State agencies in Texas use the “Texas Department of Information Resources (DIR) Security Control Standards Catalog” document when coming up with a baseline set of security controls. Version 2.0 of this document has 155 baselines from the NIST SP 800-53r5 document with the following breakdown:

Low (145)
Moderate (9)
High (1)

This is probably a reasonable “minimum” baseline given the low amount of sensitive data that most state agencies handle.

However, in addition to the “minimum” baselines that the Texas DIR recommends, each state agency can select additional controls or have more stringent baselines or control enhancements.

After reading the webpages associated with the Security Management Practices discussion and skimming the Texas Security Controls catalog and the NIST SP 800-53r5 documents, please answer these three questions:

Should any of the nine (9) moderate or the one (1) high baseline have prevented the Texas Department of Insurance incident? Explain your reasoning.
List the three (3) most important “low” baselines that could have been more stringent to help prevent the TDI incident from happening. Explain your reasoning for choosing the three (3) baselines.
Although we can only speculate on the exact steps the audit took, state three (3) recommendations for testing procedures for state web applications going forward.

Additional Details

Format: Microsoft Word (or compatible)
Font: Arial, 12-point
Citation style: APA
Suggested length: At least 3 pages, which can vary depending on your presentation of the content