Research & Write
In a minimum of 450 words, develop a policy implementing technology security controls within a fictitious organization. The policy will be based upon elements from NIST 800-53 security controls (NIST).
You will choose one security control from each one of the links under security controls (Low-Impact, Moderate-Impact, and High Impact) for a total of three security controls to write a security policy.
For example:
- Low Impact - CM-11 USER-INSTALLED SOFTWARE
- Moderate Impact - AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION
- High Impact - AC-8 SYSTEM USE NOTIFICATION
This one is High Impact:
AC-8 SYSTEM USE NOTIFICATION
Control
a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
- 1. Users are accessing a U.S. Government system.
- 2. System usage may be monitored, recorded, and subject to audit.
- 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- 4. Use of the system indicates consent to monitoring and recording.
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
c. For publicly accessible systems:
- 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system.
- 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- 3. Include a description of the authorized uses of the system.
Discussion
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
This one is Moderate Impact:
AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION
Control
Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
b. Does not alter the original content or time ordering of audit records.
Discussion
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
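As an added illustration of the AU-7 capability described above (example code, not from NIST or the assignment), the script below reduces a small set of constructed audit records into a summary report, leaves the original records unmodified, and flags the timestamp-granularity problem the discussion mentions: records that share an identical timestamp, whose relative order cannot be proven from the timestamp alone. The record format (`timestamp user event outcome`) and the sample lines are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit records (not real logs), one per line:
# "<ISO timestamp> <user> <event> <outcome>"
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:00 alice LOGIN SUCCESS
2024-03-01T08:00:00 alice FILE_READ SUCCESS
2024-03-01T08:05:12 bob LOGIN FAILURE
2024-03-01T08:05:13 bob LOGIN FAILURE
2024-03-01T08:05:14 bob LOGIN FAILURE
2024-03-01T08:07:00 carol SOFTWARE_INSTALL DENIED
2024-03-01T08:09:30 alice LOGOUT SUCCESS
"""

def parse_records(text):
    """Read records in file order as (timestamp, user, event, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, outcome = line.split()
            records.append((datetime.fromisoformat(ts), user, event, outcome))
    return records

def check_time_ordering(records):
    """Flag positions where order is out of sequence or cannot be resolved
    (equal timestamps: the granularity problem the AU-7 discussion notes)."""
    issues = []
    for i in range(1, len(records)):
        prev, cur = records[i - 1][0], records[i][0]
        if cur < prev:
            issues.append(("out_of_order", i))
        elif cur == prev:
            issues.append(("equal_timestamp", i))
    return issues

def reduce_records(records, failure_threshold=3):
    """Build a summary report; the records list is only read, never modified."""
    by_user_event = Counter((user, event) for _, user, event, _ in records)
    failures = Counter(user for _, user, _, outcome in records if outcome == "FAILURE")
    return {
        "total": len(records),
        "by_user_event": dict(by_user_event),
        "repeated_failures": {u: n for u, n in failures.items() if n >= failure_threshold},
        "ordering_issues": check_time_ordering(records),
    }

if __name__ == "__main__":
    for key, value in reduce_records(parse_records(SAMPLE_AUDIT_LOG)).items():
        print(key, value)
```

The summary is a separate object, so the analyst-facing report can be filtered or reshaped while the source records retain their original content and order.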
This one is Low Impact:
CM-11 USER-INSTALLED SOFTWARE
Control
a. Establish [Assignment: organization-defined policies] governing the installation of software by users.
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
c. Monitor policy compliance [Assignment: organization-defined frequency].
Discussion
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.