Ethics Related to the Collection of Information The following are ethics that must be addressed when information systems are designed, and how they relate to the Confidentiality, Integrity, Availability (CIA) security concept. The first concern related to ethics is; who benefits from the information collected? The applicable area of the CIA security triad is confidentiality. Information collected for… Read More »
Information Security Publication Comparison Chart comparing major sections of the USPS Handbook AS-805 – Information Security to NIST Special Publications; 800-12, 800-14, 800-18, 800-26, and 800-30. Handbook AS-805 – Information Security (USPS, 2015) NIST Special Publications Introduction: Corporate Information Security Generally Accepted System Security Principles (NIST SP 800-14) Security Roles and Responsibilities System Security Plan Responsibilities (NIST SP… Read More »
Information System Incident Response Effective information system Incident response requires proper planning and good management. Since organizations are diverse and vary in size, organizations must design their incident response plans based on a detailed assessment of their information system and business requirements. Constructing a proficient Incident Response Team (IRT) is a critical component of any effective Incident Response Plan.… Read More »
Incident Response Teams Computer Incident Response Teams (CIRTs or IRTs) are key components in information security incident response. Effective incident response doesn’t just happen; it takes careful planning and practice. An effective Incident Response Policy should have a plan documenting steps that must be followed and should contain key tasks or milestones with details, processes, and procedures,… Read More »
Cross-Site Scripting (XSS) These attacks can occur when data enters a Web application through an untrusted source, or data is included in dynamic content that is sent to a web user without being validated for malicious content. Malicious content can be JavaScript, but may also be HTML, Flash, or any other type of code that the browser can… Read More »
Roles in Database Security Separation of duties state that no user should be given enough privileges to misuse a system on their own. Roles establish separation of duties by breaking down user privilege to job duty requirements. A Role is a group of individual privileges that correlate to a users job responsibilities. Example, a role is created named… Read More »
Guidelines for Media and Data Sanitizing When information systems are taken offline and retired, great care must be taken to ensure media that stored the data in the system remains protected through the retirement process. If media used is going to be removed and discarded, or re-purposed, organizations must ensure data that was stored on the media is… Read More »
Developing an Effective Red Team Penetration testing (pen-testing) is characterized as a method of evaluating internal and external technical security controls through a methodically planned simulated attack that imitates threats from malicious outsiders and malicious insiders to understand the security weaknesses in a system and/or network. When properly executed, pen-testing is a critical tool in assessing and improving … Read More »
Measurement and Metrics in Secure Software Development Security metrics are measurements that can be applied to software development as a way to improve the security characteristics of the software being developed. Guidance on software measurement and analysis can be found in the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 15939 (Software Measurement Process standard), the Capability… Read More »
Securing the Administrator Account in Microsoft Windows Systems The Administrator account is a default account used in all versions of the Windows operating system. The Administrator account is used by system administrators for tasks that require administrative credentials. The Administrator account cannot be deleted or locked out, but the account can be renamed or disabled. The Administrator account… Read More »