Jayvee Kris Alvarado - Worksheet

Data leak worksheet

Incident summary: A sales manager shared access to a folder of internal-only documents with their
team during a meeting. The folder contained files associated with a new product that has not been
publicly announced. It also included customer analytics and promotional materials. After the meeting,
the manager did not revoke access to the internal folder, but warned the team to wait for approval
before sharing the promotional materials with others.

During a video call with a business partner, a member of the sales team forgot the warning from their
manager. The sales representative intended to share a link to the promotional materials so that the
business partner could circulate the materials to their customers. However, the sales representative
accidentally shared a link to the internal folder instead. Later, the business partner posted the link on
their company's social media page assuming that it was the promotional materials.

Answer the following:

Control: Least privilege

Issue(s): What factors contributed to the information leak?

- The sales manager shared a folder containing confidential
documents with more people than necessary. This made it more
likely that someone would share it by accident.
- The manager failed to remove access to the folder after the
meeting, so those who did not require it still had it.
- During a video chat, one of the sales team members unintentionally
shared the folder link rather than the correct papers.
- The salesperson could not recall the manager's instruction to wait
before providing sensitive materials.

Review: What does NIST SP 800-53: AC-6 address?

NIST SP 800-53: AC-6 ensures only authorized users can access particular
computer resources. It functions similarly to a lock for files and folders,
preventing them from falling into the wrong hands.

Recommendation(s): How might the principle of least privilege be improved at the company?
- Only grant access to items that people require for their jobs.
- Check who has access regularly and remove access from persons
who no longer require it.
- Only allow individuals to see what they truly need to complete their
jobs.
- Make logging in more secure: In addition to passwords, use
fingerprints or codes to ensure the correct individual is logged in.

Justification: How might these improvements address the issues?

By taking these steps, the organization can prevent leaks and mistakes.
They'll make sure that only those who need to see specific things may see
them. Checking in regularly and making logging in more difficult reduces
the likelihood of something negative happening, such as someone
accidentally exposing sensitive information.

Security plan snapshot
The NIST Cybersecurity Framework (CSF) uses a hierarchical, tree-like structure to organize
information. From left to right, it describes a broad security function, then becomes more specific as
it branches out to a category, subcategory, and individual security controls.

Function: Protect
Category: PR.DS: Data security
Subcategory: PR.DS-5: Protections against data leaks.
Reference(s): NIST SP 800-53: AC-6

In this example, the implemented controls that are used by the manufacturer to protect against data
leaks are defined in NIST SP 800-53—a set of guidelines for securing the privacy of information
systems.

Note: References are commonly hyperlinked to the guidelines or regulations they relate to. This
makes it easy to learn more about how a particular control should be implemented. It's common to
find multiple links to different sources in the references columns.

NIST SP 800-53: AC-6
NIST developed SP 800-53 to provide businesses with a customizable information privacy plan. It's a
comprehensive resource that describes a wide range of control categories. Each control provides a
few key pieces of information:
● Control: A definition of the security control.
● Discussion: A description of how the control should be implemented.
● Control enhancements: A list of suggestions to improve the effectiveness of the control.

AC-6 Least Privilege

Control:
Only the minimal access and authorization required to complete a task or function
should be provided to users.

Discussion:
Processes, user accounts, and roles should be enforced as necessary to achieve least
privilege. The intention is to prevent a user from operating at privilege levels higher
than what is necessary to accomplish business objectives.

Control enhancements:
● Restrict access to sensitive resources based on user role.
● Automatically revoke access to information after a period of time.
● Keep activity logs of provisioned user accounts.
● Regularly audit user privileges.
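The four control enhancements above applied to the worksheet's own incident, as an added example (not part of the worksheet or of NIST SP 800-53): a shared internal folder that only accepts grants for roles that need it, expires each grant automatically, logs every decision, and is audited after the meeting. User names, roles and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the worksheet incident: role-restricted, time-limited
# grants on an internal folder, an activity log, and a periodic privilege audit.

@dataclass
class SharedFolder:
    name: str
    allowed_roles: frozenset
    grants: dict = field(default_factory=dict)   # user -> grant expiry time
    log: list = field(default_factory=list)      # activity log of every decision

    def grant(self, user, role, now, ttl_hours=1):
        """Grant only to roles that need the folder, and only for a limited time."""
        if role not in self.allowed_roles:
            self.log.append(f"{now:%H:%M} DENY-GRANT {user} ({role}) on {self.name}")
            return False
        self.grants[user] = now + timedelta(hours=ttl_hours)
        self.log.append(f"{now:%H:%M} GRANT {user} ({role}) on {self.name} for {ttl_hours}h")
        return True

    def can_access(self, user, now):
        """A leaked link is not enough: the grant must exist and must not have expired."""
        expiry = self.grants.get(user)
        ok = expiry is not None and now < expiry
        self.log.append(f"{now:%H:%M} {'ALLOW' if ok else 'DENY'} {user} on {self.name}")
        return ok

    def audit(self, now):
        """Periodic review: revoke expired grants and report who still has access."""
        expired = sorted(u for u, expiry in self.grants.items() if now >= expiry)
        for u in expired:
            del self.grants[u]
            self.log.append(f"{now:%H:%M} REVOKE {u} on {self.name} (expired)")
        return expired, sorted(self.grants)

def run_scenario():
    meeting = datetime(2024, 1, 15, 10, 0)   # constructed meeting time
    folder = SharedFolder("internal-product-docs", frozenset({"sales_manager", "sales_rep"}))
    folder.grant("manager", "sales_manager", meeting, ttl_hours=24)
    folder.grant("rep", "sales_rep", meeting, ttl_hours=1)           # meeting-only access
    partner_granted = folder.grant("partner", "external", meeting)   # wrong role: refused
    during = folder.can_access("rep", meeting + timedelta(minutes=30))
    after = folder.can_access("rep", meeting + timedelta(hours=3))   # link reused later
    expired, remaining = folder.audit(meeting + timedelta(hours=3))
    return {"partner_granted": partner_granted, "during": during,
            "after": after, "expired": expired, "remaining": remaining}
```

With expiry enforced, the link the representative shared after the meeting no longer grants the folder, and the audit shows only the manager still holding access.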

Note: In the category of access controls, SP 800-53 lists least privilege sixth, i.e. AC-6.
