must take a broad view of evidence to ensure its admissibility in courts of law.

Law enforcement has always used systems to tightly control the chain of custody of physical evidence, and those systems remain in effect today. Using those processes, law enforcement officials can devise and implement systems for similarly protecting digital forms of data and evidence against loss, theft, sabotage, and other damage that would jeopardize the use of the evidence for prosecution of the guilty parties.

Beyond simply collecting the data or other evidence in specified ways, investigators must consider the presentation of that information, assessing the likelihood of, for instance, new software rendering a particular file type unreadable. Guarding against loss of usable evidence, then, requires forethought and planning.
The resource below explores in depth the many factors at play for finding, collecting, evaluating, and storing evidence for criminal cases. Because digital data is virtually everywhere, in innumerable devices and contexts, current and future forensic investigators must possess a solid understanding of the concepts described here.

Cyberattacks and Cyberthreats

Unaddressed cyberthreats have the potential to become cyberattacks. Understanding the nature of cyberthreats, and their potential to disrupt or damage networks or systems, or to alter or steal data, is important to developing and implementing measures to thwart cyberattacks, which come in many forms.

Many cyberattacks are carried out through the use of malware, which is malicious code designed to alter computer networks or systems. A virus is a type of malware that can infect computers, propagating to other computers to perform malicious and unauthorized acts.

One way that malware is introduced into computers is through phishing and other forms of social engineering. Social engineering is the process by which actors develop and tailor communications to unwitting victims, usually via email, so that the victim believes the communications are authentic. In such cases, the victim either reveals information (e.g., passwords) that enables an actor to gain access, or the victim clicks on a hyperlink in an email that launches malware to gain access to or control of the victim's computer.

Denial of service is another type of attack—one that is accomplished in several different ways. One method is to use distributed denial-of-service (DDoS) attacks, which occur when an actor gains access to a group of computers and uses them to flood a victim's computer so that it is unable to handle the volume of communications, disabling the computer.
A SYN (synchronization) flood is another type of denial-of-service attack in which large volumes of SYN requests are sent to a victim's system, consuming so much of the system's resources that the system cannot respond to legitimate communications. Finally, large volumes of spam can be used to consume computer space and processing capacity, affecting the computer's ability to function as intended.

While there are different types of cyberattacks, there are also different motives for attacks. Attackers could be criminals, could be focused on making political statements, could be consumed with the thrill of hacking, or could be interested in stealing data for financial gain. Cyberthreat actors can also be disgruntled or motivated insiders with access that could be used to alter or steal data, or to provide unauthorized access to others. The insider threat is real, and with the uptick in instances of insiders causing significant damage, it is important to consider all potential avenues of threats and potential attacks.

Mobile Technologies

The past few years have seen an explosion in the range of devices used to wirelessly access the internet. In addition to forever altering the landscape for users, this revolution has had tremendous implications for network administrators and other computing professionals. Easy and frequent access to the internet arrives with a price: a marked increase in threats and vulnerabilities.

To ensure acceptable levels of security and privacy, policies must reflect the realities of the current situation. Now more than ever, users are bringing their own digital devices into the workplace and using them on enterprise networks. Rather than restricting users to a limited set of devices—an approach that inevitably results in reduced compliance—administrators must successfully anticipate and accommodate the various sets of challenges presented by the wide range of current and future options.
Complicating matters is the fact that there is no longer a clear distinction between personal and workplace devices. Today, it is infeasible to implement a policy that allows only company-owned devices to access internal networks, particularly since companies no longer issue cell phones and other mobile devices on a regular basis.

The attached resources provide some perspective by summarizing the recent past and the near future of mobile technologies. They also outline a general approach network experts should adopt to analyze and accommodate the rapid pace of change while protecting the assets of enterprises and their users.

Cloud Computing

[Image: Cloud Computing. Source: Microsoft]

Cloud computing refers to the use of remote servers over the internet (instead of via local servers or devices) for the purpose of sharing resources. According to the National Institute of Standards and Technology (Mell & Grance, 2011):

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (p. 2)

There are several advantages to cloud computing, including ease of use and upgrades, low capital expenditure, remote access capabilities from several locations, higher security/better data recovery, and optimized use of resources.

Cloud computing servers offer three models:

· Software as a service, or SaaS (use of Internet-based applications through web browsers)
· Platform as a service, or PaaS (use of cloud platforms that can be used to develop applications)
· Infrastructure as a service, or IaaS (use of remote infrastructure to create platforms and applications)

Cloud computing is a general term for the delivery of hosted services over the internet.
The use of cloud computing can increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Just a few examples of cloud services are:

· Dropbox
· Evernote
· Mozy
· Carbonite
· Google Docs
· Runescape

References

Mell, P., & Grance, T. (2011). Special publication 800-145: The NIST definition of cloud computing: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology. nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

Gramm-Leach-Bliley Act (GLBA)

Enacted in November 1999, the Gramm-Leach-Bliley Act (GLBA) establishes a requirement for financial institutions to protect the sensitive personal information of their customers. Also known as the Financial Services Modernization Act of 1999, GLBA "...requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data" (Federal Trade Commission, n.d.a).

The act was authored by Senator Phil Gramm and Representatives Thomas J. Bliley, Jr. and Jim Leach. GLBA contains the Safeguards Rule, which establishes the requirement for financial institutions to protect the information they collect from their consumers.

GLBA has several requirements regarding privacy protection. The first is an annual requirement for customers to receive the financial institution's privacy notice. This notice must clearly state opt-out instructions for sharing personal financial information. GLBA also puts limits on the use or redisclosure of nonpublic personal information acquired from a financial institution. And GLBA establishes requirements for securely storing personal financial information.
Institutions subject to GLBA include nonbank mortgage lenders, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services, and debt collectors (Federal Trade Commission, n.d.b).

References

Federal Trade Commission. (n.d.a). Gramm-Leach-Bliley Act. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Federal Trade Commission. (n.d.b). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act

Step 3: Project Practice - SIMTRAY Adius: Day 2

In the previous step, you started to examine the SIMTRAY, Adius: Find Your Way in Three Days. In this step, continue to focus on SIMTRAY, but document the specific type of regulatory issues you encounter in your scenario, since these same issues may be relevant to the industry you chose to examine for your oral presentation. Some of the issues and topics addressed in this exercise include cybersecurity policies, countermeasures, SQL injection, digital evidence, cyberattacks and cyberthreats, mobile technologies, outsourcing - security threats, cloud computing, and the Gramm-Leach-Bliley Act (GLBA).

The SIMTRAY will provide you with scores to give you a sense of how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need. Record your best score and at least one lesson learned from the exercise to include in your report at the end of the three-day simulation.

Step 4: Project Practice - SIMTRAY Adius: Day 3

In this step, you should continue to explore the scenarios within the SIMTRAY, Adius: Find Your Way in Three Days.
If you have not already, you will most likely encounter the following topics in this exercise: cybersecurity policies, countermeasures, SQL injection, digital evidence, cyberattacks and cyberthreats, mobile technologies, outsourcing - security threats, cloud computing, and the Gramm-Leach-Bliley Act (GLBA).

Document events that you experience in the exercise that might affect the following industries:

· health care
· finance
· telecommunications
· automotive
· retail

Think about how these issues will be affected by proposed regulation and begin to explore how you might be able to influence agencies to formulate appropriate standards favorable to a particular industry.

The SIMTRAY will provide you with scores to give you a sense of how well you are grasping the concepts. The sections are timed for 30 minutes; however, you can run the SIMTRAY as many times as you need. Compile your recorded scores, lessons learned, and documented industry issues into a one-page report.

Step 5: Assess Industry Cyber Posture and Create a Relevant Standard

Now that you have chosen your industry and you are aware of the cyber issues affecting it, it is time to identify a standard to address one of the cyber issues you identified. For example, in response to the credit card fraud in the retail industry, the bank card industry adopted the chip and PIN standard for credit cards.

Using feedback you received from your instructor in previous steps, create a cybersecurity standard relevant to your chosen industry. Refer to industry-specific regulations for additional background on existing regulations.

Create a relevant standard and write a one-page summary documenting the standard and evaluating the impact it would have on your selected issues and business operations in your industry. This summary will be included in your written comments in the following step.
Industry-Specific Regulations

Industry: Regulations

· All: Cybersecurity Information Sharing Act; CISPA; CSA; EO Executive Order 13636 – Improving Critical Infrastructure Cybersecurity; Executive Order -- Promoting Private Sector Cybersecurity Information Sharing; PDD-21 Presidential Policy Directive – Critical Infrastructure Security and Resilience
· Telecommunications: Telecommunications Act of 1996; Telecommunications Consumer Protection Act of 1991; Implementing Executive Order 13616: Progress on Accelerating Broadband Infrastructure Deployment
· Automotive: Security and Privacy in Your Car Act; http://www.autoalliance.org/auto-issues/ Cybersecurity
· Retail: Privacy Act of 1974, CSA
· Health care: HIPAA, Cybersecurity Act of 2015, HITECH
· Finance: SOX, GLBA

One-Page Summary

Research existing cybersecurity standards relevant to your chosen industry and issue from Step 1 as well as industry-specific regulations. Consider the feedback you received from your instructor in previous steps. Select a relevant standard and write a one-page summary identifying the standard that you are reviewing and evaluating the impact it has on your selected issues and business operations in your industry.

In your summary, make sure to do the following:

· Apply key points and principles in government and industry cybersecurity standards to policy recommendations.
· Analyze the technologies, uses, and roles of information assurance and software protection technologies.
· Prioritize current cybertechnological threats faced at the enterprise, national, and international levels.
· Evaluate the procedures, policies, and guidelines used to protect the confidentiality, integrity, and availability (CIA) of information.

Step 6: Submit Written Comments

Develop your final written comments for presentation at the next standards body meeting.
These comments should be between two and three pages, and they should include a paragraph on your thoughts about how your comments will be received and whether or not they will have an impact on the regulation/standard, etc.

Update the Standards Summary from the previous step according to the feedback you received. Attach the Standards Summary to your written comments. (The Standards Summary should not be included in the length requirement of the written comments.)