Identify, formulate, and solve technical and policy challenges

SoccerBoss
Category:
Programming
Price: $20 USD

Question description

Objective: Identify, formulate, and solve technical and policy challenges in an InfoSEC position.

Background: Dave Dandy, Owner of David’s Dandy Doohickies (D.D.D.) has noticed that several of the intranet servers are located in the system administrator’s cube and have been for 3 months. The servers include these servers: a web server that hosts the HR system; an internal email server that routes mail destined for the “outside” to the world facing server in the DMZ; and an internal only ftp server used to hold proprietary design information on the new lone of framastats that D.D.D is developing.

The current server room at D.D.D. has no locks, cameras, or access lists. In fact, it still resembles the warehouse that it is housed in, lacking even a rudimentary fire extinguisher system. While there is a tape backup process, labels consist of small notes taped to each backup tape. There is also no centralized log management; list of who has administrative rights on any of the servers in the server room or outside the administrator’s cube.

Instructions: Remember there are three types of controls: administrative, technical, and policy. You first need to identify all of the security issues with D.D.D. Divide the issues identified into the three control categories. Each issue may over lap the categories and often do. For each issue, identify a specific technique in that control category to mitigate the issue. This is most easily done with a matrix but there are certainly many other acceptable ways. 

You should seek controls that will provide the most security effectiveness for the money. That said, Dave will listen to reasonable proposals for spending his money.

Deliverables:

Submit a matrix or other suitable way of expressing the relationship between issue, type of control, and type of mitigation. Use proper citations when appropriate, so a reference page will also be required. Remember that security must be cost effective as well as effective so use wisdom when deciding to use a control or a mitigation technique.

While there are non-access control issues that you may include, the focus should be on those issues related to access control as we have discussed during this course.

Example Deliverable:

Note: this example may or may not follow the citation rules used by the school. You need to check the proper citation rules for yourself. 

An organization has decided to implement a stronger password management system. For this one issue, a matrix could look like this:

Issue

Administrative

Technical

Physical

Password security

Establish policy to require minimum length of 14 characters, mixed case and special characters (1997)

Enforce policy using PAM (2004).

Use OTP token to provide multi-factor RSA (2006)

Explanation of mitigation:

Pluggable Authentication Module (PAM) will allow verification and enforcement of more complex password rules than provided for in our current authentication system.

A One Time Password (OTP) token such as MyPw will allow inexpensive multi-factor authentication (www.MyPw.com).

References

(1997). "RFC-2196, Site Security Handbook." Request for Comments Retrieved February 8, 2005, from http://www.ietf.org/rfc/rfc2196.txt.

(2004) OATH Reference Architecture Release 1.0. Volume, DOI:

RSA (2006). Making the FFIEC Guidance Operational, Balancing Authentication Methods with Online Banking Risk, RSA.

Grading Criteria AssignmentsMaximum Points
Meets or exceeds established assignment criteria40
Demonstrates an understanding of lesson concepts20
Clearly presents well-reasoned ideas and concepts30
Uses proper mechanics, punctuation, sentence structure, spelling, APA Format10
Total100


Tutor Answer

(Top Tutor) Daniel C.
(997)
School: Rice University
PREMIUM TUTOR
Studypool has helped 1,244,100 students
Ask your homework questions. Receive quality answers!

Type your question here (or upload an image)

1825 tutors are online

Brown University





1271 Tutors

California Institute of Technology




2131 Tutors

Carnegie Mellon University




982 Tutors

Columbia University





1256 Tutors

Dartmouth University





2113 Tutors

Emory University





2279 Tutors

Harvard University





599 Tutors

Massachusetts Institute of Technology



2319 Tutors

New York University





1645 Tutors

Notre Dam University





1911 Tutors

Oklahoma University





2122 Tutors

Pennsylvania State University





932 Tutors

Princeton University





1211 Tutors

Stanford University





983 Tutors

University of California





1282 Tutors

Oxford University





123 Tutors

Yale University





2325 Tutors