Sunday, March 31, 2019

Creating an IT Infrastructure Asset List

Abstract

This document was created following Lab 1, titled Creating an IT Infrastructure Asset List and Identifying Where Privacy Data Resides, in the laboratory manual that accompanies Legal Issues in Information Security. The lab focuses on creating an IT asset/inventory checklist organized within the seven domains of IT infrastructure, identifying assets and applying a classification to each asset, and explaining how an information classification standard is linked to customer privacy data and security controls. In addition to answering the questions presented in the lab, I will also select one piece of hardware, software, or firmware and provide a technical, operational, and managerial control for it as defined in SP 800-53 R4.

Keywords: Asset List, Privacy Data, SP 800-53 R4, Data Classification

Creating an IT Asset List and Identifying Where Privacy Data Resides

Organizations that handle customer data are increasingly being attacked by unscrupulous actors. One of the most sought after and most frequently stolen kinds of data is the organization's private customer data. Once stolen, this information can be used for a variety of purposes, including identity theft. Protection of this privacy data is best implemented with a well-planned strategy focused on minimizing the risk of improper disclosure.

An asset is anything that has value to the organization, and inventory is considered part of the organization's assets. The purpose of identifying assets and inventory is to quantify them and to provide insight into the threats against each asset; this is accomplished through risk management. Asset identification is more than creating a list of the hardware and software in the computer; it must include the information, or data, that is processed on those computers (Kadel, 2004). The identification should record not only what the assets are, but also who in the organization is responsible for each asset.

Once an organization has identified all of its assets, it can assign a value and a classification to each asset. It is essential to keep asset and inventory documentation updated when assets are added to or removed from the organization.

Asset classification is a process in which each identified asset is given a classification. The organization's security policy should make mention of the relevant markings used for classification. The lab manual offers the following three classifications: Critical, Major, and Minor. One purpose of asset classification is to label an asset so that it receives an appropriate level of protective covering. This label needs to be defined by upper-level guidance; the IT and security staff are then responsible for implementing the necessary controls. It is important that senior management make this decision. Without data classification, information protection decisions are being made every day at the discretion of security, system, and database administrators (Fowler, 2003).

An organization's web site would be classified as Minor in this scenario: it is required for normal business functions and operations, but it holds nothing sensitive. The e-commerce server, on the other hand, would be considered Critical because of what the asset does and the type of data it holds. In the lab manual, the web server Linux Server 2 is responsible for hosting the web site. Its function is required for normal business operations, but it does not contain any information that would warrant classifying it as Major, does not represent an intellectual property asset, and does not generate revenue. The e-commerce server does generate revenue and is considered an intellectual property asset. It also contains a customer database subset holding information that needs to be protected.

One reason customer privacy data would be classified as Critical is to meet compliance requirements. For example, the Gramm-Leach-Bliley Act (GLBA) is a law passed by Congress in 1999. It requires financial institutions to protect nonpublic personal information. One section, known as the Safeguards Rule, required the federal bank regulatory agencies to issue security standards to the organizations they regulate. If an organization does not follow the law, it can be penalized. "The most compelling reason to classify information is to satisfy regulatory mandates. For example, the Gramm Leach Bliley and the Health Insurance Portability and Accountability Acts mandate information protection controls for financial and medical organizations, respectively. Although information classification is not specified as a required protection measure, it is implied by special handling requirements for sensitive, medical and financial information" (Fowler, 2003).

Intellectual property would be considered Critical because its value depends on it remaining confidential, so by its nature it should be handled as Critical. Consider the following example: your organization makes the best widgets, and because they are the best, consumers are willing to pay extra for them. They perform better and last longer than all other widgets offered by your competitors. If a competitor had access to your widget design and manufacturing process, your company would lose its competitive advantage over that competitor. Consumers would no longer rate your widgets as the best and would buy the competitor's widgets instead. Loss of this intellectual property would result in the loss of the organization's competitive value and revenue.

One set of security controls relevant to HIPAA compliance is NIST Cybersecurity Framework subcategory PR.DS-5, "Protections against data leaks are implemented", which the HHS crosswalk maps to the NIST SP 800-53 Rev. 4 controls AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-32, and SI-4 (HHS, 2016). AC-4, as defined by NIST SP 800-53 Rev. 4, is Information Flow Enforcement.
"Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization" (NIST, 2013).

A data classification standard assists with asset classification because it sets a framework for uniform assignment of classifications. This in turn gives the organization guidance on which assets are most important and need the highest level of security controls implemented. It is also beneficial because it gives members of the organization an easy way to determine how to handle such assets.

Under the SI family of NIST SP 800-53 Rev. 4, you could implement SI-16, Memory Protection, by enabling data execution prevention and address space layout randomization. You could also implement SI-7, Software, Firmware, and Information Integrity. The intent of this control is to protect against unauthorized changes to software, firmware, or information. It should be implemented using an integrity verification tool that records a known-good baseline and then reports any inconsistencies or changes that were not approved. In the IA family, you could implement IA-4, Identifier Management. Paired with role-based access to the server, this means that if your user account has not been granted access to a resource, you will not be able to access it.

I would recommend implementing two-factor authentication for all users in the mock infrastructure. This is important because single-factor authentication, such as something you know, is considered a weak form of authentication. Adding a second factor, such as a device that generates a one-time token, would make the customer data much more secure. I would also implement an encrypted VPN solution for users who connect through the ASA_student switch. A VPN uses a secure tunnel, and all traffic through the tunnel is encrypted.
Last, I would make modifications to the network layout, since the current layout does not allow for protective isolation. For example, the web server should be positioned in a DMZ and separated from the other components of the network.

An organization can use risk analysis to help mitigate risks, threats, and liabilities. A risk assessment is used to document the identified assets and threats and how the organization wants to mitigate the risk. "The overall purpose of risk analysis is to identify the assets within a company and their value so that you can identify threats against those assets" (Clark, 2014). The risk assessment is broken into separate phases. The first phase is the identification of assets. The second phase focuses on the identification of threats to each asset; it is important to understand that most threats arise because weaknesses, or vulnerabilities, exist in the assets of the business (Clark, 2014). The third phase is impact analysis, whose goal is to identify what the result of the threat occurring would be on the business (Clark, 2014). The fourth phase is threat prioritization, in which the organization ranks the threats against each asset; you must prioritize the threats based on their impact and likelihood of occurring (Clark, 2014). The fifth phase, mitigation, is the step that in most cases implements a security control to lower the risk associated with a threat. The last and final step is the evaluation of residual risk: looking at the remaining threats and deciding whether the organization has properly mitigated the risk.
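The three-level asset classification scheme and the six risk analysis phases described above, worked through in code as an added example for this write-up (it is not code from the lab manual or from Clark). The Critical and Minor rules follow the write-up; the Major rule, the 1 to 5 likelihood and impact scales, the asset and threat records, the control list, and the percentage of likelihood each control removes are all constructed assumptions for illustration.

```python
"""Asset classification plus the six-phase risk analysis, as a worked example.

Added for this write-up; not code from the lab manual or any cited source.
Assets, threats, likelihood and impact scales, controls and their assumed
reduction factors are all constructed for illustration.
"""
from dataclasses import dataclass

CRITICAL, MAJOR, MINOR = "Critical", "Major", "Minor"


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str                  # one of the seven domains of IT infrastructure
    owner: str                   # who in the organization is responsible
    holds_privacy_data: bool = False
    generates_revenue: bool = False
    intellectual_property: bool = False
    internal_data_only: bool = False  # non-public but not privacy data (assumed Major trigger)


def classify(asset: Asset) -> str:
    """Uniform classification rules. The Critical and Minor rules follow the
    write-up; the Major rule (holds internal-only data) is an assumption."""
    if asset.holds_privacy_data or asset.generates_revenue or asset.intellectual_property:
        return CRITICAL
    if asset.internal_data_only:
        return MAJOR
    return MINOR


@dataclass(frozen=True)
class Threat:
    asset: str
    description: str
    vulnerability: str   # the weakness in the asset that the threat exploits
    likelihood: int      # 1 (rare) .. 5 (expected); constructed scale


# Phase 3 input: impact derived from classification (assumed 1..5 scale).
IMPACT = {CRITICAL: 5, MAJOR: 3, MINOR: 1}

# Phase 5 input: candidate controls and the assumed fraction of likelihood
# each removes when applied to a threat.
CONTROLS = {
    "IA-2(1) multi-factor authentication": 0.7,
    "SC-8 TLS for customer traffic": 0.8,
    "SC-7 web server moved into a DMZ": 0.5,
}


def risk_score(likelihood: float, impact: int) -> float:
    return round(likelihood * impact, 2)


def analyze(assets, threats, mitigations, accept_at):
    """Run phases 1-6 and return the threats ordered by inherent risk.

    mitigations maps a threat description to the control chosen for it;
    accept_at is management's residual-risk acceptance threshold."""
    classes = {a.name: classify(a) for a in assets}                  # phase 1
    rows = []
    for t in threats:                                                  # phase 2
        impact = IMPACT[classes[t.asset]]                              # phase 3
        inherent = risk_score(t.likelihood, impact)
        control = mitigations.get(t.description)                       # phase 5
        reduction = CONTROLS[control] if control else 0.0
        residual = risk_score(t.likelihood * (1 - reduction), impact)  # phase 6
        rows.append({
            "asset": t.asset, "class": classes[t.asset],
            "threat": t.description, "vulnerability": t.vulnerability,
            "inherent": inherent, "control": control,
            "residual": residual, "accepted": residual <= accept_at,
        })
    rows.sort(key=lambda r: r["inherent"], reverse=True)               # phase 4
    return rows


def demo():
    """Constructed inventory loosely modelled on the lab scenario."""
    assets = [
        Asset("Linux Server 2 (web server)", "LAN Domain", "Web team"),
        Asset("E-commerce server", "System/Application Domain", "E-commerce team",
              holds_privacy_data=True, generates_revenue=True, intellectual_property=True),
        Asset("User workstations", "User Domain", "Desktop support", internal_data_only=True),
    ]
    threats = [
        Threat("E-commerce server", "credential theft by phishing", "single-factor logins", 4),
        Threat("E-commerce server", "interception of customer data", "cleartext HTTP", 3),
        Threat("User workstations", "malware infection", "unpatched software", 4),
        Threat("Linux Server 2 (web server)", "pivot to internal hosts",
               "web server on the same segment as internal systems", 2),
    ]
    mitigations = {
        "credential theft by phishing": "IA-2(1) multi-factor authentication",
        "interception of customer data": "SC-8 TLS for customer traffic",
        "pivot to internal hosts": "SC-7 web server moved into a DMZ",
        # "malware infection" deliberately has no control yet, so it stays above threshold.
    }
    return analyze(assets, threats, mitigations, accept_at=5.0)


if __name__ == "__main__":
    for r in demo():
        flag = "accept" if r["accepted"] else "MORE CONTROLS NEEDED"
        print(f'{r["inherent"]:>5} -> {r["residual"]:>5}  {r["asset"]}: {r["threat"]}  [{flag}]')
```

The rows that come back with accepted set to False are exactly the items to bring to management in the residual-risk step: either another control is added and the analysis is re-run, or management explicitly accepts the remaining risk in writing.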
It is critical to express this residual risk to management and determine whether you are willing to accept that residual risk or need to implement additional solutions (Clark, 2014).

It is true that both HIPAA and GLBA call for the implementation of IT security policies, standards, procedures, and guidelines. GLBA is comprised of the Privacy Rule, the Safeguards Rule, and the Pretexting Rule. The Safeguards Rule calls for each of the regulatory agencies to establish security standards. The FTC Safeguards Rule requires financial institutions to create a written information security program (Grama, 2015). HIPAA calls for a similar implementation of security policies: 45 C.F.R. § 164.316 requires covered entities and business associates to "implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)."

It is important to identify where privacy data resides so that proper controls can be placed on that privacy data. It is also important so that management and staff know that if any changes are made to the places where privacy data resides, the protections planned for and implemented there remain in place. This matters especially for organizations that are required to follow legislation such as GLBA and HIPAA.

I chose the workstations in the User Domain, labeled B in the lab manual. The operational control I chose is AC-9, Previous Logon (Access) Notification, which informs the user upon successful login of the date and time of the last login. This is important because it gives the user information about the last time their credentials were used: if a user was not at work, or did not log on at the last logon time shown, they would know that their credentials had been used by someone else. The technical control I chose for this piece of hardware is AU-3, Content of Audit Records, which lays the groundwork for what an audit record must contain. This is important because both unsuccessful and successful logins will be recorded in the audit logs. The managerial control I chose to apply is AC-2, Account Management. This is important for workstations in order to control access; it also defines who should have access to which resources and requires monitoring the use of information system accounts. (Note that SP 800-53 Rev. 4 itself no longer labels controls as management, operational, or technical; those class designations were dropped in Rev. 4, so the assignment here follows the lab's terminology.)

References

Clark, G. E. (2014). CompTIA Security+ Certification Study Guide (Exam SY0-401). McGraw-Hill Education.

Fowler, S. (2003, February 28). Information Classification: Who, Why and How. Retrieved March 11, 2017, from https://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846

Grama, J. L. (2015). Legal Issues in Information Security (Second Edition). Jones and Bartlett Learning.

Kadel, L. A. (2004, March 24). Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. Retrieved March 11, 2017, from https://www.sans.org/reading-room/whitepapers/hsoffice/designing-implementing-effective-information-security-program-protecting-data-assets-of-1398

Stewart, J. M. (2014). Network Security, Firewalls and VPNs (Second Edition). Jones and Bartlett Learning.