Posted 04 May 2017

Controlling Risk

Section 4 Professor's Notes: You did a fair job on the Unit Four IP assignment. You described a methodology that can be used to conduct a risk assessment for an organization. You did not describe the 4 methods for dealing with identified risk. This was discussed in the CHAT session (Accept, Transfer, Mitigate, Avoid). You explained what Vulnerabilities, Threats & Exploits are. You also included a discussion about how they apply to a risk assessment. You made some good use of APA. You have a lot of references from Wikipedia, which is not an approved scholarly source. All references should be in APA format as well. Please remove these and replace them with scholarly references. You have met all of the other requirements for this assignment.


Section 5: Controlling Risk

  • Given the following categories or areas where risk exists, and the 3 assets for each, describe how you will test for associated risk:
    • Administrative
      • Human resources: Hiring and termination practices
      • Organizational structure: A formal security program
      • Security policies: Accurate, updated, and known or used
    • Technical
      • Access control: Least privilege
      • System architecture: Separated network segments
      • System configurations: Default configurations
    • Physical
      • Heating and air conditioning: Proper cooling and humidity
      • Fire: Fire suppression
      • Flood: Data center location
  • Once you have described the tests that will be conducted for each, assume that failures or holes were found in each of them.
  • Next, describe at least 3 safeguards for each that could be put in place to address the risk.
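A concrete way to run the three Technical tests above (least privilege, separated network segments, default configurations) is to audit an inventory against an explicit baseline and treat any finding as the "hole" the next step asks about. The Python below is an added example, not part of the assignment or of the student's paper; the role baseline, the segment policy, the device fields and the list of vendor-default values are constructed for illustration.

```python
"""Audit checks for the three Technical assets in the Section 5 list:
least privilege, separated network segments, and default configurations."""

# --- Constructed inventory (illustrative; field names and values are assumptions) ---

# Permissions each role is entitled to; anything beyond this violates least privilege.
ROLE_BASELINE = {
    "end_user": {"read_share", "email"},
    "sysadmin": {"read_share", "email", "local_admin", "install_software"},
}

ACCOUNTS = [
    {"user": "jdoe", "role": "end_user", "perms": {"read_share", "email"}},
    {"user": "asmith", "role": "end_user", "perms": {"read_share", "email", "local_admin"}},
    {"user": "ops_admin", "role": "sysadmin",
     "perms": {"read_share", "email", "local_admin", "install_software"}},
]

# (source segment, destination segment) pairs the segmentation design permits.
SEGMENT_POLICY = {("corp", "dmz"), ("dmz", "internet"), ("corp", "internet")}

# Flows actually seen between segments, e.g. summarised from firewall logs.
OBSERVED_FLOWS = [("corp", "dmz"), ("guest", "corp"), ("corp", "internet"), ("dmz", "corp")]

# Vendor defaults that must not survive deployment, per setting.
DEFAULT_SETTINGS = {
    "snmp_community": {"public", "private"},
    "admin_password": {"admin", "password", "changeme"},
    "telnet_enabled": {True},
}

DEVICES = [
    {"host": "sw-core-01", "snmp_community": "public",
     "admin_password": "S3cure!Pw", "telnet_enabled": False},
    {"host": "sw-edge-07", "snmp_community": "Opt-ro-2017",
     "admin_password": "admin", "telnet_enabled": True},
]


def least_privilege_findings(accounts, baseline):
    """(user, excess permissions) for every account holding rights beyond its role."""
    findings = []
    for acct in accounts:
        excess = acct["perms"] - baseline[acct["role"]]
        if excess:
            findings.append((acct["user"], sorted(excess)))
    return findings


def segmentation_findings(flows, policy):
    """Distinct observed flows that the segmentation policy does not allow."""
    return sorted({flow for flow in flows if flow not in policy})


def default_config_findings(devices, defaults):
    """(host, setting) for every device setting still at a vendor default."""
    findings = []
    for dev in devices:
        for setting, bad_values in defaults.items():
            if dev.get(setting) in bad_values:
                findings.append((dev["host"], setting))
    return findings


def run_audit():
    """One result per Technical asset; an empty list means the test passed."""
    return {
        "least_privilege": least_privilege_findings(ACCOUNTS, ROLE_BASELINE),
        "segmentation": segmentation_findings(OBSERVED_FLOWS, SEGMENT_POLICY),
        "default_config": default_config_findings(DEVICES, DEFAULT_SETTINGS),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"{area}: {'PASS' if not findings else findings}")
```

Each check is only as good as its baseline: the role-to-permission map, the allowed segment pairs and the default-value list are the control, and the script merely measures drift from them. Keeping those baselines under version control is what makes the test repeatable from one assessment to the next.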


Running Head: Individual Project 4

Individual Project 4
Jarod Jones
Colorado Technical University

Contents
Section 1: Information Security Management (Week 1)
Section 2: Security Program (Week 2)
Section 3: Security Policies (Week 3)
Section 4: Assessing Risk (Week 4)
Section 5: Controlling Risk (Week 5) TBD
References

Section 1: Information Security Management (Week 1)
Optiotronics Inc. of Seeton, California, started business in 1998. Optiotronics, a private firm, offers a revolutionary product leveraging state-of-the-art micro transmitters and video pixelation technology. Optiotronics' product provides a video display similar to a computer monitor embedded into a transparent contact lens. Optiotronics is a pioneer in the field of wearable computing, with practical applications that provide heads-up, dashboard displays to several career fields, including the military.
Optiotronics faces a significant problem in managing the growth and security of its company. The company has spent an extraordinary amount of capital in research & development; it has amassed volumes of intellectual property (copyrights, patents, and trademarks) that directly contribute to its competitive position. However, to accommodate growth, technology has been acquired and deployed without a great deal of centralized planning. Securing the electronic information system has become of paramount importance to the company's investors.
Responding to this threat, Dr. Melissa Broussard, CEO, has funded the executive position of Chief Security and Compliance Officer (CSCO), and has established the formation of an autonomous department independent of the internal IT structure. It is the mission of the CSCO to implement, manage, and audit an information systems security program. The mission also includes alleviating risks to the information system. Billions of dollars in potential revenues and the reputation of a world-class wearable computing manufacturer are on the line.
Congratulations! You have been hired as the CSCO.
Principles of Security Management
Security management is the means by which Optiotronics identifies its assets, which means the company would create its own standard operating procedures to govern the security of its classified information. The risks would be categorized through completion of the company's risk assessment and risk analysis, which would inform company employees by identifying the threats, categorizing the assets, and stating the percentage of the vulnerabilities the company could possibly face.
Identification and Authentication
Identification and authentication is a two-step process: first the user or program asserts the identity of a user or program, and second, in the authentication portion of the process, the user or program confirms something that only the identified person or program would know.
Documentation
Documentation in the security management field is very important; without keeping up with documentation it could be very difficult for the organization to maintain accountability for sensitive information that is critical to keep. Keeping documentation allows the organization to understand the policies it needs to follow so that it can meet or maintain its guidelines.
Passwords
Passwords are a very important part of security because a common-word password can be easily stolen or guessed by a hacker, which would leave the network vulnerable. Another great feature commonly used in today's online login systems is limiting login attempts, which locks you out of the system after so many tries if you are unable to remember your password.
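The attempt-limiting described above, as an added example that is not code from the paper: a per-account throttle that locks the account after a number of failures inside a sliding time window and refuses even a correct password while the lock is in force, so a guesser learns nothing from being locked out. The thresholds and the injectable clock are assumptions chosen for illustration, not values from the policy text.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account login throttle.

    An account is locked once `max_attempts` failures land inside a sliding
    `window` (seconds); the lock lasts `lockout` seconds. While locked, even a
    correct password is refused. Thresholds are illustrative assumptions.
    """

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock                  # injectable so tests are deterministic
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def _prune(self, account, now):
        """Forget failures that have aged out of the sliding window."""
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account, now=None):
        now = self.clock() if now is None else now
        return self.locked_until.get(account, 0.0) > now

    def attempt(self, account, password_ok):
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.is_locked(account, now):
            return "locked"                     # password is not even evaluated
        if password_ok:
            self.failures.pop(account, None)    # a success clears the failure history
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_attempts:
            self.locked_until[account] = now + self.lockout
            self.failures.pop(account, None)
            return "locked"
        return "denied"
```

The caveat a practitioner adds to this control: a hard lockout is also a denial-of-service lever, since anyone who knows a username can lock its owner out. Counting failures per account (as here) rather than per source address is what defeats a distributed guesser, but a progressive delay or a CAPTCHA step before the hard lock is the usual way to blunt the lockout-as-DoS problem.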
People
This is the most common internal security threat in the workplace because of poor employee awareness of the harm they can do to the network by plugging in their personal devices "for a quick charge", as they would say, not knowing that their devices could carry a virus that could be very threatening to the company network. Everyone who operates on the network will have to go through a background check to verify that they haven't committed any crimes that might make them untrustworthy. For each assigned position within the company there will be a primary and an alternate person to cover for times when the other person isn't at work.
Process
Procedures for handling security issues mean that end users report issues to their local IT representative, who escalates them to the right personnel to resolve the issue. There will be standard operating procedures in place that govern the use of the equipment and the operating procedures for the office staff.
Technology
Technology plays an important role in the organization's security management responsibility because it makes it simple to keep up with the large amount of documentation that is very important to the organization. The constant growth in technology can affect security because of the constant updates that are pushed to keep up with the demands of technology and keep hackers out of the network. The company will do weekly scans of the network to ensure that unauthorized software isn't installed on the equipment or on the computers on the network. The company will also use firewall software on the network to ensure the security of the network.
Project Management Role
Some of the main responsibilities of the project manager are the initiation, planning, design, execution, monitoring, controlling and closure of a project. Project managers use software like Microsoft Project as a tool to organize the assignments they are working on for the company. The project manager must work with the security managers so that they are able to create a project that won't be vulnerable to security threats. Project risks should be determined by completing a risk assessment that identifies the most likely people who might try to attack the project. The risk analyst should work hand in hand with the project manager to ensure that possible security concerns are addressed in the development process of the project, so that they can be addressed during that process and limit issues later on in the creation of the project. The risks found during the risk analysis determine the necessary scope of the threats to be considered and the response that will be required. The level of assurance is based on the number of security failures that would leave the network vulnerable to hackers; the way I would create a stable organization is by constantly updating the security on the network to ensure that security failures are less common.

Section 2: Security Program (Week 2)
Data Classification overview
Data classification is a process that allows Optiotronics Inc. to categorize the data it uses on its own network. Because of the classification system, data classification allows the company to find the data it needs to look for instead of looking through every piece of data it has on its servers. The company should have policies that define the material or reasoning used to classify data and who needs to access that data based on their role within the company. There should be a best-practices procedure created by the company that shows users the information on data classification in easy-to-understand, simple terms.
Data Classification Scheme
Category 3
This category will include highly sensitive information, like which government officials are using the wearable lens. It will also include information on all government officials and company employees, like social security numbers, bank statements, and home addresses.
Category 2
This category will include information on the different types of contracts for software and hardware. It will also include information pertaining to the operational reviews of the wearable lens that government officials have used in the past.
Category 1
This category will contain basic contact information for employees and the different types of office supplies used in the office, like paper types, pens, etc.
Requirement for management support
The reason management support is needed within the company's cyber security division is that the executive staff needs to keep the cyber security division up to date with the latest patches or system upgrades. One of the reasons management needs to support cyber security is that there have been plenty of cases where management didn't want to spend $10,000 on the latest upgrade for their cybersecurity equipment, but once they were attacked and had to pay clients whose information was stolen over $1,000,000, the $10,000 upgrade would have been the best route to take.
Organization Structure
The organization structure for Optiotronics will be as described below. The reporting methods that will be used for the company are as follows: the security guards and facilities management report to the site security managers. The security managers report to the information asset owners, and they report to the local security committees. Risk & contingency management, security operations, security administration, and policy & compliance report to the information security manager. The local security committees and the information security manager report to the chief security and compliance officer. The chief security and compliance officer reports to the chief executive officer.
Informing management strategies
The best way to inform management is by having a well-planned communication plan that you and your team members use to communicate with executive committee members or senior leadership. The communication plan should include the background of the program, your analysis of the program, potential risks of the program, and the budget for the program.

Section 3: Security Policies (Week 3)
General
The network security policy will be written in a way that is basically a contractual agreement between the end users and the managers who operate on the company's network. The process we will use to ensure that this policy best fits the company's needs is a series of checks and balances by information technology personnel and management. One very important step in the implementation of the policy is to ensure that the executive leadership approves the policy, so that it can be enforced without any limitations.
User Accounts
System administrators will request user network accounts using the account request forms created by the company IT department. The form must be completely filled out by the user, supervisor, and security manager. The user will be provided a copy of the completed, signed form and the acceptable use policy. If the user leaves the company, the system administrators will be responsible for the deletion of the user's account. User accounts that have not been logged on to within 45 days will be disabled, and deleted after 60 days unless prior notice was submitted.
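The 45-day disable / 60-day delete rule above, applied to an account listing so that the system administrators get one work list per action. This Python is an added example and not code from the paper; the account field names, the sample users and the review date are constructed for illustration.

```python
from datetime import date, timedelta

# Thresholds from the User Accounts policy above.
DISABLE_AFTER = timedelta(days=45)
DELETE_AFTER = timedelta(days=60)


def account_action(last_login, today, prior_notice=False):
    """Lifecycle action the policy requires for one account.

    'delete'  - no logon for 60 days or more
    'disable' - no logon for 45 days or more (but fewer than 60)
    'none'    - still active, or prior notice of the absence was submitted
    """
    if prior_notice:
        return "none"
    idle = today - last_login
    if idle >= DELETE_AFTER:
        return "delete"
    if idle >= DISABLE_AFTER:
        return "disable"
    return "none"


def review_accounts(accounts, today):
    """Group accounts into work lists per action.

    `accounts` is an iterable of dicts with 'user', 'last_login' (a date) and an
    optional 'prior_notice' flag; these field names are assumptions for the example.
    """
    plan = {"disable": [], "delete": [], "none": []}
    for acct in accounts:
        action = account_action(acct["last_login"], today, acct.get("prior_notice", False))
        plan[action].append(acct["user"])
    return plan


# Constructed sample listing (not from the paper), reviewed as of 2017-05-04.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "last_login": date(2017, 4, 30)},                         # 4 days idle
    {"user": "asmith", "last_login": date(2017, 3, 10)},                       # 55 days idle
    {"user": "bkim", "last_login": date(2017, 2, 1)},                          # 92 days idle
    {"user": "cruiz", "last_login": date(2017, 1, 15), "prior_notice": True},  # notified leave
]

if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_ACCOUNTS, date(2017, 5, 4)).items():
        print(f"{action}: {users}")
```

One practical caveat on the delete step: once an account is deleted, log entries that reference it can no longer be tied back to a person, which hurts any later investigation. Disabling at 45 days and holding the disabled account for a retention period before deletion keeps the audit trail intact while still closing the unused logon.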
General security standards
End users are not authorized administrative access to the company's network infrastructure.
Network
Email
All Outlook/Exchange services will be provided by the company's IT department.

iPhone / Android usage
Cellular handheld devices provide remote email access to the network in support of official business. Due to their ease of use and tight integration with existing infrastructure, cellular devices are authorized for personnel to allow email access.
Cellular handheld devices must support Secure/Multipurpose Internet Mail Extensions (S/MIME) software to be public key infrastructure (PKI) compliant. This feature enhances the security of the cellular devices and thereby the security of the network.
Internet/Intranet usage
All end users will need to use caution when posting comments or information pertaining
to the company to social networking sites. A list of the company’s approved social networking
sites can be found on the company’s SharePoint homepage.
Privileged access
Only personnel with the title of system administrator will be granted privileged access on the company's network and/or workstations. Privileged access is granted based on need and includes the ability to administer local machines in order to install drivers or other types of required software.
Remote network access
Remote access is defined as any means used to connect to electronic data resources from outside the boundaries of the network. Currently the technology that allows this is called a virtual private network (VPN). A VPN additionally allows users to use the applications available to them in their normal office environment. Remote users will be subject to monitoring; their connection will be terminated if it causes damage to any part of the network or if their computer is found to be configured incorrectly. VPN users will have to request access through their system administrators once their systems have the latest antivirus software and security updates.
Distribution plan
The policy will be distributed physically, from the executive staff meetings through a variety of other physical distribution methods. Some examples of the methods we will use in this company are posting the new policy on the company SharePoint portal so that all employees can access it at will, and ensuring that all managers receive a copy of the new policy via email. To ensure that all employees are aware of the policy, there will be required training covering the basics of the policy, so that all employees have a general knowledge of network security.

Section 4: Assessing Risk (Week 4)
Methodology for conducting risk assessments
The different methods we will use at the company to assess risk could be, for example, what-if analysis, checklists, checklists combined with what-if analysis, and fault tree analysis. These are best-practice risk assessment methods commonly used in today's companies. The purpose of these different risk assessment methods is to simplify the process of identifying the risks that could occur within the company.
What-if analysis method
This method is used to identify threats and hazards. It is basically a series of questions that walk end users through the process they would need to follow if a risk calls for them to take action.
Checklists method
This method is a simplified version of a risk assessment that gives users a series of items to check, to ensure that what they are dealing with isn't a risk that can harm the network.
Checklists and what-if analysis method
This method is similar to the checklist method, but it also has the what-if analysis incorporated, so that once you confirm that it's a known risk that could be a threat to the network, the what-if clause comes into effect to walk through the process of eliminating that now-known risk.
Fault tree analysis method
The reason this method is described as a tree is that it is for hazards that start out as one risk that has many different effects, which could be very dangerous for the company network.
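Fault tree analysis also has a quantitative side the paragraph does not show: basic events combine through AND and OR gates, the probability of the top event follows from theirs (assuming the basic events are independent), and the minimal cut sets list which combinations of basic events are sufficient on their own to cause it. The Python below is an added example, not from the paper; the tree, the event names and the probabilities are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Basic:
    """A basic event: a leaf of the tree with its own probability of occurring."""
    name: str
    p: float


@dataclass
class Gate:
    """An intermediate or top event, true when its inputs combine per `kind`."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Basic, Gate]


def probability(node):
    """Top-down probability evaluation assuming independent basic events.

    AND gate: product of the input probabilities.
    OR gate:  1 - product of (1 - input probability).
    """
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events sufficient for the event at `node`.

    OR unions the children's cut sets; AND takes one cut set from each child
    and merges them. Supersets of another cut set are dropped as non-minimal.
    """
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    sets = set(sets)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Constructed tree (names and probabilities are illustrative, not from the paper):
# design data is accessed without authorisation if credentials are phished AND no
# MFA is in place, OR an unpatched VPN appliance is exploited.
TREE = Gate("unauthorised_access_to_design_data", "OR", [
    Gate("credential_path", "AND", [
        Basic("creds_phished", 0.20),
        Basic("no_mfa", 0.50),
    ]),
    Basic("vpn_unpatched_exploited", 0.05),
])

if __name__ == "__main__":
    print(f"P(top) = {probability(TREE):.3f}")
    for cut in minimal_cut_sets(TREE):
        print("cut set:", sorted(cut))
```

The cut sets are what make the tree useful for controlling risk rather than just describing it: a safeguard that drives one basic event in a cut set to zero (rolling out MFA sets `no_mfa` to 0) removes that whole path, and re-running `probability` shows how much of the top-event risk the safeguard actually buys.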
Common terms for risks
Vulnerability
A vulnerability is defined as a weakness of an asset or group of assets that can be exploited by one or more threats.
Threat
A threat is explained as a potential cause of an incident that may result in harm to systems and the organization. Threats can take the form of spying or illegal processing of data that will be used for the wrong reasons.
Exploits
An exploit is a sequence of commands that takes advantage of a known bug or vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or other forms of electronic equipment.
Risk assessment discussion
The above definitions apply to the risk assessment in many different ways; for example, a threat to the network creates an attack which exploits the vulnerabilities of a network to gain whatever information the hacker is trying to access. The risk assessment takes place in a series of steps which require you to find out what hazards or vulnerabilities you might have on your network. This risk assessment process allows you to control the risks you have and make records of your findings so that it doesn't happen twice.

Section 5: Controlling Risk (Week 5) TBD

References
Security risk management. Retrieved 01/08/2017 from https://en.wikipedia.org/wiki/Security_management#Security_risk_management
The role of the project manager. Retrieved 01/09/2017 from https://www.projectsmart.co.uk/the-role-of-the-project-manager.php
Rouse, M. Data classification. Retrieved 01/15/2017 from http://searchdatamanagement.techtarget.com/definition/data-classification
Chief security officer. Wikipedia. Retrieved 01/16/2017 from https://en.wikipedia.org/wiki/Chief_security_officer
Keeping project stakeholders in the loop. Retrieved 01/17/2017 from http://www.brighthubpm.com/monitoring-projects/52884-keeping-project-stakeholders-in-the-loop/
Customer service and distribution plan. Retrieved 01/22/2017 from http://www.smallbusiness-marketing-plans.com/distribution-plan.html
Network security policy. Wikipedia. Retrieved 01/22/2017 from https://en.wikipedia.org/wiki/Network_security_policy
Paquet, C. (2013, February 5). Network security concepts and policies. Retrieved from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3
Risk assessment. Retrieved 01/29/2017 from https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html
How to perform a risk assessment. Retrieved 01/29/2017 from http://www.praxiom.com/risk-assessment.htm
Vulnerability. Wikipedia. Retrieved 01/29/2017 from https://en.wikipedia.org/wiki/Vulnerability_(computing)#Definitions
Threats. Wikipedia. Retrieved 01/30/2017 from https://en.wikipedia.org/wiki/Threat_(computer)#Threats_classification
Exploit. Wikipedia. Retrieved 01/30/2017 from https://en.wikipedia.org/wiki/Exploit_(computer_security)
Introduction to risk analysis. Retrieved 01/30/2017 from http://www.security-riskanalysis.com/introduction.htm
