Chapter 6 Case Study
Private Sector Case Study
1. How did the director of IT security get started on this project?
The director decided to start by establishing baseline metrics for IT security. Doing this would help her determine whether the system was already in compliance, and it would also provide a baseline for assessing systems in the future.
2. What tool did they use to accomplish their goal, and what did that tool require them to do?
The tool she decided to use was NIST SP 800-53, which meant her team would have to classify all of the IT assets the same way. Under the NIST framework, servers were classified as high, medium, or low impact based on the type of information they contained.
3. What were the "gaps" that they found and how did they deal with them?
Using the NIST framework, Piedmont classified servers as high, medium, or low impact based on the type of information they contained. Once IT personnel had identified the gaps in compliance controls, this classification let them prioritize which servers to address first and which controls to apply.
Public Sector Case Study
1. What was the need addressed in this example?
The need addressed in this example was the need for a comprehensive information security program.
2. What tool did they use to accomplish their goal, and was this considered overkill for their needs?
The state accomplished this goal by researching, selecting, and implementing risk management methodologies, a security architecture, a control framework, and security policies. No, this was not considered overkill, because these measures were put in place to protect information.
3. What was the scope of coverage for this framework?
The policies were developed to protect all state-owned desktops and computers; all state-owned firewalls, routers, switches, and hubs; any computing platforms, operating system software, middleware, or application software; and all data stored on the State of Tennessee’s computing platforms and/or transferred over the state’s networks....