Running head PRACTICAL CONNECTIONS PAPER 1Executive P.docx

Running head: PRACTICAL CONNECTIONS PAPER 1
Executive Program Practical Connection Assignment
Application Security ISOL-534-41
Name
University of the Cumberlands
Prof. Name
Application security course has been very interesting for me so
far and I have learned many new things related to IT security. I
already have good experience in my previous company for most
of the topics I learned in this course such as managing Active
Directory, Group Policy, Group Policy Object, Windows
systems administrations, etc. Knowledge of application security
policies plays most essential role for securing network and
system in any organization. I think I have gained good
command on security topic after taking this course and will help
me to apply my knowledge in my current or future companies.
The course content has been well defined and well balanced for
student like us who are inspired to make their career in
application securities. The lab assignments of this course have
helped me to apply practical knowledge which I have learned so
far in this course.
In my previous company I was working as Systems Engineer
and I used to create new user accounts in Active Directory and
provide them access as required for their roles, just like we did
in Lab 01 assignment. In addition, I have worked on creating
Virtual Machines for clients and install different application
into the VM servers. I have also worked and managed on Citrix
Severs including publishing and assigning the user permissions
to access the Applications in Citrix Management Console.

In this course I have learned how to secure applications,
operating systems, databases, network and systems. In addition,
the lab assignments have practically helped me on encryption
policies used for password, files or disk. We have also studied
various tools and technologies for encryption of Microsoft
windows, different methodologies for encryption, malware and
how to defend Microsoft windows against malware using
antivirus and anti-spyware applications, malware prevention
strategies. Our residency research topic is BYOD and I have
learned many positive and negative aspects of using BYOD
devices.
We have also studied various tools and technologies for encrypt
ion of Microsoft
windows, different methodologies for encryption, malware and
how to defend Microsoft windows against malware using antivir
us and antispyware applications, malware prevention strategies.
Our residency research topic is BYOD and I have learned many
positive and negative things during our research about this
topic. The discussion topics for this course also helped me
understand about information securities and its management,
and how other students are using it in their organizations.
In my current company, we use two factor authorization to login
to our systems and/or applications, which makes login
authentication more secure. The tools which we use to generate
passcodes for login are Entrust and Duo Mobile. My current job
role is not directly related to application security, but it is
related to managing client’s applications.
I have done certifications such as CCNA (CISCO Certified
Network Associate), MCITP (Microsoft Certified IT
Professional), CCA (Citrix Certified Associate) and ITIL which
are somewhat related to the IT security. Hence, I got more
interested in taking this course which will help me to get better
job in application security field. The knowledge which I gained
in this course will help me to proactively identity and mitigates
against any possible threats and vulnerabilities in an
organization.

Contents
Preface
Acknowledgments
PART ONE The Need for IT Security Policy
Frameworks
CHAPTER 1 Information Systems Security
Policy Management
What Is Information Systems Security?
Information Systems Security Management Life Cycle
What Is Information Assurance?
Confidentiality
Integrity
Nonrepudiation
What Is Governance?
Why Is Governance Important?
What Are Information Systems Security Policies?

Where Do Information Systems Security Policies Fit Within an
Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational Success
Challenges of Running a Business Without Policies
Dangers of Not Implementing Policies
Dangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)
Continuous Improvement
Making Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is
Challenging
CHAPTER SUMMARY
https://www.safaribooksonline.com/library/view/security-
policies-and/9781284055993/09_ch1.xhtml#sec_21

policies-and/9781284055993/09_ch1.xhtml

policies-and/9781284055993/08_part1.xhtml
policies-and/9781284055993/07_ack.xhtml
policies-and/9781284055993/06_pre.xhtml
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Business Drivers for Information
Security Policies
Why Are Business Drivers Important?
Maintaining Compliance
Compliance Requires Proper Security Controls
Security Controls Must Include Information Security Policies
Relationship Between Security Controls and Information
Security Policy
Mitigating Risk Exposure
Educate Employees and Drive Security Awareness
Prevent Loss of Intellectual Property
Protect Digital Assets
Secure Privacy of Data
Lower Risk Exposure

Minimizing Liability of the Organization
Separation Between Employer and Employee
Acceptable Use Policies
Confidentiality Agreement and Nondisclosure Agreement
Business Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire
Organization
Differences Between Mitigating and Compensating Controls
Policies Help Prevent Operational Deviation
CHAPTER SUMMARY

ENDNOTES
CHAPTER 3 U.S. Compliance Laws and
Information Security Policy Requirements
U.S. Compliance Laws
What Are U.S. Compliance Laws?
Why Did U.S. Compliance Laws Come About?
Whom Do the Laws Protect?
Which Laws Require Proper Security Controls to Be Included in
Policies?
Which Laws Require Proper Security Controls for Handling
Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)
Statement on Standards for Attestation Engagements No. 16

(SSAE16)
Information Technology Infrastructure Library (ITIL)
CHAPTER SUMMARY
ENDNOTES
CHAPTER 4 Business Challenges Within the
Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain

policies-and/9781284055993/11_ch3.xhtml#sec_56a

System/Application Domain
Information Security Business Challenges and Security Policies
That Mitigate Risk Within the Seven
Domains
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
CHAPTER SUMMARY

CHAPTER 5 Information Security Policy
Implementation Issues
Human Nature in the Workplace
Basic Elements of Motivation
Personality Types of Employees
Leadership, Values, and Ethics
Organizational Structure
Flat Organizations
Hierarchical Organizations
The Challenge of User Apathy
The Importance of Executive Management Support
Selling Information Security Policies to an Executive
Before, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security Policies

Lack of Support
Policy Roles, Responsibilities, and Accountability
Change Model
Responsibilities During Change
Roles and Accountabilities
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Applying Security Policies to an Entrepreneurial Business
Tying Security Policy to Performance and Accountability
CHAPTER SUMMARY

ENDNOTE
PART TWO Types of Policies and Appropriate
Frameworks
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Industry-Standard Policy Frameworks
What Is a Policy?
What Are Standards?
What Are Procedures?
What Are Guidelines?
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
Confidentiality

policies-and/9781284055993/14_part2.xhtml

Integrity
Availability
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case Study
Public Sector Case Study

CHAPTER SUMMARY
CHAPTER 7 How to Design, Organize,
Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Architecture Operating Model
Principles for Policy and Standards Development
The Importance of Transparency with Regard to Customer Data
Types of Controls for Policies and Standards
Document Organization Considerations
Sample Templates
Considerations for Implementing Policies and Standards
Building Consensus on Intent

Reviews and Approvals
Publishing Your Policies and Standards Library
Awareness and Training
Policy Change Control Board
Business Drivers for Policy and Standards Changes
Maintaining Your Policies and Standards Library
Updates and Revisions
Best Practices for Policies and Standards Maintenance
Case Studies and Examples of Designing, Organizing,
Implementing, and Maintaining IT Security Policies
CHAPTER SUMMARY

CHAPTER 8 IT Security Policy Framework
Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance Approach
The Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT Infrastructure
Organizational Structure
Organizational Culture
Separation of Duties
Layered Security Approach
Domain of Responsibility and Accountability
Governance and Compliance

IT Security Controls
IT Security Policy Framework
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework
Approaches
Critical Infrastructure Case Study
CHAPTER SUMMARY
ENDNOTE

CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Social Engineering
Human Mistakes
Insiders
Seven Types of Users
Employees
Systems Administrators
Security Personnel
Contractors
Vendors
Guests and General Public
Control Partners
Contingent

System
Why Govern Users with Policies?
Acceptable Use Policy (AUP)
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Privileges
Case Studies and Examples of User Domain Policies
Government Laptop Compromised
The Collapse of Barings Bank, 1995
Unauthorized Access to Defense Department Systems
CHAPTER SUMMARY

CHAPTER 10 IT Infrastructure …

Running head PRACTICAL CONNECTIONS PAPER 1Executive P.docx

Recommended

Recommended

More Related Content

Similar to Running head PRACTICAL CONNECTIONS PAPER 1Executive P.docx

Similar to Running head PRACTICAL CONNECTIONS PAPER 1Executive P.docx (20)

More from todd581

More from todd581 (20)

Recently uploaded

Recently uploaded (20)

Running head PRACTICAL CONNECTIONS PAPER 1Executive P.docx