1. Define an SLA and state why it is required in a risk-averse organization.
A service level agreement (SLA) is a document that identifies an expected level of performance. It identifies the minimum uptime or the maximum downtime. Organizations use SLAs as contracts between a service provider and a customer. An SLA can identify monetary penalties if the terms are not met. If your organization has SLAs with other organizations, these should be included in the risk management review. You should pay special attention to monetary penalties. For example, an SLA could specify a maximum downtime of four hours. After four hours, hourly penalties start to accrue. You can relate this ...
You can’t depend on the users to keep their signatures up to date. Instead, you must take control of the process. Many AV vendors provide tools to automatically install and update AV software on workstations. You must also be sure to keep operating systems up to date. When security patches become available, they should be evaluated and deployed when needed. Many of these security patches remove vulnerabilities. Without the patch, the systems remain vulnerable.
4. List four compliance laws, regulations, or mandates, and explain them.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to any organization that handles health information. The obvious organizations that handle health information are hospitals and doctor’s offices. However, HIPAA reaches much farther than the medical industry. Health information includes any data that relates to the health of individuals. This includes the past, present, and future health of individuals. It includes their condition, physical health, or mental health. It also includes any past, present, or future payments for health care. If any organization creates or receives health information, it must comply with HIPAA. This includes employers. It includes health plan sponsors, health care providers, public health authorities, and more.
Sarbanes-Oxley Act (SOX)
The SOX Act applies to any business that is required to be registered with the Securities and Exchange Commission. This is any publicly traded company. In other words, if someone can buy stock in your company, then SOX applies. SOX establishes a set of standards. Even if they don’t apply directly to private businesses, private businesses can use these same standards. If organizations face legal issues later, they can point to their actions as good faith efforts to avoid the problems.
Federal Information Security Management Act (FISMA)
FISMA applies to all U.S. federal agencies. The goal is to ensure that federal agencies take steps to protect their data. If you work in a federal agency, FISMA applies.
NIST is tasked by FISMA to develop standards, guidelines, and best practices to support FISMA. Special publications created by NIST for...