Module Two_Case Study Template

docx

School

Southern New Hampshire University *

*We aren’t endorsed by this school

Course

200

Subject

Information Systems

Date

Feb 20, 2024

Type

docx

Pages

6

Uploaded by ISSIT_Learn

Report
CYB 200 Module Two Case Study Template After reviewing the scenario in the Module Two Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps for each control recommendation: 1. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X . 2. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation. 3. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision. Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example) X C I chose layering because it adds another layer of protection for the confidentiality of our data. If possible, close and lock your office door when leaving your computer. x C By closing and locking your office door; you are adding am additional layer of protection to your system and data. Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets. x C Using technology to ensure only authorized software
Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) executes is a type of layering which adds an additional form of security. Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. x C This is a least privilege security principle because each individual should only have the minimal amount of access to do their assigned duties. Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals. x A When systems are properly configured, they avoid resource conflicts. Maintain an inventory of all sensitive information stored or transmitted by the organization's technology systems, including those located on site or at a x C I chose layering because maintaining an inventory of all
Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) remote location. sensitive data and controlling who handles it ensures that the data is secured from multiple perspectives. Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices. X I I chose layering because encryption prevents others from accessing data without the key which provides an additional layer of protection. If USB storage devices are required, software should be used that can configure systems to allow the use of specific devices. X A I chose usability as a properly configured system to accept USB’s and apply any updated drivers and encryptions would improve the users experience and
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) ensure that the systems and data are readily available for use. Configure systems not to write data to external removable media, if there is no business need for supporting such devices. X I I chose least privilege as these devices have the potential to cause harm to the system it plugs in to. If such device is needed, a person from the help desk department should assist in order to ensure the device is safe and not one that could cause harm like a rubber ducky USB. If USB storage devices are required, all data stored on such devices must be encrypted. X C I chose layering because encryption
Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) provides additional security, especially if the USB device is lost or stolen. Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need. x C This is least privilege. It ensures that people who are not authorized do not get a hold of the data and hardware. Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider. X C I chose layering as multifactor authentication ensures that more than one form of authentication such as a password, token, smartcard, or biometric factor is used to authenticate; providing
Control Recommendations Least Privilege Layering (Defense in Depth) Fail-Safe Defaults / Fail Secure Modularity Usability Security Objective Alignment (CIA) Explain your Choices (1-2 sentences) additional security layering. After you have completed the table above, respond to the following short questions: 1. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies. There are several issues that stand out in regards to this scenario. Dr. Beard is an important man that needs to be able to do his work. It seems that he has not been able to get good resolve working with past help desk personnel. I would address the situation in this manner. First, I would look over the hospital security policy/acceptable use policy and see if there is something in writing about taking the work computer home and ensuring that it is secure. This would include securing the laptop by using a cable lock and locking it to the bottom of the seat if you were to leave your computer in the car for a period over 30 minutes. If the policy did not address this, I would recommend it be added for future incidents. This was part of the policy in my organization, as I traveled with my military computer frequently. Second, I would have to set up a meeting with Mr. Davis to address the issues with Mr. Beard; as he is the senior admin and close friend to the doctor. I would inform Mr. Davis about all that has happened (past and present) with doctor Beard and remind him about the least privilege policy. I would suggest that if the doctor has such a need to access sensitive data from outside of work; that maybe a VPN or an intranet could be set up so that he can log in from home. I would also inform him that I was going to set up a meeting with doctor Beard. In this meeting I would remind doctor Beard about the hospital security policy/acceptable use policy to include password safeguarding, illegal use of USB drive to download sensitive data, and the fact that his administrative rights would be rescinded. I would remind him of the potential impact to him, his patients, and the hospital due to the careless acts that he has committed. Finally, I would re-assure him that I was there to help him, and that we (the IT staff) were looking into creating a safe way for him to be able to access the data he needed from home through a secure network like a VPN. 2. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in- motion) and one of the control recommendations from your completed table in your response. I would suggest that all data-at-rest is encrypted to prevent outside people from reading its content without the proper key. Data-in-motion should also be encrypted by way of encrypting the hardware it is traveling on; like an external hard drive or USB Drive. If the data-in-motion is being transferred through a network connection, the connection should be encrypted by using something such as a VPN. Data-in-use is the most vulnerable to attacks. This type of data should be encrypted, users should always be authenticated to prevent unauthorized access, and all users of the data should have the correct permissions according to their profiles within the organization.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help

Related Documents

IMG_2827.png
F106A_Short_Answer_Questions.docx
Estates - 8.docx
quiz1a.docx
CYB_200_Project Two.docx
CYB_200_Project One.docx
Competitor Analysis – Part A_ Table sharvesh.docx
Preparing for an IEP Meeting .docx
Gati.docx
Information Document.pdf
homework1.docx
IDS 150 Project Draft Two.docx