16 Jan • All citations and the

COM590 Strategic Planning Cybersecurity

Module 1 Assignment

Answer all Ten (10) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer for each question should not exceed 250 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. What are three risks and threats of the user domain?

2. Why do organizations have acceptable use policies (AUPs)?

3. Can Internet use and e-mail use policies be covered in an acceptable use policy?

4. Do compliance laws, such as HIPAA or GLBA, play a role in AUP definition?

5. Why is an acceptable use policy not a fail-safe means of mitigating risks and threats within the user domain?

6. Will the AUP apply to all levels of the organization? Why or why not?

7. Why does an organization want to align its policies with the existing compliance requirements?

8. Why must an organization have an acceptable use policy (AUP) even for non-employees, such as contractors, consultants, and other third parties?

9. What security controls can be deployed to monitor users that are potentially in violation of an AUP?

10. Should an organization terminate the employment of an employee if he/she violates an AUP? Why?

COM590 Strategic Planning Cybersecurity

Module 2 Assignment

Answer all Five (5) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer for questions 1 to 4 should not exceed 250 words.

? Your answer for question 5 should not exceed 500 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. Do employees behave differently in a flat versus a hierarchical organizational structure? Explain your answer.

2. Do employee personality types differ between hierarchical and flat organizations?

3. What is difficult about policy implementation in a flat organization? What is difficult about policy implementation in a hierarchical organization?

4. How do you overcome employee apathy toward policy compliance?

5. Create a policy framework implementation plan for the fictional Specialty Medical Clinic (the plan should not be longer than two pages). The Specialty Medical Clinic is being acquired by a larger parent organization under HIPAA compliance law. The parent organization is a hierarchical structure with multiple departments and clinics. The medical clinic is a flat organization. Following is an outline of those areas of the plan you need to include:

Parent Medical Clinic

Acquires Specialty Medical Clinic

Publish Your Policies for the New Clinic

{Explain your strategy.}

Communicate Your Policies to the New Clinic Employees

{How are you going to do this?}

Involve Human Resources and Executive Management

{How do you do this smoothly?}

Incorporate Security Awareness and Training for the New Clinic

{How can you make this fun and engaging?}

Release a Monthly Organization-Wide Newsletter for All

{How can you make this newsletter succinct?}

Implement Security Reminders on System Logon Screens for All

{This is for access to sensitive systems only.}

Incorporate Ongoing Security Policy Maintenance for All

{Review and obtain feedback from employees and policy-compliance monitoring.}

Obtain Employee Questions or Feedback for Policy Board

{Review and incorporate into policy edits and changes as needed.}

COM590 Strategic Planning Cybersecurity

Module 3 Assignment

Answer all Eight (8) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer for each question should not exceed 250 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. What is the purpose of defining a framework for IT security policies?

2. Why should an organization have a remote access policy even if it already has an acceptable use policy (AUP) for employees?

3. What security controls can be implemented on your e-mail system to help prevent rogue or malicious software disguised as URL links or e-mail attachments from attacking the workstation domain? What kind of policy definition should you use?

4. Why should an organization have annual security awareness training that includes an overview of the organization’s policies?

5. Consider the following real world situation:

A retired Japanese Coast Guard boat (Takachiho) was sold to a pro-North Korean organization without having assurances that navigational data was deleted. The decommissioned patrol boat could have had as many as 6,000 locations recorded over the 250 days of use. The boat was presumably sold to be turned into scrap. Weapons and radio equipment were removed, but no procedures were in place to ensure that navigational data was securely deleted. It is unknown if navigational data were recovered from vessels disposed of through past sales (Muncaster, 2013).

a. Why was the navigational data on the Japanese Coast Guard vessel not securely deleted?

b. How could the lost navigational data compromise national security?

c. How could the Japanese Coast Guard write an effective data disposal policy?

d. Is a self-assessment of effective security policy a good predictor of actual security? Why or why not?

6. What is meant by Governance Framework? Why is ISO 27000 certification more attractive to companies than COSO or COBIT certification?

7. Locate and read NIST SP 800-53 Revision 4. What are the key benefits of this standard?

8. In your opinion, is the COBIT framework superior to the other standards and frameworks such as the ISO 27000 and NIST? Why or Why not?

References

Muncaster, P. (2013, April). Japan forgot data wipe on ship sold to Pyongyang. Retrieved September 18,

2014, from http://www.theregister.co.uk/2013/04/29/japan_coast_guard_forgets_wipe_data_norks/

COM590 Strategic Planning Cybersecurity

Module 4 Assignment

Answer all Seven (7) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer for questions 1 to 6 should not exceed 250 words.

? Your answer for question 7 should not exceed 500 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. For each of the seven domains of a typical IT infrastructure, describe a policy you would write and implement for each domain.

2. How does separation of duties throughout an IT infrastructure mitigate risk for an organization?

3. When using a layered security approach to system administration, who would have the highest access privileges?

4. Why do you only want to refer to technical standards in a policy definition document?

5. Explain why the seven domains of a typical IT infrastructure help organizations align to separation of duties.

6. Why is it important for an organization to have a policy definition for business continuity and disaster recovery?

7. Create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate a definition for the separation of duties into the Procedures section of the policy definition template that you will fill out later in this step.

The scenario you are to work with is for the mock Lone Star Credit Union/Bank:

• The organization is a regional Lone Star Credit Union/Bank that has multiple branches and locations throughout the region.

• Online banking and use of the Internet are the bank’s strengths, given its limited human resources.

• The customer service department is the organization’s most critical business function.

• The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.

• The organization wants to monitor and control use of the Internet by implementing content filtering.

• The organization wants to eliminate personal use of organization-owned IT assets and systems.

• The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.

• The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.

• The organization wants to define a policy framework, including a security management policy defining the separation of duties for information systems security.

Using the following template, create a security management policy with defined separation of duties for the Lone Star Credit Union/Bank organization (this should not be longer than two pages):

Lone Star Credit Union

Policy Name

Policy Statement

{Insert policy verbiage here.}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; include a bulleted list of the policy definitions.}

Scope

{Define whom this policy covers and its scope. Which of the seven domains of a typical

IT infrastructure are impacted? All seven must be included in the scope. What elements, IT assets, or organization-owned assets are within the scope of this policy? In this case, you are concerned about which IT assets and elements in each of the domains require information systems security management.}

Standards

{Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards. You need to reference technical hardware, software, and configuration standards for IT assets throughout the seven domains of a typical IT infrastructure.}

Procedures

{Explain how you intend to implement this policy for the entire organization. This is the most important part of the policy definition because you must explain and define your separation of duties throughout the seven domains of a typical IT infrastructure. All seven domains must be listed in this section as well as who is responsible for ensuring CIA and security policy implementation within that domain.}

Guidelines

{Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined policy guidelines. Any disputes or gaps in the definition and separation of duties and responsibilities may need to be addressed in this section.}

COM590 Strategic Planning Cybersecurity

Module 5 Assignment

Answer all Eight (8) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer for each question should not exceed 250 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. How does a security awareness training policy impact an organization’s capability to mitigate risks, threats, and vulnerabilities?

2. When trying to combat software vulnerabilities in the workstation domain, what is needed most to deal with operating system, application, and other software installations?

3. What are some strategies for preventing users or employees from downloading and installing rogue applications and software found on the Internet?

4. What other strategies can organizations implement to keep security awareness top of mind with all employees and authorized users?

5. Why is it a best practice of a remote access policy definition to require employees and users to fill in a separate VPN remote access authorization form?

6. What security controls, monitoring, and logging should be enabled for remote VPN access and users?

7. Should an organization mention that it will be monitoring and logging remote access use in its remote access policy definition?

8. Review the following characteristics of the mock Sunshine Health Care Provider:

• Regional Sunshine Health Care Provider has multiple, remote health care branches and locations throughout the region;

• Online access to patients’ medical records through the public Internet is required for remote nurses and hospices providing in-home medical services;

• Online access to patients’ medical records from remote clinics is done through SSL VPN secure Web application front-end through the public Internet;

• The organization wants to be in compliance with HIPAA and IT security best practices regarding remote access through the public Internet in the remote access domain;

• The organization wants to monitor and control the use of remote access by implementing system logging and VPN connections;

• The organization wants to implement a security awareness training policy mandating that all new hires and existing employees obtain remote access security training. Policy definition to include HIPAA and ePHI (electronic protected health information) security requirements and a mandate for annual security awareness training for all remote or mobile employees.

Using the following template, create an organization-wide remote access policy for Sunshine Health Care Provider (this should not be longer than two pages):

Sunshine Health Care Provider

Remote Access Policy for Remote Workers & Medical Clinics

Policy Statement

{Insert policy verbiage here.}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; use a bulleted list of the policy definition.}

Scope

{Define this policy’s scope and whom it covers.

Which of the seven domains of a typical IT infrastructure are impacted?

What elements, IT assets, or organization-owned assets are within the scope of this policy?}

Standards

{Does this policy point to any hardware, software, or configuration standards?

If so, list them here, and explain the relationship of this policy to these standards. In this case, remote access domain standards should be referenced, such as encryption standards, SSL VPN standards; make any necessary assumptions.}

Procedures

{Explain how you intend to implement this policy organization-wide and how you intend to deliver the annual or ongoing security awareness training for remote workers and mobile employees.}

Guidelines

{Explain any roadblocks or implementation issues that you must address in this section and how you will overcome them per defined policy guidelines.}

COM590 Strategic Planning Cybersecurity

Module 6 Assignment

Answer all Eight (8) questions.

• Submission Requirements

? All sentences must be grammatically correct, and free from spelling errors.

? Your answer should not exceed 250 words.

? Submit a Single Microsoft Word Document.

? Font: Times New Roman, Size 12, Double-Space.

? Cite all references used in APA format.

1. Why is it a good idea to include human resources on the incident response management team?

2. How do an incident response plan and incident response team help reduce risks to the organization?

3. Why is a post-mortem review of an incident the most important step in the incident response methodology?

4. Why is a policy definition required for a computer security incident response team?

5. Why is it critical to align the RTO and RPO standards within the policy definition itself?

6. How do risk management and risk assessment relate to a business impact analysis for an IT infrastructure?

7. Why should organizations update their BCP, BIA, RTOs, and RPOs?

8. Create an organization-wide policy defining and authorizing a security or computer incident response team to have full access to and authority over all IT systems, applications, data, and physical IT assets when a security or other incident occurs. Create this for the Sunshine Credit Union, which has the following characteristics:

• The organization is a regional XYZ Credit Union that has multiple branches and locations throughout the region;

• Online banking and use of the Internet are the bank’s strengths, given its limited human resources;

• The customer service department is the organization’s most critical business function;

• The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees;

• The organization wants to monitor and control use of the Internet by implementing content filtering;

• The organization wants to eliminate personal use of organization-owned IT assets and systems;

• The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls;

• The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training;

• The organization wants to create a security or computer incident response team to deal with security breaches and other incidents if attacked providing full authority for the team to perform whatever activities are needed to maintain chain of custody in performing forensics and evidence collection;

• The organization wants to implement this policy throughout the organization to provide full authority during crisis to the CIRT team members over all physical facilities, IT assets, IT systems, applications, and data owned by the organization.

Using the following template, in your text document, create a computer incident response policy granting team members full access and authority to perform forensics and to maintain a chain of custody for physical evidence containment. Create this policy for the Sunshine Credit Union organization (this should not be longer than two pages):

Sunshine Credit Union

Computer Incident Response Team—Access & Authorization Policy

Policy Statement

{Insert policy verbiage here.}

Purpose/Objectives

{Insert the policy’s purpose as well as its objectives; use a bulleted list of the policy definition. Define the security incident response team members and the authorization and authority granted to them during a crisis or securing incident situation.}

Scope

{Define this policy’s scope and whom it covers. Which of the seven domains of a typical IT infrastructure are impacted? What elements, IT assets, or organization-owned assets are within the scope of this policy? What access and authority are granted to the incident response team members that may be outside of standard protocol?}

Standards

{Does this policy point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.}

Procedures

{Explain how you intend to implement this policy across the organization. Also, define and incorporate the six-step incident response approach here along with how the chain of custody must be maintained throughout any evidence collection process.}

Guidelines

{Explain any roadblocks or implementation issues that you must address in this section and how you will overcome them per defined policy guidelines.}

COM590 Strategic Planning Cybersecurity

Module 7 Assignment

Choose “one” of the following topics:

• Industrial Control Systems (ICS) /SCADA systems

• Cloud Computing

• Social Networks

• Mobile Computing

For that topic, list significant cybersecurity vulnerabilities and associated threats that would have the highest impact on service or users. For each vulnerability/threat combination, discuss why the probability of an occurrence is either high-medium-or low. For each combination, describe the policies and procedures that can most effectively manage that estimated level of risk. How is customer satisfaction affected by implementing each policy and procedure? Provide supporting examples from outside articles and literature.

Prepare your paper to the following format:

1. A single Word Document 5-7 pages (font size – Times New Roman 12)

2. Single spaced with one-inch margins on all sides

3. All citations and the reference list in the paper should be formatted in accordance with APA 6th edition (or later) guidelines

4. References are NOT included in the page count

COM590 Strategic Planning Cybersecurity

Module 8 Assignment

Analyze the policies, vulnerabilities, risks, and internal controls for a French bank (Societe Generale) that was a victim of a large scale fraud and recommend improvements to the company’s IT security policies. This assignment calls for a systematic analysis of an organization’s policies, vulnerabilities, risks, and internal controls. Many scientific, engineering, information, and accounting disciplines advocate general steps to problem solving utilizing a systems approach.

At this point in your academic career, you should be proficient at applying such a general approach to solving specific problems. Select and adapt such an approach with which you are most comfortable from your prior professional and academic experiences to apply to this assignment.

Suggested steps to the general systems approach to problem solving are as follows:

1. Define the problem

2. Identify evaluation criteria/measures of effectiveness

3. Identify alternatives/solutions

4. Evaluate/analyze alternatives utilizing analytical techniques consistent with step 2 criteria/measures

5. Select and display preferred alternative(s)/solution(s) consistent with the analysis in step 4

6. Implement and monitor step 5 solution(s)

Refer to the French bank Societe Generale in the following URLs:

• http://www.spiegel.de/international/business/0,1518,530673,00.html

• http://www.msnbc.msn.com/id/22818054/ns/business-world_business/t/french-bank-blames-trader-billion-fraud/

• http://www.cbsnews.com/stories/2008/02/04/business/main3785088.shtml

Additionally, review specific readings regarding security controls, audits, inspections, risk assessment, and countermeasures. Utilizing an appropriate methodology for analysis (which may be adapted from the above 6 steps), identify a set of 8-10 recommendations toward solving the fraud issue of French bank Societe Generale.

There are three additional things to keep in mind:

Defining the problem or issue will require a data gathering stage.

1. Problem solving is not a once-through sequence of steps always performed in a specified order. It is full of iteration and feedback loops.

2. Finally, you will not be able to implement and monitor your recommendations in this assignment. Perhaps that means provisions for implementation and monitoring should be part of your evaluation criteria.

Your paper should include the following:

• Identification and discussion the policies, vulnerabilities, risks, and internal controls for the French bank;

• Evaluation of the weaknesses and impact on secure bank operations;

• Recommendation and discussion of 8-10 security controls and countermeasures for mitigating problems in and improving the bank’s security posture;

• Discussion of the methods that organizations can use to effectively achieve the adoption and implementation of the security policies, controls and countermeasures.

Prepare your paper to the following format:

• A single Word Document 5 – 7 pages (font size – Times New Roman 12)

• Single spaced with one-inch margins all around

• All citations and the reference list in the paper should be formatted in accordance with APA 6th edition (or later) guidelines

• References are NOT included in the page count