Week 1 discussion
DQ1 Competitive Differentiator
Increasingly, companies are under pressure from their
shareholders to increase profits by reducing internal expenses and increasing
sales. Many companies believe that globalization using information technology
(IT) is a good approach to reducing expenses and increasing sales. What are
some of the advantages of using IT to meet these goals, and what are some of
the pitfalls?
DQ2 Computer Security Program Manager (CSPM)
The CSPM is the top security officer in an organization. The
CSPM may be responsible for defining the security organization, setting it up,
and operating it so that the business is both profitable and secure. Would you
want this job? Why or why not?

Week 2 discussion
DQ1 Is Ignorance Bliss?
In Chapter 4 of NIST SP800-12 you read about clear and
present dangers that threaten the CIA Triad. Some believe that it is better not
to know what security risks they are facing, while others believe that they
need to know exactly what security risks they face. Can you think of some
reasons that companies would rather be ignorant of security risks and why
others believe they need to know about every possible security risk? If so,
please share your ideas.
DQ2 HIPAA Compliance
Review the Administrative Safeguards in the HIPAA Security
Rule at this link: http://www.hipaa.org/
How does HIPAA enforce due care? What is the role of the Compliance Manager?

Week 3 discussion
DQ1 Cryptography
Explain the role of Cryptography in authentication,
confidentiality, and integrity. Give an example where Symmetric Cryptography
(Secret Key) is normally used and an example where Asymmetric Cryptography (Public
Key) is normally used.
DQ2 Computer System Life Cycle
Describe the security issues that apply to the disposition
(retirement and disposal) phase of the Computer System Life Cycle. What needs
to be accomplished and why?

Week 4 discussion
DQ1 Three Factor Authentication
Three-factor authentication has become a standard for
strengthening authentication in some industries. One could argue that
three-factor authentication is a form of “defense-in-depth” applied
to the authentication control. Would this be true or not?
DQ2 File Access Controls
Access controls for files come in many forms, from simple
passwords to access control lists, to capabilities (such as token or
certificate authentication), and may also use various combinations of these
techniques. What is the purpose of file access controls? If the only
file-access-control used by an organization is access control lists, what
issues might arise as the organization grows?

Week 5 discussion
DQ1 Catastrophic Events
Some suggest that the recent catastrophic disasters that
afflicted the Gulf Coast and the Midwest should teach us to give greater
consideration to physical security and redundancy. In response to these very
public incidents, have you seen your company respond to physical catastrophic
threats to IT-related assets over the last few years? How do you think small
businesses are able to respond with redundant physical locations or physical
safeguards? Is it reasonable to plan for disastrous events?
DQ2 Hacking People
Consider the following scenario: While entering the
company’s building, Jeremy waves his proximity card in front of the secured
door. The door unlocks, and Jeremy opens the door only to be waved down by a
young lady asking for him to hold open the door. Jeremy politely holds the door
open, and the young lady is allowed into the building. What just happened? What
is your analysis of the situation? How should this kind of scenario be
controlled for in the future?

Week 6 discussion
DQ1 Stratification of Data Ownership
Consider the difference between a data owner, a data
steward, and a data custodian. Some would claim that these three “data
authorities” must work together if a company wants to secure its
information assets. Is this true? Why?
DQ2 Responding to Data Loss or Compromise
How should a CSPM respond to a compromise of critical
company information assets?

Week 7 discussion
DQ1 Professional Certification
Professional certifications are available from the
Information Systems Audit and Control Association and Foundation (ISACA) and
(ISC)², including the CISSP (Certified Information Systems Security
Professional), the SSCP (Systems Security Certified Practitioner), the CISM
(Certified Information Security Manager), and the CISA (Certified Information
Systems Auditor). Some companies and some U.S. government agencies use
attainment of these certifications as hiring criteria for information security
professionals, others have stopped using these certifications as hiring
criteria, and some have never considered these certifications as hiring
criteria. What do you think of the use of these certifications or credentials
as hiring criteria?
DQ2 Project Discussion
Please post your project briefing (only the briefing) to
this discussion forum. Review all of the project briefings. Note differences in
findings and discuss these differences. Why are there differences?

Week 2 assignment
Administrative Controls Paper
Write a 3 to 5 page paper to answer these questions:
How do Administrative Controls demonstrate “due
care”?
How does the absence of Administrative Controls impact
corporate liability?
How do Administrative Controls influence the choice of
Technical and Physical Controls?
How would the absence of Administrative Controls affect
projects in the IT department?
The total points for this assignment are 100 points. Each
question is worth 20 points, and the remaining 20 points will be awarded for
clarity, consistency, and quality of writing. Grammatical and spelling errors
are considered clarity problems.
Please follow the DeVry standard for papers (APA) and also
number your pages.
Submit your assignment to the Dropbox, located at the top of
this page. For instructions on how to use the Dropbox, read these step-by-step
instructions.
See the Syllabus section “Due Dates for Assignments
& Exams” for due date information.

Week 3 assignment
Technical Controls Paper
Write a 3 to 5 page paper to answer these questions:
How could Administrative, Technical, and Physical Controls
introduce a false sense of security?
What are the consequences of not having verification
practices?
What can a firm do to bolster confidence in their
Defense-in-Depth strategy?
How do these activities relate to “Best
Practices”? How can these activities be used to demonstrate regulatory
compliance?
The total points for this assignment are 100 points. Each
question is worth 20 points, and the remaining 20 points will be awarded for
clarity, consistency, and quality of writing. Grammatical and spelling errors
are considered clarity problems.
Please follow the DeVry standard for papers (APA) and also
number your pages.
Submit your assignment to the Dropbox, located at the top of
this page. For instructions on how to use the Dropbox, read these step-by-step
instructions.
See the Syllabus section “Due Dates for Assignments
& Exams” for due date information.

Week 5 assignment
We have designed a simulation that depicts a real-world
physical security survey situation. Please set aside 30 to 35 minutes to review
the simulation below.
First download the transcript. This document contains the
instructions and thirty-one (31) survey questions needed to complete this
assignment.
Execute the simulation by clicking the Physical Security
Survey Simulation link.
Visit each room and gain information from people, by
clicking on objects in the room, and from your team’s observations.
The rooms will change color when you have gathered all of
the information from that room, but you may view the simulation more than one
time.
Be sure to return to the Board Room occasionally; you will
be able to tell when you have finished collecting all of the available
information on your final visit to the Board Room.
You will find that it is very important to complete the
simulation.
Prepare the report. In your report, number each of
the first thirty (30) questions, followed by the answer to that question. Provide
one or more short introductory paragraphs that describe what was surveyed, who
performed the survey, the date of the survey, and any other information you
consider important. Write a concluding paragraph that contains your answer to
question number thirty-one (31); this concluding paragraph contains your
recommendations. Your survey report should contain the following sections:
Top Notch Security
Physical Security Survey Report for
Consultant Name:
Date of Survey:
Introduction
Questions and Answers
Question 1
Answer 1
Question 2
Answer 2
etc.
Question 30
Answer 30
Conclusion and Recommendations
Question 31 and Answer 31
Each question is worth three (3) points. The
introduction of the report is worth seven (7) points. The entire assignment is
worth 100 points. Keep the report very short and simple, but be clear as to
exactly what was surveyed and how the survey was performed. Make sure to read
the transcript very carefully, concentrating especially upon the introduction.
Also, watch the entire simulation and view it as many times as desired.
Simulation
In this simulation, you will take on the role of an
apprentice security consultant in your first big assignment. Your experienced
mentor will be there alongside you to guide you with valuable hints as you
explore the client’s business locations. You’ll have opportunities to interview
employees and survey rooms and offices through a clickable interface that
provides informative feedback.
Physical Security Survey Simulation (Runs roughly 35 minutes
for activity)
Thank you for taking the time to review our simulation
exercise. We will discuss your thoughts about this situation in the Physical
Security threaded discussion section. See you there.
Submit your assignment to the Dropbox, located at the top of
this page. For instructions on how to use the Dropbox, read these step-by-step
instructions.
See the Syllabus section “Due Dates for Assignments
& Exams” for due date information.

Week 6 course project

Objective
Write a Risk Assessment Report that is 5–10 pages long and
contains a required risk management matrix.
Present a senior management-level PowerPoint briefing
consisting of no more than 10 slides.
Guidelines
Papers must be 5–10 pages long (this would be roughly one
page per area included in the report) with 10-point font. They must be
double-spaced and must include a cover page, table of contents, introduction, body
of the report, summary or conclusion, and works cited.
Even though this is not a scientific-type writing
assignment, and is mostly creative in nature, references are still very
important. At least six authoritative outside references are required
(anonymous authors or web pages are not acceptable). These should be listed on
the last page, which is titled “Works Cited.”
Appropriate citations are required.
All DeVry University policies are in effect, including the
plagiarism policy.
Management Briefing (PowerPoint) is due at the end of Week 6
(resubmit to the Project Discussion topic in the Week 7 Discussion forum) of
the course.
Risk Assessment Report and Risk Management Matrix are due
during Week 6 of this course.
Any questions about the Course Project may be discussed in
the weekly Q & A Discussion topic.
The paper and PowerPoint are worth 190 total points and will
be graded on quality of research topic, quality of paper information, use of
citations, and grammar and sentence structure.
Week 1
Read the first week’s Course Project files in the CSPM
Project Files and Hacker Project Files in Doc Sharing. To obtain the role
information for either the CSPM or the hacker, go to the Doc Sharing dropdown
menu. There you will see a box next to “Select View.” Click on
the arrow to view the choices. Then click on the “GO” button.
The case study will explore an information system and the
organization in which it operates, and the current state of the information
system. You will choose a scenario from either the perspective of a Computer
Security Program Manager (CSPM) or from a hacker’s perspective.

Next, place your decision in a Word document and submit it
to the Week 1 Course Project Planning Assignment Dropbox. If there are
insufficient CSPM choices or hacker choices, the teacher may (randomly) ask a
student to change the choice.
Note: Once the choice is made, it is final. Sharing the CSPM
and Hacker packets is not allowed.
Each teacher will send an additional handout to each student
and provide extra information pertinent to the case. Each member will be
provided the same information as the other members of his or her group (either the
CSPM or hacker group). The CSPM packet and the Hacker packet present different
information. The idea is to get two views of the risk for comparison: one from
the point of view of the CSPM, and one from the point of view of a hacker.
Differing and contrasted perspectives offer a lens through
which to view the problem of physical and operational security: from the lens of
a responsible manager or from the lens of a hacker. The differing perspectives
are useful in exploring the fundamental problems associated with securing an
information system, and will have the student considering problems from both
perspectives. In the industry, we even see the availability of “hacker
certification” where technology professionals are trained to think like
hackers in order to gain meaningful perspectives. As mentioned in the Week 1
Lecture, the advice to know the enemy and to think as the enemy is thousands of
years old (Sun Tzu) but is as valid today as it was in 500 B.C.

Week 6
Management Briefing
The PowerPoint will be a briefing to senior management that
could be used to present the findings of the risk assessment to management. The
briefing will identify the system that was assessed, provide a brief
description of the assessment process used, state the conclusions of the
assessment, and recommend a course of action to management.
At the end of Week 6, the senior management-level briefing
will be posted to the Project Discussion topic in the Week 7 Discussion forum
and discussed among class members during that week. Differences in approach and
findings will be identified and the ramifications of those differences will be
discussed. Discussion, however, is not limited to these two topics but is
expected to be “freewheeling” (where anything is fair game, but
please use discretion).
Risk Assessment Report

The risk assessment report will contain a simple risk
management matrix that can be easily read and understood by senior management
so that management can make an appropriate risk management decision.
Risk Management Matrix
The risk management matrix will be a matrix with at least
the following columns.
Risk description
What adversary might exploit this risk
Estimated likelihood of exploitation
Impact if the risk is exploited
Recommended course of action
At least three risks must be identified. Students are at
liberty to add columns and rows to the risk management matrix if deemed necessary.
Keep in mind this matrix is for senior management’s use.
The following table is a sample to use.

Brief Description of Risk | Adversary (Who Might Exploit this Risk) | Likelihood | Impact | Course of Action
--------------------------|-----------------------------------------|------------|--------|-----------------
Risk 1                    |                                         |            |        |
Risk 2                    |                                         |            |        |
Risk 3                    |                                         |            |        |
Submit the Risk Assessment Report, Risk Management Matrix,
and Management Briefing to the Week 6 Course Project Dropbox.
Note: the Management Briefing receives two grades: one for
its submission to the Project Discussion topic in the Week 7 Discussion forum
and the other for its submission to its Week 6 Course Project Dropbox.
See the Syllabus section “Due Dates for Assignments
& Exams” for due date information.

Week 4 midterm
Question 1. (TCO A) According to NIST, a weakness in an
information system, system security procedures, internal controls, or
implementation that could be exploited is a(n) ______. (Points : 5)
vulnerability
threat
risk
impact
danger
Question 2. (TCO B) The expression {(confidentiality,
impact), (integrity, impact), (availability, impact)} is an expression called
what? (Points : 5)
Security Risk
Security Threat
Security Damage
Security Category
INFOCON
Question 3. (TCO C) According to NIST, preserving
authorized restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information, is called _______.
(Points : 5)
nonrepudiation
confidentiality
authorization
integrity
availability
Question 4. (TCO F) According to NIST, what is the weakest
link in security? (Points : 5)
Administrative controls
Technical controls
Personnel controls
Physical controls
People
Question 1. (TCO A) What does it mean to say that
information assets are critical business assets? (Points : 5)
Question 2. (TCO B) Explain why the term due care is very
rarely used in policy documents. (Points : 5)
Question 3. (TCO C) What are the vulnerabilities that (1)
confidentiality controls, (2) integrity controls, and (3) availability
controls protect information assets against? (Points : 5)
Question 4. (TCO F) Describe the idea of reuse in the
computer systems life cycle. (Points : 5)
Question 1. (TCO A) Reuse is a term that is commonly used to mean
that things do not need to be developed each time that they are needed, but
rather can be used over and over without redevelopment. Reuse is common in the
software and hardware industries. However, one must be careful with reuse. What
is a pitfall of the strategy of reuse? (Points : 15)
Question 2. (TCO B) Controlled Unclassified Information
is a term invented by the President of the United States in 2008. This new
category of information replaces about 150 (or more) existing categories of
information and eliminates those over a five-year period. Controlled
Unclassified Information is intended to include all of the unclassified
information currently addressed by SOX, HIPAA, FERPA, FISMA, GLB, and so forth.
When this effort is completed, there will be exactly three categories of
Controlled Unclassified Information, which will replace all 150 (or more)
current information categories. What is the advantage of reducing the number of
categories of unclassified information from the estimated 150 to three? (Points
: 15)
Question 3. (TCO C) Today, several security services are
increasingly provided as common security services. These include audit and
monitoring services, authentication services, access management services,
directory services, and a variety of detection, prevention, and mitigation
services. What is meant by “common security services” and what
advantage and disadvantage do they provide when compared to commodity security
controls? (Points : 15)
Question 4. (TCO F) Explain why human errors are
considered a threat to computer security. (Points : 15)

Week 8 final exam
Question 1. (TCO A) What are the goals of information
security? (Points : 5)
Administrative, technical, and physical
Confidentiality, accountability, and integrity
Confidentiality, integrity, and accountability
Technical, integrity, and administrative
Confidentiality, integrity, and availability

Question 2. (TCO A) Security controls protect ______.
(Points : 5)
facilities
people
information
computers and networks
All of the above

Question 3. (TCO B) Due care is used as a test to
determine whether management has taken precautions that are ______. (Points :
5)
compliant
legal
reasonable
secure
readiness

Question 4. (TCO B) Regulations that enforce compliance,
including SOX, FERPA, FISMA, and GLB, require protection of ______. (Points :
5)
governments
industries
types of information
personal privacy
computer systems

Question 5. (TCO C) What is a privilege? (Points : 5)
The authority to use an information asset in a particular way
The ability to use an information asset in a particular way
The right to use an information asset in a particular way
The means to use an information asset in a particular way
None of the above

Question 6. (TCO C) Access control can be based on
______. (Points : 5)
roles
location
message routes
time of day
All of the above

Question 7. (TCO D) Physical controls for electromagnetic
emanations are called what? (Points : 5)
SPREAD SPECTRUM
SHIELDING
TEMPEST
BLACKOUT
None of the above

Question 8. (TCO E) What threats are most likely to
compromise CIA safeguards? (Points : 5)
Viruses
Malicious codes
Spyware
Employees
External hackers

Question 9. (TCO E) What is the name of the phenomenon in
which two pieces of information are nonsensitive in isolation but when combined
produce highly sensitive information? (Points : 5)
Combinatorics
Synthesis
Aggregation
High-water mark
None of the above

Question 10. (TCO F) Adversaries may be ______. (Points
: 5)
competitors
employees
news reporters
thrill seekers
All of the above
Page 2
Question 1. (TCO A) Identify the phases of the Computer
System Life Cycle and briefly define at least one role of the CSPM in each
phase. (Points : 10)

Question 2. (TCO C) What are the vulnerabilities that (1)
confidentiality controls, (2) integrity controls, and (3) availability controls
protect information assets against? (Points : 10)
Question 3. (TCO B) If the CSPM finds that his or her
company has information that needs protection according to company policy (that
is, it is considered proprietary company information), but there is no external
law, order, or rule that requires protection of that kind of information, how
should the CSPM proceed? (Points : 10)
Question 4. (TCO D) Many CSPMs would argue that CCTV
should be installed in storage rooms, wiring closets, and other nonpublic areas
of buildings; other CSPMs would argue that those are low-frequency access areas
and do not need CCTV. How should such a decision whether to install CCTV in
such nonpublic areas be made? Who should make the final decision? (Points : 10)
Question 5. (TCO E) What is the single most likely event
that will compromise the confidentiality, integrity, or availability of
information assets? Briefly explain why you have chosen your answer. (Points :
10)
Question 6. (TCO F) Explain briefly why privileged users
are of concern to the CSPM. (Points : 10)

Page 3
Question 1. (TCO A) Explain why understanding globalism
is an important aspect of modern business and why it is also an increasingly
important aspect of modern information security. Discuss at least competitive
advantage as well as supply-chain issues and legal issues. (Points : 15)
Question 2. (TCO B) Analyze why administrative controls
should be documented. (Points : 15)
Question 3. (TCO C) Explain the idea of situation
awareness and identify at least five elements that should be part of situation
awareness for a wide area network (WAN) environment. (Points : 15)
Question 4. (TCO C) We have looked at compliance
legislation for several kinds of information (e.g., health, financial,
educational) and have also reviewed requirements for protection of particular
kinds of information such as intellectual property (trade secrets, patents,
copyrights). Most companies store, process, and handle all of these kinds of
information. The number of different compliance statutes written by federal,
state, local, and tribal governments and of specialty protection requirements
issued by independent commissions (such as riverboat gambling commissions)
continues to increase. A CSPM may have to deal with several of these laws or
rules. Assuming that the CSPM has identified the rules and laws that apply to
his company, how can the CSPM ensure that system controls are sufficient to
satisfy all of them? (Points : 15)
Question 5. (TCO D) Evaluate advantages of deploying
closed-circuit television (CCTV) in a waiting room. (Points : 15)
Question 6. (TCO E) The SOC was established to measure
readiness. However, some components of a computer and network system are more
critical for readiness than others. Let’s say that there are three levels of
criticality for system components: mission critical, mission essential, and
support. Using what you have learned about calculating the security category
for information, devise a similar scheme for categorizing computer and network
system components for readiness. (Points : 15)