Help with case study


Scenario

Welcome to Padgett-Beale! As a new management intern, your first rotation will be with the Training Team in the Office of Human Resources. T2, as they like to be known, is part of a collaborative effort to develop a robust internal training program for Padgett-Beale’s employees and managers. Your first assignment is to help develop a training module for security awareness. The training will be included in “first day” training for future employees and will also be presented as part of an on-going series of employee Lunch & Learn seminars offered by the Office of Human Resources.

The topic for this training module will be “Digital Footprints and Asset Protection.” This topic was selected after several members of Padgett-Beale’s leadership team reviewed a program from the United Kingdom’s Centre for the Protection of National Infrastructure that is part of their “embedding security savvy behaviors online” campaign. (See https://www.cpni.gov.uk/my-digital-footprint and https://www.cpni.gov.uk/embedding-security-behaviour-change )

Your deliverable for this assignment will be a briefing paper that identifies and discusses five or more major issues that employees need to be aware of about this topic (Digital Footprints and Asset Protection). After you identify and describe each issue, include two to three additional points that employees should know. Try to keep a neutral tone, that is, you should include items that represent both the benefits and the drawbacks of a digital footprint. You should also address the importance of protecting both personal and company owned digital assets that are part of a digital footprint. See the instructions below for additional information about length, formatting, and citing of sources.

Research

Write

Write a 2 page briefing paper (single spaced, minimum 1000 word count) in which you present a summary of your research about the topic and your recommendations as to what should be included in the training module. Be choosy about what you include – the total training time available will be 30 minutes. Don’t be too choosy however. Your recommended content should be comprehensive and fully address the training topic.

At a minimum, your briefing paper for this case study must include the following:

1. An introduction to the case scenario and the topic (use the information above)

2. A discussion of five or more key points about the topic (“security and privacy issues”)

3. Recommendations for 5 or more actions that managers and employees should take to address the identified security and privacy issues.

4. A closing section in which you restate the key issues and your recommendations.

As you write your briefing paper, make sure that you address security issues using standard terms and definitions. See the resources listed under Week 1 and under Course Resources > Cybersecurity Concepts for definitions and terminology.

Submit For Grading

Submit your research paper in MS Word format (.docx or .doc file) using the Case Study #1 Assignment in your assignment folder. (Attach your file to the assignment entry.)

Additional Information

1. To save you time, a set of appropriate resources / reference materials has been included as part of this assignment. You must incorporate at least three of these resources into your final deliverable. You must also include one resource that you found on your own.

2. Your briefing paper should use standard terms and definitions for cybersecurity. See Course Content > Cybersecurity Concepts for recommended resources.

3. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count. (An example and template file are available in the LEO classroom. See CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx file under Content > Course Resources.)

4. Your briefing paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use: CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA).

7. You are expected to follow the rubric’s assessment criteria for grading.

Unformatted Attachment Preview

Case Study Resources: 1. Introduction to Information Security https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf 2. Baldridge Cybersecurity Excellence Builder (pp. C2, Skim Read 2-22) https://www.nist.gov/sites/default/files/documents/2017/04/03/baldrige-cybersecurity-excellencebuilder-v1.0.pdf 3. NICE Cybersecurity Workforce Framework https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework 4. Seasonal Employee Security Risks: Present Danger, Proactive Defense https://securityintelligence.com/seasonal-employee-security-risks-present-danger-proactive-defense/ 5. Unlocking the Secrets of Cybersecurity https://www.umuc.edu/documents/upload/unlocking-the-secrets-of-cyber-security.pdf 6. Are you keeping tabs on your digital footprint? https://www.envision-creative.com/companys-digital-footprint-keeping-tabs/ Case Study #1: Digital Footprints and Asset Protection Scenario Welcome to Padgett-Beale! As a new management intern, your first rotation will be with the Training Team in the Office of Human Resources. T2, as they like to be known, is part of a collaborative effort to develop a robust internal training program for Padgett-Beale’s employees and managers. Your first assignment is to help develop a training module for security awareness. The training will be included in “first day” training for future employees and will also be presented as part of an on-going series of employee Lunch & Learn seminars offered by the Office of Human Resources. The topic for this training module will be “Digital Footprints and Asset Protection.” This topic was selected after several members of Padgett-Beale’s leadership team reviewed a program from the United Kingdom’s Centre for the Protection of National Infrastructure that is part of their “embedding security savvy behaviors online” campaign. 
(See https://www.cpni.gov.uk/my-digital-footprint and https://www.cpni.gov.uk/embedding-security-behaviour-change ) Your deliverable for this assignment will be a briefing paper that identifies and discusses five or more major issues that employees need to be aware of about this topic (Digital Footprints and Asset Protection). After you identify and describe each issue, include two to three additional points that employees should know. Try to keep a neutral tone, that is, you should include items that represent both the benefits and the drawbacks of a digital footprint. You should also address the importance of protecting both personal and company owned digital assets that are part of a digital footprint. See the instructions below for additional information about length, formatting, and citing of sources. Research 1. Review the Week 1 and 2 readings. 2. Research the term “digital footprint.” Here are some resources to help you get started: a. https://www.internetsociety.org/your-digital-footprint-matters (there are nine video tutorials on this page) b. http://blog.trendmicro.com/the-importance-of-understanding-your-digital-footprint/ c. https://cyberbullying.org/the-importance-of-your-digital-reputation d. https://memeburn.com/2013/06/your-digital-footprint-is-important-heres-how-togrow-it/ e. https://www.envision-creative.com/why-your-digital-footprint-is-your-best-salesman/ 3. Review three or more items in CPNI employee awareness campaign https://www.cpni.gov.uk/my-digital-footprint and https://www.cpni.gov.uk/embeddingsecurity-behaviour-change 4. Research additional ownership, privacy, and security issues associated with a digital footprint. a. https://us.norton.com/internetsecurity-privacy-clean-up-online-digital-footprint.html b. http://thewiseinvestorgroup.com/Wise-Investor-Files/Public/PDF_Files/FeaturedArticles/YourDigitalLifeasPartofyourEstatePlan2.pdf c. https://efinplan.com/estate-planning-for-your-digital-footprint/ 5. 
Find at least one additional source which provides information an employee can use to better protect their own digital assets (the things that contribute to your digital footprint) loss or harm. Write Write a 2 page briefing paper in which you present a summary of your research about the topic and your recommendations as to what should be included in the training module. Be choosy about what you include – the total training time available will be 30 minutes. Don’t be too choosy however. Your recommended content should be comprehensive and fully address the training topic. At a minimum, your briefing paper for this case study must include the following: 1. An introduction to the case scenario and the topic (use the information above) 2. A discussion of five or more key points about the topic (“security and privacy issues”) 3. Recommendations for 5 or more actions that managers and employees should take to address the identified security and privacy issues. 4. A closing section in which you restate the key issues and your recommendations. As you write your briefing paper, make sure that you address security issues using standard terms and definitions. See the resources listed under Week 1 and under Course Resources > Cybersecurity Concepts for definitions and terminology. Submit For Grading Submit your research paper in MS Word format (.docx or .doc file) using the Case Study #1 Assignment in your assignment folder. (Attach your file to the assignment entry.) Additional Information 1. To save you time, a set of appropriate resources / reference materials has been included as part of this assignment. You must incorporate at least three of these resources into your final deliverable. You must also include one resource that you found on your own. 2. Your briefing paper should use standard terms and definitions for cybersecurity. See Course Content > Cybersecurity Concepts for recommended resources. 3. 
You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count. (An example and template file are available in the LEO classroom. See CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx file under Content > Course Resources.) 4. Your briefing paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources > APA Resources. An APA template file (MS Word format) has also been provided for your use CSIA_Basic_Paper_Template(APA_6ed,Nov2014).docx. 5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.). Case Study Resources: 1. Introduction to Information Security https://www.us-cert.gov/sites/default/files/publications/infosecuritybasics.pdf 2. Baldridge Cybersecurity Excellence Builder (pp. C2, Skim Read 2-22) https://www.nist.gov/sites/default/files/documents/2017/04/03/baldrige-cybersecurity-excellencebuilder-v1.0.pdf 3. NICE Cybersecurity Workforce Framework https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework 4. 
Seasonal Employee Security Risks: Present Danger, Proactive Defense https://securityintelligence.com/seasonal-employee-security-risks-present-danger-proactive-defense/ 5. Unlocking the Secrets of Cybersecurity https://www.umuc.edu/documents/upload/unlocking-the-secrets-of-cyber-security.pdf 6. Are you keeping tabs on your digital footprint? https://www.envision-creative.com/companys-digital-footprint-keeping-tabs/ CYBERSECURITY MANAGEMENT & POLICY Padgett-Beale, Inc. A case study for CSIA 300 Valorie J. King, PhD 8/18/2017 Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300 Cybersecurity for Leaders and Managers Welcome! Dear Intern, Welcome to Padgett-Beale! We are excited to have you join us as a management intern and hope that your participation in our virtual / online program will be beneficial for both you and our company. This year, our management interns will have the opportunity to participate in Padgett-Beale’s pervasive cybersecurity initiative. This initiative is designed to help our employees and managers better understand and address the cybersecurity problems that our company is facing. These problems include a host of privacy related concerns, intellectual property protection issues, and the appropriate use of information technology resources. Since you are joining us as a management intern, you will also be participating in our internal training program: Cybersecurity for Leaders and Managers. During this eightweek program, you will have an opportunity to participate in a number of management and leadership activities and assessments related to cybersecurity. As you move through this program, we hope that you and your peers will take advantage of the numerous communication channels made available to you via our internal Websites and discussion forums. We are truly interested in learning from you and hearing your thoughts on the management and leadership issues that you encounter during your time with us. 
Finally, our goal is to help you find opportunities to take what you learn here and apply it to your future studies and career. We hope that you, in turn, will help us by providing feedback during and at the end of this program. Thank you for your participation and, again, Welcome! Sincerely, Edwina L. Beale Edwina L. Beale Chief of Staff and Manager, Internship Programs Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300: Cybersecurity for Leaders and Managers Padgett-Beale Organization Chart -- 2017 Figure 1. Padgett-Beale, Inc. Organization Chart Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300: Cybersecurity for Leaders and Managers Company History Elmer and Robenia Padgett’s first hotel, Robenia’s Guest House, opened in 1925 with six family suites (two per floor), a tea room, and a formal dining room. The guest house primarily served wealthy families who relocated to the seashore for the summer to escape the heat in New York City. This property provided amenities and services matching those of rival longstay hotels in major cities along the East Coast. The second and third properties, Padgett’s Hotel and Padgett’s Beach House, were acquired in 1935. Flintom’s Tavern, a landmark restaurant and entertainment venue, was added to the Padgett properties portfolio in 1940. Periodic resurgences in popularity of the seashore as a vacation destination occurred over the next fifty years (1940-1990) as bridges were built, roads were improved, and regional economies strengthened. These resurgences brought additional competition as new motels and resorts operated by national chains entered the seashore vacations market. Major weather events in the 1970’s resulted in damage to both Padgett’s Beach House and Flintom’s Tavern causing both to close for an extended period of renovations. 
The Padgett family’s brand remained strong, despite these setbacks, as members of the family took a personal interest in the day-to-day operations and management of the company. Padgett’s was not an early adopter of computers and information technology. But, over time and as younger family members entered the business, computers began a slow march into the company’s offices in the form of personal computers with word processing, spreadsheets, and database systems. Personal computers also made their way into manager’s offices in the hotel properties where spreadsheets proved valuable in tracking revenues and expenses. In 1982, an embezzlement scandal at Flintom’s Tavern forced the company to adopt computer-based point of sale (POS) systems throughout the company for all cash handling functions (hotel front desks and restaurants). A benefit of the POS systems were the built-in reporting functions, which enabled the company to more closely track cash and credit sales by property. By 1995, the company had fully integrated custom hotel management software into its operations. This software and the associated databases were hosted on company owned / operated mainframe computer systems. By the end of the decade, information technologies were in use to support all aspects of the company’s internal operations (accounting, customer service, property management, and reservations). At the beginning of the new century, the company adopted its first strategic plan with a heavy emphasis upon growth and expansion. Under this plan, the company branched out and began offering hotel and resort management services to other hoteliers and property owners. Advanced telephony services and implementation of custom software allowed Padgett’s to offer one of the first centralized reservations management services. The company also leveraged the Internet and World Wide Web to launch a resort affiliates program, which provided a menu of business related services to member properties. 
These services included: online advertising and promotions, architecture and design assistance, business operations consulting, group Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300: Cybersecurity for Leaders and Managers business insurance, and guest loyalty programs. The hotel and resort management services business area continues to be the major source of revenues and profits for the company and its owners. As part of Padgett’s expansion plan, the company purchased Beale Realty Holdings in 2001 and formed Padgett-Beale, Inc. (PBI). Shortly thereafter, PBI embarked on a series of realestate acquisition activities, which led to the purchase of several large tracts of prime Eastern Shore waterfront property. The company’s long-term plan was to hold the properties as real estate investments and, when market demand rose sufficiently, expand into development, sales, and management of condominiums and vacation time-share properties. The focus on long term investment was a wise choice as this particular market segment was adversely impacted by the housing boom/bust in the mid 2000’s. At the time of purchase, the waterfront properties were in use as campgrounds and resorts for tent-campers, travel-trailers, and motorhomes. These camping facilities were allowed to continue their existing operations with minimal investment and oversight for the next 15 years (2002 – 2017). During this laissez-faire management period, some campground managers modernized their camp offices and stores by purchasing computer-based point of sale systems that allowed them to accept credit and debit cards. Most of these managers also outsourced their reservations management to a third party online reservations system, which provided a customized website to advertise each park and provide access to the online reservations system. A few campgrounds did not modernize beyond setting up a simple website with contact information and a few photographs. 
These facilities continue to use a mail or telephone-based reservation process with a “cash only” payment policy. In 2015, the day-to-day operations and management of PBI was transitioned to a new leadership team recruited from leading hotel and resort management companies. The new leadership team includes the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer / Director for Resort Operations, and the Corporate Counsel (attorney) who is also dual-hatted as the Chief Privacy Officer. Under this new leadership, the company was reorganized to better focus on the three most profitable business areas: Resort Operations, Reservations Services, and Resort Affiliates. Management and daily operations for the three company owned hotel properties (Robenia’s Guest House, Padgett’s Hotel, and Padgett’s Beach House), Flintom’s Tavern, and the campgrounds / trailer parks were transferred to the newly formed Property Holdings and Development division. Building a strong management and leadership team is a priority for both the new CEO and the current chair of the PBI Board of Directors. In 2017, these two leaders developed and launched a management internship program whose participants were recruited from a select group of colleges and universities. The next class of management interns has just started in program and will soon find out where their first assignment will take them within the company. Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300: Cybersecurity for Leaders and Managers Industry Overview Padgett-Beale, Inc. (PBI) operates in the Hotels, Motels, & Resorts industry (NAICS Codes 721110 and SIC Codes 7011) (First Research, 2017a). Hotels, motels, and resorts provide short-term housing and lodging for travelers and visitors. Related services offered by companies in this industry include: catering and meals, conferences and event hosting, entertainment, resort amenities (golf, swimming, spa, etc.), etc. 
The company also operates in the Recreational Vehicle Parks industry (NAICS Codes 721211; SIC Codes 7033) as both an owner/operator and as a management and operations partner providing specialty services to member and affiliate RV parks. Hotels, Motels, and Resorts Leading firms in this industry include Marriott International, Inc., Hilton Worldwide Holdings, Inc., and Starwood Hotels & Resorts Worldwide, LLC (First Research, 2017a). On an annual basis, this global industry generates over $500 billion in revenue. The U.S. segment of this industry generates approximately $175 billion in revenues each year. These revenues may be generated directly from operation and management of company owned properties. Or, revenues may be generated through franchising arrangements or through fees generated in conjunction with property management / hotel operations services provided to other property owners. Demand for products and services in this industry is driven by two primary factors: (a) business travel and (b) vacation or tourist travel (First Research, 2017a). Both of these factors are highly sensitive to the health of regional, national, and global economies. Financial analysts estimate that 75% of industry revenues result from fees for overnight lodging. The remaining 25% of revenues result from sales of related products and services (e.g. meals, beverages, etc.). Labor is the most significant source of expenses. This industry uses information technology and the Internet in a variety of ways. First, most brands use the Internet and social media to support their marketing efforts. Second, all but the smallest of properties / brands use information technologies and the Internet to support reservation call center operations. Third, information technologies are used in the daily operations of facilities (front and back of house) and in support of corporate business processes and functions. 
These technologies include Point of Sale systems for handling customer financial transactions, housekeeping and maintenance management systems, card key access systems for guest rooms and restricted areas, scheduling and timekeeping systems for personnel, and building / facilities management systems that control and monitor energy using systems such as lighting and heating/ventilation/cooling (HVAC) systems. Information technologies are also used to provide physical security in such forms as video surveillance and recording, access controls for equipment and control zones (key pads, badge readers, password controlled logins), and automated access logs which record identity information along with timestamped entry/exit for controlled zones. Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300: Cybersecurity for Leaders and Managers Recreational Vehicle Parks Leading firms in this industry include Thousand Trails (owned by Equity LifeStyle Properties), and Kampgrounds of America (KOA) (First Research, 2017b). Each of these companies has a slightly different business model. Thousand Trails is an owner/operator for RV Parks (First Research, 2017b). KOA sells franchises to owner/operators of privately owned RV Parks and provides brand related services such as marketing, park design and management consulting, and reservations management. A third company, Good Sam Enterprises, markets and sells RV travel related services to individual travelers (“members”) and provides marketing and sales support to member parks (Good Sam Club, 2017). All three firms provide online guidebooks (some with reviews, inspection reports, and ratings), which include information about individual parks and their amenities. In addition to these three firms, there are thousands of smaller owner/operators of RV parks in the United States. These RV parks range in size from 10 – 100 acres with a capacity of 150 to 2,000 or more RV, tent, and rental cabin sites. 
Demand for products and services in this industry is driven by vacation or tourist travel (First Research, 2017). Sales and revenues are highly seasonal as preferred destinations change with the weather and with the usual and customary vacation periods (summer, holidays, school breaks, etc.). Rental fees for overnight stays are the largest source of revenues for individual RV Parks. Additional revenue sources include: camp store and gift shop operations, restaurants and snack bars, fuel sales (propane), and sales of RV parts and accessories. Major areas of expenses are: utilities (water, electric, sewer, cable TV, and Internet service), park maintenance (including roads and buildings), vehicles, property taxes, and operating expenses for amenities such as laundry facilities, bath houses, swimming pools, playgrounds, etc. Insurance coverage for park operations is also a major area of expense and may include additional coverage for cybersecurity liability (Philadelphia Consolidated Holding Company, 2017). This industry uses information technology and the Internet in a variety of ways. First, many RV parks maintain a Website to advertise the park (First Research, 2017b). They may also use social media to attract visitors to their Website and to the RV park. They may also depend upon Websites operated by third parties such as RV Park Reviews, Trip Advisor, and Good Sam Club to attract the attention of individuals who are planning trips or vacations. Second, all but the smallest of properties use an online reservation management system that allows travelers to search for available sites by date(s) and by required or desired amenities (electric, water, sewer, cable, pet friendly, etc.). Larger operators and networks of parks may also use a telephone call centers for reservations management. These call centers depend upon computer applications to route and manage calls. 
Reservation management systems also depend upon databases and database servers to store and process customer information. Third, information technologies are used in the daily operations of some facilities. Such uses include guest check-in/check-out, cash and credit card transaction management (payments & refunds), maintenance records, camp store / gift-shop inventory and sales, and bookkeeping / reporting (revenue tracking). Some RV parks also use computer-based systems for video and audio surveillance, automated vehicle entry/exit, and energy usage monitoring. Copyright © 2018 by University of Maryland University College. All Rights Reserved. CSIA 300 Cybersecurity for Leaders and Managers References First Research. (2017a). Hotels, motels, & reports: First Research custom report. Retrieved July 26, 2017 from Hoovers Online. First Research. (2017b). Recreational vehicle parks: First Research industry custom report. Retrieved July 26, 2017 from Hoovers Online. Good Sam Club. (2017). Who we are. Retrieved from http://www.goodsamclub.com/about Philadelphia Consolidated Holding Corp. (2017). Cyber security liability. Retrieved from https://www.phly.com/mplDivision/managementLiability/CyberSecurity.aspx Copyright © 2018 by University of Maryland University College. All Rights Reserved. 3/6/2018 LEADERSHIP & MANAGEMENT Study Note for CSIA 300 UNDERSTANDING LEADERSHIP From: Northouse, P. G. (2008 ). Introduction to leadership: Concepts and practice (4th ed.). Thousand Oaks, CA: SAGE Publications. 
1 3/6/2018 From: https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vs-management/ LEADERSHIP IN CYBERSECURITY • Define and articulate a vision • Develop and promote strategy • Motivate, inspire, and empower • Create, invent, integrate solutions • Excellence, Quality, Ethics, Morality 2 3/6/2018 INFLUENCING LEADERS • Find a wedge and then widen the crack to open doors for Cybersecurity discussions with the organization’s leaders • Learn to speak their language • Business Leaders think in terms of profits and losses • Government Leaders think in terms of budgets and compliance (legal, regulatory) • Address the twin problems of ignorance and complacency • Cybersecurity is not a well-known quantity outside of CIO and CISO organizations • Seek opportunities to educate peers within the organization • Participate in Governance activities • Contribute to Enterprise Risk Management • Contribute to Business Continuity Planning • Contribute to Budgets, Strategies, and Futures Thinking From: https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vs-management/ 3 3/6/2018 ASSETS TO BE MANAGED • Information • Intellectual Property including sensitive business plans, product designs, finances • Information held in trust (customer and vendor) • Information Systems • Workstations • Mobile Devices • Network Security Appliances • Information Infrastructures • Networks • Networking Equipment CYBERSECURITY MANAGEMENT • Threats • Vulnerabilities • Configurations • Patches • Mitigations & Controls • Compliance & Audits • People, Processes, Policies, Plans, Technologies (and quite a bit more!) 
4 3/6/2018 PROJECT MANAGEMENT • Project Management is concerned with: • Cost • Schedule • Quality • “A project is temporary in that it has a defined beginning and end in time, and therefore defined scope and resources.” • “A project is unique in that it is not a routine operation, but a specific set of operations designed to accomplish a singular goal.” Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management PROJECT MANAGEMENT • Project management processes fall into five groups: • Initiating • Planning • Executing • Monitoring and Controlling • Closing • Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management 5 3/6/2018 PROJECT MANAGEMENT • Project management knowledge draws on ten areas: • Project management knowledge draws on ten areas: 1. Integration 6. Procurement 2. Scope 7. Human resources 3. Time 8. Communications 4. Cost 9. Risk management 5. Quality 10. Stakeholder management Source: https://www.pmi.org/about/learn-about-pmi/what-is-project-management LEADERSHIP + MANAGEMENT “[John] Kotter argues that leadership and management involve two distinct but complementary sets of action.  “Leadership is about coping with change  “Management is about coping with complexity.” (Amit Mohindra) • Adapted from https://nelsontouchconsulting.wordpress.com/2011/02/22/leadership-vsmanagement/ 6 CSIA 300: Cybersecurity for Leaders and Managers Why do Businesses Need Security? There are many different types of businesses. Each one needs security in some form. In this reading, we will explore the reasons why a business needs to have someone or some group within the business that is responsible for security. Types of Businesses A sole proprietorship is a simple form of business in which the owner is personally responsible for the business’s activities (including debts) (Entrepreneur Staff, 2017b). The business may have a trade name but it does not have a legal identity separate from its owner. 
In this form of business, the owner’s personal knowledge of cybersecurity issues and solutions will be very important.

A partnership is a form of business in which two or more individuals own the business (Entrepreneur Staff, 2017a). Partners contribute resources to the business (“investments”) and then share any resulting profits or losses. Partnership agreements state how those profits or losses will be distributed among the owners. Such agreements also provide for management and authority over the day-to-day operations of the business. A partnership will also need some form of governance structure to guide decision making about how the business will be operated (strategies, goals, policies, etc.). At least one of the partners involved in daily operations will need to have cybersecurity knowledge.

A corporation (Investopedia, 2017) is a legally recognized entity (owned or controlled by a group of people) that enjoys many of the same rights, responsibilities, and duties as are granted under the law to a person. The corporation’s rights, responsibilities, and duties exist separately from those of the corporation’s owners. The documents of incorporation provide structure to the company’s governance by outlining key roles and responsibilities. The members of the Board of Directors and the senior leaders / managers of the company all need to have some familiarity with cybersecurity related principles, practices, threats and risks.

Reasons Why Businesses Need Security

Asset Protection (Traditional & Digital Assets)

Businesses exist to make a profit. They do this by creating and selling products and services. Business assets are resources used by the organization to produce the goods and services it will sell or to provide supporting services required to operate the business (Kovacich & Halibozek, 2003). An asset is a possession (item or object) that has value. This value must be protected against harm or loss.

Copyright ©2018 by University of Maryland University College.
All Rights Reserved. Cite this work as: King, V. (2018). CSIA 300: Why do businesses need security? Adelphi, MD: University of Maryland University College.

Digital assets are information assets that exist only in digital form (electronically stored information). These assets are stored on digital media and are accessed / used via digital devices. The term is used to refer to files, software, and firmware. Digital assets may also be physical assets (when they exist in stored form) or they may be classified as intangible assets. Physical assets include buildings, land, property, etc. Computer hardware and infrastructures are physical assets. Intangible assets include such things as intellectual property, trade secrets, brand recognition, reputation and good will.

Thus, we have our first reason that businesses need security – to protect business assets. Asset security consists of those measures taken by the business to protect its assets from harm or loss. This harm or loss may be caused by insiders (e.g. employees), outsiders (criminals, competitors), and extraordinary events (force majeure) or acts of God.

Business assets that must be protected against loss or harm include:
• buildings and facilities, equipment and furnishings
• business processes
• computer systems
• financial instruments and cash (money)
• information (databases, documents, and files)
• inventory (completed products, parts, and supplies)
• networks and infrastructures
• personnel (skilled workforce)
• intellectual property (e.g., patents, trade secrets, plans, and strategies)
• reputation

Information and information systems are assets. Information is an asset because the organization must spend money to obtain it so that the information can be used to produce goods and services. Examples of valuable information assets include recipes or formulas, customer and vendor lists, sales plans, and marketing strategies.
An information system is an asset because each component of the system costs money to purchase or replace.

Note: Businesses may also be holders or custodians of information belonging to others. This information must also be protected from harm or loss.

The security measures required to protect business assets are determined by identifying the assets that require protection and then assessing the specific threats and vulnerabilities (for each asset or type of asset) that are present in the organization’s operating environment.

Legal and Regulatory Compliance

Businesses must comply with laws and regulations set forth by certain governments and government agencies (Reynolds, 2010). Sometimes, it can be difficult to determine which laws or regulations apply and in what circumstances they apply. Businesses need the advice and services of attorneys or corporate counselors to provide guidance in making such determinations. It is important to have competent legal counsel for areas where the business is at risk or may face penalties for noncompliance. Cybersecurity requirements imposed by laws or regulations are an area where specialized legal counsel may be required.

Key concepts from law that affect business operations are due diligence and duty of care (Reynolds, 2010). Due diligence is the obligation to be conscientious in performing your duties. In some uses, this term refers specifically to functions related to contracts and acquisitions. Duty of care is the obligation to be attentive and to avoid causing harm. Leaders and managers need to understand cybersecurity principles, practices, threats, and risks in order to meet their obligations under both due diligence and duty of care.
Integrating Security with Business Operations

Businesses can be described as systems of people, processes, policies, and technologies and the interconnections / relationships between these components (ISACA, 2009). These components can also be viewed as assets, which have value to the organization. Each component and each relationship between components requires some level of protection from harm or loss. Thus, the need for security throughout the system is pervasive and should be approached in a holistic manner.

Figure 1. Systems View of an Organization

Working with the entire system at once can be a daunting task, especially when greater levels of detail are required. Breaking the system down into smaller chunks is an obvious solution, but how should those chunks be defined? One organizing strategy, used by business analysts, is to divide the organization into functional areas. Within each functional area, we can identify the components of the system that operate within the functional area and those components which are cross-cutting (apply to multiple functional areas at the same time). Dividing the business into functional areas will also allow us to analyze and assess security needs within each area. After the needs in each area are considered, we can identify cross-cutting or system-wide security requirements and gaps. Finding commonalities allows us to identify ways to reduce costs and improve efficient allocation of resources to deliver required levels of security.

Business Functions

The day-to-day business operations of organizations are typically organized into five functional areas (see figure 1). Each functional area is supported by business processes and assets.
As business becomes e-business and commerce becomes e-commerce, businesses must reevaluate their security programs to ensure that the confidentiality, integrity, and availability of business processes and assets are protected against threats (sources of harm or loss). The figure below shows the five functional areas typically found in the day-to-day operations and activities of an organization. Notice that “security” is a separate business function yet is fully integrated within the business enterprise. Security both supports and is supported by the other functional areas of the business.

Figure 2. Day-to-Day Business Operations

Accounting and Finance Functions

The accounting and finance functions of a business include:
• accounting and bookkeeping
• budget preparation and monitoring
• fiscal analysis and reporting
• sales or other financial transaction processing

Security is required for devices and information systems which process or provide access to financial information. Required security functions include providing authentication, authorization, and nonrepudiation for access to and use of both physical and digital assets containing financial information. Additional security services may also be required to ensure compliance with federal and state laws and regulations (e.g., Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Fair Credit Reporting Act, etc.).
Commercial Functions

The commercial functions of a business include:
• sales
• marketing and business intelligence
• customer relationship management

Security needs for commercial functions include:
• protection of confidential business information (client lists, sales/marketing plans, etc.), trade secrets, and other forms of intellectual property
• protection of customer and vendor information (including personally identifiable information)
• provision of authentication, authorization, and nonrepudiation for access to and use of information systems involved in the collection, use, reporting, and storage of customer information

Additional security services may be required to comply with provisions of federal and state laws regarding privacy, data breach reporting, and corporate transparency. For marketing and business intelligence functions, the organization may need to incorporate auditing and control functions to ensure that the information collected about competitors does not violate the Economic Espionage Act or other applicable laws.

General and Functional Management Functions

According to Henri Fayol (Svenson, 1961), the management functions of a business include:
• Planning, organizing, and coordinating the work of the organization
• Allocating and controlling resources (including budgeting)
• Monitoring and controlling (“commanding”) the work of the organization

These management functions frequently involve decision-making activities which require access to and the ability to benefit from a variety of information that the organization collects, processes, transmits, and stores (Tannenbaum, 1950).
Such information includes:
• business records
• confidential business information (client lists, sales/marketing plans, corporate strategies, etc.)
• customer data (including personally identifiable information)
• financial data and forecasts
• plans and schedules
• trade secrets
• other forms of intellectual property

The information and confidential business processes used in the general and functional management activities of an organization must be protected against unauthorized access or disclosure. Typically, this is done by putting restrictions in place which control access to information and information resources. These restrictions must be balanced against legitimate uses and disclosures of information while communicating, coordinating, and collaborating as part of the day-to-day operations of the business.

Security Functions

Security of the business, from assets to operations and all the functions in between, is a shared responsibility for all managers and employees (Kovacich & Halibozek, 2003). This responsibility includes diligence in the performance of duties under the duty of care (Reynolds, 2010). The reasonable person standard is used to determine if an individual has performed these responsibilities with the same level of diligence and care that a conscientious person would put forth.

The effectiveness and efficiency of security functions are improved when there is a single manager with primary responsibility for these functions (Kovacich & Halibozek, 2003). The security manager has both an operational and a strategic role in the business and must use a great deal of influence and collaboration to ensure cooperation on security matters throughout the organization (Kovacich & Halibozek, 2003). The security manager is usually supported by a dedicated organization whose personnel are specifically trained in security administration, physical security,
personnel security, operations security, and information security. The security manager is responsible for the establishment and management of the organization’s security program. These responsibilities include ensuring compliance with laws, regulations, and standards for corporate security. The security manager and supporting security personnel are also trained in risk management, fraud deterrence, internal investigations, contingency planning, disaster recovery, and crisis management.

The security functions of an organization include (Kovacich & Halibozek, 2003):
• protect against harm or loss
• detect attempts to cause harm or loss
• react to events causing harm or loss
• document incidents and responses
• prevent by planning and implementing security measures to prevent future incidents
• assist in ensuring compliance with laws and regulations

The protection of business functions which depend upon cyberspace and digital assets which can be accessed from cyberspace has become an increasingly important area of responsibility for security managers. A separate sub-specialty or functional area for security, Cybersecurity (Department of Homeland Security, 2017), has emerged as a result of this growing need.

Technical Functions

The technical functions of a business are those activities which directly or indirectly contribute to the conversion of inputs (raw materials and labor) into outputs (products and services which can be sold or otherwise converted into monetary value).
These functions include:
• business operations
• product development and production
• purchasing and logistics
• research and development

The security needs of each activity area vary by the types and sensitivity levels of the processes and information required by the activity and the degree to which each activity interacts with or relies upon the external environment. These activities require security protections that ensure the confidentiality, integrity, and availability of information (data) and services. Many of these activities also require auditing, monitoring, and control capabilities (security services) that provide for nonrepudiation of actions taken by both insiders and external actors.

E-Business/E-Commerce Infrastructure

E-business and e-commerce infrastructures are built from capabilities provided by the technical and commercial functions of a business. These infrastructures are then used to provide products and services that are either delivered in cyberspace or which are accessible from cyberspace (e.g. products ordered via an online ordering system). Special care must be taken to ensure that the data storage, processing, and transmission capabilities (see figure 2) within the e-business and e-commerce infrastructure protect the confidentiality, integrity, and availability of information and services.

Figure 3. E-Business/E-Commerce Infrastructure

References

Department of Homeland Security. (2017). Glossary.
Retrieved from https://niccs.us-cert.gov/glossary

Entrepreneur Staff. (2017a). Partnership. Retrieved from https://www.entrepreneur.com/encyclopedia/partnership

Entrepreneur Staff. (2017b). Sole proprietorship. Retrieved from https://www.entrepreneur.com/encyclopedia/sole-proprietorship

Investopedia. (2017). Corporation. Retrieved from http://www.investopedia.com/terms/i/incorporate.asp

ISACA. (2009). An introduction to the Business Model for Information Security. Retrieved from http://www.isaca.org/knowledge-center/research/documents/introduction-to-the-business-model-for-information-security_res_eng_0109.pdf

Kovacich, G. L., & Halibozek, E. P. (2003). The manager’s handbook for corporate security: Establishing and managing a successful assets protection program. Burlington, MA: Elsevier.

Reynolds, G. W. (2010). Ethics in information technology (3rd ed.). Boston, MA: Course Technology.

Svenson, A. L. (1961). Pioneers of management organization theory. Management International, 1(5/6), 115-130.

Tannenbaum, R. (1950). Managerial decision-making. The Journal of Business of the University of Chicago, 23(1), 22-39.

Business Horizons (2016) 59, 567–569
Available online at www.sciencedirect.com
ScienceDirect
www.elsevier.com/locate/bushor

GUEST EDITORS’ PERSPECTIVE

Cybersecurity in 2016: People, technology, and processes

Michael Parent a,*, Brian Cusack b,*
a Telfer School of Management, University of Ottawa, 55 Laurier Avenue East, Ottawa, ON K1N 6N5, Canada
b Auckland University of Technology, 55 Wellesley Street East, Auckland 1142, New Zealand

You have been, are being, or will be hacked. It’s that simple, that certain, and that daunting. For most organizations today, it’s no longer a matter of if, but when.
As James Comey, director of the Federal Bureau of Investigation (FBI), bluntly stated in a 60 Minutes interview in 2014: “There are two kinds of big companies in the United States. Those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” (Cook, 2014). According to the National Association of Corporate Directors (NACD), from 2014 to Q2 2015, companies reported over 2,429 data breaches affecting more than 1.25 billion records, at a hard (out-of-pocket) cost of over $150 per record. For individual firms, this typically means costs of $5.85 million for a single security incident (CompTIA, 2015; Owen & Bondi, 2016). And it is only going to get worse. The forthcoming, aptly-named Internet of Things (IoT) will see well over 10 billion internet-connected devices by 2020, more than the current number of computers, smartphones, tablets, and wearables combined (Adler, 2013), providing hackers with untold gateways into the world’s networks and databases. The Ponemon Institute reports that it takes an average of three months for financially vigilant firms to discover they have been hacked, an average of seven months for most organizations, and even years for others; meanwhile, it may take hackers just minutes to compromise a network (Kennedy, 2016; Osborne, 2015).

A compilation of some of the largest hacks in recent history attests to this. Following is a minuscule sample of the many large breaches (Dingman, Silcoff, & Greenspan, 2015):
• Target — December 2013: 110 million records
• TJX — January 2007: 94 million records
• JP Morgan — August 2014: 83 million records
• The Home Depot — September 2014: 56 million records

We are witnessing a new dawn in cybercrime: a layer cake, if you will, of criminals eagerly seeking out networks and data.

* Corresponding authors. E-mail addresses: michael.parent@telfer.uOttawa.ca (M. Parent), brian.cusack@aut.ac.nz (B. Cusack)
The bottom layer, in more ways than one, are the so-called script kiddies: hackers who troll the internet for attack scripts and then copy-paste them into attacks of their own. Not terribly sophisticated; but then again, a recent report calculated that over 652,000 distributed denial-of-service (DDoS) attacks occurred in a seven-day period (Graphic News, 2015). The next layer consists mainly of criminals, who have become increasingly enamored of ransomware: encrypting companies’ data and offering to sell back the decryption key at a high price (Dingman, 2016). Organized crime and terrorists occupy the next two tiers, using attacks to hide money-laundering activities or to gain valuable intelligence against people, places, and infrastructures. At the top of the cake are APTs: Advanced Persistent Threats, or sovereign hacking. According to Comey, most APTs come from two countries: the People’s Republic of China (PRC) and the Democratic People’s Republic of Korea (DPRK, or North Korea). In this case, the perpetrators are not looking for credit cards or personal information, but rather for patents, new drug discoveries, proprietary information, financial data (like forthcoming mergers or acquisitions), intellectual property, or even national secrets.

Any way you look at it, the news and prognoses are grim. Data breaches have paradoxically become commonplace crises and organizations are lagging in responding, adapting, and adopting protective measures. Reaction windows are now measured in minutes, not hours, much less days. As we like to say when briefing managers: “Hope is no longer a strategy.”

In soliciting articles for this issue, we sought to go beyond the conventional and beyond the dramatic.

0007-6813/$ – see front matter © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.bushor.2016.08.005
There seems to be a widespread culture of shared negative experiences surrounding cybersecurity. Contributing to alarmist discourses does little to reassure managers and even less to encourage constructive research. Our goal was to provide clear and cogent perspectives that might facilitate positive information exchanges.

If one thing is clear, it is that cybersecurity is more than just a technical issue. It involves unique alchemies between technologies, people, and processes, the latter in the form of overarching regulations and laws. As such, we have divided the articles into these three sections, starting with two articles on the most important element: people.

The first article, by Dang-Pham, Pittayachawan, and Bruno, considers how and when security advice is shared by employees. Research supports the efficacy of security-centric cultures. However, more often than not, managing security is seen as a top-down exercise, where a lack of compliance is met with disciplinary action. The authors analyze some of the underlying personal and structural causes impeding security cultures, asserting they are more circular than hierarchical, and offer some practical insights for both researchers and managers who wish to develop and sustain peer-managed security cultures in their organizations.

The role of Chief Information Security Officer, or CISO, is a recent creation in organizations. The second article, by Hooper and McKissack, outlines the responsibilities of this role, its place in the organization, and the type of leadership it demands if it is to succeed.

The technology subsection of the issue presents the next three articles, each dealing with different technological considerations related to security. Lutui’s article is our only piece on digital forensics and is eerily reminiscent of the FBI’s recent desire to unlock a domestic terrorist’s phone, the subject of court action against Apple Inc.
Lutui presents a forensic model that is both contemporary and concise. In doing so, he provides a sound overview of digital forensics for those who might not be familiar with the field. While the tool he presents is still in its infancy, it holds much promise for investigators as smartphones and smart devices proliferate.

The two other articles in this subsection, by co-editor Cusack and his colleague Ghazizadeh, and by Mills, Watson, Pitt, and Kietzmann, discuss the risks inherent in nascent technologies: the cloud and single sign-on failures for the former and the growing field of wearables for the latter. In both cases, we deal with security issues at the cutting edge of technology. However, the authors also make the point that while the technologies might be new and their imperatives different, the principles underlying sound security policies and practices still apply, now more than ever.

Finally, Crowley and Johnstone conclude the special issue section with an overview of the legal and technical issues surrounding data security. As they so aptly state, “nothing in cyberspace may be private.” The article explores the tension between privacy and disclosure using the recent Microsoft E-Mail and Apple iPhone cases. Crowley and Johnstone echo some of the points made by earlier authors in the subsections on people and technology. Although the Apple case has been resolved, it nevertheless allowed legislators, law enforcement authorities, privacy advocates, equipment manufacturers, and end-users to comment on and gain insight from each other.

With the vastness, visibility, and velocity of data breaches increasing exponentially, managers are left with a complex challenge that spans across the organization, not just their information technology (IT) divisions. Cybersecurity is a critical, cross-functional issue that affects everyone and every organization, directly and indirectly.
The six articles presented in this special issue, we believe, collectively merge the human, technological, and regulatory environments, offering intriguing insights and ideas for both research and practice as this discussion evolves.

References

Adler, E. (2013, December 7). Here’s why ‘the Internet of Things’ will be huge, and drive tremendous value for people and business. Business Insider. Retrieved May 1, 2016, from http://www.businessinsider.com/growth-in-the-internet-of-things-2013-10

CompTIA. (2015). Trends in Information Security. Retrieved May 10, 2016, from https://www.comptia.org/resources/trends-in-information-security-study

Cook, J. (2014, October 6). FBI Director: China has hacked every big US company. Business Insider. Retrieved May 15, 2016, from http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10

Dingman, S. (2016, May 20). Ransomware in real time: How hackers infiltrate secured systems. The Globe and Mail. Retrieved May 30, 2016, from http://www.theglobeandmail.com/technology/ransomware-in-real-time-how-hackers-infiltrate-secured-systems/article30111818/

Dingman, S., Silcoff, S., & Greenspan, R. (2015). Hacked: The escalating arms race against cybercrime. The Globe and Mail. Retrieved December 12, 2015, from http://www.theglobeandmail.com/report-on-business/hacked-the-escalating-arms-race-against-cybercrime/article21305464/?page=all

Graphic News. (2015, October 27). Cyber smokescreen to steal data. Graphic News. Retrieved from http://www.graphicnews.com/en/go/pages/33616/TECHNOLOGY_Destructive_cyber_assaults

Kennedy, J. (2016, April 25). Data breaches take minutes to happen, but weeks to discover. Silicon Republic. Retrieved May 16, 2016, from https://www.siliconrepublic.com/enterprise/verizon-data-breach-report-2016

Owen, D. R., & Bondi, B. J. (2016, March 16). Defending data – A director’s cybersecurity duty. NACD Directorship Boardroom Intelligence.
Retrieved May 1, 2016, from https://www.nacdonline.org/Magazine/Article.cfm?ItemNumber=25613

Osborne, C. (2015, May 19). Most companies take over six months to detect data breaches. ZDNet. Retrieved May 16, 2016, from http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/