Topic:Security models
Subject:Accounting
Volume: 15 pages
Type; Other
Format: APA
Description
project 1
Project 1: Security Models is a two week project where you will present the importance of security models in organizations and agencies along with the identification of vulnerabilities.
Scene 1
You have just taken a position as the chief information security officer at your organization. John Williams, the chief technology officer and your new boss, stops at your office door. “I know you’re busy, but I’d like you to come by my office when you get a chance.”
Excited about the prospect of something new, you grab a pen and paper and walk to John’s office.
Scene 2
John says, “Thanks for coming over so quickly. I’ll get right to the point. As the CISO, I’m sure that you’re aware of the recent Office of Personnel Management breach, and the impact that this has had on our industry.
John continues, “I’m sure that you also realize the heavy burden on our department to protect our organization’s assets and information. I would like to make sure that a similar situation doesn’t happen here. My first step toward preventive measures is to develop new policies and procedures that better protect our data.”
John sits at his desk and begins typing while he says, “That brings me to why I asked you here. While I begin my review of current policies and procedures, I would like you to help me by drafting a custom security plan that best fits our organization.”
John continues, “You should start by analyzing our security weaknesses, or vulnerabilities, then continue with reviewing existing security models and analyzing which attributes are best suited for our organization.
“You will look at the pros and cons of each model, which attributes are best suited for us, and the reasoning behind your conclusions. You will need to submit your completed report to me with a drafted security plan in two weeks.”
As a new employee, you realize that this is a great opportunity to show your new boss how you can make a positive contribution to your organization.
You know you have enough time to complete your analysis if you start right away.
Extra info:
Most companies and agencies implement security models to protect the confidentiality, integrity, and availability (CIA) of information and data. As security vulnerabilities and threats continue to evolve, security systems need to adapt to effectively protect data and systems. In this project, you will evaluate existing security models and their attributes and ultimately recommend a custom security plan to your assigned organization. You will also evaluate the pros and cons of implementing particular model attributes based on the type of organization and employees in relation to CIA. Upon completion of this project, you will have written a report on the importance of security models in organizations like yours and identified the vulnerabilities of your organization. This is the first of four sequential projects. There are 14 steps in this project. Begin by reviewing the project scenario, then proceed to Step 1.
Step 1: Review Assigned Organization
All four projects for this course will be completed from the vantage point of a specific industry and an organization assigned to you by the instructor. Familiarize yourself with the organization your instructor has assigned to you by reviewing the organization description. The descriptions include an overview and key information about the organization, as well as information about a breach or attempted breach. For the purposes of this course, you will assume this organization is your employer. You may wish to briefly research your assigned organization to gather additional information about the organization and its security posture.
Step 2: Cybersecurity Background Summary (3 pages)
In Step 1, you familiarized yourself with your assigned organization. Now it is time to write a cybersecurity overview. Write a three-page background summary that includes a general overview of cybersecurity and a section on enterprise cybersecurity.
Please include the following items in your general overview of cybersecurity:
•Compare and contrast cybersecurity and computer security.
•Discuss Data flows across networks. (Review Bits and Bytes, Non-Textual Data, Evolution of Communication systems, Computer Networks, Network Devices & Cables and Network Protocols if you do not already have a working understanding of these topics.)
•Discuss basic cybersecurity concepts and vulnerabilities, including flaws that can exist in software. (Review Systems Software, Application Software, Software Interaction and Programming if you do not already have a working understanding of these topics.)
•Discuss common cybersecurity attacks. (Review A Closer Look at the Web and Web Markup Language if you do not already have a working understanding of these topics.)
•Discuss penetration testing.
•Discuss how to employ Network forensic analysis tools (NFAT) to identify software communications vulnerabilities.
Please include the following items in your enterprise cybersecurity section:
•List and discuss the major concepts of enterprise cybersecurity.
•Discuss the principles that underlie the development of an enterprise cybersecurity policy framework and implementation plan.
•List the major types of cybersecurity threats that a modern enterprise might face.
You will attach this cybersecurity background summary to your security assessment in Step 5.
Submit the cybersecurity background summary for feedback.
Step 3: Analyze Weaknesses
After writing the cybersecurity background summary in Step 2, you are ready to analyze the security weaknesses of your assigned organization. When analyzing cybersecurity weaknesses, there are several areas to consider.
Analyze the organization’s security from the following perspectives:
1.a technology perspective
2.a people perspective
3.a policy perspective
You will include this information in your security assessment in Step 5.
Step 4: Risk Summary
Next, identify areas that should be improved or strengthened, including potential risks associated with maintaining the current security posture. Discuss how you would employ network analysis tools to identify software communications vulnerabilities. Make sure to include the following information:
1. Classify risks according to relevant criteria.
2. Explain system and application security threats and vulnerabilities.
3. Prioritize risks from internal and external sources.
4. Assess the cybersecurity threats faced by your entity.
You will include this information in your security assessment in Step 5.
Step 5: Security Weakness Assessment (two pages)
From the information that you gathered in Steps 2, 3, and 4, develop a two-page summary of your organization’s security weaknesses. Identify threats, risks, and vulnerabilities to achieve a holistic view of risk across the entity.
Consider areas that should be improved from a technology perspective, a people perspective, and a policy perspective. Also note potential risks associated with maintaining the current security posture. You will reference this security assessment later when you make your business case and final recommendation.
Submit your security assessment for feedback.
Step 6: Security Models Summary
Confidentiality, integrity, and availability (CIA triad) as well as authentication and nonrepudiation are fundamental security concepts that must be considered when assessing and developing security options. Cybersecurity models have been developed to address some or all of these security concepts. While these models were generally created to address a specific business case, each of the models has attributes that could be used to assemble a custom security plan. In order to draft a custom security plan for your organization, you will need to understand basic security models. You will identify key features, weaknesses, and targeted sectors and/or infrastructures. In this step and in Step 7, you will develop a short summary for each of the security models listed. These reports will serve as an Appendix A to your final memo and will document the security models and their attributes in advance of the memo that you will deliver with your recommended approach.
Each summary should include a descriptive and evaluative paragraph on the following attributes: Include the origins of the model (who developed it, when was it developed, and the context under which it was developed), main characteristics of the model (details on the business, sector, industry for whom the model was developed), and key features of the model. Write summaries for the following models:
•Bell-LaPadula
•Biba’s Strict Integrity Policy
•Clark-Wilson
•Chinese Wall
When you have completed these summaries, continue to Step 7, where you’ll write a summary for the next four security models.
Step 7: Continuation of the Security Models Summary
Continue summarizing the various Cybersecurity models, as in Step 6. Again, identify key features, weaknesses, and targeted sectors/infrastructures and develop a short summary for each of the security models listed below. These reports will be added to Appendix A for your final memo and will document the security models and their attributes in advance of the memo that you will deliver with your recommended approach.
Each summary should include a descriptive and evaluative paragraph on the following attributes: Include the origins of the model (who developed it, when was it developed, and the context under which it was developed), main characteristics of the model (details on the business, sector, industry for whom the model was developed), and key features of the model. Write summaries for the following models:
•Clinical Information Systems Security
•Noninterference Security
•Deducibility Security
•Graham-Denning
When you have finished Steps 6 and 7, submit Appendix A for feedback.
Step 8: Security Model Analysis
Now that you are familiar with existing common security models, analyze each of the security models that you reviewed in Steps 6 and 7 and their attributes against the needs of your organization as identified in Steps 2, 3, and 4. The information that you gather here will contribute to your security plan.
Step 9: Identify Relevant Model Features
Next, identify features from the models included in Steps 6 and 7 that apply to your assigned organization’s security needs. Also include any security attributes that you believe are important for your organization but are not included in any of the models. The information that you gather here, along with the information gathered in Step 8, will contribute to your security plan.
Step 10: Design a Custom Security Plan
Having completed an assessment of your organization’s security posture and the analysis of security models, you will now design a custom security plan for your organization. Your custom security plan should meet the following criteria:
•The security plan should coincide with your organization’s IT vision, mission, and goals.
•Include an information security program that aligns with business strategy.
•Incorporate all internal and external business functions within the organization’s security programs.
•Classify risks according to relevant criteria.
•Prioritize threats from both internal and external sources.
•Rank the most relevant security attributes for your organization and list them in priority order. This list will serve as Appendix B to your final assignment.
Submit Appendix B for feedback.
Step 11: Develop a Business Case for Your Organization
With your new security plan written, you will need to develop a business case for it to include in the memo to the CTO. Using your knowledge of your organization’s security posture from Step 1 and your understanding of applicable security model features, make the case for changes to your organization. Include the rationale for change and any impacts to the business. Also include an implementation plan. Describe the present situation in your organization and the associated risks assumed given the security weaknesses. The work you do in this step will become the first of three sections of the three-page memo in Step 14.
Step 12: Identify Security Model Attributes
Next, detail the security model attributes that best apply to your organization. Identify the model, if any, from which the attributes are derived and why the attribute applies to your organization. The work you do in this step will become the second section of the memo in Step 14.
Step 13: Assess Security Improvement Potential
Finally, give your best judgment on the potential to improve the security posture of your organization when your recommendations are implemented. You will need to evaluate the pros and cons of implementation in relation to CIA. Discuss the risks and impacts to include a high-level assessment of financials. Consider how business continuity and continued alignment will be maintained. The work you do in this step will become the third section of the memo in Step 14.
Step 14: Develop a Security Plan Recommendation Memorandum
Compile the analyses completed in Steps 11, 12, and 13 into a memorandum from you to your supervisor. This memo should be three pages, excluding Appendices A and B, and should clearly articulate the business case for adopting features from the reviewed security models. It should include the following:
•a description of the security model attributes
•an assessment of the weaknesses in your organization that the security features will address
•your rationale for selecting the specific security attributes and your prognosis of success, noting risks and impacts to include a high-level assessment of financials
•the policies and procedures that will need to be in place for the security plan to work
•the infrastructure that will need to be in place for the security program to operate and to align with each entity within the organization
•a plan for evaluating the security plan’s effectiveness
Update the appendices according to the feedback received. Submit the memorandum along with Appendices A and B.
a. Cybersecurity Background Summary (3pages)
b. Security Weakness Assessment (2pages)
– Appendix A: Security Models
– Step6: short summary for each of the security models listed. (2 pages)
Bell-LaPadula
•Biba’s Strict Integrity Policy
•Clark-Wilson
•Chinese Wall
– Step7: short summary for each of the security models listed below (2 pages)
•Clinical Information Systems Security
•Noninterference Security
•Deducibility Security
•Graham-Denning
c. Appendix B: Custom Security Plan: Starts at step 8 to 10
Step 10 custom security plan should be 3 pages
d. Security Plan Recommendation Memorandum
Step 11: Develop a Business Case for Your Organization (3pages)
F. Step 12: Identify Security Model Attributes If any 1 page)
g. Step 13: Assess Security Improvement Potential
refer to paper.