C841 LEGAL ISSUES IN INFORMATION SECURITY

C841 Legal Issues in Information Security Performance Assessment Task 2 on mandatory and discretionary access control. Sharing secret data is only with those necessary and only when it is required. This policy is normally enforced by individuals on separate projects and for separation between different departments. The Information Technology (IT) department of TechFite created user accounts with elevated privileges (Administrative) for personnel that did not require such privilege. They also had no routing and approval policies for account creation. Accounts were created at the request of Carl Jaspers for non-existent personnel. These accounts had access to other departments such as Payroll and Human Resources. Using the Least Privilege and Bell-LaPadula = methods would have prevented users masquerading as other users and company/client data would have retained confidentiality. B2. Security Awareness Training and Education (SATE) is a key component of success within a company. Normally, prior to receiving a company user account, a user must accept and sign an Acceptable Use Policy (AUP). But if the employee does not understand all of the terms listed on the policy, they may unintentionally violate the policy. User training helps to mitigate this. For a program of user training to be successful, it must be structured to the needs of the organization, the needs and level of knowledge of the employees (students). Security awareness training must provide some sort of proficiency quiz or examination (i.e. verbal question and answer period, written examination, hands-on performance exercises or examination) and the training must be engaging. Security awareness training must also be provided by an experienced person, at frequently scheduled (example: quarterly), with attendees from the management to user levels. Various structures can be created to account for user level, mid-grade management, senior management and executive personnel to ensure the proper level of training to the appropriate audience. All scheduled training sessions should be documented, reviewed, and audited. Review and audit procedures will ensure the intent was achieved and provide documented evidence of employee understanding. If retraining must occur for an employee after training attendance, it should happen quickly with a more thorough question and answer session to facilitate correct understanding of the subject. B2a. Security training must occur to prevent incidents. Departments such as Payroll, Supply & Logistics, and Human Resources will normally require additional training in the protection of Personally Identifiable Information (PII) and the protection of financial data. As with many IT issues, user error is one of the highest number of problems faced. A properly structured training program that is geared toward all employees is key to success within TechFite’s SATE program. Security awareness training should be conducted on a quarterly basis and documentation reviewed at the quarterly management review. Preferably, the quarterly management review should be conducted a few days prior to training. This is to provide management the ability to review the previous quarter’s training and address any issues. The practice of providing the training, reviewing the results, and addressing any concerns prior to upcoming training event will lead to a structured, sound training program. Having the training at these intervals will also keep employees aware and up-to-date with processes, procedures, and best practices of the company and possibly prevent or mitigate future incidents. B2b. Currently at TechFite, Security Awareness Training and Education is not being conducted. There is no documentation that they have the program in place. Training and education for each Downloaded by denis munene () lOMoARcPSD|