Wednesday, July 17, 2019

Cyber Security Research Paper Essay

1. Preface

This security profile of the Department of Veterans Affairs (VA) is based on two documents of public record. The first is the published VA Handbook 6500 (VAH 6500), which sets policy and procedures for operations within the purview of the VA (Department of Veterans Affairs, 2007). The second document is the Federal Information Security Management Act assessment for FY 2011, commissioned by the VA Office of Inspector General (OIG) and performed by Ernst & Young in accordance with Federal Information Security Management Act (FISMA) guidelines (VA Office of Inspector General, 2012, p. i).

2. Identification of Controls

This security profile presents one control function from each of three primary policy and procedure control families. These controls are System/New Technology Development Life Cycle from Management Controls, Security Training, Education, and Awareness from Operational Controls, and Remote Access from Technical Controls. These controls were selected because of the lack of resolution shown by the fiscal year 2006, 2010 (VA Office of Inspector General, 2011) and 2011 (VA Office of Inspector General, 2012) FISMA audits.

3. Management Controls

The protection of systems via risk mitigation techniques is referred to as management controls. Management controls are designed to minimize the risk associated with the development process and systems implementation.

3.1. VAH 6500 Section 6.a.(7) System/New Technology Development Life Cycle

VAH 6500 requires that any new technology follow a systems development life cycle (SDLC) specific to the VA. The cycle consists of Initiation, Development/Acquisition, Implementation, Operation/Maintenance and Disposal. Systems must be able to encrypt/decrypt data. Systems not capable of this must receive a waiver from the OIG.

3.2. Implementation Assessment

The SDLC program provided does not supply the information necessary for an effective program. No supporting material or references to NIST SP 800-64 Rev2, Security Considerations in the System Development Life Cycle, or to VAH 6500.5, Incorporating Security and Privacy into the System Development Life Cycle, are made.

3.3. Implementation Impact

The OIG 2011 FISMA Assessment indicates that FISMA Section 3544 requires establishing policies and procedures to ensure that information security is addressed throughout the life cycle of each agency information system (VA Office of Inspector General, 2012, p. 9). Given the lack of consistency in the use of the SDLC and of change control, major security risks may go unnoticed.

4. Operational Controls

Operational controls focus on techniques and procedures put in place by Information Technology staff or systems managers. Their purpose is to increase security and provide deterrence via system controls.

4.1. VAH 6500 Section 6.b.(11) Security Training, Education, and Awareness

VAH 6500 provides a concise policy which states that any individual who accesses sensitive information or systems must complete annual security training. Key persons with significant roles must attend additional training. All training is monitored for completeness. The policy indicates that security training must be completed before employees can use systems.

4.2. Implementation Assessment

The policy indicates that fourteen key pieces of information must be covered before an individual is allowed to begin work. This training must also be refreshed annually. The tracking of this information is the responsibility of the local ISO (Department of Veterans Affairs, 2007, p. 57).

4.3. Implementation Impact

The distributed manner of training management is not conducive to consistent security training. The OIG 2011 FISMA Assessment findings indicate that a centrally managed training database should be used to ensure that personnel receive the proper training needed for their job function (VA Office of Inspector General, 2012, p. 15).

5. Technical Controls

The technical control area focuses on minimizing and/or preventing access to a system (or systems) by unauthorized individuals via technical measures. The measures are designed to ensure the confidentiality, integrity and availability of the system (VA Office of Inspector General, 2012, p. 54).

5.1. VAH 6500 Section 6.c.(3) Remote Access Control

VAH 6500 relies on nineteen policy requirements to enforce this technical control. VA policy states that no sensitive information may be transmitted via the internet or an intranet without proper security mechanisms that meet NIST FIPS 140-2 criteria (Department of Veterans Affairs, 2007, p. 61). Each department within the Agency is responsible for monitoring remote access and privilege functions. Access can be revoked by a supervisor or other authorized official at any time. The remaining requirements cover contractor access, PKI certificate distribution and termination of accounts. System protection is the responsibility of the ISO for each area of access.

5.2. Implementation Assessment

VAH 6500 does not make use of NIST SP 800-46, Guide to Enterprise Telework and Remote Access Security. The OIG 2011 FISMA Assessment also indicates that some remote access systems do not provide Network Access Control (NAC) to block systems that do not meet predefined security requirements (VA Office of Inspector General, 2012, p. 6).

5.3. Implementation Impact

The diversity of ISO management practices, coupled with a lack of specific procedures for management, auditing and access, creates opportunity for security breaches.

6. Summary

The three controls outlined in this document show the disparity between written policy, procedure, and implementation. In order for the VA to be successful in meeting the standards of future FISMA assessments, a fundamental change in operations within the VA is required.

7. Comments

The multifaceted nature of operations within the VA requires guidelines that meet the needs of multiple departments within the Agency. All three controls discussed in this document have very broad definitions to accommodate the extensive variety of services the VA provides. This flexibility, coupled with a decline in training acceptance, legacy systems (VA Office of Inspector General, 2012, p. 7) and the lack of implemented components of its agency-wide information security risk management program (VA Office of Inspector General, 2012, p. 3), will continue to limit future progress.

These delaying factors provide an understanding of why twelve recommendations from prior FISMA assessments remain open. Of the twelve recommendations listed in the VA FISMA FY 2011 report, only three have been closed, while three other recommendations have been superseded by new recommendations (VA Office of Inspector General, 2012, p. 19). The recent announcement of the Continuous Readiness in Information Security Program (CRISP) seems to indicate a fundamental shift in the way the VA views security issues (United States Department of Veterans Affairs). In order for this program to be successful, this message must be understood and acted upon by all persons under the VA umbrella.

8. References

Department of Veterans Affairs. (2007). VA Handbook 6500. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=56

Department of Veterans Affairs. (2010). Strategic Plan FY 2010-2014. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/op3/Docs/StrategicPlanning/VA_2010_2014_Strategic_Plan.pdf

National Institute of Standards and Technology. (2010). Guide for Assessing the Security Controls in Federal Information Systems (NIST 800-53A). Washington, DC: US Government Printing Office. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

United States Department of Veterans Affairs. (n.d.). CRISP. Retrieved February 21, 2013, from United States Department of Veterans Affairs: http://www.saltlakecity.va.gov/features/CRISP.asp

VA Office of Inspector General. (2011). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 (10-01916-165). Washington, DC: US Government Printing Office. Retrieved from http://www.va.gov/oig/52/reports/2011/VAOIG-10-01916-165.pdf

VA Office of Inspector General. (2012). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2011 (11-00320-138). Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/oig/pubs/VAOIG-11-00320-138.pdf
