Sunday, March 3, 2019
Cyber Security Research Paper Essay
1. Preface

This security profile of the Department of Veterans Affairs (VA) is based on two documents of public record. The first is the published VA Handbook 6500 (VAH 6500), which defines policy and procedures for systems under the purview of the VA (Department of Veterans Affairs, 2007). The second document is the Federal Information Security Management Act Assessment for FY 2011, commissioned by the VA Office of Inspector General (OIG) and performed by Ernst & Young in accordance with Federal Information Security Management Act (FISMA) guidelines (VA Office of Inspector General, 2012, p. i).

2. Identification of Controls

This security profile presents one control function from each of three primary policy and procedure control areas. These controls are System/New Technology Development Life Cycle from Management Controls; Security Training, Education, and Awareness from Operational Controls; and Remote Access from Technical Controls. They were selected based on the need for resolution identified in the fiscal year 2006, 2010 (VA Office of Inspector General, 2011) and 2011 (VA Office of Inspector General, 2012) FISMA audits.

3. Management Controls

The protection of systems via risk mitigation techniques is referred to as management controls. Management controls are designed to minimize risk associated with the development process and systems implementation.

3.1. VAH6500 Section 6.a.(7) System/New Technology Development Life Cycle

VAH6500 requires that every new technology undergo a systems development life cycle (SDLC) specific to the VA. The cycle consists of Initiation, Development/Acquisition, Implementation, Operation/Maintenance and Disposal. Systems must be able to encrypt/decrypt data. Systems not capable of this must obtain a waiver from the OIG.

3.2. Implementation Assessment

The SDLC program provided does not supply the information necessary for an effective program. No supporting material or references to NIST SP 800-64 Rev2 Security Considerations in the System Development Life Cycle or VAH 6500.5 Incorporating Security and Privacy into the System Development Life Cycle are made.

3.3. Implementation Impact

The OIG 2011 FISMA Assessment indicates that FISMA Section 3544 requires establishing policies and procedures to ensure information security is addressed throughout the life cycle of each agency information system (VA Office of Inspector General, 2012, p. 9). Given the lack of consistency in use of the SDLC and alternate controls, major security risks may go unnoticed.

4. Operational Controls

Operational controls focus on techniques and procedures put in place by Information Technology staff or systems managers. The purpose is to increase security and provide deterrence via system controls.

4.1. VAH6500 Section 6.b.(11) Security Training, Education, and Awareness

VAH6500 provides a concise policy which states that any individual who accesses sensitive information or systems must complete yearly security training. Key persons with significant roles must attend additional training. All training is monitored for completeness. Policy indicates that security training must be completed before employees can use systems.

4.2. Implementation Assessment

Policy indicates that fourteen key pieces of information must be covered before an individual is allowed to begin work. This training must also be refreshed annually. The tracking of this information is the responsibility of the local ISO (Department of Veterans Affairs, 2007, p. 57).

4.3. Implementation Impact

The distributed manner of training management is not conducive to consistent security training. The OIG 2011 FISMA Assessment findings indicate that a centrally managed training database should be used to ensure personnel receive the proper training needed for their job function (VA Office of Inspector General, 2012, p. 15).

5. Technical Controls

The technical control area focuses on minimizing and/or preventing access to a system(s) by unauthorized individuals via technical measures. The measures are designed to ensure the confidentiality, integrity and availability of a system(s) (VA Office of Inspector General, 2012, p. 54).

5.1. VAH6500 Section 6.c.(3) Remote Access Control

VAH6500 relies on nineteen policy requirements to enforce technical control. VA policy states that no sensitive information may be transmitted via internet or intranet without proper security mechanisms that meet NIST FIPS 140-2 criteria (Department of Veterans Affairs, 2007, p. 61). Each subdivision within the Agency is responsible for monitoring remote access and privilege functions. Access can be revoked by a supervisor or superior at any time. The remaining requirements cover contractor access, PKI security distribution and termination of accounts. System protection is the responsibility of the ISO for each area of access.

5.2. Implementation Assessment

VAH6500 does not utilize NIST SP 800-46 Guide to Enterprise Telework and Remote Access Security. The OIG 2011 FISMA Assessment also indicates that some remote access systems do not provide Network Access Control (NAC) to block systems that do not meet predefined security requirements (VA Office of Inspector General, 2012, p. 6).

5.3. Implementation Impact

The diversity of ISO management practices, coupled with a lack of specific procedures for management, auditing and access, creates opportunity for security breaches.

6. Summary

The three controls outlined in this document show the disparity between written policy, procedure, and implementation. In order for the VA to be successful in meeting the standards of future FISMA assessments, a fundamental change in operations within the VA is required.

7. Comments

The multifaceted nature of operations within the VA requires guidelines that meet the needs of multiple departments within the Agency. All three controls discussed in this document have very broad definitions to accommodate the extensive range of services the VA provides. This flexibility, coupled with a drop in training acceptance, legacy systems (VA Office of Inspector General, 2012, p. 7) and the lack of implemented components of its agency-wide information security risk management program (VA Office of Inspector General, 2012, p. 3), will continue to limit future progress.

These limiting factors provide an understanding of why twelve recommendations from prior FISMA assessments remain open. Of the twelve recommendations listed in the VA FISMA FY 2011 report, only three have been closed, while three other recommendations have been superseded by new recommendations (VA Office of Inspector General, 2012, p. 19). The recent announcement of the Continuous Readiness in Information Security Program (CRISP) seems to indicate a fundamental shift in the way the VA views security issues (United States Department of Veterans Affairs). In order for this program to be successful, this message must be understood and acted upon by all persons under the VA umbrella.

8. References

Department of Veterans Affairs. (2007). VA Handbook 6500. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=56

Department of Veterans Affairs. (2010). Strategic Plan FY 2010-2014. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/op3/Docs/StrategicPlanning/VA_2010_2014_Strategic_Plan.pdf

National Institute of Standards and Technology. (2010). Guide for Assessing the Security Controls in Federal Information Systems (NIST 800-53A). Washington, DC: US Government Printing Office. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

United States Department of Veterans Affairs. (n.d.). CRISP. Retrieved February 21, 2013, from United States Department of Veterans Affairs: http://www.saltlakecity.va.gov/features/CRISP.asp

VA Office of Inspector General. (2011). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 (10-01916-165). Washington, DC: US Government Printing Office. Retrieved from http://www.va.gov/oig/52/reports/2011/VAOIG-10-01916-165.pdf

VA Office of Inspector General. (2012). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2011 (11-00320-138). Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/oig/pubs/VAOIG-11-00320-138.pdf
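The Network Access Control gap noted under Technical Controls (remote access systems that admit devices without checking them against predefined security requirements) is easier to reason about with a concrete posture gate in front of you. The Python below is an added example written for this page; it is not VA code and does not come from either the handbook or the OIG report. The requirement thresholds, the posture fields, the cipher allow-list and the sample device reports are all assumptions constructed for the illustration.

```python
"""Posture-based remote access gate: the kind of check a Network Access
Control (NAC) system performs before admitting a device to the network.

Added illustration for this page; not VA code. Every threshold, field and
sample record below is an assumption constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed "predefined security requirements" (hypothetical policy values).
MAX_PATCH_AGE_DAYS = 30

# Cipher suites this example treats as acceptable under a FIPS 140-2 style
# transport policy (AES-GCM with ECDHE, or TLS 1.3 suites). Illustrative
# allow-list, not an authoritative FIPS list.
APPROVED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
}

# Date on which the sample batch is evaluated (constructed).
ASSESSMENT_DATE = date(2013, 2, 21)


@dataclass
class Posture:
    """Posture report of a device requesting remote access."""
    device_id: str
    managed: bool                     # enrolled in agency device management
    disk_encrypted: bool
    endpoint_protection_running: bool
    last_patch: date
    tls_cipher: str                   # cipher negotiated for the session


@dataclass
class Decision:
    device_id: str
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was denied


def evaluate(p: Posture, today: date) -> Decision:
    """Apply every requirement; the device is admitted only if none fails.

    All failures are collected rather than stopping at the first, so the
    audit record and the user both see everything that must be remediated.
    """
    reasons = []
    if not p.managed:
        reasons.append("device not enrolled in agency management")
    if not p.disk_encrypted:
        reasons.append("disk encryption disabled")
    if not p.endpoint_protection_running:
        reasons.append("endpoint protection not running")
    if today - p.last_patch > timedelta(days=MAX_PATCH_AGE_DAYS):
        reasons.append(f"patch level older than {MAX_PATCH_AGE_DAYS} days")
    if p.tls_cipher not in APPROVED_CIPHERS:
        reasons.append(f"cipher {p.tls_cipher} not on the FIPS-approved list")
    return Decision(p.device_id, allowed=not reasons, reasons=reasons)


def gate(postures, today: date) -> dict:
    """Evaluate a batch of posture reports; returns {device_id: Decision}."""
    return {p.device_id: evaluate(p, today) for p in postures}


# Constructed sample posture reports (not real VA data).
SAMPLE_POSTURES = [
    Posture("laptop-001", True, True, True, date(2013, 2, 15),
            "TLS_AES_256_GCM_SHA384"),
    Posture("laptop-002", True, False, True, date(2012, 11, 1),
            "ECDHE-RSA-AES256-GCM-SHA384"),
    Posture("byod-017", False, True, False, date(2013, 2, 20), "RC4-SHA"),
]


if __name__ == "__main__":
    for d in gate(SAMPLE_POSTURES, ASSESSMENT_DATE).values():
        status = "ALLOW" if d.allowed else "DENY "
        print(f"{d.device_id}: {status} {'; '.join(d.reasons)}")
```

Run as a script it prints one ALLOW or DENY line per device with the denial reasons; in the sample batch only laptop-001 is admitted. The point the assessment makes is that without such a gate in front of every remote access path, a device missing disk encryption or negotiating a non-approved cipher is indistinguishable from a compliant one at the network boundary.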