
Risk Management Framework used by the Federal Government

In this module, you explored selecting security controls as it relates to the Risk Management Framework used by the Federal Government and other organizations to manage risk. The security control baselines address the security needs of a broad and diverse set of constituencies and are developed based on a number of general assumptions, including common environmental, operational, and functional considerations. The baselines also assume typical threats facing common information systems.

You have been tasked to brief your manager, CFO, or CEO of your company (continue to use the one you have been referring to in the previous modules) about selecting security controls. Prepare a three- to four-page paper, not including title and reference pages, describing how and why you selected and tailored a set of baseline controls based on the categorization of your company's payroll system. Discuss the security controls you selected (at a high level, by control family) based on the impact levels of each security objective: confidentiality, integrity, and availability, and your justification for each. (Refer to NIST SP 800-53r5, Chapter 3 for assistance.)

Your paper must be double-spaced, use a standard 12-point font and standard margins. At least two APA-formatted in-text citations are required, plus appropriate references must be listed. (Note: No wiki or blog references are allowed.) Your document should be free of spelling and/or grammatical errors.

THE PAYROLL CATEGORIES AND CIA TRIAD

Payroll categories

Some payroll categories within St John's healthcare facility shall include taxes, wages, deductions, employer expenses, and accruals. According to the law, an organization must create payroll categories where different employees are assigned the amounts due to them. Within our organization, these categories shall help determine the specific amount assigned to every employee and make the process automated to prevent potential delays and human-related errors. However, it is essential to understand that before the expenses, wages, and accruals are disbursed as paychecks, they must be assigned to the different workers.

The first category shall include wage creation, determined by the salary and hourly performance of the individuals involved. Within our facility, other wages will include overtime, bonuses, commissions, and salaries. Secondly, the accruals will be created based on employees' accumulated hours worked, which help them receive special payments and packages like sick leave and vacations. Therefore, the number of hours one works weekly shall determine the accruals for the vacation payment.

The third category is the creation of the deductions, which are the amounts of money that must be subtracted from the employee's paycheck. However, this amount does not include the taxation rates. Finally, the employer expenditure shall include the amounts of money the organization pays for having employees. This amount is not subtracted from employees' payments, although it affects their contributions, for example, the pension contributions.

The impact levels

Confidentiality

According to Srinivas et al. (2019), confidentiality is the process of ensuring that employees' payroll information is kept private against access from unauthorized parties. The financial information of any healthcare organization, including the employees' payroll, should always be securely stored and should not be received directly or indirectly by other parties. Additionally, most workers expect their private data to be kept securely. Therefore, if it is exposed, this may damage the organization's reputation and break the confidentiality agreement between the organization and the employee involved. Sometimes there may be lawsuits arising from such exposure, for example when some employees realize that the management is underpaying them despite their delivering similar value to the organization.

Integrity

Integrity is ensuring that employees' payroll data is not changed, duplicated, or added to maliciously. Integrity ensures that the amount the organization expects to pay the employees is the correct amount. However, when there are changes, the employee may receive a lower or higher amount, each of which has different consequences. When an employee receives a higher amount that goes unreported, the organization may incur losses, especially when auditing is not done. When employees are underpaid, they are more likely to become less motivated in their workplace. Therefore, integrity seeks to ensure that the agreed and expected amount is calculated and delivered to the relevant parties. Sometimes the employees within the IT offices are more likely to manipulate the system to overpay themselves; that is why external and internal auditing are significant (Lisdorf, 2021).

Availability

According to Force (2018), availability is the task of ensuring that data regarding employees' payroll is always accessible. For example, accessing the data may be difficult when hardware or software failures occur. This may lead to delayed payment, which also demotivates employees. Every time a salary payment date is postponed, employees' productivity is reduced significantly, which may lead to increased suffering of the patients and a lost reputation for the organization. To promote availability, there is a need to have a comprehensive data backup system for retrieval in case a failure occurs.

References

Force, J. T. (2018). Risk management framework for information systems and organizations. NIST Special Publication 800-37. https://www.itdojo.com/oolruchu/2019/01/NIST_SP_800-37r2.pdf

Lisdorf, A. (2021). Securing the Cloud. In Cloud Computing Basics (pp. 131-143). Apress, Berkeley, CA. https://link.springer.com/chapter/10.1007/978-1-4842-6921-3_11

Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards and recommendations. Future Generation Computer Systems, 92, 178-188. https://www.sciencedirect.com/science/article/pii/S0167739X18316753
