Introduction
The purpose of this paper is to review State of Maryland information security program documentation and to determine the security standards used to create the program in order to protect confidentiality, integrity and availability of agency operations, organizational assets or individuals which is the main agenda of State of Maryland Department of information technology. We will also discuss about other standards that can be useful for the State of Maryland Information technology and compare and contrast the standards.
Standards
“The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347)” ("FIPS PUB 199," 2004). In this paper, FIPS PUB 199 has been chosen as the security standard used by State of Maryland Department of information technology. This standard addresses to develop standards for categorizing information and information systems. On the other hand, ISO/IEC 27001 is the other standard not used by State of Maryland which has been discussed as a contrast standard. Points of Analysis
FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems is the current
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule; system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar except the focus of RMF is on information security related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
1.1Security CategorizationUsing either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.
After careful review of the current Service Level Agreement(SLA) “A Service Level Agreement for Provvision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.” we have determined that standard Information Technology security measures have not been addressed fully. Following are the recommended changes highlighted in the specific sections that need to be addressed. These changes are being recommended to protect Finman’s data and intellectual property. Established standards such as Best
To summarize “Internal use only “data is restricted so anyone not working for the company would not be able to access it. To have access of any company information off site you would need to be assigned company authorization like username and password to logon. We do not want our infrastructure breached by outside threats to the system. This will briefly describe three of the seven domains within the IT infrastructure that are affected by this standard.
The purpose of this paper is to research and evaluate the legislative drivers for information security programs of State of Maryland in order to improve the information security policy to prevent loss of the confidentiality, integrity and availability of agency operations, organizational assets or individuals with new amendments in legislation. This paper elaborates the objectives of five proposals that would impact the information security policy of the State of Maryland upon becoming legislation.
Some include administrative, physical and technical safeguards. In administrative safeguards it allows the reader to understand the security management process to reduce risk and vulnerabilities. Security personnel responsible for developing and implementing security policies. Information access management minimum access to perform duties. Physical safeguard is about the limit of physical access to facilities, and how workstation and device security policies and procedure covering transfer, removal, disposal, and reuse of electronic media. Finally, technical safeguard is about the access control that restricts access to authorized personnel’s. Audit controls for hardware, software, and transitions. Integrity controls to ensure data is not altered or destroyed. Transmissions security to protect against un authorized access to data transmitted on network and via email. Moreover, there are three pillars of data security confidentiality, availability, and integrity. Confidentiality refers to the prevention of data loss, and is the category most easily identified with HIPAA privacy and security within healthcare environments. Usernames, passwords, and encryption are common measures implemented to ensure confidentiality. Availability refers to system and network accessibility, and often focuses on power loss or network connectivity outages. Integrity describes the trustworthiness and permanence of data, an assurance that the lab results or personal medical history of a patient is not modifiable by unauthorized entities or corrupted by a poorly designed process. Database best practices, data loss solutions, and data backup and archival tools are implemented to prevent data manipulation, corruption, or loss; thereby maintaining the integrity of patient
The purpose of the system security plan (SSP) is to provide an overview of federal information system security requirements and describe the controls in place or planned to meet those requirements for the Department of Health and Human Services. Each SSP is developed in accordance with the guidelines contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, and applicable risk mitigation guidance and standards. Through
Federal Information Security Management Act (FISMA) – This refers to a U.S. law that was enacted in 2002 to lay down a comprehensive framework on how government information are protected. This also relates to operations and assets against natural or man-made threats. This act assigns responsibilities to federal agencies that re responsible for system and data protection, ensuring that all elements of FISMA are complied to, and integration of security measures throughout federal agencies in cost-effective, timely and efficient manner (. FISMA regulations require that inspection of the agencies be done annually through an independent evaluation (Gibson, 2010, pg. 59). The evaluation seeks to test the effectiveness of policies and practices in agencies and compile a report that identifies the state of compliance of that agency.
The essential legal policies for instituting an information security policy for any organization, regardless of tax status, such as commercial, non-profit entity or a federal agency and how those policies, both governmental and organizational, can impact an organization’s ability to ensure the integral information security triad of confidentiality, integrity and availability.
The security plan is formulated to protect the information and important resources from a wide variety of potential threats. This will promote business continuity, reduce business risks and increase the return on investment together with business opportunities. The security of information technology is attained by executing a suitable set of control, efficient policies, processes, organization structures, software and the hardware. These given controls ought to be formulated, put into action, assessed, analyzed and developed for productivity, where necessary. This will allow the explicit security and business objectives of the United States Department of health and Human Services to be accomplished (Easttom, 2006, p.32).
The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source
For the healthcare industry it is important to have an Information Security Policy Framework within the organization to protect information that is accessed across the network by staff personnel and patients. In accordance with ISO/IEC 27799:2008, we begin to define the guidelines to support the interpretation and implementation of healthcare information protection. ISO/IEC 27799:2008 references the basic controls and guidelines of ISO/IEC27002:2005 will provide the minimum protection necessary to meet organizational needs. Healthcare organizations that
Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of IDI which must be managed with care. All information has a value to IDI. However, not all of this information has an equal value or requires the same level of protection. Access controls are put in place to protect information by controlling who has the rights to use different information resources and by guarding against unauthorised use. Formal procedures must control how access to information is granted and how such access is changed. This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.
Overview The City of Chicago (City) intends to manage its information technology and information assets to maximize their efficient, effective, and secure use in support of the City‘s business and its constituents. This document, the Information Security Policy (Policy), defines the governing principles for the secure operation and management of the information
Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which