
The NIST "Guide for Developing Security Plans for Federal Information Systems"


Question

The NIST "Guide for Developing Security Plans for Federal Information Systems" describes several example Rules of Behavior within Section 1, Figure 2 (on page 8). Review the examples and choose 2 of them and describe in your own words how a Federal employee might break/abuse each type of rule. What types of formal consequences might be appropriate for each broken rule of behavior? Are there any other topics that fit within this "Rules of Behavior" heading?  

For example, the topic "Use of copyrighted work": A Federal employee might decide to copy information from a private company's website and use it on their government website, without giving credit or referencing the source. This is plagiarism and would break any rule about properly using copyrighted work. An employee who did this might face legal issues for plagiarism, could be suspended or fired, or may lose their ability to edit/update any government websites.

NEED ASAP please!

Thank you

Figure 2: Rules of Behavior Examples

1.9 System Security Plan Approval

Organizational policy should clearly define who is responsible for system security plan approval and procedures developed for plan submission, including any special memorandum language or other documentation required by the agency. Prior to the certification and accreditation process, the designated Authorizing Official, independent from the system owner, typically approves the plan.


2. System Boundary Analysis and Security Controls

Before the system security plan can be developed, the information system and the information resident within that system must be categorized based on a FIPS 199 impact analysis. Then a determination can be made as to which systems in the inventory can be logically grouped into major applications or general support systems. The FIPS 199 impact levels must be considered when the system boundaries are drawn and when selecting the initial set of security controls (i.e., control baseline). The baseline security controls can then be tailored based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances. Common security controls, which is one of the tailoring considerations, must be identified prior to system security plan preparation in order to identify those controls covered at the agency level, which are not system-specific. These common security controls can then be incorporated into the system security plan by reference.

2.1 System Boundaries

The process of uniquely assigning information resources [9] to an information system defines the security boundary for that system. Agencies have great flexibility in determining what constitutes an information system (i.e., major application or general support system). If a set of information resources is identified as an information system, the resources should generally be under the same direct management control. Direct management control [10] does not necessarily imply that there is no intervening management. It is also possible for an information system to contain multiple subsystems.

A subsystem is a major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions. Subsystems typically fall under the same management authority and are included within a single system security plan. Figure 3 depicts a general support system with three subsystems.

In addition to the consideration of direct management control, it may be helpful for agencies to consider if the information resources being identified as an information system:

• Have the same function or mission objective and essentially the same operating characteristics and security needs, and

[9] Information resources consist of information and related resources, such as personnel, equipment, funds, and information technology.

[10] Direct management control typically involves budgetary, programmatic, or operational authority and associated responsibility. For new information systems, management control can be interpreted as having budgetary/programmatic authority and responsibility for the development and deployment of the information systems. For information systems currently in the federal inventory, management control can be interpreted as having budgetary/operational authority for the day-to-day operations and maintenance of the information systems.
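The categorization and boundary-drawing step the excerpt describes (FIPS 199 impact analysis, then a control baseline for the boundary) as an added example; this is not code from the guide or from this page. It applies the FIPS 199 high-water-mark rule across the information types inside a boundary and the FIPS 200 rule that the baseline follows the highest objective; the subsystems, information types and impact values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact values; NA is permitted only for confidentiality."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

def security_category(info_types):
    """High-water mark per objective over every information type inside the boundary.
    FIPS 199 makes LOW the floor for each objective of an information system, so an NA
    confidentiality rating on one information type cannot pull the system below LOW."""
    if not info_types:
        raise ValueError("a system boundary must contain at least one information type")
    for t in info_types:
        if Impact.NA in (t.integrity, t.availability):
            raise ValueError(f"{t.name}: NA is only allowed for confidentiality")
    return {
        "confidentiality": max(Impact.LOW, *(t.confidentiality for t in info_types)),
        "integrity": max(Impact.LOW, *(t.integrity for t in info_types)),
        "availability": max(Impact.LOW, *(t.availability for t in info_types)),
    }

def control_baseline(category):
    """FIPS 200 rule: the baseline follows the highest of the three objectives."""
    return max(category.values())

# Constructed sample (not from the guide): a general support system with three subsystems.
SUBSYSTEMS = {
    "public_web": [InfoType("press releases", Impact.NA, Impact.LOW, Impact.LOW)],
    "email": [InfoType("staff email", Impact.MODERATE, Impact.MODERATE, Impact.LOW)],
    "hr_records": [InfoType("personnel files", Impact.HIGH, Impact.MODERATE, Impact.LOW)],
}

def baseline_for_boundary(subsystem_names):
    """Security category and control baseline for a boundary around the named subsystems."""
    types = [t for name in subsystem_names for t in SUBSYSTEMS[name]]
    category = security_category(types)
    return category, control_baseline(category)
```

Drawing the boundary around `public_web` alone yields a LOW baseline; grouping all three subsystems into one general support system raises the whole system to the HIGH baseline, which is why the guide ties boundary decisions to the FIPS 199 levels.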

Explanation / Answer

I am taking the rules "Connection to the internet" and "Searching database and divulging information".

Connection to the internet: In any organisation, access to the internet is controlled only by the network team. In order to connect to the internet, the employee must go through the specific process and get the approvals from the specific people; only then would he get the internet connection.

Prior to getting the internet connection, the employee must follow proper guidelines, such as making sure system patches are installed to the latest version. He must get the connection only by registering or specifying the system name, hostname or MAC address.

If the employee connects his system without following proper guidelines and directly accesses the network, there is a chance that the entire organisation's network and data could enter a danger zone. If the organisation is related to shares or banking, there might be many spammers who continuously try to get into the system; if they get a chance like this, they can take down the network and system control and do whatever they want.

If this situation happens, the employee might get fired or face legal issues, and in some situations he might even be penalised for the loss to the organisation.


Searching database and divulging information: Permission to search the database in any organisation is very limited among employees. There might hardly be a few people who work on the complete database with full permissions. If such a person accesses information from the database and leaks it to outside people, this might affect the lives of the people whose information is leaked, or the organisation if it is project information, etc.

In this situation, for example, take a banking database. If anyone leaks customer information like account numbers, passwords with the bank and the amount held in the account, this might cause theft from the account or might endanger the customer's life, and the bank's reputation will also decrease.

If this situation arises, the employee who leaks the data might lose the job or be sentenced to legal punishment and penalties, etc.; many such things can happen.
