This 5 page Study Guide was uploaded by kimwood Notetaker on Monday November 9, 2015. The Study Guide belongs to a course at a university taught by a professor in Fall.
Date Created: 11/09/15
PHASE I

Case Study: Phase I
Brian Page
American Military University

Introduction

There are many different ways to define risk; it depends on the circumstances that surround the term. For the purposes of this case study, risk is defined as "the potential for an unwanted outcome resulting from an incident, event or occurrence, as determined by its likelihood and the associated consequences" ("Risk Management Fundamentals"). In other words, does the benefit of accepting a risk outweigh the consequences that could happen if the risk were exploited?

Selection

The organization I chose to conduct the risk assessment on is the Falcons Nest Bowling Center. The areas covered are Organizational and Management, Personnel, Physical Security, Data Security, Information Integrity, Software Integrity, Personal Computer Security, Network Protection, and Incident Response.

Organizational and Management Practices

Management has assigned roles and responsibilities for information security across the organization in the form of an information security policy. The organization documents, disseminates, and periodically reviews its information security policies; the program has been updated within the last six months. Confidentiality and nondisclosure agreements are kept on file for current personnel and are retained for a minimum of two years after personnel are let go or quit. Risk assessments are conducted semiannually in order to maintain compliance with regulations.

System Certification

The point of sale (POS) system used (Qubica) meets or exceeds PCI DSS requirements for security controls. All traffic is encrypted, and the organization has an Attestation of PCI Compliance on file. Changes made to information systems are controlled by system administrators and are logged and documented in the 71st Force Support Information Systems continuity binder.

Potential vulnerability to the POS system: administrators do not regularly check for updates to the system because they lack access. Recommendation: give administrators access to the required software updates.

Security Categorization

No systems assigned to the Falcons Nest or the 71st Force Support Systems personnel are categorized as classified or private. Procedures have been put in place to address the potential introduction of classified or private information or systems.

Vulnerability Scanning

Vulnerability scanning is performed at a minimum of once per quarter using eEye Retina to identify potential configuration errors, needed patches, and services with known vulnerabilities. The PCI DSS requirement is annual.

Personnel Practices

Information awareness training is provided to all personnel on initial hire. Additionally, personnel are required to complete refresher training annually after the initial training. Policies and procedures to prevent unauthorized access to files are established and reviewed annually. System access needs are identified by job function, and a rigorous screening process has been implemented to ensure position categorization is maintained. Contractors are required to be vetted, and the documents verifying this are kept on file. Employee background checks are conducted before personnel are hired.

Physical Security Practices

Policies and procedures that govern security entry controls and equipment security are documented within the organization's Information Security Policy. Consent-to-monitoring statements are signed by each employee during the hiring process and displayed on the login screens of the computers that employees use to perform daily tasks. Disposal of equipment is handled through system administration personnel.

Data Security Practices

In the event of a disaster, the Falcons Nest has a Disaster Recovery Plan in place. Backups of daily activities are conducted on an incremental basis every five hours, along with a full backup once daily. Training is provided to Falcons Nest personnel on what to do if a disaster occurs. Backup copies of the information are stored off site. Policies for portable devices such as hard drives and thumb drives are in place: devices must be labeled and stored in a single location.

References Cited

pcisecuritystandards. (n.d.). Retrieved from https://www.pcisecuritystandards.org/index.php

Risk Management Fundamentals. (2011, April 1). Retrieved November 5, 2014, from https://www.dhs.gov/xlibrary/assets/rmariskmanagementfundamentals.pdf