Solved: Course Project 2 – Information Security Plan


  1. SYSTEM IDENTIFICATION
  1. System Name/Title: [State the name of the system.  Spell out acronyms.]
  1. System Categorization:  Moderate Impact for Confidentiality
  1. System Unique Identifier: [Insert the System Unique Identifier]
  1. Responsible Organization:
Name: 
Address: 
Phone: 
  1. Information Owner (Government point of contact responsible for providing and/or receiving CUI):
Name: 
Title: 
Office Address: 
Work Phone: 
e-Mail Address: 
  1. System Owner (assignment of security responsibility):
Name: 
Title: 
Office Address: 
Work Phone: 
e-Mail Address: 
  1. System Security Officer:
Name: 
Title: 
Office Address: 
Work Phone: 
e-Mail Address: 
  1. General Description/Purpose of System:  What is the function/purpose of the system?  [Provide a short, high-level description of the function/purpose of the system.]
    1. Number of end users and privileged users: [In the table below, provide the approximate number of users and administrators of the system.  Include all those with privileged access such as system administrators, database administrators, application administrators, etc.  Add rows to define different roles as needed.]

Roles of Users and Number of Each Type:

Number of Users | Number of Administrators/Privileged Users
  
  1. General Description of Information: CUI information types processed, stored, or transmitted by the system are determined and documented. For more information, see the CUI Registry at https://www.archives.gov/cui/registry/category-list. [Document the CUI information types processed, stored, or transmitted by the system below].
  2. SYSTEM ENVIRONMENT

Include a detailed topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices.  (Note: this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, handhelds).  If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. 

[Insert a system topology graphic. Provide a narrative consistent with the graphic that clearly lists and describes each system component.]

  • Include or reference a complete and accurate listing of all hardware (a reference to the organizational component inventory database is acceptable) and software (system software and application software) components, including make/OEM, model, version, service packs, and person or role responsible for the component.  [Insert the reference/URL or note that the hardware component inventory is attached.]
  • List all software components installed on the system.  [Insert the reference/URL or note that the software component inventory is attached.]
  • Hardware and Software Maintenance and Ownership – Is all hardware and software maintained and owned by the organization? [Yes/No – If no, explain:]
     
  3. REQUIREMENTS

(Note: The source of the requirements is NIST Special Publication 800-171, dated December 2016)

Provide a thorough description of how all of the security requirements are being implemented or planned to be implemented. The description for each security requirement contains: 1) the security requirement number and description; 2) how the security requirement is being implemented or planned to be implemented; and 3) any scoping guidance that has been applied (e.g., compensating mitigation(s) in place due to implementation constraints in lieu of the stated requirement).  If the requirement is not applicable to the system, provide rationale.

Access Control

  • Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
 Implemented Planned to be Implemented Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Limit system access to the types of transactions and functions that authorized users are permitted to execute.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control the flow of CUI in accordance with approved authorizations.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ the principle of least privilege, including for specific security functions and privileged accounts.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Use non-privileged accounts or roles when accessing nonsecurity functions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Limit unsuccessful logon attempts.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide privacy and security notices consistent with applicable CUI rules.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Terminate (automatically) a user session after a defined condition.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Monitor and control remote access sessions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Route remote access via managed access control points.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Authorize remote execution of privileged commands and remote access to security-relevant information.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Authorize wireless access prior to allowing such connections.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect wireless access using authentication and encryption.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control connection of mobile devices.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Encrypt CUI on mobile devices and mobile computing platforms.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Verify and control/limit connections to and use of external systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Limit use of organizational portable storage devices on external systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control CUI posted or processed on publicly accessible systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Awareness and Training

  • Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide security awareness training on recognizing and reporting potential indicators of insider threat.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Audit and Accountability

  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Review and update logged events.
 Implemented Planned to be Implemented   Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Alert in the event of an audit logging process failure.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide audit record reduction and report generation to support on-demand analysis and reporting.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Limit management of audit logging functionality to a subset of privileged users.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Configuration Management

  • Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Establish and enforce security configuration settings for information technology products employed in organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Track, review, approve or disapprove, and log changes to organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Analyze the security impact of changes prior to implementation.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control and monitor user-installed software.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Identification and Authentication

  • Identify system users, processes acting on behalf of users, and devices.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prevent reuse of identifiers for a defined period.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Disable identifiers after a defined period of inactivity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Enforce a minimum password complexity and change of characters when new passwords are created.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prohibit password reuse for a specified number of generations.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Allow temporary password use for system logons with an immediate change to a permanent password.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Store and transmit only cryptographically-protected passwords.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Obscure feedback of authentication information.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Incident Response

  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Test the organizational incident response capability.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Maintenance

  • Perform maintenance on organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Ensure equipment removed for off-site maintenance is sanitized of any CUI.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Supervise the maintenance activities of maintenance personnel without required access authorization.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Media Protection

  • Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Limit access to CUI on system media to authorized users.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Sanitize or destroy system media containing CUI before disposal or release for reuse.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Mark media with necessary CUI markings and distribution limitations.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control the use of removable media on system components.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prohibit the use of portable storage devices when such devices have no identifiable owner.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect the confidentiality of backup CUI at storage locations.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Personnel Security

  • Screen individuals prior to authorizing access to organizational systems containing CUI.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Physical Protection

  • Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect and monitor the physical facility and support infrastructure for organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Escort visitors and monitor visitor activity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Maintain audit logs of physical access.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control and manage physical access devices.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Enforce safeguarding measures for CUI at alternate work sites.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Risk Assessment

  • Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Remediate vulnerabilities in accordance with risk assessments.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

Security Assessment

  • Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

System and Communications Protection

  • Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Separate user functionality from system management functionality.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prevent unauthorized and unintended information transfer via shared system resources.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Establish and manage cryptographic keys for cryptography employed in organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control and monitor the use of mobile code.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect the authenticity of communications sessions.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Protect the confidentiality of CUI at rest.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.

System and Information Integrity

  • Identify, report, and correct system flaws in a timely manner.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Provide protection from malicious code at designated locations within organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Monitor system security alerts and advisories and take action in response.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Update malicious code protection mechanisms when new releases are available.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.
  • Identify unauthorized use of organizational systems.
 Implemented Planned to be Implemented  Not Applicable
Current implementation or planned implementation details.  If “Not Applicable,” provide rationale.


  4. RECORD OF CHANGES

Date | Description | Made By
   
   
   
   
   
   
   
   
