CYB_100_2-3 (docx)
School: Southern New Hampshire University
Course: 100
Subject: Information Systems
Date: Dec 6, 2023
Pages: 5
Uploaded by DrTree1894
CYB 200 Module Two Case Study Template

Control Recommendations

Columns in the original table: Least Privilege | Layering (Defense in Depth) | Fail-Safe Defaults / Fail Secure | Modularity | Usability | Security Objective Alignment (CIA) | Explain your Choices (1-2 sentences). In this text copy the X marks survive but not which principle column each one sits under, so the marks are listed per row exactly as extracted.

| Control recommendation | Principle marks | CIA | Explain your choices (1-2 sentences) |
| --- | --- | --- | --- |
| Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example) | X | C | I chose layering because it adds another layer of protection for the confidentiality of our data. |
| If possible, close and lock your office door when leaving your computer. | X | C | Adds a physical layer of security preventing access to the devices that contain sensitive information. |
| Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets. | X X | I | Defaults to no access and allows only authorized software to execute. |
| Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. | X | I | Prevents unauthorized data access by ensuring only authorized individuals are given elevated privileges and there is a log of who those individuals are. |
| Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals. | X | I | Prevents unauthorized users from using reconfigured settings to access the system. |
| Maintain an inventory of all sensitive information stored or transmitted by the organization's technology systems, including those located on site or at a remote location. | X X | A | If one section of data is stolen it can be isolated to find how it was accessed and to prevent access to the remaining data at other sites. |
| Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices. | X X | C | Adds a layer of data protection that still allows access by authorized sources. |
| If USB storage devices are required, software should be used that can configure systems to allow the use of specific devices. | X X | C | Defaults to no access for USB storage, but software allows USB to be permitted if and when appropriate. |
| Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | X X | C | Same as USB devices: defaults to no access for external storage, but software allows external storage to be permitted if and when appropriate. |
| If USB storage devices are required, all data stored on such devices must be encrypted. | X X | C | USB storage devices can be easily stolen. Encryption is an extra layer of protection, so if a device is stolen at least it can't be read. |
| Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need. | X X | I | Defaults to giving users access to the least amount of data possible for them to perform their job. |
| Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider. | X | C | Adds another step that an attacker has to get through before they can access the system. |
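The three removable-media rows in the table (allow only specific USB devices, no writes to removable media without a business need, encrypt anything stored on USB) all rest on the same fail-safe default: a device is denied until something explicitly allows it. The Python below is an added example written for this page, not part of the case study or of any vendor's device-control product. It models the decision a device-control agent would make when a USB device is attached; the allowlist, vendor/product IDs, serials and plug-in events are all constructed.

```python
"""Default-deny removable-storage policy evaluator.

Added example for this page; constructed data, not a real product's policy format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UsbEvent:
    """What a device-control agent sees when a USB device is attached."""
    vendor_id: str            # USB VID, four hex digits
    product_id: str           # USB PID, four hex digits
    serial: str               # unit serial number reported by the device
    is_storage: bool          # mass-storage class device?
    encrypted: bool = False   # media already under whole-disk encryption (e.g. BitLocker To Go)?


@dataclass(frozen=True)
class AllowEntry:
    """One approved device. serial=None approves every unit of that model (weaker)."""
    vendor_id: str
    product_id: str
    serial: Optional[str]
    allow_write: bool = False  # read-only unless explicitly approved for writes


# Constructed allowlist: one specific drive may be written to, a second specific drive
# is read-only, and one whole model is permitted read-only. IDs and serials are made up.
ALLOWLIST: List[AllowEntry] = [
    AllowEntry("0951", "1666", "E0D55EA5C1FB", allow_write=True),
    AllowEntry("0951", "1666", "E0D55EA5C2AA"),
    AllowEntry("0781", "5583", None),
]


def _matches(entry: AllowEntry, ev: UsbEvent) -> bool:
    same_model = (entry.vendor_id.lower(), entry.product_id.lower()) == (
        ev.vendor_id.lower(), ev.product_id.lower())
    return same_model and (entry.serial is None or entry.serial == ev.serial)


def evaluate(ev: UsbEvent, allowlist: List[AllowEntry],
             storage_allowed: bool = True) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'deny', 'read-only' or 'read-write'.

    Storage devices start at 'deny' and are only raised by an explicit allowlist match,
    so an empty allowlist, an unknown device or a disabled feature all fail closed.
    """
    if not ev.is_storage:
        return "read-write", "not a storage device; outside this policy"
    if not storage_allowed:
        return "deny", "removable storage disabled: no business need"
    # A serial-specific entry takes precedence over a model-wide one.
    exact = [e for e in allowlist if e.serial is not None and _matches(e, ev)]
    model = [e for e in allowlist if e.serial is None and _matches(e, ev)]
    entry = (exact or model or [None])[0]
    if entry is None:
        return "deny", "device not on allowlist"
    if not entry.allow_write:
        return "read-only", "device approved for read only"
    if not ev.encrypted:
        return "read-only", "writes require encrypted media"
    return "read-write", "approved device with encrypted media"


if __name__ == "__main__":
    events = [  # constructed plug-in events
        UsbEvent("0951", "1666", "E0D55EA5C1FB", True, encrypted=True),
        UsbEvent("0951", "1666", "E0D55EA5C1FB", True, encrypted=False),
        UsbEvent("0951", "1666", "E0D55EA5C2AA", True, encrypted=True),
        UsbEvent("0951", "1666", "DEADBEEF0000", True, encrypted=True),
        UsbEvent("0781", "5583", "NOSERIAL", True),
        UsbEvent("046d", "c52b", "", False),
    ]
    for ev in events:
        print(ev.vendor_id, ev.product_id, ev.serial or "-", *evaluate(ev, ALLOWLIST))
    print("with storage disabled:", evaluate(events[0], ALLOWLIST, storage_allowed=False))
```

Three points the code makes that the table rows only state: a serial-specific entry wins over a model-wide one, so approving one model does not let any drive of the same make impersonate it; write access additionally requires the media to already be encrypted, which enforces the encryption row without relying on users to remember it; and setting `storage_allowed=False` is the "no business need" case, in which nothing on the allowlist matters. On Windows that blanket case corresponds to disabling the USBSTOR driver (HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, Start = 4) or the Removable Disks "Deny write access" policy; a per-serial allowlist needs a device-control product.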
After you have completed the table above, respond to the following short questions:
1. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization's ethical norms?
Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.

I would remind Dr. Beard that as a doctor he needs to be mindful of HIPAA. I would go over the situation with him with the missing USB drive and remind him that it is unacceptable to place patient information on removable storage and have it outside of the workplace. As a doctor, his license could be on the line for HIPAA breaches. HIPAA law allows for patients to sue individuals as well as the hospital for their information getting out, and many doctors have lost their licenses this way. I would ask why he felt he needed the information on the USB drive and see if there is maybe another way he could have done his job without it. Then I would speak with the system administrator to have his administrative rights returned to the appropriate settings.
2. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.

The first thing I would do is incorporate software that prevents the use of USB and other external storage devices. There is no reason why information should be transferred to an external storage device, because all work should be done from the hospital and not from home or on non-work devices. Then I would use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. This would prevent a systems administrator from giving administrative access to people who should not have it, but still allow it to be granted to those who do need it. Lastly, I would ensure that all hospital staff are educated again on the security policies of the hospital and the importance of protecting sensitive HIPAA patient data.
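Both the "inventory all administrative accounts" row in the table and the second answer above rely on the same mechanism: collect who actually holds elevated membership, compare it with who is approved, log every difference, and remove what should not be there. The Python below is an added example written for this page, not part of the case study or of any directory tool. The group names, account names (including "dbeard" standing in for the Dr. Beard of the case) and the approved baseline are all constructed; the only real identifiers are the PowerShell cmdlets in the drafted remediation commands.

```python
"""Inventory elevated-group membership against an approved baseline.

Added example for this page; all membership data below is constructed.
"""
from typing import Dict, Iterable, List

# Constructed sample of what an automated collector might return: the members of each
# privileged group, as reported by the directory or by each host. "HOST\\Group" denotes a
# local group on that host. Nested groups appear as members like any account.
CURRENT_MEMBERSHIP: Dict[str, List[str]] = {
    "Domain Admins": ["svc-backup", "JSmith", "dbeard"],
    "WS-ONC-07\\Administrators": ["Domain Admins", "dbeard", "helpdesk-tier2"],
    "EHR-DB-01\\Administrators": ["Domain Admins", "svc-ehr-maint"],
    "WS-ONC-07\\Remote Desktop Users": ["rnurse04"],
}

# Constructed approved baseline: who is supposed to hold each elevated role. A group with
# no baseline entry is treated as entirely unauthorized (default deny).
APPROVED: Dict[str, Iterable[str]] = {
    "Domain Admins": ["svc-backup", "jsmith"],
    "WS-ONC-07\\Administrators": ["Domain Admins", "helpdesk-tier2"],
    "EHR-DB-01\\Administrators": ["Domain Admins", "svc-ehr-maint", "dba-oncall"],
}


def _norm(name: str) -> str:
    # Windows account names are case-insensitive; compare in a canonical form so that
    # "JSmith" and "jsmith" are not reported as two different people.
    return name.strip().casefold()


def find_deviations(current: Dict[str, Iterable[str]],
                    approved: Dict[str, Iterable[str]]) -> Dict[str, dict]:
    """Compare observed membership with the baseline.

    Returns {group: {"unauthorized": [...], "missing": [...], "in_baseline": bool}} for every
    group that deviates. 'unauthorized' = present but not approved (remove it);
    'missing' = approved but absent (confirm the baseline is still right).
    """
    findings: Dict[str, dict] = {}
    for group in sorted(set(current) | set(approved)):
        have = {_norm(m): m for m in current.get(group, [])}
        want_raw = approved.get(group)
        want = None if want_raw is None else {_norm(m): m for m in want_raw}
        if want is None:
            unauthorized = sorted(have.values())
            missing: List[str] = []
        else:
            unauthorized = sorted(have[k] for k in have.keys() - want.keys())
            missing = sorted(want[k] for k in want.keys() - have.keys())
        if unauthorized or missing or want is None:
            findings[group] = {"unauthorized": unauthorized, "missing": missing,
                               "in_baseline": want is not None}
    return findings


def audit_log_lines(findings: Dict[str, dict], collected_at: str) -> List[str]:
    """One key=value line per finding: the log of who holds elevated rights and why it matters."""
    lines = []
    for group, f in findings.items():
        if not f["in_baseline"]:
            lines.append(f'ts={collected_at} group="{group}" finding=group_not_in_baseline')
        for acct in f["unauthorized"]:
            lines.append(f'ts={collected_at} group="{group}" account="{acct}" finding=unauthorized_member')
        for acct in f["missing"]:
            lines.append(f'ts={collected_at} group="{group}" account="{acct}" finding=approved_member_absent')
    return lines


def remediation_commands(findings: Dict[str, dict]) -> List[str]:
    """Draft PowerShell to remove unauthorized members, for an administrator to review before running."""
    cmds = []
    for group, f in findings.items():
        for acct in f["unauthorized"]:
            if "\\" in group:  # local group on a specific host
                host, local_group = group.split("\\", 1)
                cmds.append(f"Invoke-Command -ComputerName {host} -ScriptBlock "
                            f"{{ Remove-LocalGroupMember -Group '{local_group}' -Member '{acct}' }}")
            else:              # domain group
                cmds.append(f"Remove-ADGroupMember -Identity '{group}' -Members '{acct}' -Confirm:$false")
    return cmds


if __name__ == "__main__":
    found = find_deviations(CURRENT_MEMBERSHIP, APPROVED)
    for line in audit_log_lines(found, "2023-12-06T09:00:00Z"):
        print(line)
    print("--- proposed remediation (review first) ---")
    for cmd in remediation_commands(found):
        print(cmd)
```

Run against the constructed data, the script flags "dbeard" in both the domain and the local Administrators group, flags a group nobody approved at all, and separately reports an approved account that is absent so the baseline itself gets reviewed rather than silently trusted. The log lines are the record the control asks for, and the drafted commands are what "have his administrative rights returned to the appropriate settings" looks like in practice; scheduling the collection and comparison is what makes the inventory automated rather than a one-off.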