MKTwain - CMGTCB-559 - Comp 2 Reflection (.docx)
School: University of Phoenix
Course: CMGTCB/559, Information Systems
Date: Feb 20, 2024
Mark Twain
December 12, 2023
CMGTCB/559 – Competency 2 Reflection
Risk Management and Compliance in an Organization
All organizations must meet minimum risk management and compliance requirements if they expect to stay in business. This applies to for-profit and non-profit organizations as well as those in the educational, healthcare and government sectors. As technology makes things easier for society, it has also opened new platforms that are exposed to every type of risk in the digital landscape, which has driven the creation of new risk management and compliance tools to keep information and information systems secure.
Risk management and regulatory compliance are similar in that both are means of safeguarding the systems, processes and information an organization uses in the course of its operations. Both are also intended to limit losses, whether financial, data-related or other claims that could leave the organization liable for a breach. Risk management, however, is primarily the internal process an organization puts in place to identify, assess and mitigate its own risks.
Regulatory compliance, by contrast, consists of minimum requirements set by an external body, such as a regulator or an industry standards council, that an organization is obliged to follow. Like risk management, it establishes a baseline that must be met regardless of the type of organization; the Payment Card Industry Data Security Standard (PCI DSS), for example, applies to every organization that stores, processes or transmits payment card data, whatever its size or sector. Compliance regimes are also alike in that a violation carries the same consequences for any organization bound by them.
On the other hand, regulatory compliance differs between organizations depending on which regulations apply to their sector and area of operations. An example is the Federal Information Security Management Act (FISMA), which applies to federal agencies and to the contractors and service providers that handle federal information or operate systems on an agency's behalf. FISMA has strict requirements that must be followed, but they only apply to organizations doing business with or for federal agencies. A dirt-road farmstand in rural Kansas will not have to abide by FISMA because it does no business with or for federal agencies; it may, however, have to abide by regulations set by the FDA or USDA.
The Goals and Process of an Information Security Program
My organization, and the one I have been most familiar with for the last two decades, is education. Previously I was in higher education, now in the K-12 sector, and security programs have evolved from previously safeguarding student data that was mostly in file cabinets or in on-premises server storage, to now being 90% cloud based. Previously we were mostly worried about viruses that would disable our workstations, but now we are more focused on ransomware, cloud security, safeguarding student materials and data as well as testing materials.
The most recent push for our department in the K-12 arena was to make sure that our faculty set up multi-factor authentication for their devices and profiles. We operate with both the Microsoft environment for our administrative, administration, and support staff and the Google Classroom environment for our faculty and students, therefore security across two platforms is tedious. We are in the process of integrating Microsoft Intune into our environment to manage the cross-platform devices that we use. The primary goal with this is to make sure all of our devices are secure and least likely to be an entry point for security breaches, especially with a portion of our staff and faculty that are allowed to utilize our BYOD option. We may not be able to control the security levels or software on the devices of those who use their own devices for work; however, we can prevent them from accessing our network if they do not meet the security requirements we have set in our Microsoft Intune controls.
In this case, it is our Director of IT, network engineer, and security specialist who are working on this project because they each manage a portion of the systems that will be running the software. The information security policies have been communicated to employees via email, indicating that with the expansion of our network devices, upgraded cloud capabilities, and the BYOD option, we must do more to protect our network, because an outage due to a breach may result in disruption to the learning environment of the students and to the ability of teachers to grade work on digital learning platforms. They have been enforced by requiring that all user accounts set up multi-factor authentication; if they do not, they are unable to log in to their profiles or use their own devices and will have to use a district-provided device after setting up multi-factor authentication.
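The enforcement described above (multi-factor authentication for every account, and device access gated on Intune compliance) is typically implemented in Microsoft 365 as an Entra ID Conditional Access policy. The following is an added example, not taken from the essay or from the district's actual configuration. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and that a break-glass administrator account exists whose object ID is the placeholder shown.

```powershell
# Added example (not from the original document): create an Entra ID Conditional
# Access policy that requires BOTH multi-factor authentication AND an Intune-compliant
# device for every user on every application. Unenrolled BYOD devices therefore cannot
# sign in, which is the behaviour the essay describes.
# Assumption: Microsoft.Graph SDK installed (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policyBody = @{
    displayName = "Require MFA and Intune-compliant device for all apps"
    # Start in report-only mode so sign-in logs show who WOULD be blocked
    # before anyone is actually locked out. Switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Assumption: a break-glass account is excluded so a misconfigured
            # policy cannot lock every administrator out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "AND" means a user must satisfy every listed control;
        # "OR" would let an MFA prompt alone satisfy the policy and
        # would NOT block unmanaged BYOD devices.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# Verification: read the policy back and confirm the grant controls and state.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
"{0}: state={1}, operator={2}, controls={3}" -f $check.DisplayName,
    $check.State,
    $check.GrantControls.Operator,
    ($check.GrantControls.BuiltInControls -join ",")

# Once report-only sign-in logs show no unexpected blocks, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ state = "enabled" }
```

Two design choices matter here. Creating the policy in report-only state first lets the IT team review the Entra sign-in logs for accounts and devices that would have been denied, which is how a district can find staff who never enrolled a BYOD device before the policy bites. The `AND` operator is what makes Intune compliance a hard gate; with `OR`, a personal laptop that has never been enrolled would still get in after an MFA prompt, defeating the stated goal.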
The applicable measurements and requirements for this information security program are to get our senior management, such as superintendents, board members, and administrators, to communicate the implementation of this program, the reasons for it, and how other districts are doing the same in our region and by guidance from the Illinois State Board of Education as well as the U.S. Department of Education. By senior management citing the instances when breaches have occurred, what type of loss educational institutions have suffered, as well as the legal ramifications of these breaches, they can lay the groundwork for why these implementations are necessary. Of course, the buy-in and practice of these policies have to be followed by senior management first so that they can get others to follow and make it a successful implementation.