Security and Privacy Controls for Federal Information Systems - Essay Example

3.1 Access control

Access control is a security control family consisting of security controls denoted by the identifier AC and ranging from AC-1 to AC-22. This control family falls under the technical class because of its characteristics. Access control policy and procedures (AC-1) is a control intended to produce the policy and procedures required to effectively implement the selected controls and control enhancements in the access control family.

3.1.2 Security control baseline

AC-1: Access control policy and procedures
Priority: P1
LOW: AC-1
MOD: AC-1
HIGH: AC-1

3.2.3 Implementation status

AC-1: Access control policy and procedures is assigned priority code P1, meaning that it is sequenced first; hence the implementation is fully controlled.

NIST SP 800-53 (2010) Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

NIST SP 800-53 (2010) Control Enhancements: None

NIST SP 800-53A (2010) Control Expected Results: Determine if:
(i) the organization develops and formally documents access control policy;
(ii) the organization access control policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance;
(iii) the organization disseminates formal documented access control policy to elements within the organization having associated access control roles and responsibilities;
(iv) the organization develops and formally documents access control procedures;
(v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; and
(vi) the organization disseminates formal documented access control procedures to elements within the organization having associated access control roles and responsibilities.

2.3.2 Implementation of Access control

a) The Internal Revenue Service (IRS) developed a documented access control policy that addresses the purpose, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with all rules and regulations.
b) We also developed and documented procedures to facilitate the implementation of the access control policy and associated access controls, including risk management.
c) These procedures and rules will be reviewed and updated at a specified interval.

3.2.1 Account management

Account management is a control within the Access control family, denoted by the identifier AC-2. This control enables the organization to manage information system accounts, including identifying account types, establishing conditions for group membership, identifying authorized users of the information system and specifying user privileges.

3.2.2 Baseline and Implementation status

AC-2: Account management
Priority: P1
LOW: AC-2
MOD: AC-2(1)(2)(3)(4)
HIGH: AC-2(1)(2)(3)(4)

Implementation status: This control is assigned priority code P1, meaning that it is sequenced first; hence the implementation is fully controlled.

NIST SP 800-53 (2010) Control: The organization manages information system accounts, including:
a. Identifying account types (examples: individual, group, system, application, guest and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating temporary accounts that are no longer required and accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization; and reviewing accounts [Assignment: organization-defined frequency].

NIST SP 800-53 (2010) Control Enhancements: None

NIST SP 800-53A (2010) Control Expected Results: Determine if the organization manages information system accounts by:
i. Identifying account types such as individual, group, system, application, guest and temporary;
ii. Establishing conditions for group membership;
iii. Identifying authorized users of the information system and specifying access privileges;
iv. Requiring appropriate approvals for requests to establish accounts;
v. Establishing, activating, modifying, disabling, and removing accounts;
vi. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
vii. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
viii. Deactivating temporary accounts that are no longer required, and accounts of terminated or transferred users;
ix. Granting access to the system based on a valid access authorization, intended system usage, and other attributes as required by the organization or associated missions/business functions; and reviewing accounts.

3.3.3 Implementation of Account management

1. The Internal Revenue Service (IRS) is an organization that deals with a wide range of users, including individuals, groups, system administrators, guests and temporary users.
2. We set up an automated mechanism which evaluates the conditions for membership for each user:
   a) Any individual member must be at least 18 years of age.
   b) Each member must provide a national ID number or passport number for registration.
   c) Each group must comprise at least five members.
3. We also set up an automated mechanism to authorize the users of the information system and specify access privileges for each member:
   a) Individual users can modify and update their details and view their revenue details.
   b) Groups can also modify and update their details and view their revenue details.
   c) System administrators can log into the system and access all the available information at any time they are required to do so.
   d) Guests may only access general information regarding the IRS.
   e) Temporary users will only be able to access minimal information while awaiting authorization of individual accounts.
4. The system will create a temporary account for each member who applies for membership as soon as their details are received. The information system will audit the details submitted by each applicant and verify the authenticity of the data, then create an account or decline to create one depending on the outcome of the verification process. The member will be supplied with a login ID and a password, which they can modify.
6. Any time a member wishes to access the system, he will be required to enter his login ID and password, and permission will be granted.
7. Any account that is inactive for a period of 6 months will be deactivated and deleted from the system.
8. All member accounts will be reviewed by the IRS every 12 months to authenticate the information within them.

References

NIST Special Publication, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
National Institute of Standards and Technology, Federal Information Processing Standards Publication 188, Standard Security Labels for Information Transfer, September 1994.
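The account-management procedure of section 3.3.3 (membership conditions, per-type privileges, the six-month inactivity rule and the twelve-month review) expressed as runnable checks. This is an added example, not code from the essay or from any IRS system; the privilege names, the 182- and 365-day windows standing in for six and twelve months, and the ISO date strings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PRIVILEGES = {  # per account type, following essay step 3 (action names are assumed)
    "individual":   {"modify_own_details", "view_own_revenue"},
    "group":        {"modify_own_details", "view_own_revenue"},
    "system_admin": {"modify_own_details", "view_own_revenue", "view_all"},
    "guest":        {"view_general_info"},
    "temporary":    {"view_minimal_info"},
}
INACTIVITY_LIMIT = timedelta(days=182)  # step 7: six months without a login
REVIEW_INTERVAL = timedelta(days=365)   # step 8: reviewed every 12 months

@dataclass
class Account:
    login_id: str
    acct_type: str
    last_login: str   # ISO date, e.g. "2024-05-01"
    last_review: str  # ISO date
    active: bool = True

def membership_errors(applicant: dict) -> list:
    """Step 2 membership conditions; returns the conditions the applicant fails."""
    errors = []
    if applicant["type"] == "individual":
        if applicant.get("age", 0) < 18:
            errors.append("under 18")
        if not (applicant.get("national_id") or applicant.get("passport_no")):
            errors.append("no national ID or passport number")
    elif applicant["type"] == "group" and len(applicant.get("members", [])) < 5:
        errors.append("fewer than five members")
    return errors

def permitted(account: Account, action: str) -> bool:
    """Steps 3 and 6: grant only to an active account whose type holds the privilege."""
    return account.active and action in PRIVILEGES[account.acct_type]

def deactivate_inactive(accounts: list, today: str) -> list:
    """Step 7: deactivate accounts idle longer than the limit; returns their IDs."""
    now = date.fromisoformat(today)
    stale = [a for a in accounts
             if a.active and now - date.fromisoformat(a.last_login) > INACTIVITY_LIMIT]
    for a in stale:
        a.active = False  # the essay's procedure then deletes the record
    return [a.login_id for a in stale]

def review_due(accounts: list, today: str) -> list:
    """Step 8: IDs of accounts not reviewed within the review interval."""
    now = date.fromisoformat(today)
    return [a.login_id for a in accounts if now - date.fromisoformat(a.last_review) > REVIEW_INTERVAL]
```

Running `deactivate_inactive` and `review_due` on a schedule, and logging what they return, gives the audit trail that AC-2 items h and j expect.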