Complete Each Section Of The Worksheet Using The Textbooks

Complete each section of the worksheet using the textbooks and course materials provided in Week 2.

1. The set of laws, rules, directives, and practices that regulate how an organization manages, protects, and distributes controlled information is called _______.
2. The security concept that states every user should be responsible for his or her own actions is called _______.
3. The individual who is responsible for deciding on the access rights to the information for various personnel is called an _______.
4. Physical, technical, and administrative controls used to protect information systems are called _______.
5. The probability that a particular threat will exploit a particular vulnerability of an information system is called _______.
6. An event, process, activity, or substance that has an adverse effect on organizational assets is called a _______.

Federal Information Security Management Act (FISMA) of 2002 Terminology Matching

Match the terminology with the correct definition by inserting the corresponding letter in the answer column.

Terminology          Answer
7. Authorize         _____
8. Supplement        _____
9. Monitor           _____
10. Categorize       _____
11. Document         _____
12. Select           _____
13. Assess           _____
14. Implement        _____

Definitions
A. Information systems and internal information are grouped based on impact.
B. The step where an initial set of security controls for the information system are chosen and tailored to obtain a starting point for required controls.
C. Assess the risk and local conditions, including the security requirements, specific threat information, and cost-benefit analysis, to increase or decrease security controls.
D. Step where the original and supplement controls are put in writing.
E. Original and supplement controls are applied to the system.
F. Security controls are evaluated to see if they are implemented correctly and are operating as intended.
G. Evaluation of risk to organizational operations, organizational assets, or individuals that leads to this action.
H. Requires checking and assessing the selected security controls in the information system on a continuous basis.

Paper for the Above Instruction

The protection and management of organizational information are governed by a comprehensive framework of laws, standards, and practices, collectively known as information security governance. This set of rules ensures that data is managed responsibly, securely, and in accordance with legal and organizational policies. Computer security law encompasses statutes such as the Federal Information Security Management Act (FISMA) of 2002, which requires federal agencies to develop, document, and implement an information security program. It aims to safeguard federal information systems from cyber threats and to ensure accountability and transparency in information management.

The core principle underpinning individual accountability in information security is the concept of responsibility. This principle asserts that every user of an information system should be responsible for his or her actions, a concept often referred to as accountability. It emphasizes the importance of user vigilance and adherence to security policies to prevent unauthorized access or actions that could compromise organizational data or systems.

Access control is fundamental to safeguarding information. The person responsible for determining who can access what information within an organization is known as the access rights administrator or access control authority. They evaluate the needs of personnel and assign appropriate access privileges—ranging from read-only to full administrative rights—based on job responsibilities. This role is critical in ensuring that sensitive data remains protected from unauthorized access, accidental disclosure, or malicious activity.

Protective measures for information systems include physical, technical, and administrative controls. Physical controls involve securing facilities and hardware against unauthorized physical access, theft, or damage. Technical controls refer to security measures embedded in hardware and software—such as encryption, firewalls, and intrusion detection systems—that protect data in transit and at rest. Administrative controls are policies, procedures, and management strategies that govern security practices within an organization, such as security training and incident response plans.

Risk management in information security involves understanding the likelihood that threats will exploit vulnerabilities and evaluating the potential impact. The probability that a threat will successfully exploit a vulnerability is called the threat-exploit likelihood or risk probability. This metric helps organizations prioritize security measures and allocate resources effectively to mitigate potential damage.

An incident or activity that adversely affects organizational assets is classified as a security incident or security event. Such adverse effects can include data breaches, system outages, or data corruption, which threaten the confidentiality, integrity, and availability of information. Recognizing and responding appropriately to these events is crucial for maintaining organizational resilience and compliance.

FISMA Terminology Matching

The process of aligning security efforts with organizational impact is called categorization, which groups information systems based on the potential consequences of security breaches. Security categorization helps determine the appropriate level of safeguards needed.

The initial phase of establishing secure systems involves selecting and tailoring security controls suited to organizational needs, known as supplementation or control selection. This step lays the foundation for a robust security posture.

Monitoring involves ongoing assessment, evaluation, and testing of implemented security controls to ensure their effectiveness and proper operation over time. Continuous monitoring helps detect and respond to security incidents swiftly.

The security framework requires documenting security controls—both initial and supplementary—and their application within the information system. Documentation ensures clarity of security measures and provides accountability.

After control selection, organizations evaluate the chosen controls to verify their correct implementation and operational effectiveness, a step known as security control assessment.

Risk assessment consists of analyzing the vulnerability of organizational assets to threats, and it often leads to decisions about the level of security controls necessary.

The process of authorizing the operation of an information system involves evaluating the security posture and determining if the system complies with security requirements, a process termed authorization.

Finally, implementing and continuously assessing the controls in an ongoing cycle is essential to maintaining a secure environment, ensuring that security measures remain effective against evolving threats.
