Issc331 Assignment 1

Asked: Jul 2nd, 2018

Question description

Assignment Instructions

Instructions: Do Exercise 1 or Exercise 2 below, but not both.

Exercise 1: Executive Summary on Risk Analysis

Learning Objectives and Outcomes

Describe common concepts in information security, privacy and the law. You will learn how to present and justify risk analysis for assets in an organizational setting and will relate those findings to the basic security principles of confidentiality, integrity, and availability.

Assignment Requirements

Refer to the case scenario that was provided to you in Lab 1. By now, you will have created the comprehensive asset list in order of importance of each asset. For this assignment, you need to create an executive summary that explains your list. This executive summary will be presented to the school’s board of directors.

Much of the information you have analyzed will be technical in nature. First, without creating a full executive summary of the operation, summarize your findings in a simple bullet-point list. Then, assign a quantitative value to each asset by examining its numerical, measurable characteristics such as original cost, cost of replacement, loss of teaching skills or created information, school image and reputation.

This will allow you to organize your priorities, and be able to use that information to prepare a full executive summary for presentation to the school's board of directors.


Exercise 2: Executive Summary on Veterans Affairs (VA) and Loss of Private Information

Learning Objectives and Outcomes

Review the case on loss of personal information and be able to make conclusions based on your findings on the VA case and loss of private information.

Assignment Requirements

Refer to the case scenario provided in this lesson’s Lab. By now, you have analyzed the case study and have suggested possible mitigating remedies to prevent loss of private information. Write an executive summary that supports your list of suggested remedies.

Much of the information you have analyzed will be technical in nature. First, without creating a full executive summary of the operation, summarize your findings in a simple bullet-point list. This will help to prioritize the remedies suggested. Once you have the summary ready, compile your findings in the form of an executive summary. The main points you need to cover are:

  • Analyze the mistakes committed by both the employees and the Veterans Affairs Administration that led to data loss.
  • Ensure that the remedies you suggest prevent the mistakes you analyzed from reoccurring in the future. You can think of using encryption as one of the possible remedies. In this case, describe how encryption can be used.
  • Explain methods that will ensure proper monitoring and enforcement of the existing security policies.

Submission Instructions:

Submit your answer in a Microsoft Word document in not more than 300 words.

Font: Arial 10 point size

Line Spacing: Double

Grading Criteria

1. Content 50%

2. Writing Conventions (Grammar and Mechanics) 10%

3. Organization of Ideas/Format 300 Words 30%

4. Source (APA Format) 10%

CHAPTER 1 Information Security Overview

Ensuring that information is secure is not the job just of computer geeks in data centers. It concerns governments, corporations, and individuals. The digital revolution greatly changed how people communicate and do business. Because information exchanges now take place instantly, and because almost everyone shares data of some kind, you should question how all organizations use and protect data.

This text is about information security and the law. Information security seeks to protect government, corporate, and individual information. It’s a good business practice. Many organizations today want a reputation for properly protecting their own and their customers’ data. A good reputation can make a company stand out from its competitors. It can increase sales. It also can make a government agency seem more trustworthy.

Laws also protect information, especially private personal information. They require that data be protected in certain ways. Laws aren’t optional. If a law applies to an organization, then it must follow the law. Laws make information security more than just a good business practice. They make it a business requirement.

Chapter 1 Topics

This chapter covers the following topics and concepts:

  • Why information security is an issue
  • What information security is
  • What the basic information security concepts are
  • What common information security concerns are
  • How different types of information require different types of protection
  • Which mechanisms protect information security
  • How special kinds of data require special kinds of protection

Chapter 1 Goals

When you complete this chapter, you will be able to:

  • Describe the key concepts and terms associated with information security
  • Describe information security goals and give examples of each
  • Describe common information security concerns
  • Describe mechanisms used to protect information security

Why Is Information Security an Issue?
You see these kinds of stories in the news media every day:

  • Someone attacks a university computer and gains access to the records of over 30,000 students and staff members. These records include names, photographs, and Social Security numbers.
  • A computer virus infects an organization’s computer network. The virus uses up system resources and slows down the network. It takes the organization several days to remove the virus and repair the network.
  • A bank loses a backup tape, potentially exposing more than 1 million customer records. It’s never found.
  • A company that processes credit cards stores unencrypted account information on its servers. Attackers gain access to the servers, exposing over 40 million accounts.
  • An e-mail scam targets an organization. The scam asks employees to verify their account settings. When employees respond, they provide their computer usernames and passwords. Attackers use those credentials to access and compromise the organization’s computer systems.

Organizations use and store a lot of data. For many, information is one of their most important assets. They use data to conduct their business operations. They use large and complex databases to keep track of customer product preferences. They use these same systems to manage the products and services that they offer customers. Organizations also transfer information to other businesses so that both companies can benefit.

Organizations collect data for many reasons. Much of the data they collect is personal information, which can be used to identify a person.
Personally identifiable information includes the following:

  • Social Security numbers
  • Driver’s license numbers
  • Financial account data, such as account numbers or personal identification numbers (PINs)
  • Health data and biometric data
  • Authentication credentials, such as logon or usernames and passwords

Based on media reports, security breaches appear to be growing in number. These breaches include data that is lost, stolen, or disclosed without permission. A security breach can damage an organization’s reputation. Customers take their business elsewhere when organizations fail to protect their data. The organization may have to pay fines and/or defend itself in court. If a security breach is particularly bad, an organization’s leaders can face criminal charges. An organization that fails to protect its information risks damaging its reputation, or worse.

NOTE: Information security is the term that generally describes the steps an organization should take to protect its information.

What Is Information Security?

Information security is the study and practice of protecting information. The main goal of information security is to protect the confidentiality, integrity, and availability of information. Professionals usually refer to this as the C-I-A triad, or sometimes the A-I-C triad. (A triad is a group of three things considered to be a single unit.) The C-I-A triad appears in Figure 1-1. You might think that information security refers only to data stored on a computer. However, it refers to information in both paper and electronic form.

Figure 1-1: The C-I-A triad (Confidentiality, Integrity, Availability).

In some ways, securing information isn’t new. For instance, Julius Caesar used a simple letter-substitution code to share secrets with his military commanders. This type of code is a Caesar cipher.
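As an added illustration (this is not Grama's text or code from the original page), here is the Caesar cipher in Python together with the attack that defeats it: every letter is shifted by a fixed key, so an interceptor who does not know the key can try all 25 possible keys and keep the candidate that reads most like English. The function names, the sample message and the rough letter-frequency table are the example's own constructions, not anything from the book.

```python
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, key: int) -> str:
    """Shift every letter of `text` by `key` positions (mod 26).

    Non-letters pass through unchanged and case is preserved.
    Decryption is the same operation with the negated key.
    """
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


# Approximate relative frequencies (percent) of letters in English prose.
# Rough figures are enough to rank 25 candidates; this is not a language model.
ENGLISH_FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.1, "Z": 0.07,
}


def english_score(text: str) -> float:
    """Sum of English letter frequencies over the letters in `text`; higher is more English-like."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try every key and return (key, plaintext) for the best-scoring candidate.

    The whole key space is 25 shifts, so the interceptor needs no secret at all:
    the note's confidentiality rests entirely on the key, and this key space is
    far too small to provide any.
    """
    return max(
        ((k, decrypt(ciphertext, k)) for k in range(1, 26)),
        key=lambda candidate: english_score(candidate[1]),
    )


if __name__ == "__main__":
    # Constructed sample message, not a historical one.
    message = "Attack the bridge at dawn and hold it until relieved"
    secret = encrypt(message, 3)
    print("ciphertext:", secret)
    key, recovered = brute_force(secret)
    print(f"recovered with key {key}: {recovered}")
```

The lesson for confidentiality is that only the key protects the note, and a key space of 25 gives the attacker nothing to work for. Modern ciphers keep the same principle (the algorithm is public, only the key is secret) but use keys of 128 bits or more, which cannot be enumerated.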
Cryptography is the practice of hiding information so that unauthorized persons can’t read it. Using cryptography preserves confidentiality. Only those with the secret key are able to read an encoded note. Caesar used codes to ensure that his enemies could not read his messages.

Secret decoder badges were popular during the golden days of radio. Business sponsors often paid for decoders to market their products. Radio program fan clubs gave them to their members to promote specific radio shows. Secret decoder badges often used a Caesar cipher.

In other ways, information security is a relatively new area of study. Modern computing systems have existed only since the 1960s. The Internet didn’t exist in its current form until almost 1983. The first well-known computer security incident was discovered in 1986. President Obama created the first “cybersecurity czar” in the federal government in 2009.

NOTE: Cliff Stoll described the first well-known computer security incident in his book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Stoll noticed an error in the records of systems connected to the Internet’s predecessor, the Advanced Research Projects Agency Network. During the investigation, he exposed an international plot to steal information from U.S. computer systems.

The range of information security topics and the number of places to protect data may seem overwhelming. However, the main goal is to protect information’s confidentiality, integrity, and availability.

What Is Confidentiality?

Confidentiality means that only people with the right permission can access and use information. It also means protecting it from unauthorized access at all stages of its life cycle. You must create, use, store, transmit, and destroy information in ways that protect its confidentiality.
Encryption is one way to make sure that information remains confidential while it’s stored and transmitted. Encryption converts information into code that makes it unreadable. Only people authorized to view the information can decode and use it. Attackers who intercept an encrypted note can’t read it because they don’t have the decoding key. Encryption protects the note’s confidentiality.

Access controls are another way to ensure confidentiality. They grant or deny access to information systems. An example of an access control is requiring a password to access a computer system. Passwords keep unauthorized individuals out of information systems. You also can use access controls to ensure that individuals view only information they have permission to see.

You can compromise information confidentiality on purpose or by accident. For example, shoulder surfing is a type of intentional attack. It occurs when an attacker secretly looks “over the shoulder” of someone at a computer and tries to discover his or her sensitive information without permission. Shoulder surfing is a visual attack. The attacker must view the personal information. This term also describes attacks in which a person tries to learn sensitive information by viewing keystrokes on a monitor or keyboard. Attackers use the stolen data to access computer systems and commit identity theft.

Social engineering is another type of attack that represents an intentional threat to confidentiality. Such attacks rely heavily on human interaction. They take advantage of how people talk with one another and interact. It’s not a technical attack. It involves tricking other people to break security rules and share sensitive information. Social engineering attackers take advantage of human nature, such as kindness and trust. They are often charming. Their victims want to help them by providing information.
The attacker uses the information obtained from the victim to try to learn additional sensitive information. An old-fashioned “con game” is an example of a social engineering attack. The classic film The Sting is a great example of a social engineering scam. In the movie, two con artists, played by Paul Newman and Robert Redford, set up an elaborate plan to con a man out of his money. Their scam relies heavily on manipulating the victim and those around him. The scam takes advantage of human nature.

Kevin Mitnick is perhaps one of the best-known computer hackers of all time. In his book The Art of Deception, he writes that he gained much of the information he used to compromise computer systems through social engineering. It was very easy to get information from people if he asked questions in the right way, he said.

Confidentiality compromises also take place by accident. An employee of the U.S. Transportation Security Administration (TSA) posted a redacted copy of a TSA manual on a federal Web site in December 2009. The manual described how TSA agents should screen airline passengers and luggage. It also contained the technical details of how airport screening machines work. The manual contained pictures of identification cards for average Americans, Central Intelligence Agency employees, and U.S. legislators. The TSA posted the manual by mistake, and the public could access the manual online for several months. TSA employees redacted some portions of the manual; however, the TSA improperly performed technical aspects of the redaction. Some people were able to uncover the original information with common software tools. They reposted the manual on a number of other nongovernmental Web sites. Some of the other Web sites posted the document with all of the original text available. The manual highlighted the increase in airport security requirements after the September 11, 2001, terrorist attacks.
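The technical side of the TSA redaction failure is worth seeing mechanically. The following is an added example, not code from the page or from the book, built on a toy page model that is assumed for illustration (a list of text runs and black boxes; it is not a real PDF object model). Drawing an opaque box over text hides it on screen but leaves the text object in the file, so any text extractor or copy-and-paste returns it; only rewriting the text object itself survives extraction. The sample page content and all function names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TextRun:
    x: int       # column where the run starts
    y: int       # row (line) it sits on
    text: str


@dataclass
class BlackBox:
    x: int
    y: int
    width: int


@dataclass
class Page:
    width: int
    height: int
    objects: list = field(default_factory=list)   # painted in order


def render(page: Page) -> list[str]:
    """Paint every object in order onto a character grid.

    This is what a viewer or printout shows: a later BlackBox covers earlier
    text at the same cells, so the page *looks* redacted.
    """
    grid = [[" "] * page.width for _ in range(page.height)]
    for obj in page.objects:
        if isinstance(obj, TextRun):
            for i, ch in enumerate(obj.text):
                if obj.x + i < page.width:
                    grid[obj.y][obj.x + i] = ch
        elif isinstance(obj, BlackBox):
            for i in range(obj.width):
                if obj.x + i < page.width:
                    grid[obj.y][obj.x + i] = "#"
    return ["".join(row) for row in grid]


def extract_text(page: Page) -> str:
    """What a text extractor returns: the text objects, not the painted pixels."""
    return "\n".join(o.text for o in page.objects if isinstance(o, TextRun))


def redact_by_overlay(page: Page, secret: str) -> Page:
    """The mistake: draw a box over the secret and leave the text object in place."""
    redacted = Page(page.width, page.height, list(page.objects))
    for obj in page.objects:
        if isinstance(obj, TextRun) and secret in obj.text:
            start = obj.text.index(secret)
            redacted.objects.append(BlackBox(obj.x + start, obj.y, len(secret)))
    return redacted


def redact_by_removal(page: Page, secret: str) -> Page:
    """The fix: rewrite the text object so the secret no longer exists in the file."""
    redacted = Page(page.width, page.height)
    for obj in page.objects:
        if isinstance(obj, TextRun) and secret in obj.text:
            obj = TextRun(obj.x, obj.y, obj.text.replace(secret, "#" * len(secret)))
        redacted.objects.append(obj)
    return redacted


def looks_redacted(page: Page, secret: str) -> bool:
    """Visual check only: is the secret absent from the rendered page?"""
    return secret not in "\n".join(render(page))


def redaction_leaks(page: Page, secret: str) -> bool:
    """The check a publisher should run before posting: does the secret survive extraction?"""
    return secret in extract_text(page)


if __name__ == "__main__":
    # Constructed sample page; the content is invented, not from the TSA manual.
    page = Page(40, 2, [TextRun(0, 0, "Screening threshold: 4 items per bag")])
    for name, doc in (("overlay", redact_by_overlay(page, "4 items")),
                      ("removal", redact_by_removal(page, "4 items"))):
        print(f"{name}: looks redacted={looks_redacted(doc, '4 items')}, "
              f"leaks on extraction={redaction_leaks(doc, '4 items')}")
```

Both versions pass the visual check; only the removal version passes the extraction check. That second check, run against the file actually being published, is what was missing in the TSA case.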
Lawmakers immediately questioned the TSA about the incident. They asked how the TSA would mitigate the disclosure. They also asked what it would do to prevent future mistakes. Lawmakers wanted to know how the government could prevent other Web sites from reposting the unredacted manual. The TSA argued that posting the manual didn’t compromise the safety of U.S. air travel. The TSA example shows that even unintended compromises to confidentiality can have serious results, even to public safety.

What Is Integrity?

Integrity means that information systems and their data are accurate. Integrity ensures that changes can’t be made to data without appropriate permission. If a system has integrity, it means that the data in the system is moved and processed in predictable ways. It doesn’t change when it’s processed. Controls that ensure the correct entry of information protect integrity. In a computer system, this means that if a field contains a number, the system checks the values that a user enters to make sure that they are numbers. Making sure that only authorized users have the ability to move or delete files on information systems also protects integrity. Antivirus software is an example of a control that protects integrity. This type of software checks to make sure that there are no viruses in the system that could harm it or change the data in it.

Information systems can be compromised in a number of ways. A compromise can be accidental or on purpose. For example, an employee accidentally mistypes a name or address during data entry. Integrity is compromised if the system doesn’t prevent or check for this type of error. Another common type of accidental compromise of integrity is an employee deleting a file by mistake. Integrity compromises also can take place on purpose. Employees or external attackers are potential threats.
For example, an employee deletes files that are critical to an organization’s business. The employee might do this on purpose because of some grievance against the organization. External attackers also are a concern. They can infect information systems with computer viruses or vandalize a Web page. External attackers who access systems without permission and deliberately change them harm confidentiality and integrity.

In 2007, three Florida A&M University students installed secret keystroke loggers on computers in the university registrar’s office. A keystroke logger is a device or program that records keystrokes made on a keyboard or mouse. The students obtained the usernames and passwords of registrar employees from the logger. For a fee, the hackers modified 650 grades in the computer system for other students. They changed many failing scores to an “A.” The student hackers also changed the residency status of other students from “out-of-state” to “in-state.” This resulted in the out-of-state students paying less tuition. The university discovered the keystroke loggers during a routine audit. It then found the modified data. It fixed the incorrect data, but the student hackers accessed the system and changed grades again. The university discovered the hackers’ identities through additional security measures such as logging and audit review. Prosecutors charged the student hackers with breaking federal laws. The court sentenced two of them to 22 months in prison each. In September 2009, it sentenced the third student to seven years in prison.

The Florida A&M case illustrates how safeguards protect the integrity of computer systems. Routine security audits can detect unauthorized or harmful software on a system.

What Is Availability?

Availability is the security goal of making sure information systems operate reliably. It makes sure data is accessible when it needs to be.
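Before going further into availability, one more look at the Florida A&M case above. The keystroke logger gave the attackers valid registrar credentials, so every grade change passed authentication; what exposed them was audit review of what those accounts did. As an added example (not from the page or the book), the following Python reviews a constructed audit log in an assumed key=value format and flags accounts by behaviour rather than by login: changes outside business hours, bursts of changes in a short window, F-to-A grade changes, and residency flipped to in-state for students the same account also graded. The log lines, user names and thresholds are all constructed for the example and stand in for whatever a real student-records system would log.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines in an assumed key=value format. They are not real
# registrar records; they only model the pattern described in the text.
SAMPLE_LOG = """\
2007-10-02T09:14:05 user=mlee action=grade_change student=S1001 course=ENG101 old=B new=B+
2007-10-02T10:02:41 user=mlee action=grade_change student=S1042 course=ENG101 old=C new=B
2007-10-02T22:10:03 user=jdoe action=grade_change student=S2001 course=CHM101 old=F new=A
2007-10-02T22:10:19 user=jdoe action=grade_change student=S2002 course=CHM101 old=F new=A
2007-10-02T22:10:34 user=jdoe action=grade_change student=S2003 course=PHY201 old=D new=A
2007-10-02T22:11:02 user=jdoe action=grade_change student=S2004 course=MAT110 old=F new=A
2007-10-02T22:11:40 user=jdoe action=residency_change student=S2002 old=out-of-state new=in-state
2007-10-02T22:12:15 user=jdoe action=residency_change student=S2003 old=out-of-state new=in-state
2007-10-03T11:30:00 user=mlee action=residency_change student=S1077 old=out-of-state new=in-state
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<fields>.+)$")


def parse_line(line: str) -> dict | None:
    """Turn one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    for pair in m.group("fields").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> list[dict]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def review(records: list[dict], window: timedelta = timedelta(minutes=10),
           burst: int = 3, business_hours: tuple[int, int] = (8, 18)) -> dict[str, list[str]]:
    """Audit review: return {user: [reasons]} for accounts whose changes look wrong.

    `window`, `burst` and `business_hours` are assumed policy values. Every
    change here was made with a valid login, so the review keys on behaviour,
    not on authentication.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    findings: dict[str, list[str]] = defaultdict(list)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])

        # 1. Changes made outside business hours.
        after_hours = [r for r in recs
                       if not business_hours[0] <= r["ts"].hour < business_hours[1]]
        if after_hours:
            findings[user].append(f"{len(after_hours)} change(s) outside business hours")

        # 2. A burst: `burst` or more changes inside one sliding `window`.
        for i in range(len(recs)):
            j = i
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            if j - i >= burst:
                findings[user].append(f"{j - i} changes within {window}")
                break

        # 3. Failing grades turned into an A.
        f_to_a = [r for r in recs
                  if r.get("action") == "grade_change" and r["old"] == "F" and r["new"] == "A"]
        if f_to_a:
            findings[user].append(f"{len(f_to_a)} F-to-A grade change(s)")

        # 4. Residency flipped to in-state for a student whose grade this user also changed.
        graded = {r["student"] for r in recs if r.get("action") == "grade_change"}
        residency = [r for r in recs
                     if r.get("action") == "residency_change"
                     and r["new"] == "in-state" and r["student"] in graded]
        if residency:
            findings[user].append(
                f"{len(residency)} residency change(s) for students this user also graded")

    return dict(findings)


if __name__ == "__main__":
    for user, reasons in review(parse_log(SAMPLE_LOG)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the review flags jdoe on all four rules and leaves mlee alone. The rules are deliberately simple; the point is that the log has to exist and someone has to read it, since nothing at the authentication layer distinguished the attackers from the employees whose passwords they had captured.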
It also helps to ensure that individuals with proper permission can use systems and retrieve data in a dependable and timely manner. Organizations need to have information available to conduct their business. When systems work properly, an organization can function as intended. Ensuring availability means that systems and information are available during peak hours when customer demand is high. System maintenance should be scheduled for off hours when customer demand is low.

Availability can be protected in a number of ways. Information systems must recover quickly from disturbances or failures. Organizations create plans that describe how to repair or recover systems after an incident. They specify how long systems may be offline before an organization starts to lose money or fails to meet its business goals. In the worst case, an organization might go out of business if it can’t repair its information systems quickly.

Organizations also can protect system availability by designing systems to have no single points of failure. A single point of failure is a piece of hardware or application that is key to the functioning of the entire system. If that single item fails, a critical portion of the system could fail. Single points of failure also can cause the whole system to fail. An easy example of a single point of failure is a modem. A modem connects an organization to the Internet. If the modem fails, the organization can’t connect to the Internet. If the organization does most of its business online, the modem failure can really hurt its business.

Organizations also can protect availability by using redundant equipment. This equipment has extra functional elements designed into it. In the event of a failure, the extra elements make sure that the piece of equipment is still able to operate for a certain period. Backing up systems also ensures their availability.
Attackers target availability in order to harm an organization’s business. A denial of service (DoS) attack disrupts information systems so they’re no longer available to users. These attacks also can disable Internet-based services by consuming large amounts of bandwidth or processing power. They can disable an organization’s Web site. These services are critical for businesses that sell Web-based products and services or provide information via the Internet.

NOTE: In late December 2009, hackers attacked the Twitter Web site. Twitter is a social networking site that allows members to send short messages to each other. Hackers replaced the homepage for a short period with a political message allegedly sponsored by a foreign government. Twitter services were unavailable while it responded to the attack.

Not all DoS attacks directly target information systems and their data. Attackers also target physical infrastructures. For example, an organization can experience a loss of availability if an attacker cuts a network or power cable. The result is the same as a technical DoS attack. Customers and other audiences can’t reach the needed services.

Unplanned outages can also negatively impact availability. An outage is an interruption of service. Natural disasters create outages, such as a power outage after an earthquake. Outages also take place if a technician accidentally cuts a service cable.

A Web site experiencing an increase in use can result in a loss of availability. When Michael Jackson died in 2009, the Internet experienced a massive increase in search queries from people trying to find out what had happened to him. The rapid rise in search traffic caused Google to believe it was under a DoS attack. In response to this perceived attack, Google slowed down the processing of “Michael Jackson” queries. Users entering those queries received error messages until Google determined its services were not under attack.
The Michael Jackson/Google example shows that organizations can take actions to make sure their information systems are available to their customers. These actions can alert organizations to an issue. Then they can take steps to correct it.

The Seven Domains of a Typical Information Technology Infrastructure

There are seven domains in a typical information technology (IT) infrastructure.

  • User Domain—This domain refers to any users of an organization’s IT system. It includes employees, consultants, contractors, or any other third party. These users are called end users.
  • Workstation Domain—This area refers to the computing devices used by end users. This includes devices such as desktop or laptop computers.
  • LAN Domain—This domain refers to the organization’s local area network (LAN) technologies. A LAN is two or more computers connected together within a small area.
  • WAN Domain—A wide area network (WAN) is a network that spans a large geographical area. The most common example of a WAN is the Internet. Organizations with remote locations use a WAN to connect those locations.
  • LAN-to-WAN Domain—This domain refers to the infrastructure that connects the organization’s LAN to a WAN.
  • Remote Access Domain—This domain refers to the processes and procedures that end users use to remotely access the organization’s IT infrastructure and data.
  • System/Application Domain—This domain refers to the equipment and data an organization uses to support its IT infrastructure. It includes hardware, operating system software, database software, and client-server applications.

Figure 1-2 illustrates the seven domains and how they relate to one another.

Basic Information Security Concepts

A number of different concepts are helpful in understanding information security and the laws that affect it. Laws that regulate information security often use risk management to justify them.
Risk management is the process of understanding the risks that an organization faces and then taking steps to address or mitigate them. You will briefly learn about basic risk management concepts and terms here.

Vulnerabilities

A vulnerability is a weakness or flaw in an information system. Vulnerabilities can be exploited (used in an unjust way) to harm information security. They may be construction or design mistakes. They also may be flaws in how an internal safeguard is used or not used. Not using antivirus software on a computer, for instance, is a vulnerability. There are many different types of vulnerabilities. You can classify them into the following broad categories:

  • People
  • Process
  • Facility
  • Technology

Figure 1-2: The seven domains of a typical IT infrastructure.

People can cause a number of vulnerabilities. One employee could know too much about a critical function in an organization. This is a violation of the separation of duties principle. This rule requires that two or more employees must split critical task functions so that no employee knows all of the steps of the critical task. When only one employee knows all of the steps of a critical task, they can use the information to harm the organization. The harm may go unnoticed if other employees can’t access the same information or perform the same function. A common example of the separation of duties principle is a rule requiring two people to sign organization checks. This is so one person can’t steal from the organization by writing and signing checks made out to himself or herself. Requiring two signatures protects the organization.
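The two-signature rule as an added example in Python (not the book's or the page's own code): a check request that cannot be released until two distinct people have signed it, with the person who requested the check and the payee both barred from signing. The class and function names, the people and the amounts are constructed for the example; an organization's real thresholds and roles would differ.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when an action would break the two-signature rule."""


@dataclass
class CheckRequest:
    """A payment that needs two distinct signers, neither of them the requester or the payee."""
    request_id: str
    requested_by: str
    payee: str
    amount: float
    signatures: list[str] = field(default_factory=list)
    required_signatures: int = 2   # assumed policy value

    def sign(self, signer: str) -> None:
        # The person who wrote the check cannot also approve it.
        if signer == self.requested_by:
            raise ControlViolation(f"{signer} requested {self.request_id} and cannot sign it")
        # Nobody approves a payment to themselves.
        if signer == self.payee:
            raise ControlViolation(f"{signer} is the payee of {self.request_id}")
        # The same person signing twice is still one signature.
        if signer in self.signatures:
            raise ControlViolation(f"{signer} has already signed {self.request_id}")
        self.signatures.append(signer)

    def is_releasable(self) -> bool:
        return len(set(self.signatures)) >= self.required_signatures

    def release(self) -> str:
        if not self.is_releasable():
            raise ControlViolation(
                f"{self.request_id} has {len(self.signatures)} of "
                f"{self.required_signatures} required signatures")
        return f"released {self.request_id}: {self.amount:.2f} to {self.payee}"


def attempt(request: CheckRequest, signers: list[str]) -> str:
    """Apply signatures in order, then try to release; report the outcome as text."""
    try:
        for signer in signers:
            request.sign(signer)
        return request.release()
    except ControlViolation as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    # Constructed scenarios, not a real organization's ledger.
    print(attempt(CheckRequest("CHK-1", "alice", "Acme Supplies", 1200.0), ["bob", "carol"]))
    print(attempt(CheckRequest("CHK-2", "alice", "alice", 500.0), ["alice", "bob"]))
    print(attempt(CheckRequest("CHK-3", "alice", "Acme Supplies", 50.0), ["bob", "bob"]))
    print(attempt(CheckRequest("CHK-4", "alice", "Acme Supplies", 50.0), ["bob"]))
```

The first request goes through; the other three are the cases the control exists for: the requester signing her own check, one signer counting twice, and a single signature presented as enough. The rule is only as good as its enforcement, which is why it is coded as a hard check rather than left to the people involved.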
Process-based vulnerabilities are flaws or weaknesses in an organization’s procedures. An attacker can exploit these weaknesses to harm security. Process-based vulnerabilities include missing steps in a checklist. They also may include not having a checklist in the first place. Another process vulnerability is the failure to apply hardware and software vendor patches in a timely manner. A patch is a piece of software or code that updates a program to address security problems. Patches are available for many types of software, including operating systems. Systems may be open to attack if patches are not properly applied.

(Grama 2-11) Grama, Joanna L. Legal Issues in Information Security, 2nd Edition. Jones & Bartlett Learning, 06/2014. VitalBook file.

Tutor Answer

School: UCLA


VA Data Breach

Causes and Remedies to VA Data Breach

The VA led the country in the process of converting medical records to digital for easier access and future reference. However, different cases have been observed where the privacy of some clients has been breached. The following are some of the causes of the breaches.

Failure to encrypt data

There are cases of reckless...


Thanks, good work
