
Risk Control Self Assessment Policies Discussion & Responses Subject: Operations Security

PART A:
Discussion Topic:


Learning Objectives and Outcomes

Identify approaches on how to plan for threats and events that could potentially cause disruptions.
Determine why organizations need risk and control self-assessment (RCSA) policies.

Assignment Requirements:

Determine and discuss the need for RCSA policies and the importance of RCSAs with information security as a focal point.

– 1) Discussion topic must be around 200-250 words
– 2) Must respond to 2 peers discussion topics

Reference:

Textbook: Security Policies and Implementation Issues, Author: Robert Johnson

PART B:

Assignment Requirements:

At the end of the discussion, submit a summary of your learning as a bulleted list that explains the relevance of RCSA policies.

Required Resources: None

Submission Requirements:

Format: Microsoft Word
Citation Style: APA
Length: 1–2 pages

Self-Assessment Checklist

I provided a list of reasons why RCSA policies are necessary requirements.
I provided a strong case for policy creation for RCSA.
I participated in the discussion and worked as part of a group.

Security Policies and Implementation Issues
Lesson 11
Data Classification and Handling Policies and Risk Management Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different information security systems (ISS) policies associated with risk management.
Key Concepts
▪ Business risks related to information systems
▪ Risks associated with the selected business model
▪ Risk and control self-assessments (RCSAs)
▪ Quality assurance (QA) and quality control (QC)
▪ Differences between public and private risk management policies
DISCOVER: CONCEPTS
Purpose of Data Classification
▪ Protect information
▪ Retain information
▪ Recover information
Business Classification Scheme
▪ Highly Sensitive: Mission critical data
▪ Sensitive: Data that is important but not vital to the business mission
▪ Internal: Data not related to the core business, such as routine communications within the organization
▪ Public: Data that has no negative impact on the business when released to the public
Legal Classification Scheme
▪ Prohibited Information
▪ Restricted Information
▪ Confidential Information
▪ Unrestricted Information
Military Classification Scheme
▪ The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
• Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to the national security
• Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security
• Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to the national security
Military Classification Scheme (Continued)
▪ Unclassified data has two classification levels:
• Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
• Unclassified—Data available to the public
Declassification of Government Data
Risk Management Policies
▪ Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
• Public organizations, such as police departments, cannot avoid high risk
• Private organizations can avoid risk through strategic decisions, such as placing their data centers out of storm paths
Risk Management Policies (Continued)
▪ The power to choose what risk to accept is the main difference between public and private organizations
DISCOVER: PROCESS
Developing a Customized Classification Scheme
▪ Determine the number of classification levels
▪ Define each classification level
▪ Name each classification level
▪ Align classification to specific handling requirements
▪ Define audit and reporting requirements
Classifying Data
▪ Data ownership
▪ Security controls
DISCOVER: ROLES
Risk Management Process
Roles
▪ Risk Manager
▪ Auditor
▪ Data Owners
▪ Information Technology (IT) Management
▪ Security Manager
▪ Senior Management
DISCOVER: CONTEXTS
Data Handling Policies
▪ Policies, standards, and procedures must be defined regarding data during:
• Creation—During creation, data must be classified. That could be as simple as placing the data within a common storage area.
• Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
• Use—Use of data includes protecting and labeling information properly after its access.
• Transmission—Data must be transmitted in accordance with policies and standards.
Data Handling Policies (Continued)
• Storage—Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled.
• Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
• Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed using a controlled procedure.
Database Encryption Attack Scenarios
Data Classification of Volume versus Time to Recover
DISCOVER: RATIONALE
Risk Management Strategies
▪ Risk avoidance—Not engaging in certain activities that can incur risk
▪ Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
▪ Risk transference—Sharing the risk with an outside party
▪ Risk mitigation—Reducing or eliminating the risk by applying controls
Risk and Control Self-Assessment (RCSA)
▪ Major known risks
▪ Risks that limit the ability of the organization to complete its mission
▪ Plans for dealing with these risks
▪ Management and monitoring of these risks
Quality Assurance vs. Quality Control
▪ Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
▪ Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes
Summary
▪ Data classification based on the military scheme
▪ Risk management policies for the private and public sector
▪ Roles and responsibilities associated with risk management policies
▪ Data handling policies
▪ Quality assurance (QA) and quality control (QC)
▪ Risk and control self-assessments (RCSAs)
OPTIONAL SLIDES
Best Practices for Data Classification and Risk Management Policies
▪ Keep the classification simple—no more than three to five data classes.
▪ Ensure that data classes are easily understood by employees.
▪ Data classification must highlight which data is most valuable to the organization.
▪ Classify data in the most effective manner, addressing the highest-risk data first.
