IAS CAPSTONE
(I.S.A. - Legal, Regulations, Compliance & Investigations)
Author: Mark L. Simon II
CSS450-1604A-01
Security (CAPSTONE)
Instructor: Gary Lieberman
November 06th, 2016
Colorado Technical University
IAS CAPSTONE 1
Table of Contents
Table of Contents
Abstract
Section 1 – Policies, Procedures, Roles, and Responsibilities
    Introduction
    Policies
        Policy Structure
    Standards & Procedures
    Guidelines
    Roles and Responsibilities
        Chief Executive Officer
        Chief Information Officer
        Chief Information Security Officer
        Authorizing Official (AO)
        Information Systems Owner
        Information Owner
        Information Systems Security Officer (ISSO)
        Certification Agent
        User Representatives
    Conclusion
Section 2 – Data Governance
    Introduction
    History of Data Governance
    Data Governance
    Data Governance Applicability & Needs
    Data Governance Policy & Compliance
    Data Governance & Operational Policy
        The Policy Guidance
        Data Classification Policy
        Data Governance & Legal, Regulatory and Forensic Compliance
    Conclusion
Section 3 – Network Security
    Introduction
    Network Security History
    Legal, Regulatory Compliance, and Integration of Network Policy
    Due Care and Diligence of Network
    Network Security Solutions
    Layered Defense Strategy
    Defense in Depth
        Physical Security
        Environmental and Physical Defense Strategies
        Technical Related Threats
        Technical Defense Strategies
        Human Related Threats
        Human Related Defense Strategies
    Conclusion
Section 4 – Asset Security Management
    Introduction
    Asset Management
    Risk Identification
    Risk Methodology
    Risk Assessment
        Stage-1 / System Categorization
        Stage-2 / Threat Identification
        Stage-3 / Identify Vulnerabilities
        Stage-4 / Analyzing Controls
        Stage-5 / Likelihood Determination
        Stage-6 / The Analysis Impact
        Stage-7 / Determining Risk
        Stage-8 / Threat Control Recommendations
        Stage-9 / Documentation
    Stereotypical Risks
    Implementing Asset Security through Communication
    Conclusion
Section 5 – Compliance with Security Regulations
    Introduction
    Cyber Related Laws
        Sarbanes-Oxley (SOX)
        Gramm-Leach-Bliley Act (GLBA)
        Payment Card Industry Data Security Standard (PCI-DSS)
        Health Insurance Portability and Accountability Act (HIPAA)
        Associated Laws and Statutes
    Certification and Accreditation
    Conclusion
References
Abstract
This research paper examines Information Assurance Security (IAS) and how IAS interacts with
legal guidelines, regulatory requirements, compliance standards, and investigatory and forensic
proceedings. Legal, regulatory and compliance measures, and investigative forensics, are implemented
through policies, procedures, standards and guidelines. This, in turn, allows data governance to be
carried into every part of cybersecurity, information assurance, and company objectives. Data
governance and policy are then applied to network security, where standards and guidelines reach
every part of the system: from large mainframes down to the individual host, data security policy is
applied to ensure a consistent standard of protection. Keeping these areas secure requires continuous
governance, due diligence, risk assessment, maintenance, audits, automated patching, upgrades, and
many other daily operations, all of which must be monitored and controlled. This is accomplished
through risk management, change management, impact analysis, disaster management, backup and
recovery, and other system management disciplines that monitor the core of the system for
vulnerabilities and exploitation. Collectively, this is known as asset management. Finally, some of
the actual legal, regulatory, and compliance acts that drive the overall process of information
security assurance will be discussed, along with the investigatory and forensic avenues available for
determining the causes of network and system malfunctions, damage, exploitation and attacks. These
may aid personnel in hardening the system and identifying the perpetrators.
Section 1 – Policies, Procedures, Roles, and Responsibilities
Introduction
Information Assurance Security (IAS) is a wide area of knowledge and concern, as more
individuals come to realize the power of digital communications and the World Wide Web. IAS is
built into almost every aspect of enterprise computer operations security. This paper focuses
directly on the legal, federal regulatory, compliance and investigational procedures associated with
information security assurance. However, several other areas of information security assurance
parallel or coincide directly with the legal, regulatory and investigatory compliance topics chosen
for this research, and may be addressed along the way. Those areas include infrastructure and design,
access controls, physical and environmental security, risk management, change management, business
continuity, disaster recovery, cryptography and operational security. This list is by no means
all-encompassing, but it identifies the areas most likely to overlap with the legal, federal
regulatory, compliance, and investigational procedures associated with information security
assurance. To provide assurance in these areas, an enterprise, organization, or company needs to
adopt sets of rules, measures, methods, and frameworks that will be followed, so that the
confidentiality, integrity and availability (the CIA triad) of the network and its data can be
maintained. Thus, policies, standards, procedures and guidelines need to be created to provide a
roadmap that will assist the company or enterprise in fulfilling its operational, technical, and legal
obligations. The roles and responsibilities for creating and applying these measures also need to be
reviewed, to confirm that the groups or individuals who create the compliance measures are the
appropriate ones to do so.
Policies
A policy, by its core definition, is a course or principle of action adopted by a government,
party, enterprise, business, company, group, or individual to guide present and future decisions
(Merriam-Webster, 2016). Personal experience has shown that creating and designing a policy takes an
immense amount of time, as the policy has to run a gauntlet of checks and verifications, to make sure
everything is reviewed that the policy will cover. The policy is usually generated at the very top of
the enterprise, organization, or institution, typically by a Board of Directors or Executive
Committee. In information security assurance, this is known as high-level governance. A key
requirement for executive policy is that the enterprise develop it in accordance with federal mandates
and the associated regulatory acts that apply to it. These factors make each enterprise's policy
unique to that company. The company or enterprise must also consider its overall diversity, the
synergy of its IT architecture, and the objectives and goals associated with running the operational
and production environments (Grama, 2011).
Policy Structure. The structure of the policy should be designed with due care and due
diligence. The elements may vary depending upon the type of company and who is writing the
policy, but there are common core elements that should be addressed in almost every policy. A
good place to start is National Institute of Standards and Technology Special Publication 800-12,
which gives a concentrated view of what a policy actually needs, based on where and how it will be
integrated into an enterprise. SP 800-12 distinguishes three types of policy, program policy,
issue-specific policy and system-specific policy, and describes how each should be designed.
Knowing which type is being written is a valuable first step in initiating the policy (NIST, 1997).
The policy should contain certain elements in its heading, body and conclusion. A policy
usually opens with a statement of purpose, which sets out the expected actions, outcomes,
responsibilities and behaviors the policy requires; it states what is permitted and what is
prohibited. The policy will have a scope or exclusion statement, which identifies who is and who is
not bound by the policy. This is followed by the rationale, explaining the legal, regulatory, or
federally mandated reasons the policy is being issued. A definitions section is added for technically
challenging terms, or where words carry a special meaning within the body of the document. The next
area addresses "who" is affected by the policy, together with the rules, designated responsibilities,
procedures, guidelines and standards they must follow to be in compliance with the policy. These
areas also carry the compliance verbiage that gives force to the rules, mandates, and other legal
parameters of the policy. In other words, an employee who fails to abide by the policy may face
disciplinary action, up to and including termination, and, where the conduct also violates the law,
civil or criminal penalties. The policy will always reference associated documents that relate or
refer to it; these may contain more precise procedures and guidance that supplement the main
executive or program policy. The final areas of the policy identify the author of the document and
how to contact them if anything needs to be changed, altered, or amended. When changes are made,
the policy's revision history block records what was changed and the date of the amendment (Grama,
2011). Executive policies are living documents, like standards and procedures, but they require less
frequent modification, since the standards and procedures that directly support the main policy are
reviewed more often for changes, alterations and amendments.
Standards & Procedures
Standards and procedures can be considered more of an "issue-specific" or "system-specific"
type of policy. These documents are subject to quarterly, semi-annual and annual changes, depending
upon the volatility of the specific enterprise, business, or corporate environment. Because
issue-specific and system-specific policies describe standards and procedures in more granular
detail, they are better described as "operational compliance policy" directed at specific, issue-related
compliance measures. Guidelines, by contrast, are advisory, suggesting ways of complying with the
procedures and standards; posting fliers on how to recognize and report a safety violation is one
example. NIST Special Publication 800-14 specifically outlines what an "executive policy" contains,
versus the more granular "operational policy" (issue- or system-specific policy) (Swanson & Guttman,
1996).
As noted above, the executive policy lays out general expectations, while the standards and
procedures policies spell out specific compliance details: what is expected, and how it is expected
to be done. This is also known as the "baseline" (Grama, 2011). The "issue-specific" standards policy
addresses the organization's position statement on the issue, how that position applies to the
procedure at hand, the roles and responsibilities of groups or individuals within a given department,
and the particular points of applicability with which employees must comply. This is normally
written into something like an "Acceptable Use Policy". It may detail what can and cannot be sent
by email, which "bring your own device" equipment may be used on enterprise systems, internet
etiquette, password structure and complexity, and so on (Swanson & Guttman, 1996).
System-specific policy standards work more in the area of protecting actual systems: user
interactions, proper management of the system, risk analysis, impact analysis, and so on. These
policies are generally created by middle management to guide the implementation and configuration
of new technologies being integrated, security requirements for current technologies, how
management intent will be carried out, prohibited uses of equipment, and other single-task matters.
The issue-specific documentation also helps protect the organization against liability, inefficiency
and uncertainty (Yang, 2005). Most importantly, the issue-specific documents establish the rules on
who can do what (read, write, alter, delete) with data, what they are responsible for, access control
configurations based on role or individual user and the types of data accessible, and encryption
standards for the transfer of data (Swanson & Guttman, 1996).
Guidelines
Guidelines are the least stringent and most flexible level of the policy hierarchy. They
encourage the adoption of best practices for doing a task, build an understanding of the procedures
and standards, and encourage employees to act in areas that upper management may not be in a
position to see directly, whether because management is absent or because the task calls for
self-motivated, imaginative effort that advances the enterprise's goals and success. In essence,
guidelines ask the employee to take ownership of their area.
Roles and Responsibilities
Information security assurance wears many hats when it comes to the people actively
involved in ensuring that its goals, the confidentiality, integrity and availability of data, are met.
Many federal acts dictate that an information assurance program (IAP) be defined and implemented
by any enterprise, company, organization, entity, or institute that handles personally identifiable
information. This includes medical facilities, schools, publicly traded companies, banks, federal
government entities, and many others. The laws that drive creation of an IAS program include
Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and
Accountability Act (HIPAA), HITECH, the Children's Internet Protection Act (CIPA), the Family
Educational Rights and Privacy Act (FERPA), and many others, supported by standards such as the
Federal Information Processing Standards (FIPS). The underlying federal act that seems to underpin
the other compliance acts is the Federal Information Security Modernization Act (FISMA), which
outlines the information assurance program, who is responsible for it, and their roles within it
(Young, 2012).
Interestingly, there is wide variation in the terms used for who is responsible for what. At
the upper executive level, the oversight committee can go by many names: Board of Directors, Data
Trustees Board, the General Counsel, or the Information Security Review Board. Whatever the
designation, these groups and committees have the following responsibilities with respect to the
information assurance program. Their primary responsibility is to provide oversight and general
direction for information security programs and assurance. They oversee and monitor the
development, design, implementation and maintenance of the security plan; the enforcement of all
policies; requests for exemptions to policy; and the handling of privacy, security and regulatory
compliance requirements. These groups also ensure that programs are in place for risk assessment
and mitigation, monitoring and control processes, disaster recovery, and incident handling for
security incidents, as required (Blake, 2016). Below these groups and committees, responsibility
rolls downhill, with different duties applied according to the role an individual holds. The roles
defined by the federal information assurance program are described below.
Chief Executive Officer. The Chief Executive Officer (CEO), who may be part of these
groups or committees, is responsible for the information assurance plan and oversees its design and
implementation in accordance with regulatory requirements and enterprise objectives. The CEO
allocates the resources needed to make the IAP successful. The CEO manages the Chief Information
Officer (CIO) and appoints the Chief Information Security Officer (CISO). In addition, the CEO
appoints an Authorizing Official (AO) and an Information System Owner (ISO) for each information
system (Young, 2012).
Chief Information Officer. The Chief Information Officer (CIO) is responsible for execution
of the whole IAP and delegates certain aspects of managing the information assurance plan and
program to the CISO. The CIO is responsible for integrating updates into the policy program and for
creating a training environment in which employees are properly trained in information and data
usage and in compliance measures under federal mandates, policies, standards, procedures and
guidelines. The CIO also coordinates with the CEO to provide annual reports to the oversight groups
or committees (Young, 2012).
Chief Information Security Officer. The CISO shares many of the CIO's responsibilities, but
also works toward acquiring newer security assurance measures and strategies to shore up the
information assurance program. This is done by creating a centralized reporting matrix of
security-related activities, which assists in hardening day-to-day operations. The CISO is also
responsible for defining issue- and system-specific security requirements, hardware and software
tools, checklists, and templates to support the security plan. The CISO trains personnel in
specialized positions, assists other senior management with their security requirements, ensures
that privacy and security practices are implemented and maintained under FISMA and other federal
requirements, monitors and assists with security incidents, manages IT audits and program reviews,
and assists investigations by law enforcement and audit personnel. The CISO also prepares reports
for the CIO to include in the annual report to the committee or review groups (Young, 2012).
Authorizing Official (AO). The Authorizing Official is another CEO-appointed position and
assumes responsibility for operating the system at an acceptable level of risk. The AO is
accountable for the operation of the network system and maintains oversight of its budgetary needs.
The AO approves local security plans, which address memoranda of agreement and understanding
(MOA/MOU), as well as plans of action and milestones (POA&M). The AO has the power to shut
down the system completely for unmanageable or unacceptable risks, and to deny use of the system
to whomever the AO so chooses. The AO monitors the operational status of the system to ensure
security is maintained, and reviews security reports to ensure the risk remains acceptable. If it is
not acceptable, or a breach results from an unacceptable risk, the AO assists in security incident
response and privacy breach handling. The AO can delegate daily security responsibilities to a
designated individual when the need arises, or the enterprise can permanently assign an assistant to
security monitoring on the AO's behalf (Ross, et al., 2004).
Because the Authorizing Official carries such a broad daily workload, the authorizing official
designated representative (AODR) works more closely with the Information Systems Owner on
matters such as the certification and accreditation process. The AODR also primarily works on the
MOA/MOUs, security plans, and other supporting AO duties.
Information Systems Owner. The ISO is appointed by the CEO and is responsible for all
aspects of the network system's operations and maintenance, procurement, development, integration
and modification. The system security plan should be overseen and developed by the information
systems owner, as this person has direct knowledge of the "ins" and "outs" of the system. This
ensures that when the system is deployed, it will conform to the system security plan as developed
by the ISO. The ISO decides who does and does not have authorization to access the system and
sets the access controls and privileges for the users who do have access and authorization. However,
before any employee or support personnel are authorized and their privileges set, they must be
oriented and trained in system security assurance and the associated security measures. The ISO
notifies all pertinent personnel when systems are required to undergo certification and accreditation
(C&A) evaluations, and supplies all the C&A supporting documentation and associated resources
when the C&A is conducted. The ISO has primary responsibility for follow-through after the C&A
is completed: the ISO takes the report of the certification survey and mitigates or remediates all
identified vulnerabilities, exploits and attack vectors. Once this is completed, the ISO creates a
report, which is sent to the executive group for review. The chain of command dictates that this
report first passes through the hands of the Authorizing Official before being elevated further
(Ross, et al., 2004).
Information Owner. The information owner is someone who generates, processes,
disseminates, collects, and disposes of information. The owner decides who can view, manipulate,
alter, write to, and delete the owner's data. The owner is primarily responsible for setting the type of
security and controls to which each piece of data will be held, based on the classification and
sensitivity of the data. An information system might host multiple information owners using the
same system. This gives each owner the authority to tell the system owner what type of security is
expected for their information to be used, stored, and transmitted on the system. Cloud computing is
an example: customers of Amazon and Google web services store data on those providers' systems.
The two companies are the system owners, but they must align the security controls and access
requirements of their systems with the expectations of the information owners (Ross, et al., 2004).
Information Systems Security Officer (ISSO). The ISSO reports directly to the Authorizing
Official, the Information Systems Owner, or the Chief Information Officer. The security posture and
workings of the system are primarily monitored and maintained by the ISSO. If any discrepancies or
other issues arise, the ISSO advises those three officials of the situation. Since the ISSO is hands-on
within the system on a daily basis, the ISSO is in charge of monitoring physical security, incident
handling, security training and awareness, and personnel security. The ISSO is considered the
subject matter expert on the system and may be tasked with creating operational policies to ensure
compliance with system security at the local level. The ISSO is also required to participate directly
in designing and updating the system security plan, change management planning and execution,
and the risk management plan for assessing new and ongoing vulnerabilities and exploits that
require hardening. After mitigation and remediation are complete, the ISSO follows up the
assessment and hardening with penetration testing to verify the result. All of this is reported to the
three upper-echelon officials.
Certification Agent. The certification agent inspects the system to confirm it complies with
the federal regulations and laws the enterprise must abide by. Certification agents normally belong
to larger third-party entities that are called in to certify the system or to support its accreditation
under federal regulatory requirements. The work is usually done by an Agent of the Certification
Authority (ACA) affiliated with a body such as the Information Systems Audit and Control
Association (ISACA), the National Commission for Certifying Agencies (NCCA), the International
Certification Accreditation Council (ICAC), the NIST certification and accreditation program, the
American National Standards Institute (ANSI), or others (ISACA, 2016). These groups or
individuals conduct comprehensive assessments of the operational, management, technical and
administrative controls to confirm that they comply with federal mandates, are implemented
correctly, operate as intended, and produce the outcomes the applicable laws require. A third-party
certification agent should always be used if the enterprise's systems have a moderate or high impact
potential; smaller companies may use an in-house self-assessment if the impact on assets or agency
operations is considered low (Young, 2012).
User Representatives. A user representative is anyone who uses the system to conduct daily
operations on the network. Users are responsible for keeping abreast of the current security
policies, standards and guidelines for acceptable use of the systems, and all of them should have
received security awareness training that supports the security of the mission and production
objectives. They take part in the certification and accreditation process by ensuring that the
requirements defined in the system security plan are followed in day-to-day operations (Ross, et al.,
2004).
There are many areas in a business, enterprise, or organization where personnel fill roles and
responsibilities for carrying out the tasks, missions, and duties that keep system security maintained
and assurance achieved. The list above covers the most common roles and responsibilities as guided
by the NIST and ISO frameworks; depending on the size and nature of the company, other roles
may arise to mitigate the adverse effects of system security vulnerabilities and exploits.
Conclusion
This section has reviewed how policies and procedures are created at the top level and then
brought down to the operational level. At the top, they are executive policies based on general
expectations. As they are deployed to the operational levels they become more specific and separate
into system-driven and issue-driven standards, procedures and guidelines for handling individual
tasks and duties in particular areas, but they are still policy; the key difference is that they are
"operational" rather than "executive" policy. Policies then shape how each field within the
enterprise establishes the responsibilities of its roles. Each role carries a specific set of
responsibilities to follow through on, driven by the policies introduced when the system was
designed. By using this framework, an enterprise, company, organization, or institution creates a
roadmap from its objectives and goals to security assurance, certification, and accreditation of the
business, and creates an environment in which everyone knows there is a defined structure for
information security governance.
Section 2 – Data Governance
Introduction
Information is one of the valuable assets that keeps every operational function running. Data
is anything collected so that a flow of events can be carried through to a final outcome. We collect
data from meters connected to water, electrical and gas service, from weather stations, volcanoes
and earth tremors, from bank transactions, scientific and development research, vehicle purchase
and registration, personal health records, and many other sources, so that further processes can be
completed. Data can be thought of as a chain that runs alongside the progress of operational life.
To manage all this data, a framework has been created to monitor and control it and to decide how
it will be used once collected. This is where data governance enters the picture. Data governance
has developed over the past half century to assist companies, enterprises, organizations, institutions,
and anyone else who collects, preserves, uses and disposes of data. Policies and standards, roles and
responsibilities, data strategies, architectural planning, compliance measures, management issues,
data asset evaluation, and the transfer of communications all fall under an organization's data
governance framework, and that is not all it covers: it covers any program or issue involving data.
The process of formulating this strategically has come out of many years of implementation and
failed attempts at data governance.
History of Data Governance
The seriousness now placed on data was not always the case. Data management, or
governance, has been practiced since the introduction of punch cards. Some hold that the first
generation was Mesopotamia, with five eras following, while others count only four historical eras
of change; it depends on how far back the historical perspective goes. We will leave the cuneiform
record keeping of the Mesopotamian civilization out of the lineup and confine the history to the
nineteenth and twentieth centuries (Editorial Board, 2014). The earliest adaptation recognizable as
modern data collection came in 1896, when Herman Hollerith founded the Tabulating Machine
Company and used punch cards for recording, accounting and archiving; this company is now
International Business Machines (IBM). In the early years of data collection and archiving, this is
what was used to conduct the US census (Gray, 1996). Punch cards remained the norm until around
1955, by which time whole floors of buildings were filled with punch card data.
In 1951, the UNIVAC I was delivered to the US Census Bureau; later in the decade, languages
such as COBOL and RPG and application packages for general ledgers, inventory control, banking,
payroll, document libraries, and subscription management emerged. By the 60's and 70's, every bit
of information was being stored on drums, disks and tape reels and accessed through terminals.
Data was being amassed so quickly that a way had to be found to relate it all; hence the hierarchical
and network database models came into being, separating the logical schema from the physical
schema to give data independence. These models handled many concurrent transactions being
performed at the same time, and gave rise to the better-known relational database management
systems of the 80's and 90's. Using the structured query language (SQL), companies were able to
treat data sets as relations and apply operators to them to produce whole records as a result (Gray,
1996).
By the 90's, multimedia databases had come onto the scene. It was no longer just spreadsheets
of numbers and letters; it was music, video, and mapping. Object-oriented programming assisted
by placing data into classes that could be called upon when needed and assembled into the data the
user required (Gray, 1996). This was also known as the application era, and data governance began
to receive attention during it. However, the small and feeble attempts at unauthorized access of the
time were regarded as moot, or so it was thought, so data was treated as a byproduct of doing
business. Some corporations tried enterprise data modeling, driven primarily by IT, but because of
inadequate organizational support and authority and the rigidity of the applications, these attempts
ended more often in failure than success (Chen, 2010).
The Enterprise Repository Era, at the turn of the century, brought new challenges. Decision
making relied more heavily on data analysis, and data was growing at an exponential rate and had
to be integrated into data warehouses; enterprises found, however, that master data warehouses had
become a risky and expensive venture. It was not until the last decade or so that all this data taught
its users that not all data is the same and that different data needs different levels of protection. By
2010, companies had recognized the need for strong data governance and created business-oriented
data governance committees and groups to manage the core sets of sensitive and critical databases
used in the company.
In particular, companies created policies, standards, procedures, and guidelines to address the
failures occurring in data modeling, quality standards, data security and privacy, and life-cycle
security and privacy. Enterprises also realized they had to be major players and owners in data
governance, as it gives the company more consistency and control over its data and affords
information technology personnel wider flexibility in system design (Chen, 2010).
Data Governance
Data governance is sometimes equated with data management, since it addresses many of the
issues of managing data: it specifies how decisions are made on matters that affect the organization,
so as to encourage desirable behavior in the evaluation, design and creation, use, storage, archiving
and removal of information. Data governance also includes developing the processes, work roles,
policies, standards and metrics that verify information is being used effectively and efficiently so
the enterprise can fulfill its objectives. It draws on several themes as the basis of its framework:
policies and procedures; data security implementation and adaptation; IT and architecture
management; business continuity and process management; organizational integration of new
architectural, security and data application designs; risk, disaster and recovery management; and
data warehousing and business intelligence, which may use a problem/solution framework. Data
governance also incorporates master data management, which consolidates a company's critical and
sensitive reference data into a single authoritative record that serves as a common point of
reference, much as a single sign-on credential serves as one point of reference for entering various
authorized areas (Chalker, 2014).
Data Governance Applicability & Needs
Data governance is not a "one size fits all" methodology. Frameworks can be quite similar
and even share processes yet have very different operational objectives and purposes. There is no
blanket methodology because data governance must fit different approaches, depending on the
organization's decisions about creating and enforcing its policies, standards and guidelines. Its
applicability is driven primarily by the concerns and views of the stakeholders. Some are concerned
with data analysis, decision-making and reporting mechanisms; some worry about the quality of
their data being compromised; others are frustrated by architectural inadequacies that keep users
from sorting, filtering and linking data sets or data warehouses. Some want to "Fort Knox" the data
so that only a chosen few have access, while their counterparts want to increase the ability to acquire
and share data, documents, reports and content. The data governance framework takes these
stakeholder issues and helps the stakeholders organize and think alike about approaching issues
that are confusing, complicated and ambiguous (Thomas, 2009).
Other drivers of data governance are outside elements that must be considered. New sources
of data, combined with novel and diversified sources of information, are pushing the need for new
types of data governance and for dynamic, aggressive management methodologies for information
and data. These include external data usage, social media, quality and controls for "Big Data",
mobile data platforms with limits on data, regulatory coordination in adapting to new technologies,
on-demand data management for data requested in reporting, and control of the master report
library for new sources of data (Chalker, 2014).
Because these newer needs keep arising, solutions must keep pace with the diversity of needs.
Enterprises and organizations need to draw on best practices already in effect and research best
practices for new technologies that may be adapted to their own business. One of the most thorough
solution frameworks is COBIT (Control Objectives for Information and Related Technologies) for
the governance of data and enterprise IT (COBIT 5 Task Force, 2013). COBIT approaches data
governance issues through a four-step process (these are the four domains of COBIT 4.1; COBIT 5
reorganized them into five): plan and organize strategies, tactics and concerns; acquire and
implement IT strategies to identify solutions and integrate them into the enterprise; deliver and
support the solutions, which includes security and continuity management, user support, and data
management in the operational facilities; and, finally, monitor and evaluate the solutions over time
against quality, compliance, and control requirements. The last step also brings in full governance
of IT, regulatory compliance, data security, privacy and usage (Pierce, 2011). This process is
supplemented by the COBIT domains and collaboration controls, which are available only online
and can be used to add parameters within each solution area. The ISACA discussion site
(http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Discussions-landing-page.aspx)
points directly to the sub-areas of the four-step process. In addition to the COBIT framework, many
data governance methodologies have been implemented in software to streamline data governance
solutions. Vendors such as Teradata and Collibra build automated data management and data
governance applications (and directories such as Capterra catalogue them), providing enterprise-
focused tools that aid collaboration and create an easy-to-use framework for data governance
(Collibra(STARLabs), 2009).
Data Governance Policy & Compliance
In section one of this document, research was presented on what a policy is and how it drives
the enterprise. A policy was described as the act of creating compliance and governance strategies,
or principles of action, to be adopted by a government, party, enterprise, business, company, group,
or individual for the purpose of prescribing a set of conditions that guide current and future decisions
(Merriam-Webster, 2016). Designing and creating a policy takes an immense amount of time, as it
must run a gauntlet of checks and verifications to ensure everything it will cover has been reviewed.
So too with a data governance policy, which must align with the specifications required by legal,
regulatory and investigative guidance in situations involving data governance (Grama, 2011).
Certain legal requirements "must be" built into the format of a data governance policy; which ones
depends heavily on the company's background and on the objectives and operational outcomes of
the enterprise, company, or entity (Salido & Voon, 2010).
For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that
personally identifiable information (PII) and electronic protected health information (e-PHI) be
protected in accordance with its security and privacy rules. The Gramm-Leach-Bliley Act requires
financial institutions to keep customers' PII secured and private (Salido & Voon, 2010). Credit card
data is covered separately by the Payment Card Industry Data Security Standard (PCI DSS), which
is not a federal law but a contractual industry standard administered by the PCI Security Standards
Council and enforced through the card brands.
To comply with these measures and standards, many enterprises have adopted policies
governing these data types through data governance policies and change management and control
policies. Two good sources of policy templates are the International Organization for
Standardization (ISO) 27000 series change management and control policy template in the ISO
27000 toolkit (Hinson, 2012), and the British Columbia First Nations' Data Governance Initiative
(BCFNDGI) (MIS Inc., 2015). Both resources have templates for data governance policies and
change management and control policies, which are highly important where data governance meets
compliance and legal and regulatory mandates. Each of these policies clearly defines acceptable and
unacceptable behavior with respect to data confidentiality, integrity and availability, privacy, and
security. They also outline the roles and responsibilities of each level of stewardship, using a metrics
approach: the types of decisions the stewards will make, and who approves each steward's decision.
The policy also covers data quality, data standards, change management, data sharing and linking,
awareness and training, data flows and data classification. This last is particularly important, as
evaluating the classification of the data being secured is a key part of data governance.
Data Governance & Operational Policy
A key component of data governance is human interaction with, and use of, data. In fact, the
human element is the most volatile and unreliable factor in the protection, security and privacy of
data, which is why many companies and enterprises place so much emphasis on a "Data
Stewardship Policy" (DSP). The outline of this policy covers the needed and required areas of
compliance and carries the applicable standards, guidelines and procedures within the document,
so that a strict and specific set of obligations and principles is adhered to with respect to the roles
and responsibilities of data stewards. A DSP is generally organized in seven general areas and
proceeds in the manner described below; the outline is readily available from the SANS Institute
(SANS Staff, 2014). Another policy of importance in data governance is a "Data Classification
Policy". Both policies should be considered part of the "operational policy" realm, as they hold
standards and procedural functions.
The Policy Guidance
A policy should start with a "heading" that gives the department it is designed for, the
approval date, the title, and the source document to which the implementing policy relates. Once
the heading has the required labels, the following areas follow in sequence. The "purpose" briefly
summarizes the contents of the policy, states its objectives, and may also identify who is and is not
affected by it. Next, the "definitions" section gives the reader adequate meaning for terms that may
be confusing, so that the reader has the understanding needed to comprehend the policy. Once the
reader can work through the obscure areas, the main body of the policy is presented. The main
"policy" section is the subject-matter core of the document: the governing principle, plan and
regulatory compliance requirement that legally guides the reader's acceptable and unacceptable
behavior. This section states what is expected and what is to be done, but not how it is done; the
acceptable behavior in procedural form is set out in the "procedures" section (UCDavis Chancellor
& Provost, 2011).
The procedures section sets out the steps that will be taken to ensure acceptable behaviors
and actions are achieved. It accurately and clearly describes the processes, roles, and responsibilities
for accomplishing the duties the policy prescribes under legal, legislative and regulatory
requirements. The procedures also give issue-specific and system-specific step-by-step
specifications for particular situations, and should be accompanied by guidelines that suggest
methods for accomplishing the duties outlined in the policy requirements. The tasks of the
individuals to whom the policy applies should be listed within the policy, showing what must be
completed by each individual or section of personnel (UCDavis Chancellor & Provost, 2011).
After the procedural, standards and guideline criteria have been integrated into the body of
the policy, an "additional information" area identifies the office or individual responsible for
developing and distributing the policy, with phone numbers, emails and web addresses of people
who can clarify questionable areas of the document. This area should also state the enforcement
actions for individuals and groups who engage in unacceptable behavior in the course of data
governance and compliance; for this reason, the policy should mandate monitoring controls for
compliance, through metrics and related key performance indicators. As with any document, the
idea did not simply pop into the writer's head: most of the material has been developed over time,
or by regulatory and legal means, and needs references identifying its source (UCDavis Chancellor
& Provost, 2011).
Data Classification Policy. A policy has a fairly basic format, but an enterprise may also
need a policy that references a data classification policy, because the policy in question may deal
with sensitive or critical information. Sensitivity, privacy, confidentiality and criticality of data have
been a continually growing concern as the decades have passed, so enterprise-wide policies have
been adopted to keep data at a level of privacy and security that matches the volatility of the data
being used, stored, and transmitted. The data classification policy does just that. Data classification
sets the legal, regulatory, and compliance requirements to ensure that the security controls and
protection levels assigned match the sensitivity, privacy, criticality and volatility of the data, whether
it is Top Secret, Secret, Confidential, For Official Use Only, or publicly viewable. Every piece of
data that falls under one of these categories should carry a classification tag, as a matter of good
sense, and the scheme should be applied to both unstructured and structured data within the
enterprise (Salido & Voon, 2010). In simplified form, most data governance bodies classify data by
its sensitivity and its impact on the business and attach a simple label to it.
It will be tagged as "Restricted", "Private Data", or "Public Data". Figure 2-1 gives a simple
matrix that visualizes the evaluation of data confidentiality, integrity, sensitivity, and the impact of
compromised data (Evans, Bond, & Bement, 2004).
[Figure 2-1]
As the figure shows, data tends to move toward the private classification as the impact of a
compromise rises to high. Additionally, specific laws should be identified and applied to any data
in the private, confidential, or restricted environments. The National Institute of Standards and
Technology (NIST) has published SP 800-60 Vol. II, which provides guidance and a classification
matrix for quickly identifying the security categories of particular types of information, and cites
the Presidential directives, executive orders, case law, statutes, and acts that back up data
classification decisions (Stine, et al., 2008).
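The evaluation that Figure 2-1 and FIPS 199 (Evans, Bond, & Bement, 2004) describe, rating the impact of a loss of confidentiality, integrity and availability and taking the highest of the three as the category, can be written down as a short program. The following Python example is added here for illustration; it is not from the capstone paper and not NIST tooling. The information types and their impact values are constructed for the example, and the mapping from confidentiality impact to the Restricted/Private/Public labels is an assumption of the example, not a rule from SP 800-60 Vol. II. It also shows the case raised earlier in this paper, several owners' information sharing one system, where each objective takes the strictest owner's requirement.

```python
"""Security categorization in the FIPS 199 style (high-water mark).

Added illustration for this paper; not NIST code. The information types,
impact values and the label mapping below are constructed assumptions.
Real values come from NIST SP 800-60 Vol. II and the information owner.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Tuple


class Impact(IntEnum):
    """Potential impact of a loss; ordered so that max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """Impact of losing each security objective for one information type or system."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def overall(self) -> Impact:
        """FIPS 199 high-water mark: the highest impact across the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def notation(self) -> str:
        """Render in the FIPS 199 form SC = {(confidentiality, X), (integrity, Y), ...}."""
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def system_category(info_types: Iterable[SecurityCategory],
                    system_name: str = "system") -> SecurityCategory:
    """Categorize a system hosting several information types.

    Each objective takes the maximum over every information type on the system,
    so the owner with the strictest requirement sets the bar for all of them.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must host at least one information type")
    return SecurityCategory(
        name=system_name,
        confidentiality=max(t.confidentiality for t in types),
        integrity=max(t.integrity for t in types),
        availability=max(t.availability for t in types),
    )


# Assumed mapping from confidentiality impact to the paper's three handling labels.
# It keys on confidentiality only, because public data (LOW confidentiality) can
# still carry HIGH integrity or availability impact, e.g. a public status page.
_LABELS = {Impact.LOW: "Public Data", Impact.MODERATE: "Private Data", Impact.HIGH: "Restricted"}


def classification_label(category: SecurityCategory) -> str:
    """Map a security category to the handling label stamped on the data."""
    return _LABELS[category.confidentiality]


# Constructed sample information types; impact values chosen for illustration only.
SAMPLE_INFORMATION_TYPES = [
    SecurityCategory("public web content", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
    SecurityCategory("employee payroll (PII)", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    SecurityCategory("patient records (e-PHI)", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
]


def categorize_all(info_types=SAMPLE_INFORMATION_TYPES) -> List[Tuple[str, str, str]]:
    """Return (name, label, overall impact) per information type, then for the shared system."""
    rows = [(t.name, classification_label(t), t.overall().name) for t in info_types]
    system = system_category(info_types, "shared application server")
    rows.append((system.name, classification_label(system), system.overall().name))
    return rows


if __name__ == "__main__":
    for name, label, overall in categorize_all():
        print(f"{name:28s} {label:13s} overall impact: {overall}")
```

Run stand-alone, the script prints one line per sample information type and a final line for the server that hosts all three; the server inherits HIGH overall impact and the Restricted label from the e-PHI it holds, even though two of its three tenants would individually be categorized lower.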
Data Governance & Legal, Regulatory and Forensic Compliance. Although most of this
section's discussion of standards, guidelines, procedures and methodologies has concerned the
privacy and security side of data governance, one key point running through it is that every policy,
and every procedure under a policy, has its own compliance mandates directing its function. Legal
considerations drive the way every policy is written. As shown in the classification policy,
directives, executive orders, federal acts, federal and state statutes, memoranda and case law all
drive the purpose, content, and compliance measures of every policy in an enterprise. NIST SP
800-60 Vol. II specifically lists numerous legal references that pertain to different types of
operationally driven policies, with standards, procedures and guidelines dictated by the policy to
be designed and implemented (Stine, et al., 2008). Legal, regulatory and forensic compliance are
all part of IT governance, and data governance complements IT governance. The two have been
compared to a water system: IT governance is the pipeline and data governance is the water in the
pipes. IT governance focuses on infrastructure performance objectives and on managing and
evaluating the risks associated with that infrastructure; data governance aligns the management of
the data with enterprise objectives, acts as an additional compliance support mechanism, and
manages the vulnerabilities, risks, and exploits specific to the data itself (Salido & Voon, 2010).
Conclusion
Data governance is another wide area of information frameworks, built on a system of
methodologies and architectures to protect data, ensure compliance in operation and support IT
governance. As seen throughout this section, data governance parallels the methodologies and
framework of IT governance, because IT governance works more holistically on the structural
infrastructure of the enterprise network but does not really look at how the data aligns with the
security and privacy concepts of operational infrastructures. Data governance takes up the slack
where IT governance trails off in security and privacy assurance; it closes the holes in data security,
data management and data compliance. As the pipeline adage goes, you need a pipeline in order to
have water, but you also need water in order to need a pipeline (Salido & Voon, 2010). Bottom
line: IT governance needs data governance and vice versa.
Section 3 – Network Security
Introduction
When someone is asked about network security, they think of what is normally associated
with running a computer on a network: some software on the computer that defends against viruses,
Trojans, worms, spyware, and other malware. They do not realize that applying patches and updates
is part of security, or that setting strong passwords according to policy, ensuring certain programs
are turned off or removed, and not letting others access their computers are all part of layered
network security, or its absence. Network security is all of these areas and a lot more. Network
security is the capability to control undesired intrusions into the network, unauthorized use of
network services, and damage to or exploitation of the distributed system within the enterprise
network. This includes watching for users who may be abusing the system, scanning for protocols
that are not properly configured, blocking attempts at unauthorized transmission, and responding to
incidents as they occur. The primary objectives of network security are to support the company's
mission objectives and goals, to ensure the company's digital resources are not misused, and to
ensure the distributed system maintains the CIA triad of confidentiality, integrity and availability
(Stewart, 2014). The sobering fact about networks today is that companies spend more time, money,
and effort protecting their resources than they spent setting up the system in the first place. The
threats facing most companies come from both external and internal sources, which calls for a more
layered response in the network realm. Of course, this was not always the case; a look back at
history shows what catapulted network security into its current framework of layered security.
Network Security History
Enterprise networks have not always had security, as part of their frameworks. In fact, it
wasn’t until the 1960’s that the term “Hacker” was actually coined, by two M.I.T. students.
Nothing pertaining to real security became apparent until the 1980’s. A group, known as the “414
Gang” was undergoing a nine day hacking spree to crack open, top secret sites, but were taken
down by the FBI. In 1986, Ian Murphy was the directly responsible for the initiation of the
“Computer Fraud and Abuse Act” when he decided to infiltrate Department of Defense computers.
After Ian Murphy was taken down, Robert Morris released the “Morris Worm’, which took down
over 600 computers on the Internet. This resulted in the federal government initiating the
Computer Emergency Response Team (CERT). Their primary responsibility was to alert users of
the Internet, of any security issues. By the 1990’s Internet use had exploded exponentially, with
approximately 950 million users cruising around the Internet. Along with this was an increase
in daily attacks occurring on individuals and enterprises alike. Estimates placed daily attacks at
around 225 attacks a day, which were causing many security breaches, monetary losses, and
damage to enterprise and individual resources. Therefore, security implementation had begun to
emerge (Daya, 2008).
Legal, Regulatory Compliance, and Integration of Network Policy
Since the history of network penetration became an apparent problem, many institutions,
organizations, enterprises, small businesses, and the government, all realized there was a legal and
regulatory need to apply punitive penalties, for penetrating network systems. Laws and other acts
began to emerge to deter the effects of cyber hacking. The Federal Information Security
Management Act (FISMA) is referred to as one of the major supporting references for any and all
procedures, guidelines, and standards pertaining to information and network security assurance
(Fischer, 2014). If a reader were to go to the National Institute of Standards and Technology and
pull up any of the special publications, the reader would see that almost every single special
publication is in accordance with the FISMA law. For this reason, policies and compliance with NIST
standards will trickle down into the implementation of policies, when designing and creating
networks, operations functions and objectives, life cycles, and retiring of network components.
Therefore, before writing any policy for network security, the designer must first address
the issue of regulatory compliance measures relating to the business or industry, which entails the
hardening and shoring up of the security, for a particular network. If it is banking, it will be
Gramm-Leach-Bliley, medical will be HIPAA, and any publicly traded company is SOX
(Avolio, 2007). These are the major acts that many companies must follow when researching the
policy design.
Once the appropriate federal, state, and municipal compliance standards have been
researched, the Root Network policy can be established. This compliance policy should integrate the
following areas: acceptable use of resources, password authentication practices and enforcement,
email transmission and encryption standards, proper web use, mobile computing with portable
storage under “Bring Your Own Device” (BYOD) standards, compliance with remote access
protocols, Internet-facing gateway configuration standards, wireless management access protocols,
and standards for server security operations that entail testing, development, production, and
enabled or disabled services. The network policy will also have all
the other usual factors, such as the scope of the policy, penalties for ignoring or breaking the rules,
who can enforce the policy, who is susceptible to the policy, and individuals or groups responsible
for the network policy (Avolio, 2007).
Most of the mechanisms within the network, which are part of the layered security approach,
will have certain elements applied to create a compliance perspective. The policy should be able
to be utilized as a standardization guide for installation of the hardware, for the configuration of the
hardware, as a mechanism to assist in troubleshooting problems, as a go-to source for detecting
changes and differences from the initial base-line, and a source for configuring consistent filtering,
packet monitoring, signature assessments, authorizations and authentications, auditing and
controls and any other configuration associated with security standards (Stewart, 2014).
Due Care and Diligence of Network
One of the things that an organization must continually monitor, throughout the life cycle
of the network, the daily operations of the network, and the proper disposal of aging network
components, is the liability associated with these concepts and practices. A company or enterprise
must enforce strong ethical behaviors, to ensure employees are following the ethics and mandated
laws, with which the company is obligated to follow. If an employee decides, or the company
decides to not behave ethically, by the mandates, regulatory requirements, and laws, this can create
immense liability for the enterprise. Liability often extends past normal legal and contractual
obligations if an employee acts unethically, outside the authorization of company policy
and required legal mandates. This can place massive monetary and financial burdens on the
company (Whitman & Mattord, 2010).
Therefore, due care and due diligence needs to be recognized and implemented, to ensure
employees follow the aspects of policy compliance and governance. Due care standardization is
achieved when an enterprise verifies that the employees know the acceptable behaviors and
unacceptable behavior, and are being held accountable to the standards, legal requirements and
consequences, when they are not within acceptable means. Due diligence complements the due
care concept, in that the enterprise is ultimately responsible to establish and maintain a concerted
effort, to protect those individuals and resources, which could be legally and financially wronged
by the enterprise. This diligence must be maintained at a performance and standards level, which
is continual and without deviation (Whitman & Mattord, 2010).
In ascertaining a certain level of security within the network, the enterprise may need to
use these concepts to achieve the desired objective and acceptable outcomes for the enterprise.
This way, if the enterprise has to commit to a legal defense, it can provide a legal account of
what it has done, to prove it has done what would be prudent for any other company
facing the same scenario. This is commonly known as the “standard of due care”. Due
diligence ensures that the implemented standards are maintained in good standing without
deviation, to meet the security objectives of data security and privacy. This is particularly significant
in areas where an enterprise or entity maintains data about their customers, like the medical
industry, stores like Target, Home Depot, and Amazon. It also applies to anyone handling
personally identifiable information (Whitman & Mattord, 2010).
Network Security Solutions
Security configuration solutions can be a useful tool for better comprehending component
makeup configurations in the IT network environment. Creating a security solution framework
for the network, will give all members a clearer base-line foundation of which security
management sectors should be considered, in addition to the security amenities and framework
architectures on which they will rely. Network security solutions will create guidance for
better understanding the relations between the network security services and the actual framework
architecture of the system. Solution patterns can also aid in the assessment of the overall scope of
various projects and the individual stages they may be in. This will help create a
more comprehensive understanding of external and internal dependencies, at higher levels
(Buecker, et al., 2011). By utilizing this functional solutions framework creation, the designer can
better adapt all aspects of the network, to create a network system capable of withstanding attacks,
in the long term.
There are two key reasons why network solutions are an integral part of creating a secure
and privacy related network. First, the “cost-benefit” of initiating and maintaining network
security has to outweigh the risk of not implementing network security at all. In many aspects,
this is just an absurd thought. Vulnerabilities, threats, and exploitations of network systems now
dictate that the cost of proper security protection will definitely outweigh the benefits of not having
security. Enterprises have too much vested in their assets, whether they are tangible or intangible.
Secondly, creating an environment, which maintains the concepts of confidentiality, integrity, and
availability (CIA) of the network system is paramount to the objectives, missions, and production
of a company, who uses a network system to function (Barker, et al., 2013).
Two other areas that parallel the solutions of network security are “change management”
and “configuration management”. These managerial fields are necessary for the proper
integrations of new technologies into the network, and how they can create the legal,
regulatory, and forensic standards needed, to provide oversight for the operational objectives of
network security. The purpose of the change management policy is to ensure the procedures and
standards are addressed and followed, when modifications need to be done to the network
infrastructure. This can be anything from new compliance regulatory legislation, updating new
and existing software and hardware, and implementing entirely new hardware or software.
Without the ability to properly monitor and control change management, a company might find
itself in a predicament, because the upgrades weren’t monitored in accordance with the monitoring and
control requirements mandated by law. On the other hand, a configuration management
policy makes sure the proper controls, standards and procedures, are in effect, to consider the
effects of change management, and verifies there is minimal impact on the system and surrounding
environment. Configuration management ensures the presence of baseline compliance measures,
for hardware and software, prior to any changes and maintains an accurate record of all changes
within that system, from cradle to grave (Whitman & Mattord, 2010). The configuration
management policy should also establish the type of configuration the network will be, describe
the control processes for the configuration, and also identify a schedule for configuring audits of
the network system. These can now be part of the layered defense strategy for which most network
systems must operate to align themselves with enterprise goals and objectives (Whitman &
Mattord, 2010).
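A small illustration of the baseline and change-record idea from the configuration management discussion above, added here as an example rather than code from the paper or its cited sources; the file paths, file contents and the change ticket number are constructed.

```python
"""Configuration baseline, scheduled audit and change record.

Added example (not from the paper or its sources): the approved baseline is
recorded as SHA-256 digests of each managed file, later snapshots are compared
against it, and every approved change is appended to a change log so the
record of the system is kept from the first baseline onward.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def digest(content: bytes) -> str:
    """SHA-256 of a file's content; the baseline stores digests, not the content."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each managed path to the digest of its current content."""
    return {path: digest(content) for path, content in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between the approved baseline and the current snapshot."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


@dataclass
class ChangeRecord:
    ticket: str          # change-management approval reference (constructed)
    path: str
    old_digest: str      # empty string when the file was not in the baseline before
    new_digest: str


@dataclass
class ConfigurationManager:
    baseline: Dict[str, str]
    history: List[ChangeRecord] = field(default_factory=list)

    def audit(self, files: Dict[str, bytes]) -> Dict[str, List[str]]:
        """Scheduled configuration audit: report anything differing from the baseline."""
        return compare(self.baseline, snapshot(files))

    def approve(self, ticket: str, path: str, new_content: bytes) -> None:
        """Fold an approved change into the baseline and keep the record of it."""
        new = digest(new_content)
        self.history.append(ChangeRecord(ticket, path, self.baseline.get(path, ""), new))
        self.baseline[path] = new


# Constructed sample: three managed configuration files at baseline time.
BASELINE_FILES = {
    "/etc/firewall/rules.conf": b"default deny\nallow tcp 443\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/ntp.conf": b"server ntp.example.internal\n",
}


def demo():
    cm = ConfigurationManager(snapshot(BASELINE_FILES))
    # Later snapshot: an edit to sshd_config with no ticket, and a file nobody baselined.
    later = dict(BASELINE_FILES)
    later["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    later["/etc/cron.d/unknown_job"] = b"0 2 * * * root /usr/local/bin/report\n"
    drift = cm.audit(later)
    # Once the sshd change is approved it stops showing as drift; the unknown file still does.
    cm.approve("CHG-0001", "/etc/ssh/sshd_config", later["/etc/ssh/sshd_config"])
    drift_after = cm.audit(later)
    return drift, drift_after, len(cm.history)


if __name__ == "__main__":
    print(demo())
```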
Layered Defense Strategy
Creating a workable and viable strategy, to ensure vulnerabilities, exploitations, brute force
attacks, distributed denials of service, phishing attacks and a menagerie of other black hat activities
do not occur, will take much more than expecting something like Microsoft Security Essentials
to cover the whole protective guardianship of your system. An enterprise network needs a layered
defense, to ensure a 360 degree security grid, can be established. Therefore, many layers will need
to be integrated together, to form an overlapping protection grid. This layered grid will have the
potential of having a “redundancy of process”. For example, a network might have two firewalls
in the communications line. If one fails, and opens all ports on failure, the second firewall will
quickly pick up the slack, until remediation efforts are established. This is only one small
component to the overall layering capability (Whitman & Mattord, 2010).
An enterprise, to be successful, should have multiple layers, to adequately create a
redundancy of protection, from perimeter, to the core of its operations. This will include the
policies and procedures, physical security, operations security, personnel security, communications
security, information security, and network security. These can be related to the more notable
managements of the network systems security. The overall layering capability can be termed
Defense-in-Depth (DiD) (Whitman & Mattord, 2010).
Defense in Depth
Defense-in-Depth is considered part of the layering effect. Defense in depth, is actually a
strategy, which is used by our military, when we were defending posts and air fields, in Viet Nam,
Cambodia, Korea, and most recently, the operations in Southwest Nausea (Iraq and Iran) and in
U-pick-a-Stan (Afghanistan, Kyrgyzstan, and Kazakhstan). By adding more layers of security, an
enterprise is actually building progressive blocks of protection, between the outside world, and the
inner workings of the company. This isn’t only the network itself. It is everything combined,
which protects the data, from the perimeter of the enterprise, to the core of the enterprise, or
business. As is seen above, defense-in-depth security is more of the management types of security.
Defense in depth looks more at the issue-specific and systems-specific aspects of security, to go
along with executive layered operational security. It is kind of like the argument of executive
policy versus operational policy. One gives basic guidelines, while the other is more in the realm
of issue and systems-specific guidance. This is where the overlapping layers will cover the
shortcomings of the other layers. If a system fails, there is another taking its place, until remediation is
conducted (Shamim & Fayyaz, 2014).
Defense in depth covers eight layers of protection. It looks at the policies and procedures,
like layered defense. Defense in depth also looks at physical security objectives, network and
perimeter security, hardware and software mechanisms, tools to monitor and log events, types of
security on host computers, session security during online and network activity, application
associated security that deals with PII, data encryption procedures, and data leakage defense
(Shamim & Fayyaz, 2014). When deciding how much security should be applied, an enterprise
needs to conduct a “risk assessment and evaluation”, to evaluate and assess the level of security
needed, dependent upon the sensitivity and criticalness of the data being secured. By addressing
each defense-in-depth area, we can see what will actually be involved in the actual defense
mechanisms, which make up the defense layer. It is easier to work from the external side of the
company and move inward, to peel away the layers. Therefore, we will start with the physical
security (Shamim & Fayyaz, 2014).
Physical Security. Working in this area of security, can amount to many different
scenarios, which apply to the success of the other security management concepts. Physical security
outlines three issue-specific driven areas. There are the environmental threats, technical threats,
and human related threats, which can break down barriers, to compromise security within an
enterprise. “Environmental threats” are comprised of tornadoes, hurricanes, earthquakes, ice
storms, blizzards, floods and lightning (Vacca, 2009). Under this guise, enterprises need to look
at risk management of a facility, and if the location is suitable for their business objectives and
mission needs. Inappropriate humidity and temperatures can also affect the way a network runs.
Too much humidity can damage components and heat can fry components. Another natural
occurring threat is fire. It can start inside a building from human error, electronic malfunctions,
or from the natural environment. The facility may also be subject to nuclear, chemical and
biological conditions. A prime example of this is the local school, which has a pretty impressive
network system (Vacca, 2009). Not 200 yards to the north is a highway, along which nuclear
and biological wastes are driven eastbound each and every day. This could subject the school
campus to contaminants, rendering it unsuitable for learning purposes, for quite a long time. Dust
and infestations are also contenders, of natural physical threats, to a network system.
Environmental and Physical Defense Strategies. There are a number of ways to shore
up physical security, so only authorized personnel are granted access to a secured facility. The
facility is usually structured to withstand the natural environmental elements. In some cases,
structures have been developed, out of reinforced concrete, and can be up to 30 feet thick.
Facilities have been placed on stilts, to mitigate flooding, and some facilities are underground to
mitigate nuclear, biological and chemical attack vectors. The windows may be bullet proofed,
smoked, or shielded, to prevent people from looking in. Some facilities are placed in areas, known
as “stand-off” locations. This gives the facilities visible space, so that no one can easily come up
next to the facility, without being noticed by some other physical security monitoring asset. Stand-
off perimeters can be as much as 300 meters from the facility, to the outer perimeter. The perimeter
fence is usually composed of 12-gauge, chain link fence, with outriggers and barbed wire. These
fences can have cameras along the perimeter and corners, which are all being monitored from the
security control room, somewhere within the facility. The perimeter can also be outfitted with
perimeter and area lighting and physical automated infrared and volumetric sensors, to pick up any
movement (D.A.V., 2015).
The perimeter will also have physical access controls, where there can be an entry control
point system, for both an individual and a vehicle. These are known as vehicle and personnel
traps. These locations are used for identifying the individual, and inspecting and searching the
vehicle, for potential threat items. The entry control will be manned with security personnel, who
may check the individual in via an authorization list, or by using single and dual badge
authentications. This might sound like it is a little extreme, but depending on the level of secrecy,
sensitivity, and volatility of information, this can all be present, and more (Whitman & Mattord,
2010).
This is just what it takes to get into the facility. Inside a facility, there are internal controls
monitoring personnel, including cameras, biometric and magnetic card readers for access, and
regular keys and locks to access other rooms. Some rooms may be set with magnetic locking
mechanisms or cipher locks, which only allow access to authorized personnel who know the
combination. For example, the main client-server room may have a trap door system and a biometric
door system on it. This means that the technician might have to scan his or her card, and then be
recognized by the security personnel viewing a camera in the trap area. The security personnel
will then allow the technician in, after the badge is verified against the control center, at the
second door. Protection measures might be installed to ensure fire doesn’t destroy the server room.
This could be a halon fire system, which sucks all the oxygen out of the room. This also limits
damage to the servers, in that it is not water (Weaver, Weaver, & Farwood, 2014).
Technical Related Threats. Technical threats tend to stem from electrical related
issues. For example, there is an immense amount of heat in the environment, making the
electrical lines hard pressed to deliver power. This can cause brown outs and black outs. The UPS
battery supply, is only able to sustain a network environment, for a limited time. Without a
generator as a redundancy, the battery backup is cooked in a matter of a couple of hours.
Electromagnetic interference from the sun and other sources can also wreak havoc on network
systems. EMPs can also cause a fair amount of disruption and damage. If the system is in an area
where sun visibility is strong, this can be expected and without shielding on transmissions lines,
there is no telling how safe a network can be.
Technical Defense Strategies. Dealing with the technical threats, brings in a different
pattern of physical and digital dynamics, to network security. However, one of the concepts, which
is the same, is identifying the threats, through the use of risk assessments. Technical defense
strategies incorporate the use of policies, legal and regulatory mandates, just like the physical
security aspects do, to adjust the security of the network and its security level. Each device in an
enterprise network, will most likely have some sort of security layer, which it is responsible for.
This is what provides the depth of security inside the actual network systems. When a transmission
is sent to the enterprise, whether it is a file, an email, a simple message, personal information, or
any other form of data, it has to go through a menagerie of pathways, to get to the recipient. This
is done using both hardware and applications software.
The message begins by connecting from the Internet, to either a firewall, or router. This
again, is dictated by the level of security needed for the particular organization, for which the data
is being sent to. It also depends on whether a firewall is within a router, or is a standalone
component, within the security pipeline. Typically, the first component that data will have to
navigate through, is the firewall. Firewalls process five different modes of information, when data
is streaming through them. The most common is hybrid, but firewalls can be set independently
to just monitor media access control (MAC) addresses, application gateways, circuit gateways and
packet filtering. A firewall can be set to packet-filtering mode, which monitors the signatures and
headers of individual packets, to ensure they are in compliance with firewall rules and are not in
violation of the mandated rules. A firewall can selectively filter the packet, based on header
information and decide whether it is acceptable for the destination address, if it is from the proper
source address, and if the packet is the proper size according to the header of the packet. If the
packet matches any restrictions, the firewall will toss the packet. Packet filtering firewalls also
present sublayers of stateful inspection, dynamic filtering and static filtering. In a nutshell, the
firewall is basically automated to recognize changes and adapt to potential threats as they may
occur (Whitman & Mattord, 2010). If a packet of data does comply with the standards and
configurations of the firewall, it will be sent on to the router. One other aspect of the firewall, is
its ability to create a demilitarized zone (DMZ), outside the purview of the internal network. The
DMZ will sit on a subnetwork and may even run on its own DNS server, to help resolve public
domains and IP addresses (Weaver, Weaver, & Farwood, 2014).
The router can be set with various access control list configurations, which will either
permit or deny packets, based on either source and destination address, the specified port of entry
and exit, or protocols based in the packet header. The router also controls the flow of traffic and
can be tweaked to only allow certain users access to sensitive network segments, in the enterprise
(Weaver, Weaver, & Farwood, 2014). Just behind the router and the firewall, is the intrusion
detection and prevention system.
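The packet-filtering and router ACL behaviour described in the two paragraphs above, worked through as an added example (not code from the paper or its cited sources): ordered permit/deny rules on header fields with a default deny, plus a state table that shows the difference between static filtering and stateful inspection. The addresses, ports and rules are constructed.

```python
"""Ordered packet filtering with a default deny and a simple state table.

Added example, not from the paper or its cited sources. Rules are evaluated
top-down on header fields only (source, destination, protocol, destination
port, claimed size); the first match wins and anything unmatched is tossed by
an explicit default deny. The state table records connections the inside
opened, so replies pass without a permissive inbound rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    size: int       # length claimed in the header, in bytes


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    max_size: Optional[int] = None  # packets claiming more than this do not match

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.max_size is None or p.size <= self.max_size))


class StatefulFilter:
    def __init__(self, rules: List[Rule], inside: str):
        self.rules = rules
        self.inside = ip_network(inside)
        # (inside addr, inside port, outside addr, outside port) of flows the inside opened
        self.state: Set[Tuple[str, int, str, int]] = set()

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet, updating the state table."""
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "permit", "established"   # reply to a flow the inside opened
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "permit" and ip_address(p.src) in self.inside:
                    self.state.add((p.src, p.sport, p.dst, p.dport))
                return rule.action, f"rule {i}"
        return "deny", "default deny"        # nothing matched: toss the packet


# Constructed ruleset: the DMZ web server may receive HTTPS from anywhere,
# inside hosts may open connections outward, and everything else is dropped.
RULES = [
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443, max_size=1500),
    Rule("permit", src="192.168.1.0/24", max_size=1500),
]


def run_demo() -> List[Tuple[str, str]]:
    fw = StatefulFilter(RULES, inside="192.168.1.0/24")
    packets = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, 600),    # HTTPS to DMZ web
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 22, 80),      # SSH to DMZ web
        Packet("192.168.1.20", "198.51.100.7", "tcp", 51000, 443, 500),    # inside opens HTTPS out
        Packet("198.51.100.7", "192.168.1.20", "tcp", 443, 51000, 1200),   # reply to that flow
        Packet("198.51.100.7", "192.168.1.30", "tcp", 443, 51000, 1200),   # unsolicited inbound
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40002, 443, 9000),   # oversized claim
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```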
The intrusion detection and prevention system (IDS/IPS) is like a burglar alarm for your
home. It will sound the alarm when an attack or malicious packets enter the network. The IDS/IPS
then gives you possible countermeasures, which can be taken to stop the attack. One advantage of
the IDS/IPS is that it can be automated to take care of the attack for you. Another is that the
IDS/IPS complements the firewall for prevention, and also works to detect attacks, or
intrusions. The IDS/IPS is actually three devices or applications in one. IDS/IPS will prevent,
detect and respond to any and all malicious activities, which may be trying to circumvent the
network system through properly configured means. The IDS/IPS will also log every event, which
does not match definitions and signatures of packets migrating on the network. Finally, by having
an IDS/IPS present, the enterprise is showing governance and due diligence, to abide by the legal
and regulatory mandates, as dictated by federal and state law (Weaver, Weaver, & Farwood, 2014).
The DNS Server is another area of the network, which can help in creating a hardened
approach to network security, or it can be a monumental headache, from various attack approaches.
The DNS server is prone to distributed denial of service attacks, cache poisoning style attacks,
man-in-the-middle attacks, spoofing, reflect style attacks, and advanced persistent threats. By
incorporating redundancy DNS servers as backups, and incorporating security aware DNS security
applications and add-ons, the DNS server is able to manage authoritative zone information,
manage the caching of domain names to IP addresses, and respond adequately to queries from
clientele. The security is now watching its resource records (RR), in the areas of signature (SIG)
resource records, encryption key (KEY) resource records, and nonexistent resource (NXT)
records. By monitoring the NXT RR and comparing the IP record to the server’s compiled list, it
can tell what packets are acceptable to process, and what to deny (Davidowicz, 1999). The
DNS server can be set to limit inbound packets, limit the actual number of packets from each user,
validate on recursive servers, use access control lists (ACLs), use tools like check-zone or IP
Access management to monitor error checking of traffic, monitor and control keyed
authentication, routinely audit users for misconfigurations and anomalies, and implement
ingress filtering on routers to mitigate spoofing (Davidowicz, 1999).
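Two of the DNS controls listed above, a recursion ACL and a per-client packet limit, as an added example that is not code from the paper or its cited sources; it is a simulated query gate rather than any real DNS server's configuration, and the zone name, address ranges and limits are constructed.

```python
"""Query gate in front of a DNS server: recursion ACL plus per-client rate limit.

Added example, not from the paper or its cited sources. Before the server does
any resolving work, each query is checked against the address list allowed to
recurse (queries for zones the server is authoritative for are answered to
anyone) and against a per-client token bucket, so one source cannot flood the
server or use it as a reflector. Refusals are counted per client for the log.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


class TokenBucket:
    """Allow `rate` queries per second, with bursts of up to `burst` queries."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill for the time elapsed since the last query, capped at the burst size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class QueryGate:
    def __init__(self, recursion_acl: List[str], authoritative_zones: List[str],
                 rate: float = 5.0, burst: int = 10):
        self.recursion_acl = [ip_network(n) for n in recursion_acl]
        self.zones = [z.lower() for z in authoritative_zones]
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}
        self.refused: Dict[str, int] = {}   # client -> number of refused queries

    def _authoritative_for(self, qname: str) -> bool:
        qname = qname.lower().rstrip(".")
        return any(qname == z or qname.endswith("." + z) for z in self.zones)

    def _refuse(self, client: str, reason: str) -> str:
        self.refused[client] = self.refused.get(client, 0) + 1
        return reason

    def decide(self, client: str, qname: str, now: float) -> str:
        """Return 'answer', 'refused-acl' or 'refused-rate' for one query."""
        if not self._authoritative_for(qname):
            # Recursion only for listed clients; an open resolver invites reflection abuse.
            if not any(ip_address(client) in net for net in self.recursion_acl):
                return self._refuse(client, "refused-acl")
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return self._refuse(client, "refused-rate")
        return "answer"


def demo() -> Tuple[str, str, str, int, int]:
    gate = QueryGate(recursion_acl=["192.168.0.0/16"],
                     authoritative_zones=["example.internal"])
    inside = gate.decide("192.168.1.5", "www.example.com", 0.0)           # recursion allowed
    outside = gate.decide("198.51.100.7", "www.example.com", 0.0)         # recursion refused
    own_zone = gate.decide("198.51.100.7", "mail.example.internal", 0.0)  # authoritative, answered
    # The same outside client then sends 30 queries within one second.
    burst = [gate.decide("198.51.100.7", "mail.example.internal", 1.0) for _ in range(30)]
    return inside, outside, own_zone, burst.count("answer"), gate.refused["198.51.100.7"]


if __name__ == "__main__":
    print(demo())
```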
Authentication and password security are another form of hardening of the network system.
The password security policy should dictate the structure of passwords, how long they may be
used before a new password is required, how they are safeguarded to prevent vulnerable
situations, and the auto-generated notifications that prompt users to change their password. Passwords
should be used for logging into the system, for remote access, in the screen saver applications, and
even on certain single files or folders. Creation of a password should require a minimum of 12
characters, with both upper and lower case letters, numeric values, and a special character or two. Along
with passwords, authentication and verifications procedures should be used. This can be a security
question, which only the user knows. It can also be dual authentication via text message to a
phone, or even a biometric finger print, eye scan, or palm scan (Weaver, Weaver, & Farwood,
2014). In some instances, like the military, a user now has to have their military common access
card (CAC), which must be inserted into a card reader. The user is then able to logon, and their CAC
card PIN is the secondary authorization. This author had an 8-digit PIN access number, which the
military required, in order for the card to be viable, for the login authentication process. In some
big enterprises, they may have a centralized server, which handles logon authentications. This
could be a Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access
Control System Plus (TACACS+), or even Kerberos. Kerberos creates a session encryption key for the user, for
the session they are conducting (Conklin, White, Williams, Davis, & Cothren, 2012).
Operating system patches and upgrades are another way to ensure a level of protection.
The Common Vulnerabilities and Exposures (CVE) website posts daily vulnerabilities, attacks and
exploits, which are occurring to network systems, on a daily basis. The (https://cve.mitre.org)
website provides hotfixes and patches for many of the network components, in order to shore up
enterprise networks (Mitre Corp., 2016). MITRE works hand in hand with the U.S. National
Vulnerability Database (NVD) website, to assist administrators and IT personnel in getting the
latest and greatest updates and patches for computers. NVD goes so far as to supply an automated
program called the security content validation automation tool, which aids in validating data streams
within the network (N.V.D., 2016). Besides the OS upgrades and patches, each individual host
computer, which is running on the network, should be equipped with some sort of endpoint anti-
virus protection. This complements the network IDS/IPS (NIDS/NIPS) in mitigating possible
malicious attacks, if they should occur. Host antivirus programs continue to monitor a system for
virus signatures and will automatically delete the file, zip file, or email, if the program
detects the malicious software on the host computer. Antivirus programs also automatically update
with the latest and greatest signatures to ensure zero-day vulnerabilities can be found and
dispatched (Conklin, White, Williams, Davis, & Cothren, 2012).
Auditing and logging is yet another layer for the administrators and IT personnel, who are
protecting the network. Audits can be conducted on databases and when personnel logon and
logoff of the system. The audit will create a log of all events, which may need to be closed. An
audit log can be created by a host operating system, a server, an IDPS, or routers, just to name a
few. The purpose of the log is to let the systems personnel know what is going on at any given
moment, and can also assist in rectifying possible vulnerabilities and real-time attack vectors
(Conklin, White, Williams, Davis, & Cothren, 2012). Logs can also be valuable in showing high
capacity times of the system.
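What a review of logon and logoff audit records can surface, as an added example that is not code from the paper or its cited sources: the log lines, their key=value format, the host name and the user and address values are all constructed.

```python
"""Audit-log review: busiest hour, failed-logon bursts and sessions left open.

Added example, not from the paper or its cited sources. The constructed log
lines below are parsed into events; the three checks then show when the system
is busiest (its high-capacity time), which user/source pair piled up failed
logons in a short window, and which successful logons were never closed by a
logoff and so still need to be looked at.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample audit log, in time order.
LOG_LINES = """\
2016-11-06T08:02:11 fileserver auth: event=LOGON user=alice src=192.168.1.20 result=SUCCESS
2016-11-06T08:05:40 fileserver auth: event=LOGON user=bob src=192.168.1.31 result=SUCCESS
2016-11-06T08:17:03 fileserver auth: event=LOGOFF user=bob src=192.168.1.31 result=SUCCESS
2016-11-06T09:10:22 fileserver auth: event=LOGON user=carol src=198.51.100.7 result=FAILURE
2016-11-06T09:10:25 fileserver auth: event=LOGON user=carol src=198.51.100.7 result=FAILURE
2016-11-06T09:10:29 fileserver auth: event=LOGON user=carol src=198.51.100.7 result=FAILURE
2016-11-06T09:10:33 fileserver auth: event=LOGON user=carol src=198.51.100.7 result=FAILURE
2016-11-06T09:10:37 fileserver auth: event=LOGON user=carol src=198.51.100.7 result=FAILURE
2016-11-06T09:12:00 fileserver auth: event=LOGON user=dave src=192.168.1.44 result=SUCCESS
2016-11-06T17:30:00 fileserver auth: event=LOGOFF user=alice src=192.168.1.20 result=SUCCESS
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: event=(?P<event>LOGON|LOGOFF) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn matching lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def busiest_hour(events: List[dict]) -> Tuple[str, int]:
    """Hour (YYYY-MM-DDTHH) with the most audit events: the system's high-capacity time."""
    hour, count = Counter(e["ts"][:13] for e in events).most_common(1)[0]
    return hour, count


def failed_logon_bursts(events: List[dict], threshold: int = 5,
                        window_s: int = 60) -> List[Tuple[str, str, int]]:
    """(user, src, count) pairs with at least `threshold` failures inside `window_s` seconds."""
    times = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON" and e["result"] == "FAILURE":
            times[(e["user"], e["src"])].append(e["time"])
    flagged = []
    for (user, src), ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i in range(len(ts)):             # sliding window over sorted timestamps
            while ts[i] - ts[j] > timedelta(seconds=window_s):
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged.append((user, src, best))
    return flagged


def open_sessions(events: List[dict]) -> List[str]:
    """Users with a successful LOGON that has no later LOGOFF: sessions still to be closed."""
    active = set()
    for e in events:                          # events are in log (time) order
        if e["event"] == "LOGON" and e["result"] == "SUCCESS":
            active.add(e["user"])
        elif e["event"] == "LOGOFF":
            active.discard(e["user"])
    return sorted(active)


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print(busiest_hour(evs))
    print(failed_logon_bursts(evs))
    print(open_sessions(evs))
```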
Human Related Threats. Human related physical threats top the list of physical security
threats. When an individual gets the chance to be nosey, policies just seem to go straight out the
window. They may want to put their own software on systems, listen to music on the systems,
find a door open to a place they shouldn’t be in, use their own disks and other media for transport,
and a myriad of other unacceptable behaviors. Then we get the disgruntled worker, who has not
been removed from the system. They can remote access in and cause all sorts of havoc to the system
by elevating privileges and permissions, stealing files, or damaging files to spite someone.
Therefore, physical security needs strategies to mitigate these areas of vulnerability and threat. This
is where physical security mechanisms can be implemented.
Human Related Defense Strategies. Humans can be the greatest risk and threat, to any
enterprise network system. The reason for this is that what people do and what they create, is
forever changing. There is no constant in this equation, to create a baseline summary to go by.
However, legal, regulatory, and forensic compliance measures have been mandated to ensure
people abide by the rules, standards and procedures, by every company or enterprise, who is
engaging in business and production of some form. This is where the policies, legal and regulatory
requirements, standards, procedures and guidelines really take hold. The primary policy of choice,
is the “Acceptable Use” policy. The acceptable use policy will be designed in relation to the
enterprise, business, or entity business function. For example, if the business deals with protecting
the security and privacy of HIPAA information, there will be many parameters describing how a
patient’s information can be handled, stored, and even how data retention must be dealt with. Data
retention is huge in the medical industry and must be contended with, utilizing every protective
measure possible. This means data retention may even be part of the HIPAA acceptable use
policy, or be referred to as a separate policy.
Many acceptable use policies (AUP) lay out a format, which covers general use and
ownership, responsibility of security and proprietary data, activities that are acceptable and
unacceptable on the network, email and communications practices, using the network system for
personal use, blogging, bring your own device, remote access requirements, using wireless devices,
reporting incidents, legal ramifications, public relations, assisting in forensic investigations,
responsibilities during audits, and any other issue-specific security requirement, which might deal
with the individual company. The key point of the AUP is that it must comply with legal, federal
and state law mandates, stand up in court if challenged, contribute to the objectives and
achievements of the enterprise and involve end users throughout the whole network systems
process (Yang, 2005).
In addition to the acceptable use policy, the enterprise should have a continual training
program for all aspects of the network and information. No matter how many books an individual
looks at, there will always be a sentence which says that the best practice for alleviating problematic
areas is avid training and awareness on a continual basis. Interestingly, training and
awareness of computer and network operations is mandated, in many respects, by federal law. In
fact, requirement mandates are listed in HIPAA, FISMA, GLBA, PCI-DSS, FACTA, and various
state laws, which require any personnel interacting with computer networks to have an acceptable
use training and awareness class conducted before accessing terminal resources (Solove, 2013).
The bottom line is that most enterprises and companies now know that the human element can be the most
dangerous factor in computer safety, security and privacy.
Conclusion
In this section, we reviewed the legalistic approaches to network security, what is
involved in network security, and the ultimate outcome if network-associated security policies are
not followed to the letter when dealing with network security: problematic areas begin to emerge.
By using network best practices and ensuring policies are attached to every aspect of network
security, an enterprise should be able to maintain a streamlined environment.
Section 4 – Asset Security Management
Introduction
Every enterprise has resources which it has purchased to start up and operate its
business ventures. In the cyber world, it has purchased mainframes, telecommunications to
transport digital and voice media, endpoint hosts (desktops, laptops, tablets), media cabling like
fiber optics and Ethernet cabling, software and assorted mainframe components. These resources
aren’t only in the cyber world. There is office equipment, entire buildings and various structures,
planes, cars, delivery trucks, warehouses, and many more physical entities which a company
considers its resources. Even people can be considered a resource. Given their technological
backgrounds and know-how, they may be a very important part of the company’s or enterprise’s
objectives, business requirements, and accomplishments. As can be seen, these three fields make up
all of the company’s assets: there are physical assets, digital assets and personnel assets. Each of
these assets must have legal, regulatory, and investigative approaches applied, depending on the
function and the usage of the asset. The purpose of these requirements is to ensure the assets are
not damaged, which would cost the business, enterprise, or company undue expense within
its daily objectives and operations. Thus, relevant material will need to be addressed within this
section to show a pattern for proper usage. There are a few areas which can be applied to
asset security management (ASM). Areas which can be looked at in relation to ASM include
vulnerability assessment and management, security risk management, security compliance, and
disaster awareness and recovery. In some of these areas, information may be drilled down upon
to reveal more areas which are needed as part of asset security management. By constructing
an architecture and methodology for ASM, we can begin to create a visual expectation of how to
address and process the actual asset management field.
Asset Management
Asset management is the management area which looks into the respective areas of
Vulnerability Management, Risk Management, Disaster Recovery, Information Assurance,
Information Security, Security Compliance, and many other forms of management, to set
enterprise practices in motion which combine the financial, contractual, and inventory aspects
and roles of business. These functions create a life support mechanism for the entire life cycle
management process, which then creates a strategic decision-making environment for the
information technology environment (Mohan, 2013). In layman’s terms, it means that it takes
financial capital to buy the resources for the company, which will then have a life expectancy.
Asset security management provides the IT personnel with the tools and procedures to develop
complete transparency into their network, architectural, and framework inventories. This aids
them in creating an in-depth understanding of existing equipment and systems, the geographical
locations of their equipment, what functions the equipment, personnel and digital resources are
performing, the cost of using the resource, the actual dates the equipment was brought into service
and whether it has a life expectancy and expiration time, and how the resource impacts the productivity
and objectives of the enterprise. By having this ideology in action, an enterprise is capable of improving
its infrastructure, performance, and proficiency (Mohan, 2013). In order to have the
ideology or methodology, a company must look at some key areas. These areas include asset
discovery, data capture and storage, asset tracking, asset life cycle management, and asset
reporting and alerting, which tracks warranties and system expirations.
Asset security management should also entail risk compliance measures associated with
and designated by legal, federal and regulatory mandates, as described in many different
guidelines like COBIT, COBRA, NIST, and federal regulations. Sarbanes-Oxley (SOX) and the
Gramm-Leach-Bliley Act (GLBA) set the precedent for legal compliance of asset management,
because it surrounds the very aspect of financial management of every enterprise, and
many enterprises are publicly traded for doing daily business operations. Thus, these areas can
be properly assessed by creating risk and vulnerability assessment methodologies.
Risk Identification
Identifying the legal risks which apply to a particular company can result in a massive pile
of research for the risk analyst. One risk identification and assessment design scope does not
fit all businesses and mission-oriented objectives. This is why many federal, state and municipal
laws have been enacted to regulate disaster and recovery, building practices, emergency response
to incidents, and response planning. These legal mandates define the measures for private and
government liability, which aid in processing disaster recovery scenarios and incidents. They lay
out the established rules of civil and criminal law for potentially immediate or current risk
incidents and the recovery of operations in the aftermath (Council of E-Commerce Consultants,
2011). These acts are applied to ensure the security and privacy of vital records, security level
prioritization requirements, mandated risk reduction and mediation procedures and guidelines, life
preservation and safety, liability of the company in incidents of loss and damage to property,
personnel, or financial loss, business continuity, and contingency planning.
These laws are anything from Sarbanes-Oxley, Gramm-Leach-Bliley, Foreign Corrupt
Practices, Anti-bribery Provisions, the Health Information Portability and Accountability Act, the
Federal Modernization Act, the Flood Protection Act, the Disaster Relief and Emergency
Assistance Act, the Computer Security Act, the Computer Fraud and Abuse Act, and the list
proceeds on with executive orders and other legal requirements as well. Business and enterprise
laws create a substantial backbone for enterprise compliance with asset security management. Not
only does the United States have a behemoth of legal acts, doctrines, and executive orders for
security asset management, but both Europe and Canada also have quantifiable lists of legal
mandates and requirements for procedural and regulatory compliance for asset security
management. No matter where an enterprise is doing business, it must follow the established legal
and regulatory laws of that particular country. Therefore, risk identification must follow the
outlines of legal mandates.
Risk Methodology
Implementing a risk methodology framework requires incorporating a six-tier strategy for
addressing and mitigating risk. The first tier of the risk methodology is to “identify” all the risks
that an organization faces which could affect normal business objectives and operations.
Another way of thinking about this was described in a class dissertation by Professor Gary
Lieberman. He placed it in layman’s terms as, “What would you grab first, if you had only three
seconds, before a fire consumed your house?” (Lieberman, 2016). Basically, when identifying the
assets, the analyst team should figure out which assets are the most expensive, valuable and sensitive,
and whose loss would cause the most damage. The second tier goes along with risk identification. As soon as
the team has analyzed what is important, an “assessment” of value, cost of damage, sensitivity,
and impact to the business and operation as a whole should be conducted. This accomplishment
will drive the next tier in specifying the “priority” of each asset. These prioritizations will drive
and aid the assessment portion in establishing categories of control methods in relation to the
criticality and sensitivity of assets. The fourth tier looks into the actual “risk analysis” to define
the sources which could create each of the identified risks. This should involve taking a look at
all the possible threat sources and factors which may create a pathway for risk development
towards the assets. The fifth tier emphasizes the establishment of defensive “strategies” which
can be implemented to mitigate, avert, transfer, and accept possible risks to enterprise assets. Once
defense strategies are developed, they will define the sixth tier, which involves “implementing”
the actual strategies to mitigate, avert, transfer, or lessen the footprint to an acceptable level.
Given these methodologies of risk, we can now incorporate the actual risk assessment and
implement the required steps for an actual risk assessment (Council of E-Commerce Consultants,
2011).
Risk Assessment
Most companies have risk assessments done due to having a great loss potential, either in
financial-related assets or in sensitive and critical data assets. By conducting risk assessments, the
enterprise creates a living program of safety, security, privacy and progressive returns in business
ventures and objectives. It also mandates a standard of due diligence and due care in policy
structure and commitment. The risk assessment utilizes a nine-stage strategy for gathering and
applying the six-tiered strategy mentioned earlier.
Stage-1 / System Categorization: Each area needs to be categorized in order to identify
the circumstances in which it operates and the risks each category is susceptible to. This includes
software, hardware, network components, users, sensitivity and criticality, the objectives of the
system, interface mechanisms, and associated peripheral equipment. Besides the actual
components, the team may want to pull up old maintenance records, policies for the system,
manuals, security incident archives, automated scanning logs, baseline designs and environmental
design schematics. Policies should be checked continually, as the enterprise is forever changing
and this could place employees and practices in jeopardy when facing audit examinations.
Stage-2 / Threat Identification: The team is now ready to identify different threats and
threat sources. This is basically anything which could be presumed to be a potential incident or
threat with the potential for harming the data or the system. A big source is human related.
It can be anything from false data entry, deletion of data, inadvertent mistakes, impersonation,
eavesdropping, user fraud and abuse, sabotage, theft, espionage, shoulder surfing, or vandalism.
There can also be technical threats such as password cracking, sniffing and scanning attempts,
data contamination, spam mail, viruses and malicious code, hijacking a session, distributed
denial of service (DDoS) attacks, and system failures. These are clearly cases of company
policies not being complied with (Council of E-Commerce Consultants, 2011).
Stage-3 / Identify Vulnerabilities: Now that all possible threat agents have been
discovered, the team will want to check for any weaknesses in the operations or systems which
could lead to exploitation. If a system is not fully developed yet, the concentration area should
focus more on policy and procedural security-related standards, mandates, and organizational
system definitions and methods which are required to expand security features in implementation.
Vulnerability assessments can be processed by using automated scanning, security testing, and
penetration testing applications. During vulnerability testing, security requirement checklists need to be
developed and implemented to verify that the stipulated security requirements are being met by current
and future security controls.
Stage-4 / Analyzing Controls: Controls should be analyzed to ensure the reduction of
threats. There are technical, non-technical, preventative and detective controls which safeguard,
manage, and reduce attempts to violate policy, and alert the IT personnel when violations occur.
These controls include authentication standards, identification standards, encryption standards,
IDS/IPS requirements, environmental security, security policies, access control enforcement,
checksums, audit trails, and other procedural controls (Council of E-Commerce Consultants,
2011).
Stage-5 / Likelihood Determination: Determining the likelihood that something will
occur is based on a few factors: the capability and motivation of the threat source, what
vulnerability is exposed or how weak it might be, and the ability of the current control to be effective,
or whether it even exists (Council of E-Commerce Consultants, 2011).
Stage-6 / The Impact Analysis: This examination determines the overall impact that a threat will
have on a system or data. Certain factors play a key role in calculating the outcome of an impact
analysis. These factors include the system and mission objectives, and system and data sensitivity and
criticality. These impact examinations are also based on hard dollar savings (quantitative), which
analyze the impact’s overall cost magnitude, and soft dollar savings (qualitative), which analyze
or examine how many risks are involved within a system, or component of the system. Figure 4-1
is a spreadsheet which demonstrates what can constitute a high, medium, or low impact (Council
of E-Commerce Consultants, 2011).
Figure 4-1: spreadsheet of high, medium, and low impact criteria (Council of E-Commerce Consultants, 2011)
Stage-7 / Determining Risk: Determining the amount of risk is a crucial part of the risk
assessment and is based upon tangible and intangible dynamics. The analysts will want to examine
probability of occurrence, actual physical damage to the system, perceived damage to customer
relations and reputation, and what control measures can be used to mitigate the risk incident. This
should also be weighed against cost-benefit analysis assessments and additional resource
requirements (Council of E-Commerce Consultants, 2011). The National Institute of Standards and
Technology, the Common Vulnerabilities and Exploits web site, and the National Vulnerability
Database all have tools to estimate risk determinations (Mitre Corp., 2016) (N.V.D., 2016).
Stage-8 / Threat Control Recommendations: This stage is the whole purpose for
conducting a risk assessment in the first place. Once an assessment is completed, the risk teams
will implement suggestions and recommendations for control implementations for the systems,
components, and policies and procedures, based on their findings of likelihood of attack, overall
impact, and sensitivity and criticality of the asset to the business objectives. All controls should be
compatible with enterprise policies and standards, meet the cost-benefit ratio, and maintain
integrity with regard to personal and company safety.
Stage-9 / Documentation: The key to any risk assessment is ensuring that every
step has been properly documented. The documentation should overlap so as
to support the main objectives of the assessment. The documentation should include decisions on
policies, procedures, any change management conducted, and operational and system management
changes.
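The following is an added worked example, not part of this paper or of the Council of E-Commerce Consultants framework it cites. It carries Stages 5 through 7 through in code: the three likelihood factors of Stage-5 are combined into a likelihood level, the sensitivity and criticality of Stage-6 give a qualitative impact level, and a 3x3 matrix turns the pair into the Stage-7 risk level, which then orders the register for the Stage-8 recommendations. The three-level scales, the scoring thresholds, the matrix, and the sample asset register are constructed assumptions for illustration, not values from the paper.

```python
"""Qualitative risk rating for the nine-stage assessment (added example).

The scoring thresholds, the 3x3 risk matrix and the sample register below are
constructed assumptions; they are not the paper's or the cited framework's values.
"""
from dataclasses import dataclass
from typing import Dict, List

# Three-level scale shared by every factor (assumed).
LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Scenario:
    asset: str
    threat: str
    threat_capability: str       # Stage-5: capability and motivation of the threat source
    vulnerability_exposure: str  # Stage-5: how exposed or weak the vulnerability is
    control_effectiveness: str   # Stage-5: how effective the current control is
    sensitivity: str             # Stage-6: sensitivity of the system or data
    criticality: str             # Stage-6: criticality to the mission objectives


def likelihood(s: Scenario) -> str:
    """Stage-5: a capable threat, an exposed weakness and a weak control each raise
    the score; a strong control lowers it, so its level is inverted. Scores run 3..9."""
    score = (LEVEL[s.threat_capability]
             + LEVEL[s.vulnerability_exposure]
             + (4 - LEVEL[s.control_effectiveness]))
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def impact(s: Scenario) -> str:
    """Stage-6 (qualitative): the higher of sensitivity and criticality drives impact."""
    return max((s.sensitivity, s.criticality), key=lambda lvl: LEVEL[lvl])


def risk_level(likelihood_lvl: str, impact_lvl: str) -> str:
    """Stage-7: constructed 3x3 matrix on the product of the two levels (1..9)."""
    product = LEVEL[likelihood_lvl] * LEVEL[impact_lvl]
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def assess(register: List[Scenario]) -> List[dict]:
    """Rate every scenario and order the register highest risk first, which is the
    order in which Stage-8 control recommendations would be written."""
    rows = []
    for s in register:
        lk, im = likelihood(s), impact(s)
        rows.append({"asset": s.asset, "threat": s.threat,
                     "likelihood": lk, "impact": im, "risk": risk_level(lk, im)})
    rows.sort(key=lambda r: (LEVEL[r["risk"]], LEVEL[r["likelihood"]], LEVEL[r["impact"]]),
              reverse=True)
    return rows


# Constructed sample register (hypothetical assets and threats).
REGISTER = [
    Scenario("patient records database", "credential theft via phishing",
             threat_capability="high", vulnerability_exposure="medium",
             control_effectiveness="low", sensitivity="high", criticality="high"),
    Scenario("public brochure web site", "defacement",
             threat_capability="medium", vulnerability_exposure="medium",
             control_effectiveness="medium", sensitivity="low", criticality="low"),
    Scenario("payroll file server", "insider deletion of data",
             threat_capability="medium", vulnerability_exposure="low",
             control_effectiveness="high", sensitivity="high", criticality="medium"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f'{row["risk"]:6} {row["likelihood"]:6} {row["impact"]:6} '
              f'{row["asset"]} / {row["threat"]}')
```

Because the control-effectiveness level is inverted, a strong existing control drives the likelihood down even when the threat source is capable, which is exactly the Stage-4 reasoning: the control analysis feeds the likelihood, and the likelihood feeds the risk determination.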
Stereotypical Risks
When applying legal, regulatory and investigative requirements to policies for asset
management, they need to be tested for efficiency of compliance. In some instances, like HIPAA,
a yearly inspection and certification must be conducted to ensure compliance with HIPAA laws
(Gibson, 2015). The most notable risk to policies, regulatory requirements and investigative
compliance is the ability of personnel to follow the compliance measures to an exact manifesto
of responsibility. The primary purpose of policy is to exact an ethical and acceptable behavioral
response from people working on and in systems throughout the world. Almost every law, legal
document, executive order, Act and statute created is in response to someone committing some
sort of mayhem on a computer network or system. Could we say that we are definitely stereotyping
the human race? We could be, but that doesn’t erase the obvious. The human factor is going to
be a very typical risk in the factorization of conducting a risk assessment. This is why every
business out there has the immortal and highly living “Acceptable Use Policy” (AUP) for when
an employee starts a job in the business. They must first read the AUP and learn all the “can dos”
and “don’t even think of it” nomenclature, which specifically dictates the rules of ethical and
acceptable behavior. Unfortunately, we know there is risk with every new hire, and they will “bend
the rules” on occasion while hoping that no one will be watching. Below is a list of common
risks which the human factor normally inflicts upon a network system, and which may or will be in
violation of computer and network operations (SANS Staff, 2014).
1. The Limp-Biscuit Password – Employees find it accommodating to make passwords
which they can easily remember, like “P@$$w0rd”, password 1234, 12345678, or their
pet’s name, kids’ names, or wife’s or husband’s name.
a. Safeguards – These are all easily breakable and do not comply with the normal standards
of password policies in a normal AUP. To formally mandate an acceptable
password, the AUP should state that the password must be at least
a minimum of 12 alphanumeric characters, with one or two capitalized letters, a wing ding
(special character), and numbers throughout. The passwords will be allowed to be used for up to ninety
days and must be changed out after the expiration period. All passwords should be
automated in the system to expire and force the user to create a new password after the
ninety-day limit. This should be specifically addressed in all AUPs (Barker, et
al., 2013). Passwords must never be written down and stuck to the computer
for everyone to see. Finally, anyone who believes their password has been
compromised should report it to the IT administration as quickly as possible.
2. But I Have a Second Business! – Many employees think that the enterprise business
computer is their own personal computer. Therefore, they believe they can use the system
computer for their own personal gain and may even run a second business on the
company’s time and resources. This is considered abuse of company resources and can
lead to a number of punitive actions. The worst offenders, believe it or not, are higher
echelon employees. Two personal instances revealed a Chief City Clerk and a school
Superintendent running personal businesses on state and municipal systems.
a. Safeguards – Situations like this occur when a weak acceptable use policy isn’t
enforced from the top down. In both instances, it was the upper echelon ignoring their
own policies, and they were caught by higher or non-connected sources. Emails,
applications and, in one case, enterprise funds were used as if they were the individual’s own.
This is where stiffer compliance with the policies needed to be addressed from the top
down. Automated logging and monitoring controls should have been established.
Privileges and permissions were not monitored and should have been. In
the case of the Superintendent, the whistle was blown and she ended up losing her
position. The same was the case for the city employee. The punitive results should
also have been enforced from the very start to deter business use in a personal fashion.
This includes not allowing personal emails or personal installation of applications, and
stringent acceptable use compliance from everyone involved.
3. What’s That Doing in My E-Mails? – All too often people like to send emails with jokes,
pornographic material, as SPAM, as chain letters, or with embedded viruses and other
malicious components. Unfortunately, many users are not well versed in what to look for
prior to opening an email.
a. Safeguards – The smartest approach to email procedures, in the acceptable use policy
realm, is educating users and making them aware of these types of emails. They should
be expressly told in the AUP what is acceptable for attachments, that email is subject
to monitoring, who may use the email system, and what can get their email account
temporarily locked. Email accounts should never be allowed to synchronize personal
email accounts like Hotmail, Gmail and Outlook into business accounts. Emails cannot
be generated for non-business personal purposes. Emails should have disclaimers on
them if they are sent to non-business email addresses. There are many safeguards which
can be applied to the email category alone. The biggest safeguard is ensuring that all
personnel are all-in with the email policy. If emails are sensitive, they need to have some
form of encryption placed on them prior to transport. Punitive actions should also be
plainly described, if someone participates in any of these acts (SANS Institute, 2014).
4. It’s Only a Thumb Drive – All too often, personal data storage devices are brought to
work with work that was done at home, and employees also think it is all right to load a
movie, a game, or some music on them to play on the computers at the office. Little do they
realize that the game, music, or file they just brought from home carries the next zero-day
virus on it, which has now infected the office computer when they plugged that little thumb
drive in. Transference of malware can come in the simplest forms. Music is the number
one carrier of most embedded malware infections.
a. Safeguards – Many companies are now realizing that people are bringing their
own personal computer devices and storage media from home. Thus, another
paragraph needs to be added to the all-important AUP, which defines the limitations
of “bring your own device” (BYOD) to work. If it is not company purchased and
specifically designated for company systems, it will not touch, or be inserted into,
system components. Smart phones will not be plugged into computers to listen to
music, play games, do personal business, or conduct phone patching conversations.
USB drives, smart phones, expansion drives, or any storage media which is not
specifically enterprise purchased is not allowed to be connected to enterprise
system networks or endpoint host workstations. Business-related assets are not
allowed to be inserted into any non-business components for media transfer (SANS
Institute, 2014).
5. Encryption? I’m Secretary Clinton! – Data security and privacy are becoming as
valuable as gold. Unfortunately, there are people out there, like Secretary Hillary Clinton,
who pay no attention to the importance of encryption for emails. Maybe it is due to their
positions. The fact of the matter is that data and other information need to be protected if
being transmitted over open systems interconnect (OSI) media. All media becomes open
text format when it is in transit. This is not acceptable when the data is sensitive, secret,
or personally identifiable information (PII).
a. Safeguards – There are many laws, executive orders and guidelines stipulating the
mandates and requirements for sending emails with sensitive and critical data. Thus,
emails designated as “For Official Use Only”, “In Office Use Only”, “Secret”,
“Classified”, “Confidential”, “electronic patient health information”, or personally
identifiable information should be marked accordingly in the header of the email.
The email has to be encrypted using any small office / home office (SOHO) or
enterprise security software solution. This is mandated under the HITECH Act,
Federal Information Processing Standard (FIPS 140-2), the American Recovery and
Reinvestment Act (ARRA) and the Health Information Portability and Accountability
Act (HIPAA), and procedurally clarified by NIST SP 800-57 Part 1 Rev. 4 (Barker
E., 2016). All emails will be encrypted with MD5, SHA-1, SHA-2, SHA-256,
AES, TDEA, or any other block cipher algorithms which are acceptable under
industry standards. All Outlook and other mail programs should be set to
automatically generate encryption any time personnel send messages through an
enterprise network. Personnel suspected of tampering with or modifying
encryption standards will be subject to punitive and criminal actions upon
discovery (Merkow & Breithaupt, 2014).
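Item 1 above states password rules an AUP should carry (at least 12 alphanumeric characters, capital letters, a special character, numbers, a ninety-day rotation, and none of the easily guessed values it lists). The following is an added example, not code from this paper, SANS, or Barker et al., that turns those rules into an automated check of the kind the text says the system should enforce. It also goes one step beyond the stated rules: it normalises common letter substitutions so that a value such as “P@$$w0rd” is recognised as the word “password” rather than passing on complexity alone. The blocklist, the weak-word list, the substitution table, and the sample dates are constructed assumptions.

```python
"""AUP password policy check (added example; thresholds taken from item 1 above,
blocklist, weak-word table and substitution map are constructed assumptions)."""
import string
from datetime import date

MIN_LENGTH = 12      # "at least a minimum of 12 alpha-numeric digits" (stated above)
MAX_AGE_DAYS = 90    # ninety-day rotation (stated above)

# Weak values named in item 1 above, plus constructed look-alikes.
BLOCKLIST = {"p@$$w0rd", "password", "password1234", "12345678", "1234"}
# Constructed: dictionary roots to look for after leetspeak normalisation.
WEAK_ROOTS = ("password", "welcome", "letmein", "qwerty")
# Constructed substitution map: @->a, $->s, 0->o, 1->i, 3->e, 4->a, !->i
_LEET = str.maketrans("@$0134!", "asoieai")


def check_password(candidate: str, personal_names=()) -> list:
    """Return the list of policy violations; an empty list means the password complies.

    personal_names is an optional list of names (pet, children, spouse) that the
    AUP says must not appear in the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")

    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        problems.append("on the weak-password blocklist")

    # Undo common substitutions so complexity rules alone cannot be gamed.
    normalised = lowered.translate(_LEET)
    for root in WEAK_ROOTS:
        if root in normalised:
            problems.append(f"built on the weak word '{root}'")
            break

    for name in personal_names:
        if name and name.lower() in lowered:
            problems.append(f"contains the personal name '{name}'")
    return problems


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days left before the ninety-day limit; negative once the password has expired."""
    return MAX_AGE_DAYS - (today - last_changed).days


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the ninety-day limit and must be changed."""
    return days_until_expiry(last_changed, today) < 0


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@$$w0rd", "Tr0ub4dour&Horse!", "fluffy2016"):
        print(pw, "->", check_password(pw, personal_names=["Fluffy"]) or "compliant")
    print("expired:", password_expired(date(2016, 7, 1), date(2016, 11, 6)))
```

Run as a script it reports why each sample fails; the functions are also usable from an account-provisioning or self-service password change hook, where the expiry check would be fed the date of the last change recorded for the account.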
Implementing Asset Security through Communication
The weakest link in implementing asset security and information assurance security is any
pathway which hinders the dissemination of proper standards and strategies to the
masses of the particular enterprise. Unfortunately, many security programs emphasize the attributes
of technical controls of the network and leave the human element floating out in forgotten space
and time. A system can have end user firewalls, authentication standards, immense password
protocols, encryption standards, and IDS/IPS systems all crackling to catch something on the wire,
but if a naïve user gets on and is tricked by some social engineering tactic, the technical security
layers won’t be worth a can of beans in protecting system data.
Therefore, by providing a well-defined security asset and information assurance program,
the security managers can help reduce the effects of vulnerabilities, exploitations and attacks. The
overall objective of a good security program is to ensure the users are aware of the confidentiality,
integrity and availability (CIA) of the enterprise’s information and associated assets. Not only is
the data important, but the actual physical assets used to manipulate the data need to have
defensive strategies applied in human interactions as well. No matter what the attack might be,
attackers and their scanning, associated penetration techniques and applications are aimed at
disabling one of the triad factors. This is where the importance of risk education management
starts to come forth. People need to understand the risks which are associated with every action they
perform on a network system. The goal of the training is to provide the user with a more in-depth,
comprehensive understanding of the system they are using, and of what factors can contribute to
inadvertent and blatant interactions causing vulnerabilities and exploitations to occur. Therefore,
educational programs should be developed to create classroom environments, one-on-one training
sessions and electronic packet education. The bottom line to security is realizing that it is
everyone’s responsibility, not just the information technology department’s. By requiring all users
to take ownership and responsibility for their own areas and the department in which they work,
it presents an overlapping protection of the systems. When education is complete, all users
should have follow-up sessions administered to ensure they are mentally and physically grasping
the basic elements which they were taught. By conducting these simple measures, an enterprise
system stands a chance of forestalling possible attacks within the system (Russell, 2002).
Conclusion
Asset Management has many areas which together make up what asset management encompasses.
It takes implementing risk management, impact analysis, cost-benefits, information security,
information assurance, continual process improvements of security education, and knowing how to
apply it all, so that the enterprise resources maintain an acceptable life cycle which won’t be
disrupted or shortened. By providing these frameworks for asset security management, the loss of
resources won’t happen as rapidly, and public image and customer trust can be maintained at
acceptable levels with nowhere to go but up. Bottom line … It’s worth everyone’s time,
commitment, and effort, as it creates buffers to mission objectives and success, happier employees,
and defrays costs in the financial realms.
Section 5 – Compliance with Security Regulations
Introduction
Society has always been established on the precept of abiding by rules, morals and
values, which set a precedent for creating acceptable social behaviors in humanity. This was
primarily done because of nefarious individuals who didn’t want to abide by the rules of society, and
only accepted their own beliefs about how things were to be accepted as proper. This has
continued to be the case throughout history and has been compounded throughout the centuries,
decades and years. Current legal, regulatory, and investigative compliance laws, executive orders,
and directives have been enacted world-wide to ensure compliance in all aspects of life. This
has also been adapted to the realm of how business is conducted worldwide. Laws have been
enacted which cover acceptable and unacceptable behaviors in operations, in trade, enterprise
data, data handling, network operations and use, data at rest, data in motion, and data in use.
Laws look at how data is to be kept secret, private, and secure, and at what personnel need to abide
by when interacting with systems and data. Thus, it is advisable to look at some of these laws,
which drive the everyday aspects of legal, regulatory and investigative means, and also to
look at some of the frameworks which aid in developing the policies, standards, and
guidelines which companies need to adhere to.
Cyber Related Laws
In 2014 Congress conducted research reviews on many laws which applied to enterprises
and on associated cyber-related acts, executive orders, directives and mandates. The primary
purpose was to look at outdated laws, regulatory requirements and orders which no longer
complied with current legal and operational compliances, certifications and accreditations, and
mandates. In all, there were close to thirty outdated laws on the books which needed to be
updated, due to antiquated requirements not meeting the standards of other current respective
parallel regulatory laws, orders, directives, and mandates. The resulting report (Fischer, 2014) is rather unique
in that it covers a lot of the main Acts which have driven concepts for better protection of the
security and privacy of personally identifiable information, which we now find extremely
valuable in the business sense of operational cyber security.
These laws included the Health Information Portability and Accountability Act (HIPAA), the
Federal Information Systems Management Act (FISMA), the Children’s Information Protection Act
(CIPA), the Family Educational Rights and Privacy Act (FERPA), Sarbanes-Oxley (SOX), the Gramm-
Leach-Bliley Act (GLBA), the Foreign Intelligence Surveillance Act (FISA), the Identity Theft
Enforcement and Restitution Act (ITERA), the Health Information Technology for Economic
and Clinical Health Act (HITECH), the Payment Card Industry – Data Security Standard (PCI-
DSS) compliance initiative, and the National Institute of Standards and Technology Act
(Fischer, 2014). An international law which drives anything outside the United States is
known as Safe Harbor. We won’t go into this area, as it is more of a framework than an actual
law. However, it does require those involved to follow the mandates set by Safe Harbor.
Therefore, it acts like a law, but is more of a compliance mechanism outside the legislative rules
of law (FTC Staff, 2015). Safe Harbor can be confusing, but once it is understood that Safe
Harbor supplements the actual security and privacy directives (94/95/EC) and (02/114/EC) of the
European Work Councils, it can be better understood (ACC- (EU), 2010). There are quite a few
more, but these are the primary laws which designate the requirements from which companies,
businesses and enterprises script their policies, which employees will abide by. By
having a slightly better understanding of each one of these laws, we will be able to attain better
direction in which laws, directives and executive orders should be applied to each policy during
its development.
Sarbanes-Oxley (SOX) - At the turn of the millennium, many companies were conducting
illicit practices and reporting false profit margins to the gatekeepers (Wall Street) of the financial
world. Enron, Tyco, WorldCom, Global Crossing, Adelphia, Health Sound, and ImClone had
reported profits that were non-existent and were creating offsite hedge funds to line executive
pockets. This resulted in the mass bankruptcy of numerous high-value companies and also
threatened to take upstanding corporations down with the bad ones. Due to this instability, the
11th Congress took action and introduced the Sarbanes-Oxley Act, which made it mandatory for
all publicly traded companies to be forthcoming and transparent on all capital ventures. This set
the path for all publicly traded companies to be audited annually by a third-party consulting firm
not directly related to the company's financial ventures or assets. Audit companies had also been
committing fraud in audits related to database calculations. Companies were no longer able to
establish third-party special purpose entities (SPEs), which were nothing more than fraud on a
grand level (Green, 2004). Even companies that based their business off of American territories
still have to abide by the same professionalism and transparency when reporting actual assets.
Even some banks are publicly traded, which brings in the next compliance law.
Gramm-Leach-Bliley Act (GLBA) – This act was once known as the Glass-Steagall Act and
also as the Financial Services Act of 1999. This act involves any company presently involved in
securities and exchange firms, insurance companies, and institutional banking systems. The
purpose of the GLBA is to ensure fair competition and affiliation among banks and other financial
institutions. This act requires all financial institutions to disclose or release their privacy policies
on the sharing of nonpublic personally identifiable information (PII) with other banking
establishments. GLBA also requires banking institutions to provide privacy policy notices to
customers. This allows the customer to decide whether they want their personal information
shared with third-party associates in other banking institutions. The privacy policies must be
disclosed to any new or potential customers at the time of their intent to do any banking
transactions or account initiations with the company (G.P.O., 2011). The bottom line of the GLBA
is to comply with financial record handling, disclosure, and protection requirements. GLBA has
three principal parts. The three principal parts look at the commission's financial privacy policy
and rules, what safeguards are attached to the rules of the policy, and whether there is any
pretexting against the safeguards or rules of the policy (Whitman & Mattord, 2010). The banking
institutions have another little
Payment Card Industry-Data Security Standard (PCI-DSS) – This isn't really considered a
legal law, mandate, executive order, or any other form of law. However, PCI-DSS is a
methodological framework for applying security assurance and awareness to any business,
enterprise, or establishment that chooses to engage in electronic funds transfers from sales of
items or services. The Security Standards Council is made up of a conglomerate of banks,
business institutions and organizations, phone companies, and cyber security organizations, like
Cisco and MIT Technologies, and other company vendors and businesses. The goal of the
Security Standards Council (SSC) is to ensure that all funds transfers processed by any business
or enterprise will meet formal security awareness platforms developed by the SSC. This guidance
focuses on creating an organizational security awareness program, which assembles a security
awareness team and utilizes matrices for training in a real-time environment within the
organization. The platform also addresses awareness content, which envelops roles and
responsibilities within the organization in handling PCI-DSS and creates the proper structure for
what is needed in the training. The platform also looks at developing checklists for developing,
monitoring, and maintaining security awareness for handling credit card payments. This way,
there will be a more adequately controlled environment when dealing with financial transfers
(PCI Institute, 2015).
Federal Information Systems Management Act (FISMA) – FISMA was developed as part of
the E-Government Act in 2002, which laid the foundation for all government departments to
initiate an agency-wide framework to develop, document, and implement platforms that provide
information security for the data and the systems on which that information resides. FISMA
provides mandates and compliance measures requiring that a security program have risk
assessments performed, have policies and procedures based on those risk assessments, and provide
subordinate plans for implementing information security for networks, facilities, information
systems groups, and other components, as needed or required. FISMA also mandates the
development of training standards, penetration testing, risk mitigation planning and remediation,
and ways to detect, report, and respond to incidents (107th Congress, 2016). Interestingly, the
FISMA Act was developed shortly after the introduction of the National Institute of Standards and
Technology Act, which was ratified in the early part of 2002. The National Institute of Standards
and Technology (NIST) was brought to fruition from the need to standardize all electronic data in
commerce and associated businesses. NIST provided standards and compliance measures that
would meet or exceed the requirements for keeping electronic data secure and private by
maintaining the confidentiality, integrity, and availability (CIA) of data, no matter what system it
may be on. NIST was now able to lay the foundation to create standards for any electronic device
that dealt with data and its associated software and hardware peripherals (NIST(e), 2011).
Health Information and Portability Protection Act (HIPAA) – HIPAA was originally enacted
in 1996 to assist in matters of Medicaid and to implement the construction of a medical program
that could achieve an effective and efficient means of providing standards and requirements for
when electronic patient health information (e-PHI) was being transferred by electronic means. In
the early implementation of HIPAA, health care providers really didn't take data privacy and
security seriously, as fines were only $100 per occurrence with a cap of $25,000, depending upon
the severity of the leak. After February 18th, 2009, Congress got serious with health care entities
and providers about privacy and security. Fines were raised to $250,000 per occurrence with a
cap of $1.5 million, depending upon the severity of the leakage (Kannensohn, Kottkamp, &
Dongarra, 2013). Along with HIPAA, another act was initiated to accelerate the privacy and
security of e-PHI by medical facilities, entities, and practicing physicians. The Health Information
Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009 to accelerate
the medical industry's compliance with security and privacy by providing incentives to medical
facilities that diligently created advances in the privacy and security of their medical health
records on databases. It also mandated that all active users of personally identifiable health
information had to attend classes before they were allowed to access any medical-related records
(Leyveh, 2015).
Associate Laws and Statutes – Besides the federal compliance laws, Washington State has
extra laws on the books that stipulate extra layers of compliance for medical facilities and entities
within the state of Washington. These laws can be found under the Revised Codes of Washington
(RCW), Title 70.02. This law specifically covers who is allowed access to patient health record
information and who is allowed to disseminate e-PHI. This title also has nineteen sub-categories,
which cover the coordination of privacy, security, and access for electronic patient health
information (e-PHI). The coordination includes handling, retention, and assurance of the records.
To enforce compliance with the security, privacy, and assurance of this data, Washington State
implemented RCW 9A.58.020, under which a non-certified individual who intercepts, reads, or
manipulates this data, however slightly, will be subject to a Class "C" felony offense, punishable
by a $10,000 fine and up to 5 years in the state prison system (WA State Legislators, 2015).
Washington State has also implemented the Public Records Act, under RCW 42.56.230, which
specifically defines the requirements and compliance measures associated with maintaining the
CIA of any and all records pertaining to schools, financial institutions, emergency contact
information, credit history, and any other personally identifiable information (PII). Under the
Public Records Act, these areas are to maintain a required level of security, privacy, and
assurance, and misuse is punishable under the same purview of RCW 9A.58.020 if this
information is used to steal someone's identity (WA State Legislators, 2015).
Certification and Accreditation
Creating a plan that is functional for the design, implementation, monitoring and control,
and modification of information security and assurance frameworks is no small feat. It takes many
hours of planning and integration to have a workable compliance system for an enterprise. Over
the years, many ideas and concepts have come on board to help enterprises construct
methodologies and frameworks for implementing these programs. The International Standards
Organization (ISO 27000), the National Institute of Standards and Technology (NIST SP800
Series), the Cisco Network Security Baseline framework, NIST SP800-66 for the HIPAA
framework, and many other compliance frameworks and standards present a speculative choice for
what each security manager and their department will need in order to properly inspect, certify,
and gain certification and accreditation for their network systems. Executive Order 13636 was
signed in order to introduce two other frameworks, known as the Common Core and Cybersecurity
Framework and Common Criteria. One thing that is hard to understand is that the Common Core
and Cybersecurity Framework are both devised by NIST, while Common Criteria is devised by
ISO (Grama, 2011). There is one other that most enterprises use in today's market and cyber
strategies. This is known as Control Objectives for IT Processes (CobiT) and is devised by the
Information Systems Audit and Control Association (ISACA). ISACA was referenced in section
one, where it pertained to the roles and responsibilities involving policies, procedures, standards,
and guidelines. In particular, that section spoke of the certifying agent and his or her role in
certifying network systems that required sensitive and critical data systems to be in compliance, to
properly handle data and its transmissions during daily operations and mission objectives (Grama,
2011).
COBIT and C&A
Control Objectives for IT Processes (CobiT) egotistically outlines what it is all about. In the
actual CobiT 5 book, it specifically states that CobiT was devised to create a business framework
for the governance and management of enterprise information technology. CobiT then applies the
eight principles to management by emphasizing the need to meet stakeholder needs, present the
overall goals, plan and outlook, create a 360-degree overview and assessment of the company from
end to end, and define and apply a single integrated framework with a holistic approach. In the
final structure, management and governance are separated into two separate entities, while still
ensuring communication and comparison in daily approaches. The final principle of CobiT is to
implement the CobiT guidance and apply compatibilities for any differences that might occur
(COBIT 5 Task Force, 2013).
Once these guidelines have enveloped the progression of the company's security and privacy,
CobiT is also capable of creating the framework for certification and accreditation of the system.
To understand the certification and accreditation (C&A) process, an individual must comprehend
the technical details associated with what constitutes a threat, vulnerability, exposure, or risk to
the company or organization. Threats such as viruses, worms, Trojans, and other malware have the
potential to exploit systems that may be processing sensitive, critical, or classified data.
Vulnerabilities could include software flaws or human mistakes. The key component of having a
C&A done is that it exposes these risks and vulnerabilities and provides reasonable controls to
avert, mitigate, transfer, and contend with risk that may expose the sensitive information, limiting
or diverting the threat so that the system won't be compromised. The nice thing about conducting a
C&A is that various threats are identified, analyzed, and mitigated, or accepted if minimal enough.
In some instances, a company may choose to have a pre-certification audit conducted to work on
identifying, assessing, and eliminating high-value risks. This way, they increase the chance of the
system being certified by third-party auditors when the time comes for the actual certification
process (Guttman & Roback, 1995).
Once the pre-certifications have been completed, a company will initiate the regular
certification phases. The first phase is to initiate the process by ensuring all participants in the
certification know their respective responsibilities and roles pertaining to comprehending all
system properties and functions that will be evaluated. The enterprise will perform resource
identification for all components and peripheral resources that will support the certification and
accreditation process. These will all be delivered to the audit teams for analysis during the C&A
process. The audit team will begin their analysis and conduct a controls analysis to ensure the
controls are accurate. During the actual certification process, the audit team will create milestones
involving documentation for system tests and evaluations, which delivered plans of action and
milestones will be identified and applied, creation of the certification and accreditation
documentation, and signing off on the documentation upon finding a clean bill of health for C&A
(CC Staff, 2012).
The certification process and accreditation process go hand-in-hand. Upon completion of
the certification phase, the accreditation phase looks to see if the system is providing an acceptable
level of risk and is abiding by all the configuration and management controls that have been
approved for the operation. The accreditation of the whole C&A package now occurs during this
portion of the C&A. The C&A package will be delivered to the security officer for review. Once
the security officer has reviewed the actual C&A documentation, they will brief the chief
information officer and the chief technology officer on their findings. All parties will make a final
decision on the accreditation process and decide whether accreditation has been fulfilled on the
tested system. If all agree, then the C&A package will be signed off for implementation (CC Staff,
2012).
The monitoring phase checks that the system has automated and manual controls that are
constantly monitored to ensure management and configuration control is being carried out.
Milestones in the accreditation process include monitoring change management, conducting an
annual security penetration control and evaluation test, committing to quarterly status reporting,
and setting up for re-accreditation if needed. The overall reasoning for conducting the risk
assessment, configuration management plan, and security plan is to break down potential risks
that are both qualitative and quantitative in nature. These risks are then brought into a manageable
and controllable perspective of being continually monitored and mitigated in a much simpler
fashion.
Conclusion
We have come a long way in realizing that data is a vital resource in how businesses and
enterprises do business. Early in the process of using network and distributed systems, the last
thing anyone remotely worried about was a person's data being used against them. As time has
passed, this has become a huge revelation, which some still hate to accept. Thus, the federal
government stepped in for the safety of all and introduced Acts, Directives, Executive Orders, and
state and municipal laws, which now govern the way data is handled at rest, in motion, and in use.
With the introduction of all these laws and regulations came a set of frameworks that formally
designated a way to integrate methodologies and frameworks into security and information
assurance. This was only the first step. To verify the controls were online and doing what they
were supposed to, NIST, ISACA, and ISO also introduced certification and accreditation programs,
which verify the authenticity of the structure, design, risk, and overall security, privacy, and safety
of current networked distributed systems. Network design is forever changing, and so must the
compliance frameworks and methodologies that support the security and the controls. Compliance
will always have to be driven home, as no one seems to hold true to integrity on any network
system.
References
107th Congress. (2016, Aug 25). FISMA Detailed Overview. Retrieved Oct 04, 2016, from NIST(d): http://csrc.nist.gov/groups/SMA/fisma/overview.html
ACC- (EU). (2010, May 18). Works Councils in the European Union (EU). Retrieved Dec 02, 2015, from Association of Corporate Counsel: http://www.acc.com/legalresources/quickcounsel/wciteu.cfm
Avolio, F. M. (2007, July 01). Producing Your Network Security Policy. Retrieved Oct 21, 2016, from WatchGuard: https://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf
Barker, E. (2016, Jan 22). NIST SP 800-57 Part-1 Rev.4. Retrieved Oct 31, 2016, from National Information Standards and Technologies: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
Barker, K., Morris, S., Wallace, K., Watkins, M., Anastasoff, B., & Burns, D. (2013). CCNA Security - Official Cert Guide (1st ed.). (B. Barrow, Ed.) Indianapolis, IN, USA: Cisco Press. Retrieved Oct 22, 2016, from http://staffweb.itsligo.ie/staff/pflynn/Telecoms%203/CCNP%202%20Secure%20WAN's/Secure%20Converged%20Networks/CCNA%20Security%20554%20official.pdf
Blake, A. (2016, Sep 20). Information Security Roles and Responsibilities. Retrieved Oct 08, 2016, from Michigan Tech University: http://www.security.mtu.edu/policies-procedures/is-roles-responsibilities.pdf
Buecker, A., Browne, K., Foss, L., Jacbs, J., Jeremic, V., Lorenz, C., . . . Van Herzele, J. (2011). IBM Security Solutions Architecture for Network, Server and Endpoint (2nd ed.). Armonk, NY, USA: Redbook Publishing. Retrieved Oct 22, 2016, from http://www.redbooks.ibm.com/redbooks/pdfs/sg247581.pdf
CC Staff. (2012, Sept). CC v3.1. Release 4 Intro and General Model. Retrieved Nov 06, 2016, from Common Criteria: http://www.commoncriteriaportal.org/cc/
Chalker, A. (2014, Aug 12). Data Governance Overview. Retrieved Oct 15, 2016, from Protiviti Risk & Business Consulting: https://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2014/Implementing%20a%20Data%20Governance%20Program%20-%20Chalker%202014.pdf
Chen, W. (2010, June 25). A Brief History of Data Governance. Retrieved Oct 14, 2016, from Magnitude Software: http://blog.magnitudesoftware.com/2010/06/25/a-brief-history-of-data-governance/
COBIT 5 Task Force. (2013, May 08). CobiT 5 Download. Retrieved Oct 15, 2016, from ISACA(a): http://www.isaca.org/cobit/Pages/CobitFramework.aspx
Collibra(STARLabs). (2009, Mar 17). Semantic Alignment. Retrieved Oct 16, 2016, from Information Management: http://cdn.information-management.com/media/pdfs/collibra.pdf
Conklin, A. W., White, G., Williams, D., Davis, R. L., & Cothren, C. (2012). Principles of Computer Security (3rd ed.). (B. E. Rogers, & J. Walden, Eds.) New York, NY, USA: McGraw-Hill Publishing. Retrieved Mar 17, 2016
Council of E-Commerce Consultants. (2011). Disaster Recovery (1st ed.). Clifton Park, New York, USA: Cengage Learning. Retrieved Nov 16, 2015
D.A.V. (2015, Jan). Physical Security Design Manual. Retrieved Aug 06, 2016, from U.S. Dept. of Vet. Affairs: http://www.cfm.va.gov/til/physicalsecurity/dmphysecmc.pdf
Davidowicz, D. (1999, Dec 23). Domain Name System (DNS) Security. Retrieved Oct 24, 2016, from Computer Security 101: http://compsec101.antibozo.net/papers/dnssec/dnssec.pdf
Daya, B. (2008, Aug 26). Network Security: History, Importance, and Future. Retrieved Oct 21, 2016, from Massachusetts Institute of Technology: http://web.mit.edu/~bdaya/www/Network%20Security.pdf
Editorial Board. (2014). World Cultures. Schaumburg, IL, USA: Words of Wisdom, LLC. Retrieved Oct 15, 2016
Evans, D. L., Bond, P. J., & Bement, A. L. (2004, Feb 01). Standards for Security Categorization. Retrieved Oct 10, 2016, from NIST FIPS-PUB99: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Fischer, E. (2014, Dec 17). Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation. Retrieved Oct 04, 2016, from Federation of American Scientists: https://www.fas.org/sgp/crs/natsec/R42114.pdf
FTC Staff. (2015, Feb). Privacy and Security | Safe Harbor Framework. Retrieved Dec 01, 2015, from Federal Trade Commission: https://www.ftc.gov/tips-advice/business-center/guidance/information-eu-residents-regarding-us-eu-safe-harbor-program
G.P.O. (2011, Feb 27). Gramm-Leach-Bliley Act. Retrieved Oct 04, 2016, from General Printing Office: pkisupport@gpo.gov
Gibson, D. (2015). Managing Risks in Information Systems (2nd ed.). Burlington, MA, USA: Jones & Bartlett Learning. Retrieved Feb 21, 2016
Grama, J. L. (2011). Legal Issues in Information Security. (L. J. Goodricj, Ed.) Sudbury, MA, USA: Jones & Bartlett Learning. Retrieved Dec 01, 2015
Gray, J. (1996). Data Management: Past, Present, & Future. Microsoft Corporation, Microsoft Research. Redmond, WA: Institute of Electrical and Electronic Engineers. Retrieved Oct 14, 2016, from https://www.microsoft.com/en-us/research/publication/data-management-past-present-and-future/
Green, S. (2004). A Look at the Causes, Impact and Future of the. Journal of International Business & Law, Vol. 3(Iss.1), pp. 1-21. Retrieved Nov 27, 2015, from http://scholarlycommons.law.hofstra.edu/jibl/vol3/iss1/2/?utm_source=scholarlycommons.law.hofstra.edu%2Fjibl%2Fvol3%2Fiss1%2F2&utm_medium=PDF&utm_campaign=PDFCoverPages
Guttman, B., & Roback, E. (1995). Intro to Computer Security: Handbook. Boulder, CO, USA: U.S. DOC. Retrieved Dec 10, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP 800
Hinson, G. (2012, Oct 04). ISO 27000 Change Management and Controls Policy. Retrieved Oct 16, 2016, from ISO27k Information Security.
ISACA. (2016, Sep). ISACA Certification: IT Audit, Security, Governance and Risk. Retrieved Oct 09, 2016, from ISACA: http://www.isaca.org/CERTIFICATION/Pages/default.aspx
Kannensohn, K., Kottkamp, N., & Dongarra, V. (2013, Feb 14). HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations. Retrieved Nov 21, 2015, from McGuire Woods Consulting: https://www.mcguirewoods.com/Client-Resources/Alerts/2013/2/HIPAA-Omnibus-Final-Rule-Implements-Tiered-Penalty-Structure-HIPAA-Violations.aspx
Leyveh, C. (2015, Nov). HITECH Act Summary. (Lion Publishing) Retrieved Nov 21, 2015, from HIPAA Survival Guide: http://www.hipaasurvivalguide.com/hitech-act-summary.php
Lieberman, G. (2016, Oct 27). Asset Security Management. CSS450_01_292_6_3_0_5 - Live Chat #4 Risk Management. Colorado Springs, CO, USA: CTU. Retrieved Oct 30, 2016, from http://ctuadobeconnect.careeredonline.com/p6y9c5agjwu/?launcher=false&fcsContent=true&pbMode=normal
Merkow, M. S., & Breithaupt, J. (2014). Information Security Principles and Practices (2nd ed.). (S. Schroeder, Ed.) Indianapolis, IN, USA: Pearson Education. Retrieved Oct 31, 2016, from http://proquestcombo.safaribooksonline.com.proxy.cecybrary.com/book/networking/security/9780133589412/chapter-11dot-cryptography/ch11#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTk3ODAxMzM1ODk0MTIlMkZjaDExbGV2MXNlYzImcXVlcnk9KCgoSW5mb3JtYXRpb24lMjBTZWN1cml0eSUzQSUyM
Merriam-Webster. (2016). Definition of Policy. Retrieved Oct 07, 2016, from Merriam-Webster: http://www.merriam-webster.com/dictionary/policy
MIS Inc. (2015, Apr. 21). DG Framework - DG Policy Manual. Retrieved Oct 16, 2016, from British Columbia First Nations' Data Governance Initiative: https://static1.squarespace.com/static/558c624de4b0574c94d62a61/t/558c7c65e4b0b067ef50a4ad/1435270245149/BCFNDGI-Data-Governance-Framework-Data-Governance-Policy-Manual.pdf
Mitre Corp. (2016, May 24). Common Vulnerabilities and Exposures. Retrieved May 31, 2016, from CVE: https://cve.mitre.org/
Mohan, V. (2013, Nov 15). IT Asset Management Benefits & Best Practices. Retrieved Oct 28, 2016, from SolarWinds: http://cdn.swcdn.net/creative/pdf/Whitepapers/IT_Asset_Management_%20Benefits_%20Best_Practices.pdf
N.V.D. (2016, Sep 28). The Security Content Automation Protocol (SCAP). Retrieved Oct 24, 2016, from NVD-NIST.gov: https://scap.nist.gov/
NIST. (1997, Nov 10). An Introduction to Computer Security: The NIST Handbook SP800-12. Retrieved July 07, 2016, from NIST: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-12.pdf
NIST(e). (2011, July 12). National Institute of Standards and Technology Act. Retrieved Nov 04, 2016, from NIST(b): https://www.nist.gov/sites/default/files/documents/director/ocla/NIST-Organic-Act.pdf
PCI Institute. (2015, May). PCI DSS Quick Reference Guide. Retrieved Jan 10, 2016, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf
Pierce, E. M. (2011, Dec 18). Designing a Data Governance Framework to Enable and Influence IQ Strategy. Retrieved Oct 15, 2016, from Massachusetts Institute of Technology: http://mitiq.mit.edu/iqispapers.aspx?iciqyear=200777
Ross, R., Swanson, M., Stoneburner, G., Katzke, S., Johnson, A., & Smith, F. (2004, May 11). Guide for Security Cert and Accreditation of FIPS. Retrieved Oct 09, 2016, from NIST(a): https://www.fismacenter.com/SP800-37-final.pdf
Russell, C. (2002, Oct 25). Security Awareness - Implementing an Effective Strategy. Retrieved Oct 2016, from SANS Institute: https://www.sans.org/reading-room/whitepapers/awareness/security-awareness-implementing-effective-strategy-418
Salido, J., & Voon, P. (2010, Jan 26). A Guide to Data Governance, Privacy, Confidentiality and Compliance. Retrieved Oct 16, 2016, from International Association of Privacy Professionals: https://iapp.org/media/pdf/knowledge_center/Guide_to_Data_Governance_Part1_The_Case_for_Data_Governance_whitepaper.pdf
SANS Institute. (2014, June). Acceptable Use Policy. Retrieved Nov 30, 2015, from SANS Institute: https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
SANS Staff. (2014, June). Find the Policy Template You Need! Retrieved Oct 16, 2016, from SANS: https://www.sans.org/security-resources/policies/
Shamim, A., & Fayyaz, B. (2014, Sep 19). Layer Defense in Depth Model for IT Organizations. Retrieved Oct 23, 2016, from International Institute of Engineers: http://iieng.org/images/proceedings_pdf/8285E0914047.pdf
Solove, D. (2013, Sep 09). A List of Privacy Training and Data Security Training Requirements in Laws, Regulations, and Industry Codes. Retrieved Oct 24, 2016, from Teach Privacy: https://www.teachprivacy.com/list-privacy-training-data-security-training-requirements/
Stewart, M. (2014). Network Security, Firewalls, and VPNs (2nd ed.). (M. Johnson, Ed.) Burlington, MA, USA: Jones & Bartlett Learning LLC. Retrieved Nov 19, 2015
Stine, K., Kissel, R., Barker, W., Lee, A., Fahasing, J., Guiterrez, C., & Turner, J. (2008, Aug 13). Vol. 2: Guide for Mapping Data Classifications. Retrieved Oct 16, 2016, from NIST: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf
Swanson, M., & Guttman, B. (1996, Sept 23). NIST Special Publication 800-14. Retrieved Oct 08, 2016, from N.I.S.T.: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Thomas, G. (2009, Apr. 24). How to Use the DGI Framework to Configure Your Program. Retrieved from The Data Governance Institute: http://www.inf.ufsc.br/~jose.todesco/dw/Artigos/Data%20Governance%20Framework.pdf
UCDavis Chancellor & Provost. (2011, Jan 05). Guide to Writing and Maintaining Policy. Retrieved Oct 16, 2016, from University of California Davis: http://manuals.ucdavis.edu/resources/GuidetoWritingPolicy.pdf
Vacca, J. R. (2009). Computer and Security Information Handbook. (J. R. Vacca, Ed.) Burlington, MA, USA: Morgan Kaufmann. Retrieved July 08, 2016
WA State Legislators. (2015, April 30). Revised Codes of Washington. Retrieved Nov 21, 2015, from Washington State Legislature: http://apps.leg.wa.gov/rcw/default.aspx
Weaver, R., Weaver, D., & Farwood, D. (2014). Guide to Network Defense and Countermeasures (3rd ed.). (W. Overocker, Ed.) Boston, MA, USA: Cengage Learning. Retrieved Feb 21, 2016
Whitman, M. E., & Mattord, H. J. (2010). Principles of Information Security (4th ed.). (S. Helba, Ed.) Boston, MA, USA: Cengage Learning. Retrieved Oct 22, 2016
Yang, L. (2005, Aug 18). CPSC 4610: Information Security Management. Retrieved Oct 08, 2016, from University of Tennessee: http://web2.utc.edu/~Li-Yang/cpsc4610/
Young, L. (2012, Nov 04). Information Assurance Program. Retrieved Oct 08, 2016, from National Service - Office of Information Technology: http://www.nationalservice.gov/sites/default/files/upload/IAP_082112_Final%20Public.pdf
Created By: Mark L Simon II

CSS-454 information Security Assurance CAPSTONE

29 Conclusion ................................................................................................................................ 30
  • 3.
    IAS CAPSTONE 2 Section3 – Network Security ....................................................................................................... 31 Introduction............................................................................................................................... 31 Network Security History ......................................................................................................... 32 Legal, Regulatory Compliance, and Integration of Network Policy ........................................ 32 Due Care and Diligence of Network......................................................................................... 34 Network Security Solutions ...................................................................................................... 35 Layered Defense Strategy......................................................................................................... 37 Defense in Depth....................................................................................................................... 38 Physical Security................................................................................................................... 39 Environmental and Physical Defense Strategies................................................................... 40 Technical Related Threats..................................................................................................... 41 Technical Defense Strategies. ............................................................................................... 42 Human Related Threats......................................................................................................... 46 Human Related Defense Strategies....................................................................................... 47 Conclusion ................................................................................................................................ 
48 Section 4 – Asset Security Management ...................................................................................... 49 Introduction............................................................................................................................... 49 Asset Management.................................................................................................................... 50 Risk Identification..................................................................................................................... 51 Risk Methodology..................................................................................................................... 52 Risk Assessment ....................................................................................................................... 53 Stage-1 / System Categorization:.......................................................................................... 53 Stage-2 / Threat Identification .............................................................................................. 54 Stage-3 / Identify Vulnerabilities:......................................................................................... 54 Stage-4 / Analyzing Controls:............................................................................................... 54 Stage-5 / Likelihood of Determination ................................................................................. 55 Stage-6 / The Analysis Impact:............................................................................................. 55 Stage-7 / Determining Risk:.................................................................................................. 56 Stage-8 / Threat Control Recommendations:........................................................................ 56 Stage-9 / Documentation:...................................................................................................... 
56 Stereotypical Risks.................................................................................................................... 57
  • 4.
    IAS CAPSTONE 3 ImplementingAsset Security through Communication............................................................ 62 Conclusion ................................................................................................................................ 63 Section 5 – Compliance with Security Regulations...................................................................... 64 Introduction............................................................................................................................... 64 Cyber Related Laws.................................................................................................................. 64 Sarbanes Oxley (SOX).......................................................................................................... 66 Gramm-Leech-Bliley Act (GLBA)....................................................................................... 66 Payment Card Industry-Data Security Standard (PCI-DSS) ................................................ 67 Health Information and Portability Protection Act (HIPAA) ............................................... 69 Associate Laws and Statues .................................................................................................. 69 Certification and Accreditation................................................................................................. 70 Conclusion ................................................................................................................................ 74 References..................................................................................................................................... 75
  • 5.
    IAS CAPSTONE 4 Abstract Thisresearch paper looks at Information Assurance Security (IAS) and how IAS works with legal guidelines, regulatory requirements, compliance standards, and the investigatory and forensic proceedings. Legal, regulatory and compliance measures, and investigative forensics are designed through the use of policies, procedures, standards and guidelines. Thus, this assures that data governance can be fulfilled in every portion of cybersecurity, information assurance, and company objectives. Data governance and policies are then applied to network security where standards and guidelines are applied to every aspect of the system. From big mainframes, down to the individual host computer, data security and policies are being applied to ensure a standard of security. To keep this areas secure, a continuous amount of governance, due diligence, risk assessment, maintenance, audits, automated patching, upgrades, and various other daily operations, need to be monitored and controlled. This is done through risk management, change management, impact analysis, disaster management, backup and recovery, and many other system associated managements, which monitor and control the very core of the system for vulnerabilities and exploitations. This is known as asset management. Finally, some of the actual legal, regulatory, and compliance acts will be discussed, which drive the overall process of information security assurance, and what avenues can be taken, using investigatory and forensics capabilities to decipher the causes of network systems malfunctions, damage, exploitations and attacks. This may aid personnel in hardening the system and catching the culprits.
  • 6.
    IAS CAPSTONE 5 Section1 – Policies, Procedures, Roles, and Responsibilities Introduction Information Assurance Security (IAS) is a wide area of knowledge and concern, as many more individuals realize the power of media communications, and the World Wide Web. IAS is built into almost every aspect of computer enterprise operations security. This piece will reflect directly on the legal, federal regulation, compliance measures and investigational procedures associated with information security assurance. However, there are multiple areas information security assurance that might be addressed, throughout this research that parallel or coincide directly with the chosen IAS legal, regulatory and investigatory compliance research endeavors. Areas of association could involve infrastructure and design, access controls, physical and environmental security, risk management, change management, business continuity, disaster recovery, cryptography and operational security. This is by no means, all encompassing, but does address the potential areas, which may or will parallel and associate themselves with the segmental area of legal, federal regulatory, compliance, and investigational procedures, associated with information security assurance. In order to ensure there is assurance of these areas of concern; an enterprise, organization, or company needs to incorporate sets of rules, measures, methods, and frameworks, which will be followed, to ensure the ultimate credibility, availability and integrity (CIA Triad) of the network, in order for it to be maintained. Thus, policies, standards, procedures and guidelines need to be created to provide a roadmap, which will assist the company or enterprise in fulfilling its operational, technical, and legal obligations. The roles and responsibilities of creating and applying these measures will also need to be reviewed, to assess the proper applicability’s for the groups or individuals creating these compliance measures.
  • 7.
    IAS CAPSTONE 6 Policies Apolicy, by its very core definition, is the act of creating compliance and governance strategies, of actions or principles, which will be adopted by a government, specific party, enterprise, business, company, group, or individual, for the purpose of prescribing a set of conditions, to guide current and future decisions (Merriam-Webster, 2016). Personal experience has dictated that creating and designing a policy takes an immense amount of time, as the policy has to run a gambit of checks and verifications, to make sure everything is reviewed, which will cover the areas provided by the policy. The policy is usually generated at the very top of the enterprise, organization, or institution. This is usually done by a Board of Directors or Executive Committee. In information security assurance, this is known as information security assurance high-level governance. One of the key components of the executive policy is that an enterprise must develop its executive policies in accordance with federal mandates and associated regulatory acts. These factors can make the enterprise’s policy particularly unique to that individual company. The company or enterprise must also look at the overall diversity of the enterprise and the enterprise’s IT architectural synergy, objectives, and goals associated with running the operational and production environments (Grama , 2011). Policy Structure. The structure of the policy should be designed with due care and due diligence. The elements may vary, depending upon the type of company and who is creating the policy, but there are common-core elements that should be addressed, in almost every policy being designed. A good place to start looking at the elements of creating a policy, is the National Institute of Standards and Technology Special Publication 800-12. 
This publication gives a concentrated understanding of what is really needed for a policy, based on where and how it is going to be integrated into an enterprise. SP800-12 directs the reader to the type of policy being
  • 8.
    IAS CAPSTONE 7 designand how to design it, based on whether the policy will be program policy directed or issue-specific related. Knowing this helpful information will be a great first step in initiating the policy (NIST, 1997). The policy should require certain elements within the document heading, body and conclusion. Usually, a policy opens with a statement and purpose, which exemplifies the expected actions, outcomes, responsibilities and behaviors, required for the policy in question. It will state what is willing to be permitted and what is illicit. The policy will have an exclusion statement, which addresses those, who are not viably bound to the parameters of the policy. This will be followed by the rationale of why the policy is being mandated, due to legal, regulatory, or federally mandated means. A definitions segment is added for technically challenging wording, or if the verbiage has special meaning, within the body of the document. The next area relates to “who” is affected by the policy, in relation to the rules, designated responsibilities, procedures, guidelines and standards, which they must follow, to be in compliance with the policy. These areas will also have the added compliance verbiage, which enforces the aspects of all the rules, mandates, and other legal parameters associated with the given policy. In other words, if an employee fails to abide by the parameters of the policy, they may be subjected to loss in pay, demotions, fines, and even jail time, if the incident is severe enough. The policy will always have associated documents, which relate, or refer to the current policy. These associated documents might have more precise instructional procedures and guidance, which supplement the main executive / program policy. The final areas of the policy will have information on the author of the document and verbiage on how to contact them, if anything needs to be changed, altered, or amended. 
If this is done, the policy will have a designated history block for the changes, which have occurred to the document, and a date the policy was amended or altered (Grama , 2011). The executive policies are
  • 9.
    IAS CAPSTONE 8 consideredliving documents, like the standards and procedural policies, but they require less continual modifications, as the standards and procedural documents, which directly supports the main policy, are more frequently reviewed for changes, alterations and amendments. Standards & Procedures Standards and procedures can be considered more of an “issue-specific” or system specific” type policy. These documents are subject to quarterly, bi-annual and annual changes, depending upon the volatility of the changes within the specific enterprise, business, or corporation environment. Due to the fact that these issue-specific and system-specific policies describe the standards and procedures, in a more granular detail, they should be labeled more in the aspect of an “Operational Compliance Policy” towards specific and issue related compliance measures. The guidelines are more directed to advisory ways of complying with the procedures and standards. For example, posting safety fliers on what to do if they see a safety violation and how to report it. NIST Special Publication 800-14 specifically outlines the structure of what an “executive policy” is, versus the more granular “operational policy” (issue or system specific policy) contains (Swanson & Guttman, 1996). As was noted above, in earlier descriptions, the executive policy lays out a general expectations, but the standards and procedures policies outline specific compliance details, on what is expected, and how it is expected to be done. This is also known as the “base-line” aspect (Grama , 2011). The “issue-specific” standards policy looks specifically towards the organization’s situational declaration or statement, how it applies to procedural concept, the roles and responsibility of groups or individuals within a certain department, and the particular point of applicability concerns, which the employees need to specifically comply with. This is normally
  • 10.
    IAS CAPSTONE 9 writteninto something like an “Acceptable User Policy”. It may detail what can and can’t be communicated across emails, what types of “bring your own device” can be used on enterprise systems, internet etiquette, password structure and complexity and so on (Swanson & Guttman, 1996). System-specific policy standards work more in the area of protecting actual systems during user interactions, proper management of the system, risk analysis, impact analysis, and so on. These style of policies are generally created by the middle management to guide the implementation and configuration of new technologies being integrated, security requirements for current technologies, how managerial intent will be conducted, prohibited usage of equipment, and other single task perspectives. The issue-specific documentation also provides for indemnity against liability, inefficiency and uncertainty (Yang, 2005). Most importantly the issue-specific documents establish the rules on who can do what (read, write, alter, delete) with data, what they are responsible for, access control configurations based on role or individual user and the types of data accessible, and encryption standards for the transference of data (Swanson & Guttman, 1996) Guidelines Guidelines are the least stringent and most flexible of the policy hierarchy. Guidelines promote encouragement to adopt best practices for doing a task, create an educational understanding of the procedures and standards, and encourage the employees to take action in areas that the upper management areas might not be privy to, due to absence by company or enterprise upper management, or they need the employee to have highly imaginative self- motivation and charisma to complete tasking’s, which promote good attitude and enterprise goals and success. It’s basically asking the employee to take ownership of their area.
  • 11.
    IAS CAPSTONE 10 Rolesand Responsibilities Information Security Assurance has many hats when it comes to the people, who are actively involved in ensuring the goals are met, in relation to credibility, integrity and availability of data. Many federal acts dictate that an information assurance program, will be defined and implemented, with any enterprise, company, organization, entity, or institute, dealing with personally identifiable information. This includes such areas as medical facilities, schools, publicly traded companies, banks, federal government entities, and many others. The laws defining the initiation of the IAS program range from Sarbanes-Oxley (SOX), Gramm-Leech- Bliley (GLBA), Health information portability and Accountability Act (HIPAA), HITECH, Children’s Internet Protection Act (CIPA), Family Educational Rights and Privacy Act (FERPA), Federal Information Processing Standard (FIPS), and many others. The underlying federal act, which seems to perpetuate all the other compliance Acts, is the Federal Information Security Modernization Act (FISMA), which primarily outlines the Information Assurance program and who is responsible for IAP, and their roles within IAP (Young, 2012). Interestingly, there is a widely diversified categorization of terms, of who is responsible for what. At the upper executive levels, the oversite committee can be designated in many terms. They can be termed Board of Directors, Data Trustees Board, the General Counsel, and the information security review Board. Whatever the designation may be, these groups and committees have the following responsibilities in addressing the information Assurance program. These groups primary responsibility is to provide oversite and general direction in association with information security programs and assurance. 
They will oversee and monitor the development, implementation and design, maintenance of the security plan, enforcement of all policies, handle requests for exemptions to policy, and ensure compliance requirements are addressed in relation
  • 12.
    IAS CAPSTONE 11 toprivacy, security and regulatory means. These groups also ensure programs are in place for dealing with risk assessment and mitigation, monitoring and control processes, disaster recovery and incident handling for security incidents, as required (Blake, 2016). Even though these groups and committees have their roles and responsibilities, the roles and responsibilities roll downhill with different responsibilities being applied, dependent upon the role, which the individual may hold. According to the federal information assurance program. Chief Executive Officer. The Chief Executive Officer (CEO), who may be part of the groups or committees, is responsible for the information assurance plan and is oversees implementation and design, in accordance with regulatory and enterprise objective and compliances. The CEO negotiates allocations of receivable assets, to foster assurance, to the IAP success. The CEO manages the Chief Information Officer (CIO), the Chief Information Security Officer (CISO) who he/she will appoint. In addition, the CEO also appoints personnel as Authorizing Officials (AO’s) and Information System Owners (ISO) for each information system (Young, 2012). Chief Information Officer. The Chief information Officer (CIO) is responsible for the execution of the whole IAP and delegates certain aspects to the CISO for management of the information assurance plan and program. The CIO is responsible for integrating updates into the policy program and also creating a training environment, from which employees are properly trained in information and data usage and compliance measures in accordance with federal mandates, policies, standards, procedures and guidelines. The CIO also coordinates with the CEO to provide annual reports to the groups or committees (Young, 2012).
  • 13.
    IAS CAPSTONE 12 ChiefInformation Security Officer. Like the CIO, the CISO is also responsible for the areas that the CIO is, but also works towards acquisition of newer security assurance measures and strategies to shore up the information assurance program. This is done by creating a centralized reporting matrix of security-related activities, which assists in hardening the operational dynamics of continual usage. The CISO is also responsible for defining issue and system-specific security requirements, hardware and software tools, checklists, and templates to support the security plan. The CISO also works in training personnel in specialized positions, assists other senior management personnel in their security requirements, ensures privacy and security practices are implemented and maintained under FISMA and other federal requirements, monitors and assists in security incidents, manages the IT audits, program reviews, and assists investigations by law enforcement and audit personnel. The CISO also creates reports to the CIO for submittal of the annual report to the committee or review groups (Young, 2012). Authorizing Official (AO). The authorization official is another CEO appointed position and assumes the responsibility of system operation with an acceptable level of risk. The authorization official is also responsible for the day-to-day operations of the network system and maintains the oversite of the budgetary needs of the system. The authorization official approves local security plans, which address memorandums of agreement and understandings (MOA/MOU’s), as well as plan of actions and milestones (POAM’s). The authorization official has the power to completely shut down the system for unmanageable or unacceptable risks, and deny use of the system by whoever the (AO), so chooses. The (AO) will monitor the operational status of the system, ensuring security is maintained. They review security reports to ensure the risk remains acceptable. 
If it isn’t acceptable, or a breach occurs from an unacceptable risk, the (AO) will assist in security incident responses and privacy breaches. The (AO) can delegate and
  • 14.
    IAS CAPSTONE 13 designatean individual to follow through with daily security responsibilities, when the need arises, or the enterprise can just permanently assign an assistant, on permanent status, of security monitoring for the (AO) (Ross, et al., 2004). Due to the Authorizing Official having such a broad work load with their daily responsibilities, the authorizing official designated representative (AODR) will work more closely with the Information Systems Owner on matters like the certification and accreditation process. The AODR also primarily works on the MOA/MOU’s, security plans, and supportive authorizing official, duties. Information Systems Owner. The ISO is appointed by the CEO and is responsible for the fully encompassed areas of operations & maintenance, procurement, development, integration and modifications of the network systems. The actual systems security plan should be overseen and developed by the information systems owner, as this person has direct access to the “ins” and “outs” of the system. This ensures that when the system is deployed, it will abide by the systems security, as developed by the ISO. The ISO will decide who does and does not have authorization to access the security system and sets the access controls and privileges for user, who do have access and authorization levels. However, before any employee or support personnel are authorized and privileges set for use, they must be orientated and trained, in system security assurance and associated security measures. The ISO will notify all pertinent personnel when systems are required to have certification and accreditation evaluations conducted. The ISO will supply all the C&A supporting documentation and associated resources for when the C&A is actually conducted. The ISO is the primary responsibility in following through after the C&A is completed. 
The ISO will take the report of the certification survey, mitigate and alleviate all possible vulnerabilities, exploits and attack vectors. Once this is completed that ISO will create a
  • 15.
    IAS CAPSTONE 14 report,which will be sent to the executive group for reporting and review. The chain of command dictates that this report will first go through the hands of the Authorizing Official, before elevating it on up (Ross, et al., 2004). Information Owner. The information owner can be classified as someone, who generates, processes, disseminates, collects, and disposes of information. The owner has the overall choice of who can look at, manipulate, alter, write to, and delete the owner’s data. The owner is primarily responsible for setting the type of security and controls, which each piece of data will align to, based on classification and sensitivity of the data. An information system might have multiple owners residing and using their information on the same information system. This gives them the unique authority to let the system information owners know, what type of security is expected, for their information to be used, stored, and transmitted, on the system. For example, this may be an issue with cloud security, where users of Amazon and Google web services have data stored. These two companies are the system owners, but they must align the security controls and access requirements, of their systems, with the expectations of the controls and access requirements of the information owners (Ross, et al., 2004). Information Systems Security Officer (ISSO). The ISSO reports directly to the Authorizing Official, Information Systems Owner, or to the Chief Information Officer. The security workings and posturing of the system, is primarily monitored and maintained by the ISSO. If any discrepancies or other issues come up, the ISSO will advise the aforementioned three personnel of the situations involving the security postures, and workings of the system. 
Since the ISSO is directly hands-on, within the system, on a day-by-day basis; the ISSO will be in charge of monitoring physical security, incident handling, security training and awareness, and personnel security. The ISSO is considered the subject matter expert of the system and may be identified to
create operational policies to ensure compliance of system security at the local level. The ISSO is also required to be a direct participant in designing and updating the system security plan, change management planning and execution, and the risk management plan for assessing new and continuing vulnerabilities and exploitations, which require hardening strategies. The ISSO follows up the assessment and impact hardening with penetration testing after mitigation and alleviation procedures are completed. All of this is reported to the three upper-echelon personnel.

Certification Agent.
These people inspect the system to ensure it is in compliance with the federal regulations and laws by which the company or enterprise must abide. Normally, certification agents are part of larger third-party enterprise entities, who are called into an enterprise to certify or accomplish accreditation of the system under federal regulatory requirements and compliance. This is usually done by an Agent of Certification Authority (ACA), who belongs to the Information Systems Audit and Control Association (ISACA), the National Commission for Certifying Agencies (NCCA), the International Certification Accreditation Council (ICAC), the NIST Certification and Accreditation program, the American National Standards Institute (ANSI), or one of many others (ISACA, 2016). These groups or individuals are responsible for conducting comprehensive assessments of the operational areas and of the management, technical and administrative controls, to ensure everything is in compliance with federal mandates, implemented correctly, operating to the intended standards, and producing the desired outcomes of the obligatory requirements of federal laws. A third-party certification agent should always be used if the enterprise has a moderate to high impact potential. Smaller companies may use an in-house self-assessment activity if the impact on assets or agency operations is considered low risk (Young, 2012).
User Representatives.
This is anyone who uses the system to conduct daily operations on a network system. They are responsible for keeping abreast of current security policies, standards and guidelines for acceptable use of the systems. All of these personnel should have received security awareness training to aid in securing the operational interests of the mission and the objectives of production. They can partake in the certification and accreditation process by ensuring requirements are followed in day-to-day operations, as defined in the system security plan (Ross, et al., 2004).

There are many areas in a business, enterprise, or organization where personnel fill the roles and responsibilities of carrying out tasks, missions, and duties to ensure system security is maintained and assurance is achieved. This is a list of the most common roles and responsibilities as guided by the NIST and ISO frameworks. Depending on the size and nature of the company, other roles may arise to defray the adverse effects of system security vulnerabilities and exploitations.

Conclusion
This segment has looked over the ways in which policies and procedures are created at the top level and then brought down to the operational level. At the top levels, they are known as executive policies and are based on general expectations. As they are deployed to the operational levels, they become more specific and separate into system-driven and issue-driven standards, procedures and guidelines on how to handle individual taskings and duties in particular areas, but they are still considered policy. The key difference is that they are “operational” policy and not “executive” policy. Policies then shape how each of the given fields within an enterprise will establish the responsibilities of their respective roles. Each role has a specific set of responsibilities to follow through with, and these are driven by the policies which were introduced at the implementation of the system design. By using this framework, an enterprise, company, organization, or institution creates a roadmap for its objectives and goals of security assurance, certification, and accreditation of the business. It also creates an atmosphere in which everyone knows there is a finite structure for information security governance.
Section 2 – Data Governance
Introduction
Information is one of those valuable assets which helps to lubricate every operational function in life. Data is basically anything which is collected for the purpose of creating a flow of events that occur with a final outcome. We collect data from meters connected to water, electrical and gas service, and from weather conditions, volcanoes, earth tremors, bank transactions, scientific research, development research, buying and registering a car, personal health information and many other aspects, so that other flow events can be processed and completed. Data can be considered a flowing peripheral chain in the progression of operational life. To manage all this data, we have created a framework which assists in monitoring, controlling and deciding how it will be used once it is collected. This is where the area of data governance comes into the picture. Data governance has been developed over the past half century in order to assist companies, enterprises, organizations, institutions, entities, and anyone else who might collect, preserve, use and dispose of data. Policies and standards, roles, responsibilities, data strategies, architectural planning, compliance measures, management issues, data asset evaluation, and communications transference all fall under an organization’s framework for data governance. This is not to say that this is all data governance covers; it covers any program or issue that involves data. The process of strategically formulating this framework has come out of many years of implementation and failures in data governance research.

History of Data Governance
The seriousness that is now placed on data wasn’t always the case. Data management, or governance, has been going on since the introduction of punch cards. Some believe the first
generation was Mesopotamia, with five additional eras, while others have stated there are only four historical eras of change. Of course, it depends on how far back we go in the historical perspective of data management and governance. We’ll keep the cuneiform record keeping of the Mesopotamian civilization out of the lineup, and keep historical management to the nineteenth and twentieth centuries (Editorial Board, 2014). The earliest known adaptation of current data collection was in 1896, when Herman Hollerith created the Tabulating Machine Company and used punch cards to conduct recording, accounting and archiving functions. This company is now International Business Machines (IBM). In the early years of data collection and archiving, this is what was used to conduct the US census (Gray, 1996). This lasted until around 1955, when whole floors of buildings were loaded with punch card data. In 1951, UNIVAC-1 was delivered to the US Census Bureau and ran on COBOL and RPG. Application packages also emerged to handle general ledgers, inventory control, banking, payroll, document libraries, and subscription management. By the 60’s and 70’s, every bit of information was being stored on drums, disks and tape reels, and could be accessed through terminals. Data was being amassed so quickly that a way had to be found to make all of it relational. Hence, hierarchical network data models came into being, using logical and physical schemas with data interdependence. This solved the problem of many concurrent data transactions being performed at the same time. This gave rise to the more notable relational database management systems in the 80’s and 90’s. Using the structured query language (SQL), companies were able to relate data sets as groups, applying operators to produce whole records as a result (Gray, 1996). By the 90’s, multimedia databases had come onto the scene. No longer was it just spreadsheets with numbers and letters; it was now music, video, and mapping. Object-oriented programming assisted in this process by placing data into classes, which could be called upon
when needed, and compiled into the needed data by the user (Gray, 1996). This was also known as the application era. Data governance was also being looked at during this era. However, small and feeble attempts at unauthorized access were considered relatively moot, or so they thought. Thus, data was looked at as a byproduct of doing business. Some corporations tried enterprise data modeling, which was primarily driven by IT, but due to inadequate or negative support and authority within the organization, and the rigidity of the applications, these attempts ended up more as failures than successes (Chen, 2010). The Enterprise Repository Era, at the turn of the century, brought new challenges. Decision making relied more heavily on data analysis. Data was exploding at an exponential rate and had to be integrated into data warehouses. However, enterprises are finding that master data warehouses have become a risky and expensive venture. It wasn’t until the last decade or so that all this data enlightened users to the fact that not all data is the same, and different data needs different levels of protection. By 2010, companies realized there was a need for strong data governance and created strong business-oriented data governance committees and groups to manage the core sets of sensitive and critical databases used in the companies. In particular, companies took to creating policies, standards, procedures, and guidelines to address the failures occurring in data modeling, quality standards, data security and privacy, and life cycle security and privacy. Enterprises also realized they have to be major players and owners in this venture of data governance, as it gives the companies more consistency and control of the data, and affords wider flexibility in system design for information technology personnel (Chen, 2010).
Data Governance
Data governance can also be termed data management, as it addresses many issues with the management of data and uses specifications for creating and making decisions on issues which affect the organization, encouraging desirable behavioral outcomes in the evaluation, design and creation, use, storage, archiving and removal of information. Data governance also includes developing processes, work roles, policies, standards and metrics that verify that information is being used in an effective and efficient manner, so the enterprise is able to fulfill the objectives of the company and achieve success. Data governance combines different themed areas as a basis for the framework, including policies and procedures, data security implementation and adaptation, IT and architectural management, business continuity and process management, organizational integration of new architectural, security and data application designs, the concepts of risk, disaster and recovery management, and data warehousing and business intelligence, which may use a problem/solution framework. Data governance also incorporates master data management, which gathers all of a company’s critical and sensitive data into a single document or file that provides a common point of reference. An example of this may be in the form of a single sign-on file for entering various authorized areas with a single password concept (Chalker, 2014).

Data Governance Applicability & Needs
Data governance is not a “one size fits all” methodology. The frameworks can be quite similar and even share some of the same processes, but may still have dynamically different operational objectives and purposes. The reason there is no blanket methodology in data governance is that data governance is applicable to different approach mechanisms, based on the
organization’s decisions on creating and enforcing the rules of policies, standards and guidelines. Data governance applicability is primarily driven by the concerns and views of the stakeholders. Some are concerned about data analysis, decision-making and reporting mechanisms. Some concern themselves with the quality of their data being compromised. Others have become frustrated with architectural inadequacies which keep users from sorting, filtering and linking up the data sets or data warehouses. Some find the need to “Fort-Knox” the security data so that only a chosen few have access, while their counterparts want to increase the ability to acquire and share data, documents, reports and content. The data governance framework takes these stakeholder issues and helps the stakeholders to organize and think alike about approaching issues which are confusing, complicated and ambiguous (Thomas, 2009). Other drivers of data governance include outside elements which have to be considered. New sources of data, which are being combined with pioneering and diversified sources of new information, are pushing the need for new types of data governance and dynamic, aggressive new management methodologies for information and data. This includes external data usage, social media, new “Big Data” quality and controls, mobile data platforms with limitations on data, regulatory coordination in adapting to new technologies, on-demand data management for when data is requested in reporting, and control of the master report library for new sources of data (Chalker, 2014). With these newer needs arising, there is also a need to keep abreast of creating solutions to go along with the diversity of needs. This is where enterprises and organizations need to produce new solutions by implementing best practices which are already in effect, and researching best practices for new technologies which may be adapted to their own enterprise or business. One of the most thoroughly oriented solution frameworks is the Control Objectives for Information and Related Technologies (CobiT)
framework on data governance and Enterprise IT (COBIT 5 Task Force, 2013). The CobiT solutions framework works to deliver solutions to any data governance issue by utilizing a four-step approach to creating solutions. This four-step approach is based on the premise of: planning and organizing strategies, tactics and concerns; acquiring and implementing IT strategies to identify solutions for the implementation and integration of solutions into the enterprise; and conducting actual delivery and support of the solutions, which include security and continuity management, solutions support for users and solutions management for data in the operational facilities. The last step in the CobiT solutions process is to monitor and evaluate the process solutions over time, along with the quality, compliance, and control requirements. The last process also injects full governance of IT, regulatory compliance, data security, privacy and usage (Pierce, 2011). This solution process also supplements the CobiT domains and collaboration controls, which are only online and can be used to add parameters within each part of the solutions spectrum. This site ( http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Discussions-landing-page.aspx ) will point directly to the actual sub-areas of the four-step process. In addition to the CobiT framework, many data governance methodologies have been built into software applications to aid in streamlining solutions for data governance. Companies like Teradata, Capterra, and Collibra focus on creating automated data management and data governance process applications, which provide enterprise-focused applications that help collaborate and create an ease-of-use framework for data governance (Collibra (STARLabs), 2009).

Data Governance Policy & Compliance
In section one of this document, research was conducted on the aspects of what a policy is and how it applies to driving the enterprise. A policy was described as the act of creating compliance and governance strategies, of actions or principles, which will be adopted by
a government, specific party, enterprise, business, company, group, or individual, for the purpose of prescribing a set of conditions to guide current and future decisions (Merriam-Webster, 2016). The design and creation of the policy takes an immense amount of time, as the policy has to run a gamut of checks and verifications to make sure everything covered by the policy is reviewed. So too is the case when creating and designing the specific data governance policy, which is needed to align with the specifications required by legal, regulatory and investigatory guidance in situations relating to data governance (Grama, 2011). In the case of data governance policy, there are certain legal aspects which are required and “must be” attached to the format of the data governance policy. This is highly dependent on the background of the company and the objectives and operational outcomes for the enterprise, company, or entity (Salido & Voon, 2010). For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that personally identifiable information (PII) and electronic personal health information (e-PHI) be protected in accordance with the law and with security and privacy regulations. The Gramm-Leach-Bliley Act requires all banking institutions to ensure all customers’ PII is secured and kept private. This is also the same law which covers the credit card industry’s PCI-DSS regulatory requirements (Salido & Voon, 2010). To comply with these measures and standards, many enterprises have adopted policies reflecting the control of these data types, through the use of data governance policies, change management, and control policies. Two great sources of policy implementation have been provided by the International Organization for Standardization (ISO) ISO 27000 series (Change Management and Control Policy) template in the ISO 27000 toolkit (Hinson, 2012), and by the British Columbia First Nations’ Data Governance Initiative (BCFNDGI) (MIS Inc., 2015). Both
resources have templates for creating data governance policies and change management and control policies, which are highly important in the areas of data governance with compliance and legal and regulatory mandates. Each of these policies clearly defines acceptable and unacceptable behaviors in relation to data confidentiality, integrity and availability, privacy, and security. These documents also outline the specific roles and responsibilities of each level of stewardship, using a metrics approach; the types of decisions the stewards of the data will make; and who approves the decision of each steward, in relation to the data governance decisions which the initiating steward made. The policy also covers data quality, data standards, change management, data sharing and linking, awareness and training, data flows and data classifications. This is particularly important, as a key part of data governance is evaluating the classification of the data being secured.

Data Governance & Operational Policy
A key component of data governance can come in the form of human interaction with, and use of, data. In fact, the human element is the most volatile and unreliable constant in the protection, security and privacy of data. This is why many companies and enterprise infrastructures place so much emphasis on a “Data Stewardship Policy” (DSP). The outline for this policy includes the needed and required areas of compliance, and has applicable standards, guidelines and procedures created in the document to ensure a strict and specific set of obligations and principles are adhered to, in reference to the roles and responsibilities of data stewards. A DSP will generally be set up in seven general areas and proceed in the following manner. This outline can be easily retrieved from the SANS Institute (SANS Staff, 2014). Another policy which may be of importance in data governance is the implementation of a “Data Classification Policy”. Both policies should be considered part of the “Operational Policy” realm, as they hold standards and procedural functions.
The Policy Guidance
A policy should start with the intended “heading”, which includes the department it is designed for, the approval date, the actual title, and the source document to which the implementing policy may be related. Once the heading has the required labels, the following areas should follow in sequence. The “purpose” of the policy outlines a brief summary of the contents of the policy and states the objectives the policy will address. The purpose may also point out who is and is not affected by the implementation of the policy. Following the purpose, the “definitions” section gives the reader adequate meaning for terms that may appear confusing, giving the reader a better understanding and knowledge base with which to readily comprehend the contents of the policy. Once the reader can identify the obscure areas, the main body of the policy is revealed. The main “policy” section is considered the main subject matter of the document and is considered the governing principle, plan, regulatory compliance and understanding of what legally guides the reader’s actions for acceptable and unacceptable behavior. This section should state what is expected and what is to be done, but not how it is done. It won’t necessarily outline the actual acceptable behavior in a procedural format; that is indoctrinated into the “procedures” section (UCDavis Chancellor & Provost, 2011). The procedures section consists more of the steps of the required actions that will be taken to ensure acceptable behaviors and actions are achieved. They accurately and clearly describe the processes, roles, and responsibilities for accomplishing the duties, as prescribed and required by legal, legislative and regulatory requirements within the policy. The procedures will also address issue-specific and system-specific, step-by-step specifications for specific situations. The procedures should also be accompanied by guideline measures, which can suggest methods for accomplishing specific duties outlined in the policy requirements. The roles and
responsibilities of the individuals to whom the policy is applicable should have their taskings addressed within listings in the policy that show what must be completed by an individual or section of personnel (UCDavis Chancellor & Provost, 2011). After all the required procedural, standardized and guideline criteria have been integrated into the body of the policy, the “additional information” area is created to identify the office or individual responsible for the development and distribution of the policy. The additional information area should also include phone numbers, emails, and web addresses of individuals who may be able to assist in clarifying questionable areas of the document. The additional information area should also contain enforcement actions for individuals and groups who find it permissible to engage in unacceptable behaviors in the midst of data governance and compliance. For this reason, explanations should be placed in the policy which mandate certain monitoring controls for compliance, through the use of metrics and related key performance gauges. As with any document, the idea did not just pop up in the writer’s head. Most of this material has been developed over time, or by regulatory and legal means, and needs to have references defining its source (UCDavis Chancellor & Provost, 2011).

Data Classification Policy.
Policy has a pretty basic format, but enterprises might also have to look at having a policy which references a data classification policy, as the policy in question might have to deal with sensitive or critical information. Sensitivity, privacy, confidentiality and criticality of data have been a continually growing concern as the decades have passed. Thus, enterprise and company-wide policies have been indoctrinated to ensure data is maintained with a level of privacy and security to match the volatility of the data being used, stored, and transmitted. The data classification policy does just that. Data classification sets the legal, regulatory, and compliance requirements to ensure the maximum level of security controls
and protection levels are assigned to meet the sensitivity, privacy, criticality and volatility of data, whether it is top secret, secret, confidential, classified, for official use only, or publicly viewable. Every piece of data which falls under any of these categories should have classification tagging placed on it, as that is only good sense. This schema should be applied to both unstructured and structured data within the enterprise environment (Salido & Voon, 2010). In simplified terms, most data governance entities classify data on sensitivity and impact to the business, and correlate a simplified label to the data. It will be tagged either as “Restricted”, “Private Data”, or “Public Data”. Figure 2-1 gives a simple metric which visualizes the equation for evaluating data confidentiality, integrity, sensitivity, and the impact of compromised data (Evans, Bond, & Bement, 2004). As is noticeable in the graph in Figure 2-1, the impact of data will tend to move toward the private classification as the threat impact goes to a high status. Additionally, specific laws should be addressed and oriented to any data in the private, confidential, or restricted type of environment. The National Institute of Standards and Technology (NIST) has created SP800-60 Vol. II, which provides a guideline and a data classification metric to quickly identify the classifications of certain types of data, and provides Presidential directives, executive orders, case law, statutes, and acts to enforce the specifications of data classification decisions (Stine, et al., 2008).

Data Governance & Legal, Regulatory and Forensic Compliance.
Though most of this section’s facts on standards, guidelines, procedures and methodologies have been discussed in terms of the privacy and security of data governance, one of the key aspects being presented through the entire delivery was the fact that every policy, and every procedure for a policy, has different compliance mandates to direct the function of the policy. If we think about it, legal ramifications drive the way that every policy is written. As was portrayed in the classification policy, certain directives, executive orders, federal acts, federal and state statutes, memorandums, and case law all drive the purpose, content, and compliance measures of every policy in an enterprise. NIST SP800-60 Vol. II specifically outlines numerous legalities and legal document references which pertain to different types of operationally driven policies. There are standards, procedures and guidelines specifically dictated, dependent upon the policy to be designed and implemented (Stine, et al., 2008). Legal, regulatory and forensic compliance are all part of IT governance. Data governance is an area which complements IT governance.
An analogy of the two portrays IT governance as the pipeline of a water system and data governance as the water in the pipes. Information technology governance focuses on infrastructure performance objectives and on managing and evaluating the risks associated with that
infrastructure. Data governance works to align the management of the data with the enterprise objectives, to be an additional regulatory support mechanism for compliance, and to manage vulnerabilities, risks, and exploitations which specifically relate to the actual data (Salido & Voon, 2010).

Conclusion
Data governance is another wide area of informational frameworks, which build on a system of methodologies and architectures to protect data, ensure compliance of operation, and support actual IT governance. As seen through most of this section, data governance parallels the methodologies and framework of IT governance. This is because IT governance works more holistically on the actual structural infrastructure of the networks in enterprises, but doesn’t really look at how the data will align to the security and privacy concepts of operational infrastructures. Data governance takes up the slack where IT governance trails off in security and privacy reliance and assurance. It closes the holes in data security, data management and data compliance. As the old adage of the pipeline goes: you need a pipeline in order to have water, but you also need water in order to have a pipeline (Salido & Voon, 2010). Bottom line, IT governance needs data governance and vice versa.
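Returning to the data classification metric discussed under the Data Classification Policy above (impact to confidentiality, integrity and availability rolled up into a Restricted / Private Data / Public Data label), the following is an added worked example; it is not part of the original paper, nor code from NIST. It applies the FIPS 199 high-water-mark rule that SP 800-60 builds on: the overall impact of an information type is the highest of its three per-objective impact levels, and it goes one step beyond the paper by also computing the category of a whole system as the per-objective high-water mark across the information types it holds. The mapping of low/moderate/high to the three labels, the sample information types, and their impact levels are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Impact levels in increasing order, as FIPS 199 defines them.
IMPACT_LEVELS = ("low", "moderate", "high")
_RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}

# Assumed mapping from the overall impact level to the three labels the
# paper names; the real mapping is set by an organization's own policy.
LABELS = {"low": "Public Data", "moderate": "Private Data", "high": "Restricted"}


def is_valid_impact(level: str) -> bool:
    """True if `level` is one of the FIPS 199 impact levels (case-insensitive)."""
    return level.lower() in _RANK


def _normalize(level: str) -> str:
    if not is_valid_impact(level):
        raise ValueError(f"unknown impact level {level!r}; expected one of {IMPACT_LEVELS}")
    return level.lower()


def _highest(levels: Iterable[str]) -> str:
    """High-water mark: the most severe of the given impact levels."""
    return max(levels, key=_RANK.__getitem__)


@dataclass(frozen=True)
class SecurityCategory:
    """Impact to confidentiality, integrity and availability for one information type."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Validate and lower-case each level so bad input fails loudly and early.
        for name in ("confidentiality", "integrity", "availability"):
            object.__setattr__(self, name, _normalize(getattr(self, name)))

    def overall_impact(self) -> str:
        """FIPS 199 rule: the overall impact is the highest of the three."""
        return _highest((self.confidentiality, self.integrity, self.availability))

    def label(self) -> str:
        """Policy label derived from the overall impact (mapping assumed above)."""
        return LABELS[self.overall_impact()]

    def tag(self) -> str:
        """Classification tag to attach to the data: label plus per-objective levels."""
        return (f"{self.label()} [C={self.confidentiality}, "
                f"I={self.integrity}, A={self.availability}]")


def system_category(categories: Iterable[SecurityCategory]) -> SecurityCategory:
    """Category of a system holding several information types: the
    per-objective high-water mark across all of them."""
    cats = list(categories)
    if not cats:
        raise ValueError("at least one information type is required")
    return SecurityCategory(
        _highest(c.confidentiality for c in cats),
        _highest(c.integrity for c in cats),
        _highest(c.availability for c in cats),
    )


# Constructed sample information types; the impact levels are assumptions for
# illustration, not values taken from SP 800-60 or from the paper.
SAMPLE_INFORMATION_TYPES: Dict[str, SecurityCategory] = {
    "public web content": SecurityCategory("low", "moderate", "low"),
    "internal payroll records": SecurityCategory("moderate", "moderate", "low"),
    "patient e-PHI": SecurityCategory("high", "high", "moderate"),
}


def classify_all(types: Dict[str, SecurityCategory]) -> Dict[str, str]:
    """Tag every information type with its label and C/I/A levels."""
    return {name: cat.tag() for name, cat in types.items()}


if __name__ == "__main__":
    for name, tag in classify_all(SAMPLE_INFORMATION_TYPES).items():
        print(f"{name:25s} -> {tag}")
    whole = system_category(SAMPLE_INFORMATION_TYPES.values())
    print(f"{'whole system':25s} -> {whole.tag()}")
```

Note what the high-water mark does to the sample "public web content": its confidentiality impact is low, but because a defaced or altered public page was rated a moderate integrity impact, the rule lifts the whole type to "Private Data". That is the behaviour the paper describes, the label moving toward the private end as any one impact rises, and it is why a classification policy has to state all three objectives rather than sensitivity alone.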
Section 3 – Network Security
Introduction
When someone is asked about network security, they think about what is normally associated with anyone who is running a computer on a network. There is likely some sort of software on their computer which defends against viruses, Trojans, worms, spy-bots, and other malware. They don’t even realize that updating a computer with patches and updates is part of security. Neither do they realize that setting strong passwords according to set policies, ensuring certain programs are turned off or removed, or letting others access their computers, all tend to be part of layered network security, or the lack thereof. Network security is all of these areas, and a lot more. Network security is the capability to control undesired intrusions into the network, the unauthorized use of network services, or damage to and exploitation of the distributed system within an enterprise’s network. This includes watching for users who may be, or are, abusing the system, scanning for protocols that are not properly configured, blocking attempts at unauthorized transmissions, and responding to incidents as they occur. The primary objectives of network security are to support the company’s mission objectives and goals, ensuring no misuse is being conducted within the company’s digital resources, and ensuring the distributed system is maintaining the CIA triad of confidentiality, integrity and availability (Stewart, 2014). The scary fact about networks today is that companies spend more resources on security protection, in terms of time, money, and effort, securing the resources, than they initially did to set up the system. The threats facing most companies today are coming from external and internal sources. This translates into creating a more layered type of response in the network realm. Of course, this wasn’t always the case, as we take a look back in history to see what catapulted network security into its current framework and configurations of layered security.
Network Security History
Enterprise networks have not always had security as part of their frameworks. In fact, it wasn’t until the 1960’s that the term “Hacker” was actually coined, by two M.I.T. students. Nothing pertaining to real security became apparent until the 1980’s. A group known as the “414 Gang” was undergoing a nine-day hacking spree to crack open top secret sites, but was taken down by the FBI. In 1986, Ian Murphy was directly responsible for the initiation of the “Computer Fraud and Abuse Act” when he decided to infiltrate Department of Defense computers. After Ian Murphy was taken down, Robert Morris released the “Morris Worm”, which took down over 600 computers on the Internet. This resulted in the federal government initiating the Computer Emergency Response Team (CERT). Their primary responsibility was to alert users of the Internet of any security issues. By the 1990’s, Internet use had exploded exponentially, with approximately 950 million users cruising around the Internet. Along with this was an increase in the daily attacks occurring on individuals and enterprises alike. Estimates placed daily attacks at around 225 a day, which were causing many security breaches, monetary losses, and damage to enterprise and individual resources. Therefore, security implementation had begun to emerge (Daya, 2008).

Legal, Regulatory Compliance, and Integration of Network Policy
Since network penetration became an apparent problem, many institutions, organizations, enterprises, small businesses, and the government all realized there was a legal and regulatory need to apply punitive penalties for penetrating network systems. Laws and other acts began to emerge to deter the effects of cyber hacking. The Federal Information Security Management Act (FISMA) is referred to as one of the major supporting references for any and all
procedures, guidelines, and standards pertaining to information and network security assurance (Fischer, 2014). If a reader were to go to the National Institute of Standards and Technology and pull up any of the special publications, the reader would see that almost every special publication is in accordance with the FISMA law. For this reason, policies and compliance with NIST standards will trickle down into the implementation of policies when designing and creating networks, operational functions and objectives, life cycles, and the retirement of network components. Therefore, before writing any policy for network security, the designer must first address the regulatory compliance measures relating to the business or industry, which entail the hardening and shoring up of security for a particular network. If it is banking, it will be Gramm-Leach-Bliley; medical will be HIPAA; and any publicly traded company is SOX (Avolio, 2007). These are the major acts that many companies must follow when researching the policy design. Once the appropriate federal, state, and municipal compliance standards have been researched, the root network policy can be established. This compliance policy should integrate the following areas: acceptable use of resources, password authentication practices and enforcement, email transmission and encryption standards, proper web use, mobile computing with portable storage and “Bring Your Own Device” (BYOD) standards, proper compliance with remote access protocols, Internet-facing gateway configuration standards, wireless management access protocols, and standards for server security operations that cover testing, development, production, and enabled or disabled services. The network policy will also have all the other usual factors, such as the scope of the policy, penalties for ignoring or breaking the rules, who can enforce the policy, who is subject to the policy, and the individuals or groups responsible for the network policy (Avolio, 2007).
Most of the mechanisms within the network which are part of the layered security approach will have certain elements applied to create a compliance perspective. The policy should be usable as a standardization guide for the installation of the hardware, for the configuration of the hardware, as a mechanism to assist in troubleshooting problems, as a go-to source for detecting changes and differences from the initial baseline, and as a source for configuring consistent filtering, packet monitoring, signature assessments, authorizations and authentications, auditing and controls, and any other configuration associated with security standards (Stewart, 2014).

Due Care and Diligence of Network

One of the things that an organization must continually monitor, throughout the life cycle of the network, the daily operations of the network, and the proper disposal of aging network components, is the liability associated with these concepts and practices. A company or enterprise must enforce strong ethical behaviors to ensure employees are following the ethics and mandated laws with which the company is obligated to comply. If an employee, or the company, decides not to behave ethically by the mandates, regulatory requirements, and laws, this can create immense liability for the enterprise. Liability often extends past normal legal and contractual obligations if an employee decides to be unethical and acts without the authorization of company policy and required legal mandates. This can place massive monetary and financial burdens on the company (Whitman & Mattord, 2010). Therefore, due care and due diligence need to be recognized and implemented to ensure employees follow the aspects of policy compliance and governance. Due care standardization is achieved when an enterprise verifies that the employees know the acceptable and unacceptable behaviors, and are being held accountable to the standards, legal requirements, and consequences when they are not within acceptable means. Due diligence complements the due care concept, in that the enterprise is ultimately responsible for establishing and maintaining a concerted effort to protect those individuals and resources which could be legally and financially wronged by the enterprise. This diligence must be maintained at a performance and standards level which is continual and without deviation (Whitman & Mattord, 2010). In ascertaining a certain level of security within the network, the enterprise may need to use these concepts to achieve the desired objective and acceptable outcomes for the enterprise. This way, if the enterprise has to mount a legal defense, it can show what it has done and prove it has done what would be prudent for any other company facing the same scenario. This is commonly known as the "standard of due care". Due diligence ensures that the implemented standards are maintained in good standing without deviation, to meet the security objectives of data security and privacy. This is particularly significant in areas where an enterprise or entity maintains data about its customers, like the medical industry and stores like Target, Home Depot, and Amazon. It also applies to anyone handling personally identifiable information (Whitman & Mattord, 2010).

Network Security Solutions

Security configuration solutions can be a useful tool for better comprehending component makeup and configurations in the IT network environment. Creating a security solution framework for the network will give all members a clearer baseline foundation of which security management sectors should be considered, in addition to the security amenities and framework architectures on which they will rely. Network security solutions create guidance for better understanding the relations between the network security services and the actual framework architecture of the system. Solution patterns can also aid in assessing the overall scope of various projects and the individual stages they are in. This will help create a more comprehensive understanding of external and internal dependencies at higher levels (Buecker, et al., 2011). By utilizing this functional solutions framework, the designer can better adapt all aspects of the network to create a network system capable of withstanding attacks in the long term. There are two key reasons why network solutions are an integral part of creating a secure and privacy-conscious network. First, the "cost-benefit" of initiating and maintaining network security has to outweigh the risk of not implementing network security at all. In many aspects, this is just an absurd thought. Vulnerabilities, threats, and exploitations of network systems now dictate that the cost of proper security protection will definitely outweigh the benefits of not having security. Enterprises have too much vested in their assets, whether tangible or intangible. Secondly, creating an environment which maintains the confidentiality, integrity, and availability (CIA) of the network system is paramount to the objectives, missions, and production of a company that uses a network system to function (Barker, et al., 2013). Two other areas that parallel the solutions of network security are "change management" and "configuration management". These managerial fields are necessary for the proper integration of new technologies into the network, and for creating the legal, regulatory, and forensic standards needed to provide oversight for the operational objectives of network security. The purpose of the change management policy is to ensure the procedures and standards are addressed and followed when modifications need to be made to the network infrastructure. This can be anything from new compliance regulatory legislation, to updating new and existing software and hardware, to implementing entirely new hardware or software.
Without the ability to properly monitor and control change management, a company might find itself in a predicament because the upgrades weren't monitored in accordance with the monitoring and control requirements which are mandated by law. On the other hand, a configuration management policy makes sure the proper controls, standards, and procedures are in effect to consider the effects of change management, and verifies there is minimal impact on the system and surrounding environment. Configuration management ensures the presence of baseline compliance measures for hardware and software prior to any changes, and maintains an accurate record of all changes within that system, from cradle to grave (Whitman & Mattord, 2010). The configuration management policy should also establish the type of configuration the network will be, describe the control processes for the configuration, and identify a schedule for configuration audits of the network system. These can now be part of the layered defense strategy under which most network systems must operate to align themselves with enterprise goals and objectives (Whitman & Mattord, 2010).

Layered Defense Strategy

Creating a workable and viable strategy to ensure that vulnerabilities, exploitations, brute force attacks, distributed denials of service, phishing attacks, and a menagerie of other black hat activities don't occur will take much more than expecting something like Microsoft Security Essentials to cover the whole protective guardianship of your system. An enterprise network needs a layered defense to ensure a 360 degree security grid can be established. Therefore, many layers will need to be integrated together to form an overlapping protection grid. This layered grid will have the potential of a "redundancy of process". For example, a network might have two firewalls in the communications line. If one fails, and opens all ports on failure, the second firewall will quickly pick up the slack until remediation efforts are established. This is only one small component of the overall layering capability (Whitman & Mattord, 2010). An enterprise, to be successful, should have multiple layers to adequately create a redundancy of protection, from the perimeter to the core of its operations. This will include the policies and procedures, physical security, operations security, personnel security, communications security, information security, and network security. These can be related to the more notable managements of network systems security. The overall layering capability can be termed Defense-in-Depth (DiD) (Whitman & Mattord, 2010).

Defense in Depth

Defense-in-Depth is considered part of the layering effect. Defense in depth is actually a strategy which is used by our military, when we were defending posts and air fields in Viet Nam, Cambodia, Korea, and most recently the operations in Southwest Nausea (Iraq and Iran) and in U-pick-a-Stan (Afghanistan, Kyrgyzstan, and Kazakhstan). By adding more layers of security, an enterprise is actually building progressive blocks of protection between the outside world and the inner workings of the company. This isn't only the network itself. It is everything combined which protects the data, from the perimeter of the enterprise to the core of the enterprise, or business. As is seen above, layered defense is more concerned with the management types of security. Defense in depth looks more at the issue-specific and systems-specific aspects of security, to go along with executive layered operational security. It is kind of like the argument of executive policy versus operational policy. One gives basic guidelines, while the other is more in the realm of issue- and systems-specific guidance. This is where the overlapping layers will cover the shortcomings of the other layers. If a system fails, there is another taking its place until remediation is conducted (Shamim & Fayyaz, 2014). Defense in depth covers eight layers of protection. It looks at the policies and procedures, like layered defense. Defense in depth also looks at physical security objectives, network and perimeter security, hardware and software mechanisms, tools to monitor and log events, types of security on host computers, session security during online and network activity, application-associated security that deals with PII, data encryption procedures, and data leakage defense (Shamim & Fayyaz, 2014). When deciding how much security should be applied, an enterprise needs to conduct a "risk assessment and evaluation" to evaluate and assess the level of security needed, dependent upon the sensitivity and criticality of the data being secured. By addressing each defense-in-depth area, we can see what will actually be involved in the defense mechanisms which make up each layer. It is easier to work from the external side of the company and move inward, peeling away the layers. Therefore, we will start with physical security (Shamim & Fayyaz, 2014).

Physical Security. Working in this area of security can amount to many different scenarios which apply to the success of the other security management concepts. Physical security outlines three issue-specific driven areas. There are the environmental threats, technical threats, and human-related threats which can break down barriers to compromise security within an enterprise. "Environmental threats" are comprised of tornadoes, hurricanes, earthquakes, ice storms, blizzards, floods, and lightning (Vacca, 2009). Under this guise, enterprises need to look at risk management of a facility, and whether the location is suitable for their business objectives and mission needs. Inappropriate humidity and temperatures can also affect the way a network runs.
Too much humidity can damage components, and heat can fry components. Another naturally occurring threat is fire. It can start inside a building from human error, electronic malfunctions, or from the natural environment. The facility may also be subject to nuclear, chemical, and biological conditions. A prime example of this is the local school, which has a pretty impressive network system (Vacca, 2009). Not 200 yards to the north is a highway which carries nuclear and biological wastes eastbound, over the road, each and every day. This could subject the school campus to contaminants, rendering it unsuitable for learning purposes for quite a long time. Dust and infestations are also contenders among the natural physical threats to a network system.

Environmental and Physical Defense Strategies. There are a number of ways to shore up physical security so that only authorized personnel are granted access to a secured facility. The facility is usually structured to withstand the natural environmental elements. In some cases, structures have been developed out of reinforced concrete and can be up to 30 feet thick. Facilities have been placed on stilts to defray flooding, and some facilities are underground to defray nuclear, biological, and chemical attack vectors. The windows may be bulletproofed, smoked, or shielded to prevent people from looking in. Some facilities are placed in areas known as "stand-off" locations. This gives the facilities visible space, so that no one can easily come up next to the facility without being noticed by some other physical security monitoring asset. Stand-off perimeters can be as much as 300 meters from the facility to the outer perimeter. The perimeter fence is usually composed of 12-gauge chain link fence, with outriggers and barbed wire. These fences can have cameras along the perimeter and corners, which are all monitored from the security control room somewhere within the facility. The perimeter can also be outfitted with perimeter and area lighting and physical automated infrared and volumetric sensors to pick up any movement (D.A.V., 2015).
The perimeter will also have physical access controls, where there can be an entry control point system for both individuals and vehicles. These are known as vehicle and personnel traps. These locations are used for identifying the individual and for inspecting and searching the vehicle for potential threat items. The entry control point will be manned with security personnel, who may check the individual in via an authorization list, or by using single and dual badge authentication. This might sound a little extreme, but depending on the level of secrecy, sensitivity, and volatility of the information, this can all be present, and more (Whitman & Mattord, 2010). This is just what it takes to get into the facility. Inside a facility, there are internal controls monitoring personnel, including cameras, biometric and magnetic card readers for access, and regular keys and locks to access other rooms. Some rooms may be set with magnetic locking mechanisms or cipher locks, which only allow access to authorized personnel who know the combination. For example, the main client-server room may have a trap door system and a biometric door system on it. This means that the technician might have to scan his or her card, and then be recognized by the security personnel viewing a camera in the trap area. The security personnel will then allow the technician in after verification of the badge is done at the control center at the second door. Protection measures might be installed to ensure fire doesn't destroy the server room. This could be a halon fire system, which sucks all the oxygen out of the room. This also defrays damage to the servers, in that it is not water (Weaver, Weaver, & Farwood, 2014).

Technical Related Threats. Technical threats stem more toward electrical-related entities. For example, there may be an immense amount of heat in the environment, making the electrical lines hard pressed to deliver power. This can cause brownouts and blackouts. The UPS battery supply is only able to sustain a network environment for a limited time. Without a generator as a redundancy, the battery backup is cooked in a matter of a couple of hours. Electromagnetic interference from the sun and other sources can also wreak havoc on network systems. EMPs can also cause a fair amount of disruption and damage. If the system is in an area where sun visibility is strong, this can be expected, and without shielding on transmission lines there is no telling how safe a network can be.

Technical Defense Strategies. Dealing with the technical threats brings in a different pattern of physical and digital dynamics to network security. However, one of the concepts which is the same is identifying the threats through the use of risk assessments. Technical defense strategies incorporate the use of policies and legal and regulatory mandates, just like the physical security aspects do, to adjust the security of the network and its security level. Each device in an enterprise network will most likely have some sort of security layer for which it is responsible. This is what provides the depth of security inside the actual network systems. When a transmission is sent to the enterprise, whether it is a file, an email, a simple message, personal information, or any other form of data, it has to go through a menagerie of pathways to get to the recipient. This is done using both hardware and application software. The message begins by connecting from the Internet to either a firewall or a router. This again is dictated by the level of security needed for the particular organization to which the data is being sent. It also depends on whether the firewall is within a router, or is a standalone component within the security pipeline. Typically, the first component that data will have to navigate through is the firewall. Firewalls process five different modes of information when data is streaming through them.
The most common is hybrid, but firewalls can be set independently to just monitor media access control (MAC) addresses, application gateways, circuit gateways, and packet filtering. A firewall can be set to packet-filtering mode, which monitors the signatures and headers of individual packets to ensure they are in compliance with firewall rules and are not in violation of the mandated rules. A firewall can selectively filter the packet based on header information and decide whether it is acceptable for the destination address, whether it is from the proper source address, and whether the packet is the proper size according to the header of the packet. If the packet matches any restrictions, the firewall will toss the packet. Packet filtering firewalls also present sublayers of stateful inspection, dynamic filtering, and static filtering. In a nutshell, the firewall is basically automated to recognize changes and adapt to potential threats as they may occur (Whitman & Mattord, 2010). If a packet of data does comply with the standards and configurations of the firewall, it will be sent on to the router. One other aspect of the firewall is its ability to create a demilitarized zone (DMZ) outside the purview of the internal network. The DMZ will sit on a subnetwork and may even run on its own DNS server to help resolve public domains and IP addresses (Weaver, Weaver, & Farwood, 2014). The router can be set with various access control list configurations, which will either permit or deny packets based on source and destination address, the specified port of entry and exit, or the protocols in the packet header. The router also controls the flow of traffic and can be tweaked to only allow certain users access to sensitive network segments in the enterprise (Weaver, Weaver, & Farwood, 2014). Just behind the router and the firewall is the intrusion detection and prevention system. The intrusion detection and prevention system (IDS/IPS) is like a burglar alarm for your home. It will sound the alarm when an attack or malicious packets enter the network. The IDS/IPS then gives you possible countermeasures which can be taken to stop the attack.
The nice thing about the IDS/IPS is that it can be automated to take care of the attack for you, and that it complements the firewall for prevention while also working to detect attacks or intrusions. The IDS/IPS is actually three devices or applications in one. The IDS/IPS will prevent, detect, and respond to any and all malicious activities which may be trying to circumvent the network system, through properly configured means. The IDS/IPS will also log every event which does not match the definitions and signatures of packets migrating on the network. Finally, by having an IDS/IPS present, the enterprise is showing governance and due diligence in abiding by the legal and regulatory mandates dictated by federal and state law (Weaver, Weaver, & Farwood, 2014).

The DNS server is another area of the network which can help in creating a hardened approach to network security, or it can be a monumental headache from various attack approaches. The DNS server is prone to distributed denial of service attacks, cache poisoning style attacks, man-in-the-middle attacks, spoofing, reflection style attacks, and advanced persistent threats. By incorporating redundant DNS servers as backups, and incorporating security-aware DNS security applications and add-ons, the DNS server is able to manage authoritative zone information, manage the caching of domain names to IP addresses, and respond adequately to queries from clientele. The security is now watching its resource records (RR), in the areas of signature (SIG) resource records, encryption key (KEY) resource records, and nonexistent (NXT) resource records. By monitoring the NXT RR and comparing the IP record to the server's compiled list, it can tell what packets are acceptable to process and what to deny (Davidowicz, 1999). The DNS server can be set to limit inbound packets, limit the actual number of packets from each user, validate on recursive servers, use access control lists (ACLs), use tools like check-zone or IP Access management to monitor error checking of traffic, monitor and control keyed authentication, routinely audit users for misconfigurations and anomalies, and implement ingress filtering on routers to mitigate spoofing (Davidowicz, 1999).
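The packet-filtering and access-control-list behaviour described above for the firewall and router, as an added example that is not part of the original paper: ordered static rules judged on header fields with a default deny, a packet-size sanity check, and a stateful table that admits inbound replies only for connections an inside host opened. The addresses, segments, and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example (not the paper's code): a minimal packet-filtering
# firewall. Static rules judge each packet on its header fields alone; a
# connection table on top adds the stateful inspection that static rules
# cannot express, admitting return traffic for connections opened from inside.


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    sport: int      # source port
    dport: int      # destination port
    size: int       # total length from the IP header, in bytes


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """First-match rule lists per direction, default deny, plus a
    connection table for stateful inspection of inbound replies."""

    def __init__(self, inbound, outbound, max_size=1500):
        self.rules = {"in": list(inbound), "out": list(outbound)}
        self.max_size = max_size
        self.connections = set()  # (src, sport, dst, dport, proto) opened from inside
        self.dropped = []         # (direction, packet, reason), kept for the audit log

    def _static(self, p: Packet, direction: str):
        # Size sanity check first: a length that cannot be real is dropped
        # regardless of what the addresses say.
        if p.size <= 0 or p.size > self.max_size:
            return "deny", "bad-size"
        for rule in self.rules[direction]:
            if rule.matches(p):
                return rule.action, f"rule:{rule.action} {rule.src}->{rule.dst}"
        return "deny", "default-deny"

    def filter(self, p: Packet, direction: str) -> str:
        if direction == "in":
            # Stateful inspection: a reply to a connection we let out is permitted.
            if (p.dst, p.dport, p.src, p.sport, p.proto) in self.connections:
                return "permit"
        action, reason = self._static(p, direction)
        if action == "permit" and direction == "out":
            self.connections.add((p.src, p.sport, p.dst, p.dport, p.proto))
        elif action == "deny":
            self.dropped.append((direction, p, reason))
        return action


def build_example_filter() -> PacketFilter:
    # Constructed topology: DMZ web server 192.0.2.10, user LAN 10.0.1.0/24,
    # and a sensitive segment 10.0.2.0/24 that outside addresses must never reach.
    inbound = [
        Rule("deny", "0.0.0.0/0", "10.0.2.0/24"),
        Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
        Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    ]
    outbound = [Rule("permit", "10.0.0.0/16", "0.0.0.0/0", "tcp")]
    return PacketFilter(inbound, outbound)


if __name__ == "__main__":
    fw = build_example_filter()
    print(fw.filter(Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 80, 600), "in"))
    print(fw.filter(Packet("203.0.113.5", "10.0.2.7", "tcp", 51000, 22, 600), "in"))
    for direction, pkt, reason in fw.dropped:
        print(f"dropped {direction} {pkt.src}->{pkt.dst}:{pkt.dport} ({reason})")
```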
Authentication and password security is another form of hardening of the network system. The password security policy should dictate the structure of passwords, how long they should be used before a new password is required, how they are safeguarded to prevent vulnerable situations, and the establishment of auto-generated notifications to change the users' passwords. Passwords should be used for logging into the system, for remote access, in the screen saver applications, and even on certain single files or folders. Creation of a password should require a minimum of 12 characters, with both upper and lower case letters, numeric values, and a special character or two. Along with passwords, authentication and verification procedures should be used. This can be a security question which only the user knows. It can also be dual authentication via text message to a phone, or even a biometric fingerprint, eye scan, or palm scan (Weaver, Weaver, & Farwood, 2014). In some instances, like the military, a user now has to have their military common access card (CAC), which must be inserted into a card reader. The user is then able to log on, and their CAC card PIN serves as the secondary authorization. This author had an 8-digit PIN, which the military required in order for the card to be viable for the login authentication process. In some big enterprises, they may have a centralized server which handles logon authentications. This could be Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or even Kerberos. Kerberos creates a session encryption key for the user, for the session they are conducting (Conklin, White, Williams, Davis, & Cothren, 2012).

Operating system patches and upgrades are another way to ensure a level of protection. The Common Vulnerabilities and Exposures (CVE) website (https://cve.mitre.org) posts the vulnerabilities, attacks, and exploits which are occurring to network systems, on a daily basis, and provides hotfixes and patches for many of the network components in order to shore up enterprise networks (Mitre Corp., 2016). MITRE works hand in hand with the U.S. National Vulnerability Database (NVD) website to assist administrators and IT personnel in getting the latest and greatest updates and patches for computers. NVD goes so far as to supply an automated program called the security content validation automation tool, which aids in validating data streams within the network (N.V.D., 2016). Besides the OS upgrades and patches, each individual host computer which is running on the network should be equipped with some sort of endpoint anti-virus protection. This complements the network IDS/IPS (NIDS/NIPS) in mitigating possible malicious attacks, should they occur. Host antivirus programs continually monitor a system for malware signatures and will automatically delete the file, zip file, or email if the program detects malicious software on the host computer. Antivirus programs also automatically update with the latest and greatest signatures to ensure zero-day vulnerabilities can be found and dispatched (Conklin, White, Williams, Davis, & Cothren, 2012). Auditing and logging is yet another layer for the administrators and IT personnel who are protecting the network. Audits can be conducted on databases and on when personnel log on to and off of the system. The audit will create a log of all events which may need to be closed out. An audit log can be created by a host operating system, a server, an IDPS, or routers, just to name a few. The purpose of the log is to let the systems personnel know what is going on at any given moment, and it can also assist in rectifying possible vulnerabilities and real-time attack vectors (Conklin, White, Williams, Davis, & Cothren, 2012). Logs can also be valuable in showing high capacity times of the system.

Human Related Threats. Human-related threats top the list of physical security threats. When an individual gets the chance to be nosy, policies just seem to go straight out the window.
They may want to put their own software on systems, listen to music on the systems, find a door open to a place they shouldn't be in, use their own disks and other media for transport, and a myriad of other unacceptable behaviors. Then we get the disgruntled worker who has not been removed from the system. They can remote access in and cause all sorts of havoc to the system by elevating privileges and permissions, stealing files, or damaging files to spite someone. Therefore, physical security needs strategies to defray these areas of vulnerability and threat. This is where physical security mechanisms can be implemented.

Human Related Defense Strategies. Humans can be the greatest risk and threat to any enterprise network system. The reason for this is that what people do, and what they create, is forever changing. There is no constant in this equation from which to create a baseline summary to go by. However, legal, regulatory, and forensic compliance measures have been mandated to ensure people abide by the rules, standards, and procedures of every company or enterprise engaging in business and production of some form. This is where the policies, legal and regulatory requirements, standards, procedures, and guidelines really take hold. The primary policy of choice is the "Acceptable Use" policy. The acceptable use policy will be designed in relation to the business function of the enterprise, business, or entity. For example, if the business deals with protecting the security and privacy of HIPAA information, there will be many parameters describing how a patient's information can be handled and stored, and even how data retention must be dealt with. Data retention is huge in the medical industry and must be contended with, utilizing every protective measure possible. This means data retention may even be part of the HIPAA acceptable use policy, or be referred to as a separate policy.
Many acceptable use policies (AUP) lay out a format which covers general use and ownership, responsibility for security and proprietary data, activities that are acceptable and unacceptable on the network, email and communications practices, using the network system for personal use, blogging, bring your own device, remote access requirements, using wireless devices, reporting incidents, legal ramifications, public relations, assisting in forensic investigations, responsibilities during audits, and any other issue-specific security requirement which might apply to the individual company. The key point of the AUP is that it must comply with legal, federal, and state law mandates, stand up in court if challenged, contribute to the objectives and achievements of the enterprise, and involve end users throughout the whole network systems process (Yang, 2005). In addition to the acceptable use policy, the enterprise should have a continual training program for all aspects of the network and information. No matter how many books an individual looks at, there will always be a sentence which says that the best practice for alleviating problematic areas is avid training and awareness on a continual basis. Interestingly, training and awareness of computer and network operations is mandated, in many respects, by federal law. In fact, requirement mandates are listed in HIPAA, FISMA, GLBA, PCI-DSS, FACTA, and various state laws, which require any personnel interacting with computer networks to have an acceptable use training and awareness class conducted before accessing terminal resources (Solove, 2013). The bottom line is, most enterprises and companies now know that the human element can be the most dangerous factor in computer safety, security, and privacy.

Conclusion

In this section, we reviewed the legalistic approaches to network security, what is involved in network security, and the ultimate outcome if network-associated security policies are not followed to the letter: problematic areas begin to emerge. By using network best practices and ensuring policies are attached to every aspect of network security, an enterprise should be able to maintain a streamlined environment.
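The auditing and logging layer discussed earlier in this section (logon and logoff audit trails that reveal attack activity and the system's high-capacity periods), as an added example that is not part of the original paper. The log format and every log line are constructed for illustration; the review finds source addresses with repeated failed logons inside a short window, notes whether a success followed from the same source, and reports the busiest logon hours.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed example (not the paper's code): reviewing a logon/logoff audit
# log for the two things the section calls out, signs of an attack in
# progress and the hours when the system is under the heaviest load.
# The key=value line format and the entries below are made up for this example.

SAMPLE_LOG = """\
2016-11-01T02:11:04 host=vpn01 event=LOGON user=admin src=203.0.113.9 result=FAILURE
2016-11-01T02:11:31 host=vpn01 event=LOGON user=admin src=203.0.113.9 result=FAILURE
2016-11-01T02:12:05 host=vpn01 event=LOGON user=root src=203.0.113.9 result=FAILURE
2016-11-01T02:12:40 host=vpn01 event=LOGON user=admin src=203.0.113.9 result=FAILURE
2016-11-01T02:13:12 host=vpn01 event=LOGON user=admin src=203.0.113.9 result=FAILURE
2016-11-01T02:14:02 host=vpn01 event=LOGON user=admin src=203.0.113.9 result=SUCCESS
2016-11-01T08:02:11 host=fs01 event=LOGON user=jsmith src=10.0.1.21 result=SUCCESS
2016-11-01T08:05:47 host=fs01 event=LOGON user=mlee src=10.0.1.33 result=FAILURE
2016-11-01T08:06:02 host=fs01 event=LOGON user=mlee src=10.0.1.33 result=SUCCESS
2016-11-01T08:40:19 host=fs01 event=LOGON user=rkhan src=10.0.1.40 result=SUCCESS
2016-11-01T09:15:00 host=fs01 event=LOGON user=tnguyen src=10.0.1.52 result=SUCCESS
2016-11-01T12:01:30 host=fs01 event=LOGOFF user=jsmith src=10.0.1.21 result=SUCCESS
2016-11-01T17:30:09 host=fs01 event=LOGOFF user=mlee src=10.0.1.33 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Turn log lines into dicts; a malformed line is skipped here, though in a
    real review it would itself be worth noting."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside a sliding window,
    and whether a success followed from the same source within the window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] != "LOGON":
            continue
        (failures if e["result"] == "FAILURE" else successes)[e["src"]].append(e)
    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last = fails[end]["ts"]
                followed = any(last <= s["ts"] <= last + window for s in successes[src])
                findings.append({
                    "src": src,
                    "users": sorted({f["user"] for f in fails[start:end + 1]}),
                    "failures": end - start + 1,
                    "first": fails[start]["ts"],
                    "last": last,
                    "success_after_burst": followed,
                })
                break  # one finding per source is enough for triage
    return findings


def peak_hours(events, top=2):
    """Hours of the day with the most successful logons: the high-capacity periods."""
    hours = Counter(e["ts"].hour for e in events
                    if e["event"] == "LOGON" and e["result"] == "SUCCESS")
    return hours.most_common(top)


def review(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"bursts": failed_logon_bursts(events), "peak_hours": peak_hours(events)}


if __name__ == "__main__":
    result = review()
    for f in result["bursts"]:
        print(f"{f['src']}: {f['failures']} failed logons {f['first']:%H:%M}-{f['last']:%H:%M}, "
              f"users={f['users']}, success afterwards={f['success_after_burst']}")
    print("peak hours:", result["peak_hours"])
```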
Section 4 – Asset Security Management

Introduction

Every enterprise has resources which it has purchased to start up and operate its business ventures. In the cyber world, it has purchased mainframes, telecommunications to transport digital and voice media, endpoint hosts (desktops, laptops, tablets), media cabling like fiber optics and Ethernet cabling, software, and assorted mainframe components. These resources aren't only in the cyber world. There is office equipment, entire buildings and various structures, planes, cars, delivery trucks, warehouses, and many more physical entities which a company considers its resources. Even people can be considered a resource. Given their technological backgrounds and know-how, they may be a very important part of the company's or enterprise's objectives, business requirements, and accomplishments. As is seen, these three fields make up all of the company assets. There are physical assets, digital assets, and personnel assets. Each of these assets must have legal, regulatory, and investigative approaches applied, depending on the function and the usage of the asset. The purpose of these requirements is to ensure the assets are not damaged, which would impose undue costs on the business, enterprise, or company within its daily objectives and operations. Thus, relevant material will need to be addressed within this section to show a pattern for proper usage. There are a couple of areas which can be applied to asset security management (ASM). Areas which can be looked at in relation to ASM include vulnerability assessment and management, security risk management, security compliance, and disaster awareness and recovery. In some of these areas, information may be drilled down upon to reveal more areas which are needed as part of asset security management. By constructing an architecture and methodology for ASM, we can begin to create a visual expectation of how to address and process the actual asset management field.
Asset Management

Asset management is the management area that looks into the respective areas of vulnerability management, risk management, disaster recovery, information assurance, information security, security compliance, and many other forms of management, to set in motion enterprise practices that combine the financial, contractual, and inventory aspects and roles of business. These functions create a life-support mechanism for the entire life cycle management process, which in turn creates a strategic decision-making environment for the information technology environment (Mohan, 2013). In layman's terms, it takes financial capital to buy the resources for the company, and those resources will then have a life expectancy. Asset security management provides IT personnel with the tools and procedures to develop complete transparency into their network, architectural, and framework inventories. This aids them in creating an in-depth understanding of existing equipment and systems, the geographical locations of their equipment, what functions the equipment, personnel and digital resources are performing, the cost of using each resource, the actual dates the equipment was brought into service and whether it has a life expectancy and expiration time, and how the resource impacts the productivity and objectives of the enterprise. Putting this ideology into action can improve an enterprise's infrastructure, performance, and proficiency (Mohan, 2013). In order to have the ideology or methodology, a company must look at some key areas. These areas include asset discovery, data capture and storage, asset tracking, asset life cycle management, and asset reporting and alerting, which tracks warranties and system expirations.

Asset security management should also entail risk compliance measures associated with and designated by legal, federal and regulatory mandates, as described in many different guidelines, like COBIT, COBRA, NIST, and federal regulations. Sarbanes-Oxley (SOX) and
the Gramm-Leach-Bliley Act (GLBA) set the precedent for legal compliance in asset management, because they surround the very aspect of financial management of every enterprise, and many enterprises are publicly traded in doing their daily business operations. Thus, these areas can be properly assessed by creating risk and vulnerability assessment methodologies.

Risk Identification

Identifying the legal risks that apply to a particular company can result in a massive pile of research for the risk analyst. One risk identification and assessment design scope does not fit all businesses and mission-oriented objectives. This is why many federal, state and municipal laws have been enacted to regulate disaster and recovery, building practices, emergency response to incidents, and response planning. These legal mandates define the measures for private and government liability, which aid in processing disaster recovery scenarios and incidents. They lay out the established rules of civil and criminal law for potentially immediate or current risk incidents and for the recovery of operations in the aftermath (Council of E-Commerce Consultants, 2011). These acts are applied to ensure the security and privacy of vital records; security-level prioritization requirements; mandated risk reduction and mediation procedures and guidelines; life preservation and safety; liability of the company in incidents of loss and damage to property, personnel, or financial loss; business continuity; and contingency planning. These laws are anything from Sarbanes-Oxley, Gramm-Leach-Bliley, the Foreign Corrupt Practices Act, Anti-Bribery Provisions, the Health Information Portability and Accountability Act, the Federal Modernization Act, the Flood Protection Act, the Disaster Relief and Emergency Assistance Act, the Computer Security Act, and the Computer Fraud and Abuse Act, and the list proceeds on with executive orders and other legal requirements as well. Business and enterprise
laws create a substantial backbone for enterprise compliance in asset security management. Not only does the United States have a behemoth of legal acts, doctrines, and executive orders for security asset management, but both Europe and Canada also have quantifiable lists of legal mandates and requirements for procedural and regulatory compliance in asset security management. No matter where an enterprise is doing business, it must follow the established legal and regulatory laws of that particular country. Therefore, risk identification must follow the outlines of legal mandates.

Risk Methodology

Implementing a risk methodology framework requires incorporating a six-tier strategy for addressing and mitigating risk. The first tier of the risk methodology is to "identify" all the risks that an organization faces which could affect normal business objectives and operations. Another way of thinking about this is described in a class dissertation by Professor Gary Lieberman, who placed it in layman's terms as, "What would you grab first, if you had only three seconds, before a fire consumed your house?" (Lieberman, 2016). Basically, when identifying the assets, the analyst team should figure out which assets are the most expensive, valuable and sensitive, and which would cause the most damage if lost. The second tier goes along with risk identification: as soon as the team has analyzed what is important, an "assessment" of value, cost of damage, sensitivity, and impact to the business and operation as a whole should be conducted. This drives the next tier, specifying the "priority" of each asset. These prioritizations will drive and aid the assessment portion in establishing categories of control methods in relation to the criticality and sensitivity of assets. The fourth tier looks into the actual "risk analysis" to define the sources that could create each of the identified risks. This should involve taking a look at all the possible threat sources and factors that may create a pathway for risk development
towards the assets. The fifth tier emphasizes the establishment of defensive "strategies" that can be implemented to mitigate, avert, transfer, or accept possible risks to enterprise assets. Once the defense strategies are developed, they define the sixth tier, which involves "implementing" the actual strategies to mitigate, avert, transfer, or lessen the footprint to an acceptable level. Given these methodologies of risk, we can now incorporate the actual risk assessment and implement the required steps for one (Council of E-Commerce Consultants, 2011).

Risk Assessment

Most companies have risk assessments done because they have a great loss potential, either in financial assets or in sensitive and critical data assets. By conducting risk assessments, the enterprise creates a living program of safety, security, privacy and progressive returns in business ventures and objectives. It also mandates a standard of due diligence and due care in policy structure and commitment. The risk assessment utilizes a nine-stage strategy for gathering and applying the six-tiered strategy mentioned earlier.

Stage-1 / System Categorization: Each area needs to be categorized in order to identify the circumstances in which it operates and the risks each category is susceptible to. This includes software, hardware, network components, users, sensitivity and criticality, the objectives of the system, interface mechanisms, and associated peripheral equipment. Besides the actual components, the team may want to pull up old maintenance records, policies for the system, manuals, security incident archives, automated scanning logs, baseline designs and environmental design schematics. Policies should be checked continually, as the enterprise is forever changing and this could place employees and practices in jeopardy when facing audit examinations.
Stage-2 / Threat Identification: The team is now ready to identify different threats and threat sources. This is basically anything that could be presumed to be a potential incident or threat with the potential for harming the data or the system. A big source is human related. It can be anything from false data entry, deletion of data, inadvertent mistakes, impersonation, eavesdropping, user fraud and abuse, sabotage, theft, espionage, shoulder surfing, or vandalism. There can also be technical threats such as password cracking, sniffing and scanning attempts, data contamination, spam mail, viruses and malicious code, session hijacking, distributed denial of service (DDoS) attacks, and system failures. These are clearly violations of company policies that are not being complied with (Council of E-Commerce Consultants, 2011).

Stage-3 / Identify Vulnerabilities: Now that all possible threat agents have been discovered, the team will want to check for any weaknesses in the operations or systems that could lead to exploitation. If a system is not fully developed yet, the concentration should focus more on policy and procedural security-related standards, mandates, and organizational system definitions and methods, which are required to expand security features during implementation. Vulnerability assessments can be processed by using automated scanning, security testing, and penetration testing applications. During vulnerability testing, security requirement checklists need to be developed and implemented to verify that the stipulated security requirements are being met by current and future security controls.

Stage-4 / Analyzing Controls: Controls should be analyzed to ensure the reduction of threats. There are technical, non-technical, preventative and detective controls, which safeguard, manage, and reduce attempts to violate policy, and alert IT personnel when violations occur. These controls include authentication standards, identification standards, encryption standards, IDS/IPS requirements, environmental security, security policies, access control enforcement,
checksums, audit trails, and other procedural controls (Council of E-Commerce Consultants, 2011).

Stage-5 / Likelihood Determination: Determining the likelihood that something will occur is based on a few factors: the capability and motivation of the threat source, what vulnerability is exposed or how weak it might be, and whether the current control is effective or even exists (Council of E-Commerce Consultants, 2011).

Stage-6 / Impact Analysis: This examination determines the overall impact that a threat will have on a system or data. Certain factors play a key role in calculating the outcome of an impact analysis. These factors include the system and mission objectives, and system and data sensitivity and criticality. These impact examinations are also based on hard dollar savings (quantitative), which analyzes the impact's overall cost magnitude, and soft dollar savings (qualitative), which examines how many risks are involved within a system or component of the system. Figure 4-1 is a spreadsheet that demonstrates what can constitute a high, medium, or low impact (Council of E-Commerce Consultants, 2011).

Figure 4-1: impact-level spreadsheet (Council of E-Commerce Consultants, 2011)
Stage-7 / Determining Risk: Determining the amount of risk is a crucial part of the risk assessment and is based upon tangible and intangible dynamics. The analysts will want to examine the probability of occurrence, actual physical damage to the system, perceived damage to customer relations and reputation, and what control measures can be used to mitigate the risk incident. This should also be weighed against cost-benefit analysis assessments and additional resource stocks (Council of E-Commerce Consultants, 2011). The National Institute of Standards and Technology, the Common Vulnerabilities and Exploits web site, and the National Vulnerability Database all have tools to estimate risk determinations (Mitre Corp., 2016) (N.V.D., 2016).

Stage-8 / Threat Control Recommendations: This stage is the whole purpose for conducting a risk assessment in the first place. Once an assessment is completed, the risk teams will implement suggestions and recommendations for control implementations on the systems, components, policies and procedures, based on their findings of likelihood of attack, overall impact, and sensitivity and criticality of the asset to the business objectives. All controls should be compatible with enterprise policies and standards, meet the cost-benefit ratio, and maintain integrity towards personal and company safety.

Stage-9 / Documentation: The main key to any risk assessment is ensuring that every step has been properly documented. The documentation should have overlapping documentation to support the main objectives of the assessment. It should include decisions on policies, procedures, any change management conducted, and operational and system management changes.
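As an added worked example, not from the paper or from the EC-Council material it cites, the following Python script carries Stages 5 through 7 through on a constructed asset register: the three likelihood factors of Stage 5 are scored, the qualitative likelihood is crossed with the Stage 6 impact level in a matrix in the style of NIST SP 800-30, and the quantitative side of Stage 7 is shown as an annualized loss expectancy with the cost-benefit check that Stage 8 asks for. The scoring rule for likelihood, the matrix weights, the dollar figures and the register entries are all assumptions constructed for the example; the threat names are the ones listed under Stage 2.

```python
"""Stages 5-7 of the risk assessment on a constructed asset register:
qualitative likelihood and risk matrix, then the quantitative annualized
loss expectancy with a cost-benefit check. Constructed example, not the
paper's own method."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
SCORE = {"Low": 1, "Medium": 2, "High": 3}

# Assumed matrix weights. NIST SP 800-30 uses likelihood 0.1/0.5/1.0 and
# impact 10/50/100; 1/5/10 for both gives the same products in integers.
# Product buckets: Low <= 10, Medium 11-50, High > 50.
LIKELIHOOD_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}
IMPACT_WEIGHT = {"Low": 1, "Medium": 5, "High": 10}


@dataclass
class ThreatEntry:
    asset: str
    threat: str
    threat_capability: str       # Stage 5: capability and motivation of the source
    vulnerability_severity: str  # Stage 5: how weak the exposed point is
    control_effectiveness: str   # Stage 5: how well the existing control works
    impact: str                  # Stage 6: High/Medium/Low from the impact analysis


def likelihood(capability, vulnerability, control):
    """Assumed scoring rule for Stage 5: a capable source and a weak point
    raise the likelihood, an effective control lowers it; clamped to Low..High."""
    raw = SCORE[capability] + SCORE[vulnerability] - SCORE[control]
    return LEVELS[max(1, min(3, raw)) - 1]


def risk_level(likelihood_level, impact_level):
    """Stage 7 qualitative determination from the likelihood x impact matrix."""
    product = LIKELIHOOD_WEIGHT[likelihood_level] * IMPACT_WEIGHT[impact_level]
    if product > 50:
        return "High"
    if product > 10:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(asset_value, exposure_factor, annual_rate):
    """Quantitative side of Stage 7: SLE = value x exposure factor, ALE = SLE x ARO."""
    return asset_value * exposure_factor * annual_rate


def control_net_benefit(ale_before, ale_after, annual_control_cost):
    """Cost-benefit figure for Stage 8: positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_control_cost


def assess(register):
    """Run each entry through Stages 5-7; return rows sorted from highest risk down."""
    rows = []
    for e in register:
        lk = likelihood(e.threat_capability, e.vulnerability_severity,
                        e.control_effectiveness)
        rows.append({"asset": e.asset, "threat": e.threat, "likelihood": lk,
                     "impact": e.impact, "risk": risk_level(lk, e.impact)})
    rows.sort(key=lambda r: SCORE[r["risk"]], reverse=True)  # stable sort
    return rows


# Constructed register; threat names come from the Stage 2 list above.
SAMPLE_REGISTER = [
    ThreatEntry("Customer database", "password cracking", "High", "Medium", "Low", "High"),
    ThreatEntry("Public web site", "DDoS attack", "Medium", "Medium", "High", "Medium"),
    ThreatEntry("Laptop fleet", "theft", "Medium", "High", "Medium", "Medium"),
    ThreatEntry("Payroll system", "false data entry", "Low", "Medium", "Medium", "High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["risk"]:6} {row["asset"]:18} {row["threat"]:18} '
              f'L={row["likelihood"]} I={row["impact"]}')
    # Constructed dollar figures for the customer database entry.
    before = annualized_loss_expectancy(250_000, 0.4, 0.5)  # 50,000 per year
    after = annualized_loss_expectancy(250_000, 0.4, 0.1)   # 10,000 once the control is in
    print("net benefit of proposed control:", control_net_benefit(before, after, 15_000))
```

Running the script lists the customer database at High, the laptop fleet at Medium and the other two entries at Low, and reports a positive net benefit for the constructed control, which is the figure a Stage 8 recommendation would cite. The likelihood rule and the weights are the parts an organization would replace with its own calibrated values; the matrix bucketing is the part that stays the same across assessments so that results remain comparable.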
Stereotypical Risks

When applying legal, regulatory and investigative requirements to policies for asset management, they need to be tested for efficiency of compliance. In some instances, like HIPAA, a yearly inspection and certification must be conducted to ensure compliance with HIPAA laws (Gibson, 2015). The most notable risk to policies, regulatory requirements and investigative compliance is the ability of personnel to follow the compliance measures to an exact manifesto of responsibility. The primary purpose of policy is to exact an ethical and acceptable behavioral response from people working on and in systems throughout the world. Almost every law, legal document, executive order, act and statute created is in response to someone committing some sort of mayhem on a computer network or system. Could we say that we are definitely stereotyping the human race? We could be, but that doesn't erase the obvious. The human factor is going to be a very typical risk in the factorization of conducting a risk assessment. This is why every business out there has the immortal and highly living "Acceptable Use Policy" (AUP) for when an employee starts a job in the business. They must first read the AUP and learn all the "can dos" and "don't even think of it" nomenclature, which specifically dictates the rules of ethical and acceptable behavior. Unfortunately, we know there is risk with every new hire, and they will "bend the rules" on occasion while hoping that no one is watching. Below is a list of common risks that the human factor normally inflicts upon a network system, and which may or will be in violation of computer and network operations (SANS Staff, 2014).

1. The Limp-Biscuit Password – Employees find it accommodating to make passwords they can easily remember, like "P@$$w0rd", password 1234, 12345678, or their pets' names, kids' names, or wife's or husband's name.
   a. Safeguards – These are all easily breakable and do not comply with the normal standards of password policies in a normal AUP. To formally mandate an acceptable password, the AUP should state that the password must be at least 12 alphanumeric characters long, with one or two capitalized letters, a wing ding (special character), and numbers throughout. Passwords will be allowed to be used for up to ninety days and must be changed after the expiration period. All passwords should be set in the system to expire automatically and force the user to create a new password after the ninety-day limit. This should be specifically addressed in all AU policies (Barker, et al., 2013). Passwords will not be written down and stuck to the computer for everyone to see. Finally, anyone who believes their password has been compromised should report it to the IT administration as quickly as possible.

2. But I Have a Second Business! – Many employees think that the enterprise business computer is their own personal computer. Therefore, they believe they can use the system computer for their own personal gain and may even run a second business on the company's time and resources. This is considered abuse of company resources and can lead to a number of punitive actions. The worst offenders, believe it or not, are higher-echelon employees. Two personal instances revealed a Chief City Clerk and a school Superintendent running personal businesses on state and municipal systems.

   a. Safeguards – Situations like this occur when a weak acceptable use policy isn't enforced from the top down. In both instances, it was the upper echelon ignoring their own policies, who were caught by higher or non-connected sources. Emails, applications and, in one case, enterprise funds were used as if they were the individual's own. This is where stiffer compliance with the policies needed to be addressed from the top
down. Automated logging and monitoring controls should have been established. Privileges and permissions were not monitored and should have been; in the case of the Superintendent, the whistle was blown and she ended up losing her position. The same was the case for the city employee. The punitive results should also have been enforced from the very start to defray business use in a personal fashion. This includes not allowing personal emails or personal installation of applications, and stringent acceptable use compliance from everyone involved.

3. What's That Doing in My E-Mails? – All too often, people like to send emails with jokes, pornographic material, spam, chain letters, embedded viruses and other malicious components. Unfortunately, many users are not well versed in what to look for prior to opening an email.

   a. Safeguards – The smartest approach to email procedures, in the acceptable use policy realm, is educating users and making them aware of these types of emails. They should be expressly told in the AUP what is acceptable for attachments, that email is subject to monitoring, who may use the email system, and what can get their email account temporarily locked. Email accounts should never be allowed to synchronize personal email accounts like Hotmail, Gmail and Outlook into business accounts. Emails cannot be generated for non-business personal purposes. Emails should carry disclaimers if they are sent to non-business email addresses. There are many safeguards that can be applied to the email category alone. The biggest safeguard is ensuring that all personnel are all-in with email policy. If emails are sensitive, they need to have some form of encryption applied prior to transport. Punitive actions should also be plainly described, should someone participate in any of these acts (SANS Institute, 2014).
4. It's Only a Thumb Drive – All too often, personal data storage devices are brought to work with work that was done at home, and employees also think it is all right to load a movie, a game, or some music to play on the computers at the office. Little do they realize that the game, music, or file they just brought from home carries the next zero-day virus, which has now infected the office computer the moment they plugged that little thumb drive in. Transference of malware can come in the simplest forms. Music is the number one carrier of most embedded malware infections.

   a. Safeguards – Many companies are now realizing that people are bringing their own personal computing devices and storage media from home. Thus, another paragraph needs to be added to the all-important AUP, which defines the limitations of "bring your own device" (BYOD) at work. If it is not company purchased and specifically designated for company systems, it will not touch, or be inserted into, system components. Smart phones will not be plugged into computers to listen to music, play games, do personal business, or conduct phone-patching conversations. USB drives, smart phones, expansion drives, or any storage media not specifically enterprise purchased are not allowed to be connected to enterprise system networks or endpoint host workstations. Business-related assets are not allowed to be inserted into any non-business components for media transfer (SANS Institute, 2014).

5. Encryption? I'm Secretary Clinton! – Data security and privacy are becoming as valuable as gold. Unfortunately, there are people out there, like Secretary Hillary Clinton, who pay no attention to the importance of encryption for emails. Maybe it is due to their positions. The fact of the matter is that data and other information need to be protected if
being transmitted over open systems interconnect (OSI) media. All media becomes open text format when it is in transit. This is not acceptable when the data is sensitive, secret, or personally identifiable information (PII).

   a. Safeguards – There are many laws, executive orders and guidelines stipulating the mandates and requirements for sending emails with sensitive and critical data. Thus, emails designated as "For Official Use Only", "In Office Use Only", "Secret", "Classified", "Confidential", "electronic patient health information", or personally identifiable information should be marked accordingly in the header of the email. The email has to be encrypted using any small office / home office (SOHO) or enterprise security software solution. This is mandated under the HITECH Act, Federal Information Processing Standard (FIPS 140-2), the American Recovery and Reinvestment Act (ARRA) and the Health Information Portability and Accountability Act (HIPAA), and procedurally clarified by NIST SP 800-57 Part 1 Rev. 4 (Barker E., 2016). All emails will be encrypted with MD5, SHA-1, SHA-2, SHA-256, AES, TDEA, or any other block cipher algorithms that are acceptable under industry standards. Outlook and other mail programs should be set to generate encryption automatically whenever personnel send messages through an enterprise network. Personnel suspected of tampering with or modifying encryption standards will be subject to punitive and criminal action upon discovery (Merkow & Breithaupt, 2014).
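The password safeguards under item 1 above (a minimum of 12 characters, capitals, digits and a special character, and a ninety-day lifetime) are the kind of AUP rule that is better enforced by the system than by asking users to remember the policy. The checker below is an added example written for this page, not part of the paper or of any cited standard: the weak-password denylist, the "personal words" supplied at enrolment and the dates are constructed sample input, and reading the paper's "wing ding" as an ASCII punctuation character is an assumption.

```python
"""Checker for the AUP password safeguards under item 1: length, character
classes, a weak-password denylist, personal names, and the ninety-day
lifetime. Constructed example, not from the paper."""
import string
from datetime import date, timedelta

MIN_LENGTH = 12       # at least 12 alphanumeric characters
MAX_AGE_DAYS = 90     # passwords expire after ninety days

# Constructed denylist of the kind of passwords item 1 warns about.
WEAK_PASSWORDS = {"p@$$w0rd", "password", "password1234", "12345678", "qwerty123456"}


def check_password(candidate, personal_words=()):
    """Return the AUP rules the candidate breaks; an empty list means acceptable.

    personal_words: names (pet, child, spouse) collected at enrolment, matched
    case-insensitively so 'Rex2016!' is rejected as readily as 'rex2016!'.
    A 'wing ding' is read here as any ASCII punctuation character (assumption).
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if lowered in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal word {word!r}")
    return problems


def _as_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def days_until_expiry(last_changed, today):
    """Days left in the ninety-day lifetime; negative means already overdue."""
    last_changed, today = _as_date(last_changed), _as_date(today)
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


def password_expired(last_changed, today):
    """True when the system should force the user to set a new password."""
    return days_until_expiry(last_changed, today) < 0


def account_status(candidate, personal_words, last_changed, today):
    """Combine both checks into one verdict, as an enrolment or login hook would."""
    problems = check_password(candidate, personal_words)
    if password_expired(last_changed, today):
        overdue = -days_until_expiry(last_changed, today)
        problems.append(f"password is {overdue} days past expiry")
    return {"acceptable": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed sample input, evaluated as of 6 November 2016.
    print(check_password("P@$$w0rd"))
    print(check_password("Correct-Horse-Battery-9", personal_words=("Rex", "Emma")))
    print(account_status("Rex2016Birthday!", ("Rex",), "2016-08-01", "2016-11-06"))
```

The example from item 1, "P@$$w0rd", fails on length and on the denylist even though it has a capital, a digit and special characters, which is the point of checking all rules rather than stopping at the first. The expiry check returns a day count rather than a bare boolean so the same function can drive the warning a system shows in the days before the ninety-day limit as well as the forced change after it.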
Implementing Asset Security through Communication

The weakest link in implementing asset security and information assurance security is creating a pathway that hinders the dissemination of proper standards and strategies to the masses of the particular enterprise. Unfortunately, many security programs emphasize the attributes of technical controls on the network and leave the human element floating out in forgotten space and time. A system can have end-user firewalls, authentication standards, immense password protocols, encryption standards, and IDS/IPS systems all crackling to catch something on the wire, but if a naive user gets on and is tricked by some social engineering tactic, the technical security layers won't be worth a can of beans in protecting system data. Therefore, by providing a well-defined asset security and information assurance program, security managers can help reduce the effects of vulnerabilities, exploitation and attacks. The overall objective of a good security program is to ensure the users are aware of the confidentiality, integrity and availability (CIA) of the enterprise's information and associated assets. Not only is the data important, but the actual physical assets used to manipulate the data need to have defensive strategies applied in human interactions as well. No matter what the attack might be, attackers and their scanning and associated penetration techniques and applications are aimed at disabling one of the triad factors. This is where the importance of risk education management starts to come forth. People need to understand the risks associated with every action they perform on a network system. The goal of the training is to provide the user with a more in-depth, comprehensive understanding of the system they are using, and of what factors can contribute to inadvertent and blatant interactions that cause vulnerabilities and exploitation to occur. Therefore, educational programs should be developed to create classroom environments, one-on-one training sessions and electronic packet education. The bottom line to security is realizing that it is
everyone's responsibility, not just the information technology department's. By requiring all users to take ownership and responsibility for their own areas and the department in which they work, it presents an overlapping protection of the systems. When education is complete, all users should have follow-up sessions administered to ensure they are mentally and physically grasping the basic elements they were taught. By conducting these simple measures, an enterprise system stands a chance of prolonging possible attacks within the system (Russell, 2002).

Conclusion

Asset management has many areas, which group into what asset management encompasses. It takes implementing risk management, impact analysis, cost-benefit analysis, information security, information assurance, continual process improvement of security education, and knowing how to apply it all, so that the enterprise resources maintain an acceptable life cycle that won't be disrupted or shortened. By providing these frameworks for asset security management, the loss of resources won't happen as rapidly, and public image and customer trust can be maintained at acceptable levels with nowhere to go but up. Bottom line: it's worth everyone's time, commitment, and effort, as it creates buffers to mission objectives and success, happier employees, and defrays costs in the financial realm.
Section 5 – Compliance with Security Regulations

Introduction

Society has always been established on the precept of abiding by rules, morals and values, which set a precedent for acceptable social behaviors in humanity. This was done primarily because of nefarious individuals who didn't want to abide by the rules of society and only accepted their own beliefs about how things were to be accepted as proper. This has continued to be the case throughout history and has been compounded throughout the centuries, decades and years. Current legal, regulatory and investigative compliance laws, executive orders, and directives have been enacted worldwide to ensure compliance in all aspects of life. This has also been adapted to the realm of how business is conducted worldwide. Laws have been enacted which cover acceptable and unacceptable behaviors in operations, in trade, enterprise data, data handling, network operations and use, data at rest, data in motion, and data in use. Laws look at how data is to be kept secret, private and secure, and what personnel need to abide by when interacting with systems and data. Thus, it is advisable to look at some of these laws, which drive the everyday aspects of legal, regulatory and investigative means, and also at some of the frameworks that aid in developing the policies, standards, and guidelines which companies need to adhere to.

Cyber Related Laws

In 2014, Congress conducted research reviews on many laws that applied to enterprise-associated and cyber-related acts, executive orders, directives and mandates. The primary purpose was to look at outdated laws, regulatory requirements and orders, which no longer complied with current legal and operational compliance, certifications and accreditations, and
mandates. In all, there were close to thirty outdated laws on the books that needed to be updated, due to antiquated requirements not meeting the standards of other current, parallel regulatory laws, orders, directives, and mandates. This document is rather unique in that it covers a lot of the main acts which have driven concepts for better protection of the security and privacy of personally identifiable information, which we now find extremely valuable in the business sense of operational cyber security (Fischer, 2014). These laws included the Health Information Portability and Accountability Act (HIPAA), the Federal Information Systems Management Act (FISMA), the Children's Information Protection Act (CIPA), the Family Educational Rights and Privacy Act (FERPA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Foreign Intelligence Surveillance Act (FISA), the Identity Theft Enforcement and Restitution Act (ITERA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Payment Card Industry Data Security Standard (PCI-DSS) compliance initiative, and the National Institute of Standards and Technology Act (Fischer, 2014). An international law which drives anything outside the United States is known as Safe Harbor. We won't go into this area, as it is more of a framework than an actual law. However, it does require those involved to follow the mandates set by Safe Harbor. Therefore, it acts like a law but is more of a compliance mechanism outside the legislative rules of law (FTC Staff, 2015). Safe Harbor can be confusing, but once it is understood that Safe Harbor supplements the actual security and privacy directives (94/95/EC) and (02/114/EC) of the European Works Councils, it can be better understood (ACC-(EU), 2010). There are quite a few more, but these are the primary laws that designate the requirements from which companies, businesses and enterprises script the policies their employees will abide by. By having a slightly better understanding of each one of these laws, we will be able to attain better
direction in which laws, directives and executive orders should be applied to each policy during its development.

Sarbanes-Oxley (SOX) – At the turn of the millennium, many companies were conducting illicit practices and reporting false profit margins to the gatekeepers (Wall Street) of the financial world. Enron, Tyco, WorldCom, Global Crossing, Adelphia, HealthSouth and ImClone had reported profits that were non-existent and were creating offsite hedge funds to line executive pockets with. This resulted in mass bankruptcies of numerous high-value companies and also threatened to take upstanding corporations down with the bad ones. Due to this instability, the 11th Congress took action and introduced the Sarbanes-Oxley Act, which made it mandatory for all publicly traded companies to be forthcoming and transparent on all capital ventures. This set the path for all publicly traded companies being audited annually by a third-party consulting firm not directly related to the company's financial ventures or assets. Audit companies were also committing fraud in the audits, which related to database calculations. Companies were no longer able to establish third-party special purpose entities (SPEs), which is nothing more than fraud on a grand level (Green, 2004). Even companies that sorted their business off of American territory still have to abide by the professionalism and transparency required when reporting actual assets. Even some banks are publicly traded, which brings in the next compliance law.

Gramm-Leach-Bliley Act (GLBA) – This act was once known as the Glass-Steagall Act and also as the Financial Services Act of 1999. This act involves any company presently involved in securities and exchange firms, insurance companies, and institutional banking systems. The purpose of the GLBA is to ensure fair competition and affiliation among banks and other financial institutions. This act requires all financial institutions to disclose or release
  • 68.
    IAS CAPSTONE 67 theirprivacy policies on the sharing on nonpublic personally identifiable information (PII) with other banking establishments. GBLA also requires banking institutions to provide privacy policy notice to customers. This allows the customer to make the decision as to whether they want their personal information shared with third party associates in other banking institutions. The privacy policies must be disclosed to any new or potential customers, at the time of their intent, to do any banking transactions or account initiations with the company (G.P.O., 2011). The bottom line of the GBLA law is to comply with financial record handling, disclosure, and protection requirements. The GBLE looks at three parts in the principal parts of GBLA. The three principle parts look at the commission’s financial privacy, policy, and rules, what safeguards are attached to the rules of the policy, and if there is any pretexts to the safeguards or rules of the policy (Whitman & Mattord, 2010). The banking institutions have another little Payment Card Industry-Data Security Standard (PCI-DSS) – This isn’t really considered a legal law, mandate, executive law, or any other form of law. However, PCI-DSS is a methodological framework for applying security assurance and awareness on any business, enterprise, or establishment, who chooses to engage in electronic funds transfers, from sales of items of services. The Security Standards Counsel is made up of a conglomerate of banks, business institutions and organizations, phone companies and cyber security organizations, like Cisco and MIT Technologies, and other company vendors and businesses. The goal of the Security Standards Council (SSC), is to ensure that all funds transfers have, which are processed by any business or enterprise, will meet formal security awareness platforms, developed by the SSC. 
This guidance focuses on creating an organizational security awareness, which assembles a security awareness team and utilizes matrices for training and real-time environment within the organization. The platform also addresses awareness content, which envelope roles and
  • 69.
    IAS CAPSTONE 68 responsibilitieswithin the organization in handling PCI-DSS and creates the proper structure aspect for what is needed in the training. The platform also looks at developing checklists for development, monitoring and maintaining security awareness for handing credit card payments. This way there will be a more adequate controlled environment when dealing with financial transfers (PCI Institute, 2015). Federal Information Systems Management Act (FISMA) – FISMA was developed as part of the E-Government Act in 2002 which laid the foundation for all government departments to initiate an agency-wide framework, which would develop, document and implement platforms to provide information security for the data and systems for which information resides on. FISMA provides mandates and compliance measures for a security system to have risk assessments performed, have policies and procedures based on risk assessment, and provide subordinate plans for implementing information security for networks, facilities, information systems groups and other components, as needed or required. FISMA also mandates the development of training standards, penetration testing, risk mitigation planning and remediation’s, and ways to detect, report and respond to incidents (107th Congress, 2016). Interestingly, the FISMA Act was developed shortly after the introduction of the National Institute of Standards and Technology Act, which was ratified in the early part of 2002. The National Institute of Standards and Technologies (NIST) was brought to fruition for the need of standardizing all electronic data in commerce and associated businesses. NIST provided for standards and compliance measures, which would meet or exceed the requirements for keeping electronic data secure and private, by maintaining the confidentiality, integrity and availability (CIA) of data, no matter what system it may be on. 
NIST was now able to lay the foundation to create standards on any electronic device, which dealt with data and associated software and hardware peripherals (NIST(e), 2011).
Health Information and Portability Protection Act (HIPAA) – HIPAA was originally enacted in 1996 to assist in the matters of Medicaid and to implement the construction of a medical program that could achieve an effective and efficient means of providing standards and requirements for when electronic patient health information (e-PHI) was being transferred by electronic means. In the early implementation of HIPAA, health care providers really didn't take data privacy and security seriously, which meant that fines were only $100 per occurrence, with a cap of $25,000, depending upon the severity of the leak. After February 18th, 2009, Congress got serious with health care entities and providers in considering privacy and security. Fines were cranked up to $250,000 per occurrence, with a cap of $1.5 million, depending upon the severity of the leakage (Kannensohn, Kottkamp, & Dongarra, 2013). Along with HIPAA, another act was initiated to accelerate the privacy and security of e-PHI by medical facilities, entities and practicing physicians. The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009 to accelerate the medical industry's compliance with security and privacy by providing incentives to medical facilities that diligently made advances in the privacy and security of the medical health records in their databases. It also mandated that all active users of personally identifiable health information attend classes before they were allowed to access any medical-related records (Leyveh, 2015).

Associate Laws and Statutes – Besides the federal compliance laws, Washington State has extra laws on the books that stipulate extra layers of compliance for medical facilities and entities within the state. These laws can be found under the Revised Code of Washington (RCW), Title 70.02. This law specifically covers who is allowed access to patient health record information and who is allowed to disseminate e-PHI. This title also has nineteen sub-categories, which cover the coordination of privacy, security and access for electronic patient health information (e-PHI). The coordination includes handling, retention and assurance of the records. To enforce compliance with the security, privacy and assurance of this data, Washington State implemented RCW 9A.58.020: if a non-certified individual intercepts, reads or manipulates this data, however slightly, they will be subject to a Class "C" felony offense, which is punishable by a $10,000 fine and up to 5 years in the state prison system (WA State Legislators, 2015). Washington State has also implemented the Public Records Act, under RCW 42.56.230, which specifically defines the requirements and compliance measures associated with maintaining the CIA of any and all records pertaining to schools, financial institutions, emergency contact information, credit history and any other personally identifiable information (PII). Under the Public Records Act, these areas are to maintain a required level of security, privacy and assurance, and using this information to steal someone's identity is punishable under the same purview as RCW 9A.58.020 (WA State Legislators, 2015).

Certification and Accreditation

Creating a plan that is functional for the design, implementation, monitoring and control, and modification of information security and assurance frameworks is no small feat. It takes many hours of planning and integration to have a workable compliance system for an enterprise. Over the years, many ideas and concepts have come on board to help enterprises construct methodologies and frameworks for implementing these programs. The International Standards Organization (ISO 27000), the National Institute of Standards and Technology (NIST SP 800 series), the Cisco Network Security Baseline framework, NIST SP 800-66 for the HIPAA framework, and many other compliance frameworks and standards can create a speculative choice for what each security manager and their department will need in order to properly inspect, certify and gain certifications and accreditations for their network systems. Executive Order 13636 was signed in order to introduce two other frameworks, known as Common Core and Cybersecurity Framework and Common Criteria. One thing that is hard to understand is that Common Core and the Cybersecurity Framework are both devised by NIST, while Common Criteria is devised by ISO (Grama, 2011). There is one other, which most enterprises use in today's market and cyber strategies. This is known as Control Objectives for IT Processes (CobiT) and is devised by the Information Systems Audit and Control Association (ISACA). ISACA was referenced in Section 1 and pertained to the roles and responsibilities involving policies, procedures, standards and guidelines. In particular, it spoke of the certifying agent and his or her role in certifying network systems, which required that sensitive and critical data systems be in compliance to properly handle data and its transmissions during daily operations and mission objectives (Grama, 2011).

COBIT and C&A

Control Objectives for IT Processes (CobiT) explicitly outlines in its name what it is all about. The CobiT 5 book specifically states that CobiT was devised to create a business framework for the governance and management of enterprise information technology. CobiT then applies its eight principles to management by emphasizing the need to meet stakeholder needs, presenting the overall goals plan and outlook, creating a 360-degree overview and assessment of the company from end to end, and defining and applying a single, integrated framework with a holistic approach. In the final structure, management and governance are separated into two separate entities while still ensuring communication and comparison in daily approaches. The final principle of CobiT is to implement the CobiT guidance and apply the compatibilities for any differences that might occur (COBIT 5 Task Force, 2013).
Once these guidelines have enveloped the progression of the company's privacy and security, CobiT is also capable of creating the framework for certification and accreditation of the system. To understand the certification and accreditation (C&A) process, an individual must comprehend the technical details associated with what constitutes a threat, vulnerability, exposure or risk to the company or organization. Threats such as viruses, worms, Trojans and other malware have the potential of exploiting systems that may be processing sensitive, critical, or classified data. Vulnerabilities could include software flaws or human mistakes. The key benefit of having a C&A done is that it exposes these risks and vulnerabilities and provides reasonable controls to avert, mitigate, transfer and contend with risk that may expose sensitive information, limiting or diverting the threat so that the system won't be compromised. The nice thing about conducting a C&A is that the various threats are identified, analyzed, and either mitigated or accepted, if minimal enough. In some instances, a company may choose to have a pre-certification audit conducted to work on identifying, assessing and eliminating high-value risks. This way, they increase the chance of the system being certified by third-party auditors when the time comes for the actual certification process (Guttman & Roback, 1995).

Once the pre-certifications have been completed, a company will initiate the regular certification phases. The first phase is to initiate the process by ensuring all participants in the certification know their respective responsibilities and roles pertaining to comprehending all system properties and functions that will be evaluated. The enterprise will perform resource identification for all components and peripheral resources that will support the certification and accreditation process. These will all be delivered to the audit teams for analysis during the C&A process. The audit team will begin their analysis and conduct a controls analysis to ensure the controls are accurate. During the actual certification process, the audit team will create milestones involving documentation for system tests and evaluations, identifying and applying the delivered plan of actions and milestones, creating the certification and accreditation documentation, and signing off on the documentation upon finding a clean bill of health for C&A (CC Staff, 2012).

The certification process and the accreditation process go hand in hand. Upon completion of the certification phase, the accreditation phase looks to see whether the system is operating at an acceptable level of risk and is abiding by all the configuration and management controls that have been approved for the operation. The accreditation of the whole C&A package occurs during this portion of the C&A. The C&A package will be delivered to the security officer for review. Once the security officer has reviewed the actual C&A documentation, they will brief the chief information officer and the chief technology officer on their findings. All parties will make a final decision on the accreditation process and decide whether accreditation has been fulfilled on the tested system. If all agree, then the C&A package will be signed off for implementation (CC Staff, 2012). The monitoring phase checks that the system has automated and manual controls that are constantly monitored to ensure management and configuration control is being carried out. Milestones in the accreditation process include monitoring change management, conducting an annual security penetration control and evaluation test, committing to quarterly status reporting, and setting up for a recurrence of accreditation if needed. The inclusive reasoning for conducting the risk assessment, the configuration management plan and the security plan is to break down potential risks that are both qualitative and quantitative in nature. These risks are then brought into a manageable and controllable perspective, where they can be continually monitored and mitigated in a much simpler fashion.
Conclusion

We have come a long way in the realization that data is a vital resource in how businesses and enterprises do business. Early in the process of using network and distributed systems, the last thing anyone remotely worried about was a person's data being used against them. As time has passed, this has become a huge revelation, which some still hate to accept. Thus, the federal government stepped in for the safety of all and introduced Acts, Directives, Executive Orders, and state and municipal laws, which now govern the way data is handled at rest, in motion and in use. With the introduction of all these laws and regulations came a facet of frameworks, which formally designated a way to integrate the methodologies and frameworks into security and information assurance. This was only the first step. To verify that the controls were online and doing what they were supposed to, NIST, ISACA and ISO also introduced certification and accreditation programs, which verify the authenticity of the structure, design, risk, and overall security, privacy and safety of current network distributed systems. Network design is forever changing, and so must the compliance frameworks and methodologies that support the security and the controls. Compliance will always have to be driven home, as no one seems to hold true to integrity on any network system.
References

107th Congress. (2016, Aug 25). FISMA Detailed Overview. Retrieved Oct 04, 2016, from NIST(d): http://csrc.nist.gov/groups/SMA/fisma/overview.html

ACC-(EU). (2010, May 18). Works Councils in the European Union (EU). Retrieved Dec 02, 2015, from Association of Corporate Counsel: http://www.acc.com/legalresources/quickcounsel/wciteu.cfm

Avolio, F. M. (2007, July 01). Producing Your Network Security Policy. Retrieved Oct 21, 2016, from WatchGuard: https://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf

Barker, E. (2016, Jan 22). NIST SP 800-57 Part 1 Rev. 4. Retrieved Oct 31, 2016, from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

Barker, K., Morris, S., Wallace, K., Watkins, M., Anastasoff, B., & Burns, D. (2013). CCNA Security - Official Cert Guide (1st ed.). (B. Barrow, Ed.) Indianapolis, IN, USA: Cisco Press. Retrieved Oct 22, 2016, from http://staffweb.itsligo.ie/staff/pflynn/Telecoms%203/CCNP%202%20Secure%20WAN's/Secure%20Converged%20Networks/CCNA%20Security%20554%20official.pdf

Blake, A. (2016, Sep 20). Information Security Roles and Responsibilities. Retrieved Oct 08, 2016, from Michigan Tech University: http://www.security.mtu.edu/policies-procedures/is-roles-responsibilities.pdf

Buecker, A., Browne, K., Foss, L., Jacobs, J., Jeremic, V., Lorenz, C., . . . Van Herzele, J. (2011). IBM Security Solutions Architecture for Network, Server and Endpoint (2nd ed.). Armonk, NY, USA: Redbook Publishing. Retrieved Oct 22, 2016, from http://www.redbooks.ibm.com/redbooks/pdfs/sg247581.pdf

CC Staff. (2012, Sept). CC v3.1 Release 4: Introduction and General Model. Retrieved Nov 06, 2016, from Common Criteria: http://www.commoncriteriaportal.org/cc/

Chalker, A. (2014, Aug 12). Data Governance Overview. Retrieved Oct 15, 2016, from Protiviti Risk & Business Consulting: https://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2014/Implementing%20a%20Data%20Governance%20Program%20-%20Chalker%202014.pdf

Chen, W. (2010, June 25). A Brief History of Data Governance. Retrieved Oct 14, 2016, from Magnitude Software: http://blog.magnitudesoftware.com/2010/06/25/a-brief-history-of-data-governance/

COBIT 5 Task Force. (2013, May 08). CobiT 5 Download. Retrieved Oct 15, 2016, from ISACA(a): http://www.isaca.org/cobit/Pages/CobitFramework.aspx

Collibra (STARLabs). (2009, Mar 17). Semantic Alignment. Retrieved Oct 16, 2016, from Information Management: http://cdn.information-management.com/media/pdfs/collibra.pdf

Conklin, A. W., White, G., Williams, D., Davis, R. L., & Cothren, C. (2012). Principles of Computer Security (3rd ed.). (B. E. Rogers, & J. Walden, Eds.) New York, NY, USA: McGraw-Hill Publishing. Retrieved Mar 17, 2016

Council of E-Commerce Consultants. (2011). Disaster Recovery (1st ed.). Clifton Park, New York, USA: Cengage Learning. Retrieved Nov 16, 2015

D.A.V. (2015, Jan). Physical Security Design Manual. Retrieved Aug 06, 2016, from U.S. Dept. of Vet. Affairs: http://www.cfm.va.gov/til/physicalsecurity/dmphysecmc.pdf

Davidowicz, D. (1999, Dec 23). Domain Name System (DNS) Security. Retrieved Oct 24, 2016, from Computer Security 101: http://compsec101.antibozo.net/papers/dnssec/dnssec.pdf

Daya, B. (2008, Aug 26). Network Security: History, Importance, and Future. Retrieved Oct 21, 2016, from Massachusetts Institute of Technology: http://web.mit.edu/~bdaya/www/Network%20Security.pdf

Editorial Board. (2014). World Cultures. Schaumburg, IL, USA: Words of Wisdom, LLC. Retrieved Oct 15, 2016

Evans, D. L., Bond, P. J., & Bement, A. L. (2004, Feb 01). Standards for Security Categorization. Retrieved Oct 10, 2016, from NIST FIPS PUB 199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Fischer, E. (2014, Dec 17). Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and Proposed Legislation. Retrieved Oct 04, 2016, from Federation of American Scientists: https://www.fas.org/sgp/crs/natsec/R42114.pdf

FTC Staff. (2015, Feb). Privacy and Security | Safe Harbor Framework. Retrieved Dec 01, 2015, from Federal Trade Commission: https://www.ftc.gov/tips-advice/business-center/guidance/information-eu-residents-regarding-us-eu-safe-harbor-program

G.P.O. (2011, Feb 27). Gramm-Leach-Bliley Act. Retrieved Oct 04, 2016, from Government Printing Office: pkisupport@gpo.gov

Gibson, D. (2015). Managing Risks in Information Systems (2nd ed.). Burlington, MA, USA: Jones & Bartlett Learning. Retrieved Feb 21, 2016

Grama, J. L. (2011). Legal Issues in Information Security. (L. J. Goodrich, Ed.) Sudbury, MA, USA: Jones & Bartlett Learning. Retrieved Dec 01, 2015

Gray, J. (1996). Data Management: Past, Present, & Future. Microsoft Corporation, Microsoft Research. Redmond, WA: Institute of Electrical and Electronics Engineers. Retrieved Oct 14, 2016, from https://www.microsoft.com/en-us/research/publication/data-management-past-present-and-future/

Green, S. (2004). A Look at the Causes, Impact and Future of the. Journal of International Business & Law, Vol. 3(Iss. 1), pp. 1-21. Retrieved Nov 27, 2015, from http://scholarlycommons.law.hofstra.edu/jibl/vol3/iss1/2/?utm_source=scholarlycommons.law.hofstra.edu%2Fjibl%2Fvol3%2Fiss1%2F2&utm_medium=PDF&utm_campaign=PDFCoverPages

Guttman, B., & Roback, E. (1995). Intro to Computer Security: Handbook. Boulder, CO, USA: U.S. DOC. Retrieved Dec 10, 2015, from http://csrc.nist.gov/publications/PubsSPs.html#SP 800

Hinson, G. (2012, Oct 04). ISO 27000 Change Management and Controls Policy. Retrieved Oct 16, 2016, from ISO27k Information Security.

ISACA. (2016, Sep). ISACA Certification: IT Audit, Security, Governance and Risk. Retrieved Oct 09, 2016, from ISACA: http://www.isaca.org/CERTIFICATION/Pages/default.aspx

Kannensohn, K., Kottkamp, N., & Dongarra, V. (2013, Feb 14). HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations. Retrieved Nov 21, 2015, from McGuireWoods Consulting: https://www.mcguirewoods.com/Client-Resources/Alerts/2013/2/HIPAA-Omnibus-Final-Rule-Implements-Tiered-Penalty-Structure-HIPAA-Violations.aspx

Leyveh, C. (2015, Nov). HITECH Act Summary. (Lion Publishing) Retrieved Nov 21, 2015, from HIPAA Survival Guide: http://www.hipaasurvivalguide.com/hitech-act-summary.php

Lieberman, G. (2016, Oct 27). Asset Security Management. CSS450_01_292_6_3_0_5 - Live Chat #4 Risk Management. Colorado Springs, CO, USA: CTU. Retrieved Oct 30, 2016, from http://ctuadobeconnect.careeredonline.com/p6y9c5agjwu/?launcher=false&fcsContent=true&pbMode=normal

Merkow, M. S., & Breithaupt, J. (2014). Information Security Principles and Practices (2nd ed.). (S. Schroeder, Ed.) Indianapolis, IN, USA: Pearson Education. Retrieved Oct 31, 2016, from http://proquestcombo.safaribooksonline.com.proxy.cecybrary.com/book/networking/security/9780133589412/chapter-11dot-cryptography/ch11#X2ludGVybmFsX0h0bWxWaWV3P3htbGlkPTk3ODAxMzM1ODk0MTIlMkZjaDExbGV2MXNlYzImcXVlcnk9KCgoSW5mb3JtYXRpb24lMjBTZWN1cml0eSUzQSUyM

Merriam-Webster. (2016). Definition of Policy. Retrieved Oct 07, 2016, from Merriam-Webster: http://www.merriam-webster.com/dictionary/policy

MIS Inc. (2015, Apr. 21). DG Framework - DG Policy Manual. Retrieved Oct 16, 2016, from British Columbia First Nations' Data Governance Initiative: https://static1.squarespace.com/static/558c624de4b0574c94d62a61/t/558c7c65e4b0b067ef50a4ad/1435270245149/BCFNDGI-Data-Governance-Framework-Data-Governance-Policy-Manual.pdf

Mitre Corp. (2016, May 24). Common Vulnerabilities and Exposures. Retrieved May 31, 2016, from CVE: https://cve.mitre.org/

Mohan, V. (2013, Nov 15). IT Asset Management Benefits & Best Practices. Retrieved Oct 28, 2016, from SolarWinds: http://cdn.swcdn.net/creative/pdf/Whitepapers/IT_Asset_Management_%20Benefits_%20Best_Practices.pdf

N.V.D. (2016, Sep 28). The Security Content Automation Protocol (SCAP). Retrieved Oct 24, 2016, from NVD-NIST.gov: https://scap.nist.gov/

NIST. (1997, Nov 10). An Introduction to Computer Security: The NIST Handbook SP800-12. Retrieved July 07, 2016, from NIST: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-12.pdf

NIST(e). (2011, July 12). National Institute of Standards and Technology Act. Retrieved Nov 04, 2016, from NIST(b): https://www.nist.gov/sites/default/files/documents/director/ocla/NIST-Organic-Act.pdf

PCI Institute. (2015, May). PCI DSS Quick Reference Guide. Retrieved Jan 10, 2016, from PCI Security Standards Council: https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf

Pierce, E. M. (2011, Dec 18). Designing a Data Governance Framework to Enable and Influence IQ Strategy. Retrieved Oct 15, 2016, from Massachusetts Institute of Technology: http://mitiq.mit.edu/iqispapers.aspx?iciqyear=200777

Ross, R., Swanson, M., Stoneburner, G., Katzke, S., Johnson, A., & Smith, F. (2004, May 11). Guide for Security Certification and Accreditation of FIPS. Retrieved Oct 09, 2016, from NIST(a): https://www.fismacenter.com/SP800-37-final.pdf

Russell, C. (2002, Oct 25). Security Awareness - Implementing an Effective Strategy. Retrieved Oct 2016, from SANS Institute: https://www.sans.org/reading-room/whitepapers/awareness/security-awareness-implementing-effective-strategy-418

Salido, J., & Voon, P. (2010, Jan 26). A Guide to Data Governance, Privacy, Confidentiality and Compliance. Retrieved Oct 16, 2016, from International Association of Privacy Professionals: https://iapp.org/media/pdf/knowledge_center/Guide_to_Data_Governance_Part1_The_Case_for_Data_Governance_whitepaper.pdf

SANS Institute. (2014, June). Acceptable Use Policy. Retrieved Nov 30, 2015, from SANS Institute: https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

SANS Staff. (2014, June). Find the Policy Template You Need! Retrieved Oct 16, 2016, from SANS: https://www.sans.org/security-resources/policies/

Shamim, A., & Fayyaz, B. (2014, Sep 19). Layered Defense in Depth Model for IT Organizations. Retrieved Oct 23, 2016, from International Institute of Engineers: http://iieng.org/images/proceedings_pdf/8285E0914047.pdf

Solove, D. (2013, Sep 09). A List of Privacy Training and Data Security Training Requirements in Laws, Regulations, and Industry Codes. Retrieved Oct 24, 2016, from TeachPrivacy: https://www.teachprivacy.com/list-privacy-training-data-security-training-requirements/

Stewart, M. (2014). Network Security, Firewalls, and VPNs (2nd ed.). (M. Johnson, Ed.) Burlington, MA, USA: Jones & Bartlett Learning LLC. Retrieved Nov 19, 2015

Stine, K., Kissel, R., Barker, W., Lee, A., Fahlsing, J., Gutierrez, C., & Turner, J. (2008, Aug 13). Vol. 2: Guide for Mapping Data Classifications. Retrieved Oct 16, 2016, from NIST: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf

Swanson, M., & Guttman, B. (1996, Sept 23). NIST Special Publication 800-14. Retrieved Oct 08, 2016, from N.I.S.T.: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

Thomas, G. (2009, Apr. 24). How to Use the DGI Framework to Configure Your Program. Retrieved from The Data Governance Institute: http://www.inf.ufsc.br/~jose.todesco/dw/Artigos/Data%20Governance%20Framework.pdf

UC Davis Chancellor & Provost. (2011, Jan 05). Guide to Writing and Maintaining Policy. Retrieved Oct 16, 2016, from University of California Davis: http://manuals.ucdavis.edu/resources/GuidetoWritingPolicy.pdf

Vacca, J. R. (2009). Computer and Information Security Handbook. (J. R. Vacca, Ed.) Burlington, MA, USA: Morgan Kaufmann. Retrieved July 08, 2016

WA State Legislators. (2015, April 30). Revised Code of Washington. Retrieved Nov 21, 2015, from Washington State Legislature: http://apps.leg.wa.gov/rcw/default.aspx

Weaver, R., Weaver, D., & Farwood, D. (2014). Guide to Network Defense and Countermeasures (3rd ed.). (W. Overocker, Ed.) Boston, MA, USA: Cengage Learning. Retrieved Feb 21, 2016

Whitman, M. E., & Mattord, H. J. (2010). Principles of Information Security (4th ed.). (S. Helba, Ed.) Boston, MA, USA: Cengage Learning. Retrieved Oct 22, 2016

Yang, L. (2005, Aug 18). CPSC 4610: Information Security Management. Retrieved Oct 08, 2016, from University of Tennessee: http://web2.utc.edu/~Li-Yang/cpsc4610/

Young, L. (2012, Nov 04). Information Assurance Program. Retrieved Oct 08, 2016, from National Service - Office of Information Technology: http://www.nationalservice.gov/sites/default/files/upload/IAP_082112_Final%20Public.pdf

Created By: Mark L Simon II