CYB 200 Module Two Case Study (Colby)

School: Southern New Hampshire University
Course: CYB 200
Subject: Information Systems
Date: Oct 30, 2023
2-3 Activity: Data Protection Case Study
Kerry Colby
CYB-200
Daniel Wand
09/09/2023

CYB 200 Module Two Case Study Template
After reviewing the scenario in the Module Two Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps for each control recommendation:

1. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X.
2. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation.
3. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision.

| Control Recommendations | Least Privilege | Layering (Defense in Depth) | Fail-Safe Defaults / Fail Secure | Modularity | Usability | Security Objective Alignment (CIA) | Explain your Choices (1-2 sentences) |
|---|---|---|---|---|---|---|---|
| Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example) | | X | | | | C | I chose layering because it adds another layer of protection for the confidentiality of our data. |
| If possible, close and lock your office door when leaving your computer. | | X | | | | C | I chose layering because adding a locked door adds an extra layer to keep the items inside confidential. |
| Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets. | | | X | | | C + I | I chose fail-safe/fail-secure because it blocks unauthorized software from executing. Fail-secure protects data in the event of a breach or alteration, so I also went with C + I. |
| Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. | X | | | | | A | I chose least privilege because people with more authorization can access info that others may not. This also aligns with availability because only certain info is available for certain individuals. |
| Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals. | | | | X | | I | I chose modularity because each task is broken into its regular intervals. I also selected integrity as it is maintained in a correct and updated state. |
| Maintain an inventory of all sensitive information stored or transmitted by the organization's technology systems, including those located on site or at a remote location. | | | | | X | A | I chose usability because while it's protected, it is still operational to use. I also chose availability because that data is accessible by authorized users. |
| Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices. | | X | | | | C | I chose layering because it adds another layer of security in the event of misplacing the mobile device. I chose confidentiality because it keeps the info on the phone confidential in any case. |
| If USB storage devices are required, software should be used that can configure systems to allow the use of specific devices. | | | | | X | C | I chose usability because if the USB drive is required for access, it shouldn't be difficult for the user to get access. I chose confidentiality because if they are required, they should help secure the information from unauthorized users. |
| Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | | | X | | | C | I chose fail-safe/fail-secure because in the event someone wanted to leave with sensitive info, this would protect against unauthorized use of info. I chose confidentiality as this protects the data from being stolen and stored on unauthorized devices. |
| If USB storage devices are required, all data stored on such devices must be encrypted. | | X | | | | C | I chose layering because encrypting a USB storage device protects the data on it in the event it gets into the wrong hands. I chose confidentiality because the data stored on the USB drive can only be accessed by authorized individuals. |
| Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need. | X | | | | | C + I | I chose least privilege because the access control list blocks unauthorized individuals from gaining access and giving access to unauthorized users. I chose C + I because utilizing such a list can protect from unauthorized users gaining access to info they can alter but that has nothing to do with their business needs. |
| Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider. | | X | | | | C | I chose layering because MFA adds an additional layer of security in any sector that requires access. I chose confidentiality because this forces only the individuals that are allowed access to gain access, so no threat actors gain access to sensitive information. |

After you have completed the table above, respond to the following short questions:
1. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization's ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.

Dr. Beard needs some security awareness training/coaching. The system administrator also may need some work in this area as well to spot potential threats prior to them affecting business operations. There are many risks/threats that may arise and cause harm to both partners of the hospital, as well as the patients, with the lack of awareness and security in place. Some training can shed some light on the situation and help with any potential future attacks or mistreatment of information.

4. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.

There are several helpful topics that can better secure the patient files, and they include:

- Laptops and mobile devices associated with the business need to be encrypted to safeguard any info stored or seen through them. Don't store them in your car; make sure they are always in a safe place like your home or office.
- A backup shouldn't be created on a personal USB drive and should not be backed up to the system (data at rest).
- All USB storage devices must be fully encrypted (data at rest).
- Sensitive information such as usernames and/or passwords should never be written down. Instead, use a password management system if account information is hard to memorize.
- If accessing company data remotely, your connection should be through an approved company VPN (data in motion).
- Elevated access should only be approved and/or granted to those in need of it for business purposes. If it doesn't pertain to their business needs, they should not be granted such privilege. The principle of least privilege is a principle for a reason.
- There is a big conflict of interest between Dr. Beard and the Sr. System Administrator. When Dr. Beard has a request for something related to the system, another system administrator should step in and make that decision. Maybe higher-ups should be involved so as to mitigate any risks.
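As an added example that is not part of the case study document, the following Python models the access control list row of the table and the least-privilege point in the answer to question 4: a deny-by-default (fail-safe) ACL check placed beside the fail-open variant it is meant to replace, plus a per-user privilege listing of the kind a least-privilege review works from. The roles, account names, resources and rules are constructed sample data, and the function names are this example's own.

```python
"""Deny-by-default ACL check: fail-safe defaults plus least privilege.

Added example; not part of the case study document. All roles, users,
resources and rules below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role membership (hypothetical hospital accounts).
ROLE_MEMBERS = {
    "physician": {"dr_beard"},
    "billing": {"pat_billing"},
    "sysadmin": {"sr_admin"},
}


@dataclass(frozen=True)
class Rule:
    """One explicit allow: a role may perform the listed actions on a resource.
    A resource pattern ending in "/" covers everything under that prefix."""
    role: str
    resource: str
    actions: frozenset


# Constructed ACL. There are no deny rules: anything not listed is denied.
ACL = (
    Rule("physician", "patient_files/", frozenset({"read", "write"})),
    Rule("billing", "billing/", frozenset({"read"})),
    Rule("sysadmin", "system_config/", frozenset({"read", "write"})),
)


def roles_of(user):
    """Roles a user belongs to; an unknown user has none."""
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


def resource_matches(pattern, resource):
    if pattern.endswith("/"):
        return resource.startswith(pattern)
    return pattern == resource


def is_allowed(user, action, resource):
    """Fail-safe check: True only when an explicit rule grants the action.

    Unknown users, unlisted resources, unknown actions and malformed input all
    end in False; an exception during evaluation also denies rather than grants.
    """
    try:
        user_roles = roles_of(user)
        for rule in ACL:
            if (rule.role in user_roles
                    and resource_matches(rule.resource, resource)
                    and action in rule.actions):
                return True
        return False
    except Exception:
        return False


def fail_open_is_allowed(user, action, resource):
    """The defect to avoid: a fail-open check that treats any resource nobody
    wrote a rule for as unprotected. Shown only for contrast."""
    user_roles = roles_of(user)
    covering = [r for r in ACL if resource_matches(r.resource, resource)]
    if not covering:
        return True  # no rule, so "nothing to enforce": this is the hole
    return any(r.role in user_roles and action in r.actions for r in covering)


def privileges_of(user):
    """Everything the ACL grants a user, as (resource pattern, action) pairs.
    Reviewing this list per user is how least privilege is checked in practice."""
    user_roles = roles_of(user)
    return {(r.resource, a) for r in ACL if r.role in user_roles for a in r.actions}


if __name__ == "__main__":
    checks = [
        ("dr_beard", "read", "patient_files/12345"),
        ("dr_beard", "write", "system_config/firewall"),
        ("nobody", "read", "research_share/notes"),
        ("dr_beard", "read", None),
    ]
    for user, action, resource in checks:
        safe = is_allowed(user, action, resource)
        try:
            loose = fail_open_is_allowed(user, action, resource)
        except Exception as exc:  # the fail-open variant crashes on bad input
            loose = f"error ({type(exc).__name__})"
        print(f"{user} {action} {resource}: fail-safe={safe} fail-open={loose}")
    print("dr_beard privileges:", sorted(privileges_of("dr_beard")))
```

The point of the contrast is the unlisted resource: the fail-open check lets an unknown account read `research_share/notes` simply because no one wrote a rule for it, while the fail-safe check denies it, and the fail-safe check also turns an evaluation error into a denial instead of a crash. The `privileges_of` listing is the artifact to review when deciding whether an account such as the physician's should hold write access outside its business need.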
