TEAM: PHOENIX
ANJANA
ANISH
ARUN
ARUNA
ARUL
SATHISH
VAISHNAVI
SUPRIYA
Introduction
SRA International is a leading provider of IT services and solutions to the Federal Government.
Headquartered in Fairfax, VA, it has over 7,000 employees located in more than 50 locations around the world.
In 2005, the company's revenue was around 881 million dollars.
99% of the company's revenue came from the federal government.
SRA is a significant contributor to C4ISR systems that support the U.S. Department of Defense and the Department of Homeland Security.
SRA's responsibilities typically involve the design, development, integration and implementation of large and complex information systems.
Its services fall into three groups:
Strategic consulting services
Systems design, development, and integration services
Outsourcing and operations management
1. Why do you think SRA has chosen to focus its efforts on federal government departments and agencies within the national security market? Explain why this has been a good strategy for SRA.
SRA prefers federal agencies because their requirements align closely with the business solutions SRA provides, which focus on common operational requirements built from reusable tools, techniques and methods.
This strategy suits SRA because of its
Highly secure and reliable systems and operations
Enterprise architecture
2. What is open source intelligence? What is the relationship between open source intelligence, national security, and text and data mining software? Why should businesses be concerned about open source intelligence?
Open Source Intelligence (OSINT) is intelligence produced from publicly available, unclassified information. Individual items may look trivial or pose little threat on their own; the value comes from collecting and combining them.
It involves four processes: uncovering (discovery), discrimination, refining and delivery.
It works only with unclassified data, yet it is used in both military and non-military applications.
Text and data mining software is what makes OSINT practical at scale: it aggregates, filters and extracts from large volumes of open sources so that analysts can find the relevant fragments.
Businesses can use OSINT for faster data aggregation and data retrieval. They should also be concerned because the same techniques can be turned on them: individually harmless public facts (job postings, press releases, employee profiles) can be aggregated into a sensitive picture of a company's operations and systems.
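As an added illustration (not part of the original presentation), the following Python script runs the four OSINT steps (uncovering, discrimination, refining, delivery) over a handful of constructed documents about a hypothetical company. The company, URLs, people and product names in it are invented for the example; the point is that a job posting, a press release and a social-media post, each harmless alone, combine into a profile of the target's locations, technology stack and staff.

```python
"""Minimal OSINT pipeline over constructed sample documents.

Added example: the sources below are invented (hypothetical company,
fake URLs, fake people); nothing here is real data.
"""
import re
from collections import defaultdict

# Constructed "open sources". The fourth document is noise that mentions the
# same city but not the target, to show the discrimination step at work.
SOURCES = [
    {"url": "https://jobs.example-corp.test/123",
     "text": ("Senior Network Engineer wanted: 5+ years with Cisco ASA 5500 "
              "firewalls and PAN-OS. Based at our Fairfax, VA data center.")},
    {"url": "https://press.example-corp.test/q3",
     "text": ("Example Corp opened its new Fairfax, VA data center in June, "
              "consolidating hosting for its federal contracts.")},
    {"url": "https://social.test/jdoe",
     "text": ("Sysadmin at Example Corp. Migrating our Exchange 2013 servers "
              "this month, wish me luck. Contact: jdoe@example-corp.test")},
    {"url": "https://news.test/weather",
     "text": "Sunny skies expected in Fairfax this weekend."},
]

# Terms that identify the target (hypothetical); matching is case-insensitive.
TARGET_TERMS = ("example corp", "example-corp")

# Extractors for the refining step: the kind of pattern a text mining tool
# applies to free text. Kept deliberately narrow for the sample documents.
EXTRACTORS = {
    "technologies": re.compile(r"\b(Cisco ASA \d+|PAN-OS|Exchange \d{4})\b"),
    "emails": re.compile(r"[\w.+-]+@[\w-]+\.\w+"),
    "locations": re.compile(r"\b([A-Z][a-z]+, [A-Z]{2})\b"),
}


def discover(sources):
    """Uncovering: in a real tool this fetches pages, feeds and filings.
    Here the constructed documents stand in for the fetch."""
    return [dict(doc) for doc in sources]


def discriminate(docs, terms=TARGET_TERMS):
    """Discrimination: keep only documents tied to the target (by URL or
    body), scored by term hits, so unrelated noise drops out."""
    kept = []
    for doc in docs:
        haystack = (doc["url"] + " " + doc["text"]).lower()
        score = sum(haystack.count(t) for t in terms)
        if score:
            kept.append({**doc, "score": score})
    return sorted(kept, key=lambda d: d["score"], reverse=True)


def refine(docs, extractors=EXTRACTORS):
    """Refining: extract and de-duplicate entities across all kept documents,
    recording which source each came from so an analyst can verify it."""
    profile = {name: defaultdict(set) for name in extractors}
    for doc in docs:
        for name, pattern in extractors.items():
            for match in pattern.findall(doc["text"]):
                profile[name][match].add(doc["url"])
    return {name: dict(entities) for name, entities in profile.items()}


def deliver(profile):
    """Delivery: a plain-text report listing each entity and its sources."""
    lines = []
    for category in sorted(profile):
        for entity in sorted(profile[category]):
            sources = ", ".join(sorted(profile[category][entity]))
            lines.append(f"{category}: {entity}  <- {sources}")
    return "\n".join(lines)


def run_pipeline(sources=SOURCES):
    """Run all four steps; returns (kept documents, profile, report)."""
    docs = discriminate(discover(sources))
    profile = refine(docs)
    return docs, profile, deliver(profile)


if __name__ == "__main__":
    print(run_pipeline()[2])
```

The weather story is discarded even though it names the same city, while the remaining three documents together reveal the target's firewall and mail-server products, its data center location and a named sysadmin with a contact address. That aggregation, not any single item, is what a business should be concerned about.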
3. What are critical infrastructures? List the U.S. critical infrastructure sectors and provide examples of each.
Critical infrastructures are the backbone of a country's functioning (economy, security, etc.): facilities that governments describe as national assets.
The U.S. critical infrastructure definition:
- Systems so vital that their destruction would have a devastating impact on the nation's security and economy.
The sectors include:
Agriculture, water and food
Emergency services and public health
Defense industrial base
Information and telecommunications
Energy
Banking and finance
Transportation and shipping
4. Why is improved interoperability between federal agency systems necessary for national security purposes?
Through the use of common software and hardware, federal agency systems can communicate easily and share data. National security depends on this because threats cross agency boundaries, and information held in one agency's system is of little use if another agency cannot receive it.
SRA uses enterprise architecture to help federal agencies unify their systems, networks and databases.
5. FISMA replaced the Government Information Security Reform Act (GISRA). Provide an overview of GISRA. Do you think that there are significant differences between FISMA and GISRA?
GISRA, the Government Information Security Reform Act, required agencies to perform risk assessments of non-classified systems, develop and implement security policies and procedures for data, develop a process for fixing security weaknesses, and provide security awareness training for agency employees.
GISRA held agencies accountable by tying compliance reports to the budget cycle.
Differences between FISMA and GISRA
GISRA lacked specifics regarding the type of IT controls that agencies should implement.
FISMA, by contrast, brought in specific security controls and classification standards (the standards and control catalogs NIST publishes under FISMA) to make information assurance effective in each federal agency.
6. Are the eight FISMA requirements a good model for business information security programs? Explain your answer.
Yes, the eight FISMA requirements are a good model for business information security programs, for these reasons:
Systems are subjected to periodic testing and evaluation.
Risk-based policies are set in order to mitigate risk.
Remedial action plans identify weaknesses in information security policies and procedures, estimate the resources needed to resolve these deficiencies, and describe the status of existing corrective actions.
Security incident procedures detect, report and respond to security incidents, mitigating the risks associated with them before substantial damage is done.
Continuity of operations plans and procedures provide specific instructions for restoring critical systems.
7. In spite of FISMA's mandate to strengthen information security within the federal government, many federal agencies receive low grades on the Federal Computer Security Report Card because of weaknesses in their information systems and information security programs. Explain why this has happened.
Adopting the right systems is not enough: they require continuous updating and maintenance, and in practice systems fall behind and are left without updates.
At times managers are not aware of the status of the security systems that have been adopted.
Systems might not meet the physical security requirements, and so on.
8. What are the differences, in terms of legal regulations and guidance for compliance, between the federal government and industry in managing the security of information and information systems?
The major differences are:
1. Assessment questions, once answered, take considerably less time to evaluate in future.
2. Software developed is shared among the federal agencies in a more efficient and cost-effective manner.
3. Information security within the federal government is a demanding endeavor requiring teamwork (sharing ideas, applying security solutions, evolving standardized practices, keeping costs down).
4. Federal agencies must strictly verify their compliance with government information security regulations, whereas industry is largely guided by voluntary best practices.
9. Compare the classes and families of the minimum security control requirements, shown in Table 5-5, to the classes and control objectives of ASSERT's assessment questions, shown in Table 5-6. How do you explain the discrepancies?
The classes and controls in both tables are, at the outset, the same. However, the questions and control points are categorized differently. For example, under the risk assessment family there are no questions on risk assessment policies and procedures or on security categorization, although emphasis is laid on the risk assessment itself.
Consider the third family, system and services acquisition: questions on the system and services acquisition policy and procedures are missing, while stress is laid on the life cycle and testing parts.
In Table 5-5 the rules of behavior are listed in the planning family, but in Table 5-6 they appear under certification and accreditation. In Table 5-5 the system security plan is listed in the planning family, but in Table 5-6 it is treated as a separate family.
10. Explain how ASSERT's questions could be used by a business to better control its IT systems and to mitigate its security risks.
ASSERT's questions are relevant to other businesses and can be used by them to review their security systems.
For example, the questions on risk assessment give a 360-degree view of the threats expected and of the system's readiness to withstand them. Similarly, the questions on the life cycle cover not just the technical aspects but also the financial and budgetary ones, taking an integrated approach.