Thursday, 11 April 2019

Comparing recommended practices outlined in the NIST documents and drawbacks


Whitman, in his book Management of Information Security, defines security best practice as "efforts that seek to provide a superior level of performance in the protection of information". The Federal Agency Security Practices (FASP) recommend a high-level procedure for audit trails to track user activity, as well as a Sample Generic Policy. NIST further recommends controls to protect against viruses (Data Integrity) and describes how incidents are responded to, using for instance the Agency Computer Incident Response Guide or the Computer Virus Incident Response form.

For a real-life application of these Best Security Practices (BSP), an article on ZDNet by Ken Hess recommends a set of best security practices that fall in line with the NIST BSP. In the article, he lists 10 security best practices, which include: data encryption, data certification, data auditing, a removable media policy, malware security, spam filtering, an endpoint security solution, security patch maintenance and user education. When compared to the NIST BSP, there are many similarities. The NIST Best Security Practices can be seen as a "rule of thumb" for an information security expert looking to set up a good security policy for his/her firm.

Five drawbacks to adopting the recommended practices for a typical business.
Some of the disadvantages of the FASPs include:
1. Data loss occasioned by frequent editing of data during the audit trail.
2. Most of the analysis and data on data security in the Data Integrity section of the FASPs are old and need updating, as new viruses keep appearing.
3. The FASP documents are too complex for a layman to understand.
4. Under Logical Access Control, unauthorized access can cause devastating effects, as the systems can become subject to malicious activities.
5. There is potential for a conflict of interest occasioned by the signing on of a risk analyst to perform a risk assessment; and lastly, Security Awareness, Training and Education is less effective when the organization is less security aware.
References
NIST Web Archive, (2015). FASP archive. Retrieved from: http://csrc.nist.gov/groups/SMA/fasp/archive.html


Responsible use of Wireless/LAN Technology Policy


This document is intended for internal use only.

OMA Technologies is an internet service provider (ISP) with the mission of providing high quality and affordable internet service to its constituents.
Scope
The policy stated in this document is intended for the safe use of OMA Wireless Technologies. The policy addresses the safe use of the company's hardware, software, and protocols associated with WLANs. This document is intended for authorized users within OMA Technologies only and is not meant for external consumption. Authorized users are defined as anyone with granted access to OMA Technologies infrastructure.
Policy
The use of devices including laptops, smartphones and flash drives is permitted within the facilities of OMA Technologies only with prior approval from management. Internet access is restricted to job use only; personal use is not permitted. First Trade retains the right to access any data transmitted within its network. Any private use of the OMA internet service must be approved before such use. The use of non-standard devices, including hardware, software and protocols, is strictly forbidden by OMA Technologies. Accessing unauthorized websites or emails, and downloading, copying or pirating software and electronic files that are copyrighted or for which no authorization has been granted, is strictly prohibited. In the event of inappropriate use of OMA wireless technologies, OMA reserves the right to take whatever steps are necessary for the particular situation, including, but not limited to, termination of employment and legal action.

Disclaimer

OMA assumes no liability for unauthorized acts that violate local, state or federal laws. In the event of such laws being violated, OMA holds the right to terminate its relationship with the employee or violator and will provide no legal assistance in such instances.
EMPLOYEE ACKNOWLEDGEMENT FORM
I have received, read and understood the Information Security Policy. I understand that it is my responsibility to comply with it.
Printed name: ___________________________________________
Signature:  _____________________________________________
Date: __________________________________________________


References
GFI Software, (2016). Sample of internet usage policy. Retrieved from: http://www.gfi.com/pages/sample-internet-usage-policy

Whitman, E., & Mattord, J., (2010). Management of Information Security (Page 183). Cengage Textbook. Kindle Edition.

IT contingency Planning


The Special Publication on IT Contingency Planning focuses mainly on the methodology for creating a good contingency plan in the event that a risk materializes. In terms of risk management, an IT contingency plan has two vital functions: identifying the threats to and vulnerabilities of the system so that proper controls for the risk are in place, and identifying residual risk, for which a contingency plan must also be in place.

Contingency planning is seen as an element of risk management. A risk assessment identifies the system's vulnerability to attack, which necessitates the proper assignment of a risk level: high, medium, or low. The publication found that there is a strong correlation between an IT system and the business process it supports. Proper coordination between plans is necessary to align the planning process with the firm's business strategy.

Contingency planning involves the following plans:
1. Business Continuity Plan (BCP), which keeps the company in operation after an event or disaster.
2. Continuity of Operations Plan, which focuses on restoring the organization's operations.
3. IT Contingency Plan.
4. Crisis Communication Plan, which deals with an effective and efficient mode of communication after a crisis.
5. Disaster Recovery Plan.
6. Occupant Emergency Plan.
The publication also examines system architecture and the line of succession. The organization's line of succession deals with reorganizing the decision-making hierarchy in the event of a crisis.

The Ashley Madison Security Breach


The now infamous Ashley Madison website has had a successful run at helping its clientele be disloyal. So perhaps some would view it as poetic justice if the website became one of the most scandalous breaches in history at the hands of one of its own.

After thorough analysis, IT security analyst John McAfee noted recently, "yes, it is true": the website was not hacked by an outsider but rather by an insider. The article stated that there is a strong indication that the website data were stolen. Organizations have always held a strong belief that most threats to security are external, though empirical evidence has always supported the view that most attacks on security come from sources outside the firm's immediate environment. In most cases, external attacks are motivated by the desire to profit, either by selling the information on the black market or by blackmailing the firm.

The article focuses on a new trend of threats from disgruntled, unsatisfied or disengaged employees stealing sensitive data from their employers. Furthermore, the article gives another instance in which "four former Gillette Company employees" were accused of disclosing confidential information and trade secrets to a direct competitor. The trend shows that more and more firms are subject to insider attacks.


In many cases, when we talk insider threat, the person may no longer be with the company – so if you add that piece to the definition you can see why it becomes pretty big; much bigger than people probably think about.

More attention is being paid to activities within the organization, from negligent employees to suspicious activities by employees. To mitigate security breaches by employees, the article noted that changes in employee behavior can be a good indicator for spotting a potential rogue employee.

References
Weldon, D., (2015). Are your biggest security threats on the inside? Retrieved from: