1. Discussion boards are collaborative learning experiences. Therefore, the student will answer questions in response to the provided prompt for each forum. The student must submit a thread of at least 250 words that completely answers the question(s) for each forum.
2. In addition to the thread, the student must also reply to at least 2 classmates’ threads. Each reply must be at least 100 words. The student must use complete paragraphs, proper APA formatting, and cite information that is not his/her own.
Main Discussion Board Post
Minimum 250 words (-5 for less than 250 words)
Must have a reference from the book with a citation or a reference from the Bible (-5 if no Bible verse AND version).
Each reply must have a min 100 words (-5 for less than 100 words)
Must have two DB replies (-3 for each missing reply)
Each reply must have a Bible verse with the edition of the Bible (-5 for each reply missing a Bible verse with Bible version)
Each thread is due by 11:59 p.m. (ET) on Thursday of the assigned module/week and replies are due by 11:59 p.m. (ET) on Monday of the same module/week, with the exception of Module/Week 8. In Module/Week 8, your thread is due by 11:59 p.m. (ET) on Thursday and replies are due by 11:59 p.m. (ET) on Friday.
Part 1 Discussion Board Question
Describe the fundamental security policies outlined by PCI DSS, FISMA, and COBIT. In a subsequent paragraph, identify at least 2 types of industries (e.g., Internet service providers, health care, education) and describe which of the latter standard(s) should be considered in that industry. Defend your response.
Post your thread by 11:59 p.m. (ET) on Thursday, and your 2 replies by 11:59 p.m. (ET) on Monday.
Part 2: Student Threads (must reply to each individually, 100 words each)
Payment Card Industry (PCI)
Payment Card Industry (PCI) is a standard developed by the major card providers in an attempt to address public concern about hacks of credit cards. One of the first poster children of credit card hacks was the TJ Maxx hack in 2007, when 94 million credit cards were stolen (Chickowski, 2008). Due to that event and others, the big five credit card companies (Visa, Mastercard, American Express, Discover, and JCB) got together to form the Security Standards Council (SSC). The primary outcome of the SSC was the development of the Data Security Standard (DSS), which outlines several important security standards for processing and holding credit card data. The PCI DSS has 12 sections, but has been organized into 6 sections covering the following security concepts: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy (Johnson, 2015). The standard has stood the test of time and today serves as a force against hackers that would otherwise have easy access to credit card data.
The PCI DSS standard applies to any entity that produces, processes, or stores credit card data. However, other standards apply to other industries. For example, the Health Insurance Portability and Accountability Act (HIPAA) applies to any entity that produces, transmits, or stores Protected Health Information (PHI). The Federal Information Security Management Act (FISMA) applies to all U.S. Government agencies. There are hundreds of other standards, and some organizations have to comply with multiple standards at once.
Chickowski, E. (2008). TJX: Anatomy of a massive breach. Baseline, (81), 28–29.
Johnson, R. (2015). Security policies and implementation issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
Thread 2: Nathanael Gentry, Forum 4: Fundamental Policies
The Payment Card Industry Data Security Standard (PCI DSS), currently in version 3.0 (2015), represents the efforts of major credit card companies (Visa, MasterCard, American Express) to protect payment information transmitted over the Internet (Johnson, 2015, p. 71). Since nearly all Internet industries (including all mentioned in the prompt) can accept online payment, all must maintain PCI DSS compliant systems. As Johnson (2015, p. 71) notes, PCI DSS mandates security policies and compliance validation from e-commerce companies; noncompliance can provoke punitive charges from the companies and even revocation of card-handling authorization. The standard ensures security through two facets: encryption and processing isolation (segmentation). PCI DSS requires at-rest encryption—the persistent encryption of data even in nonvolatile storage. Moreover, the standard recommends establishing entire compliant network segments; for applications that cannot isolate the payment-processing systems, all systems on the segment must comply with the standard (Johnson, 2015, p. 71).
While PCI DSS represents a private industry’s self-regulation, the Federal Information Security Management Act (FISMA) provides the government’s own regulation of its information security (Johnson, 2015, pp. 58-59). Standards developed by NIST concern inventory management, risk analysis, system security certification, and audits. Since private corporations handling government data must also comply with FISMA, defense contractors (e.g. Lockheed Martin, BWXT) and think-tanks (e.g. RAND) would face such requirements.
Finally, as Johnson (2015, pp. 62-63) notes, Control Objectives for Information and Related Technologies (COBIT) provides a library of security controls for corporate compliance with the Sarbanes-Oxley Act (SOX). Indeed, COBIT stretches far across private-sector regulations—including auditing, product and policy lifecycle management, and risk management. Since COBIT has international application, global industries like investment firms and technology companies should implement policies from its vast library.
Johnson, R. (2015). Security policies and implementation issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.