CIS 608 - Information Security Management

Friday, September 30, 2011

Post 025 - CIS 608



Records Management

In September 2011, as I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Records Management Toolbox." I hope it will help readers of this Blog.

Records Management References

44 U.S.C. Chapters 15, 21, 22, 23, 25, 27, 29, 31, 33 – Records Management
http://www.archives.gov/about/laws/

18 U.S.C. § 2071 - Concealment, Removal, or Mutilation of Records
http://www.archives.gov/records-mgmt/laws/

36 CFR, Chapter XII, Subchapter B - Records Management (Parts 1220 - 1239)
http://www.archives.gov/about/regulations/subchapter/b.html

OMB Circular A-130 – Management of Federal Information Resources
http://www.whitehouse.gov/omb/circulars_a130_a130trans4

OMB Circular A-123 – Management Accountability and Control
http://www.whitehouse.gov/omb/circulars_a123

DoD 5015.02-STD, Electronic Records Management Software Applications Design Criteria Standard
http://www.dtic.mil/whs/directives/corres/pdf/501502std.pdf

AFI 33-321, Authentication of Air Force Records
http://www.e-publishing.af.mil/shared/media/epubs/AFI33-321.pdf



National Archives and Records Administration
http://www.archives.gov/records-mgmt/

Air Force Records Information Management System (AFRIMS)
https://www.my.af.mil/afrims/afrims/afrims/rims.cfm


AF Regulation on RECORDS DISPOSITION—PROCEDURES AND RESPONSIBILITIES
http://www.e-publishing.af.mil/shared/media/epubs/AFI33-364.pdf


= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager

M.S. in Cybersecurity Program at Bellevue University

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and Personnel Security

Career

Certifications

Credentials

ISO 27001

Chicago, IL
United States of America


Post 024 - CIS 608




Freedom of Information Act (FOIA) Resources

In September 2011, as I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Freedom of Information Act Toolbox." I hope it will help readers of this Blog.


FOIA Tool Box

OPEN Government Act of 2007: http://www.usdoj.gov/oip/amendment-s2488.pdf




AF FOIA Web Page - Public website: http://www.foia.af.mil/


AF Public Access Link (PAL): https://www.efoia.af.mil/palMain.aspx – Inform requesters to submit request online

Current Value Fund Rate (CVFR): http://www.fms.treas.gov/cvfr – Interest rates are established annually by the Secretary in accordance with 31 U.S.C. 3717

AF FOIA/PA Community of Practice (CoP): https://afkm.wpafb.af.mil/community/views/home.aspx?Filter=OO-SC-AF-53 – Information for policy and guidance


Caution: you may be required to spend money to obtain the information you are requesting, so these FOIA requests can get rather expensive.




Post 023 - CIS 608




Privacy Resources on the Web

As I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Privacy Toolbox." I hope it will help readers of this Blog.

Privacy Toolbox

Privacy Act of 1974 As Amended

AF Privacy Act Web Page:

Defense Privacy Office webpage:

AFI 33-332, Air Force Privacy Program

DoD Publication 5400.11-R, Department of Defense Privacy Program

DoD Directive 5400.11, DoD Privacy Program

DISA Personally Identifiable Information computer-based training (CBT)

DISA CBT on Personal Electronic Devices / Removable Storage Media

Safeguarding Against and Responding to the Breach of Personally Identifiable Information

Federal Trade Commission website on protecting consumer's privacy




Post 022 - CIS 608









Required Organizational Information Assurance and Information Protection Training Required by the U.S. Air Force, the U.S. Department of Veterans Affairs, and CACI



Both CACI and the U.S. Department of Veterans Affairs require this training. But since I got a Secret Clearance from the U.S. Department of Defense for a contracting job with the U.S. Air Force in 2009. This training may seem like a hassle, but it provides organizations with the peace of mind that their employees and contractors will be aware of best practices in basic Information Security, Privacy and Protection of Data and Information.

The certificates of completion for courses I have completed in the last two months are listed below. Also listed is a Department of Veterans Affairs training certificate in Role-Based Records Management Training from July 2010.








Post 021 - CIS 608




Incident Response Plans

The cover of an excellent Emergency Response Plan is shown at the right. The document comes from the website of the Illinois Institute of Technology located here in Chicago. The IIT Emergency Response Plan is available here: http://www.iit.edu/departments/pr/emergency/Emergency_Flip_Chart_022405.pdf

For Week 4 and Week 5, we have looked closely at Incident Response Plans, Disaster Recovery Plans, and Business Continuity Plans.

On Wednesday, September 28, 2011, I had to write a critique of the Incident Response Plan that I wrote last week. That critique is shown below. Please excuse how long it was. I found that in retrospect, there were a lot of obvious issues with my original version of my Incident Response Plan. But look closely and you will see a pattern, such as referring to practices and documents that don't yet exist. (At least it was an honest critique.)

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Regarding these issues that I discussed with my wife, after careful review, I found that the following parts of my Incident Response plan had issues and/or vulnerabilities and were not presently viable:

| Parts of Incident Plan | Area(s) with Issues | Reason for Issues |
|---|---|---|
| Virus Attack (not caught by anti-virus software): Before Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Virus Attack (not caught by anti-virus software): Before Attack | Virus or Security Awareness plan | There is no Virus or Security Awareness plan |
| Virus Attack (not caught by anti-virus software): After an Attack | Virus or Security Awareness plan | There is no Virus or Security Awareness plan |
| Virus Attack (not caught by anti-virus software): After an Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| Virus Attack (not caught by anti-virus software): After an Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Power Failure: Before Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Power Failure: Before Attack | Security Awareness plan | There is no Security Awareness plan |
| Power Failure: After an Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| Fire: Before Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Fire: Before Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| Fire: Before Attack | Security Awareness Plan | There is no Security Awareness Plan |
| Fire: After an Attack | Security Awareness Plan | There is no Security Awareness Plan |
| Fire: After an Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| Fire: After an Attack | Backups | There are no current Backups |
| Burst Water Pipe: Before Attack | Security Awareness Plan | There is no Security Awareness Plan |
| Burst Water Pipe: Before Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Burst Water Pipe: After an Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Burst Water Pipe: After an Attack | Backups | Backups are not done as regularly as assumed by the Incident |
| Burst Water Pipe: After an Attack | Security Awareness Plan | There is no Security Awareness Plan |
| Burst Water Pipe: After an Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| ISP Failure: Before Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| ISP Failure: Before Attack | Security Awareness Plan | There is no Security Awareness Plan |
| ISP Failure: After an Attack | Lessons Learned Plan | There is no Lessons Learned Plan |
| ISP Failure: After an Attack | Security Awareness Plan | There is no Security Awareness Plan |

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

References:

Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security. Course Technology: Boston, MA.