43060Please make it 18 slides powerpoint
Project 2
Scene 1
On your computer monitor, you read the meeting topic: “HR Data Access.” You think, “This might be a
tricky one.”
You remember a discussion with John, the CTO, about conflict caused by the sharing of information
between two departments. Grabbing your laptop, you head to the meeting.
Scene 2
In the conference room, John is already waiting. He says, “We will be joined by the VP of HR and the
managers of the Payroll and Training departments. Our focus will be on access to data that is housed in
the HR database.”
The door opens and the other three attendees walk in.
Amy Jones, the vice president of HR, begins: “The database that we use contains all employee data
ranging from payroll and benefits information to training and performance results. The issue that we are
facing, and that I hope you can help us alleviate, is that all departments within Human Resources have
full access to all of the data within the database.
“Recently, it was brought to my attention that the training department has access to payroll data.”
The two managers glance at one another.
John says, “I believe we can come up with a solution. As a matter of fact, this could be an opportunity to
also evaluate the risk level that the HR database has from outside threats.”
John turns to you: “I would like you to prepare a presentation for HR management.
“In this presentation, you will suggest how we might limit access to specific types of data and protect
vulnerable data from outside threats. Since we will be presenting to non-technical managers, you will
need to explain the difference between authentication, authorization, and access control in plain
language. The presentation will be scheduled in three weeks.”
After the meeting, you realize that while you might understand the problems of data access, other
employees may not be aware of the issues involving information access in an organization. Your
presentation will have to be understood by employees who do not have an information technology
background.
Transcript
Organizations have two concerns surrounding access to data: They must limit access to data from outside the organization as well as control which people have access to what data within the organization. In this project, you will explain to management the difference between authentication, authorization, and access control and suggest how to keep outsiders from getting in and keep insiders from getting data they shouldn’t. During this project, you will research the various models for authentication, authorization, and access control. You will also be able to communicate the recommended solution to a nontechnical audience. This is the second of four sequential projects. There are 12 steps in this project. Begin by reviewing the project scenario, then proceed to Step 1.
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
5.3: Support policy decisions with the application of specific cybersecurity technologies and standards.
6.2: Create an information security program and strategy, and maintain alignment of the two.
6.3: Integrate the human aspect of cybersecurity into an organization’s cybersecurity policy.
9.3: Assess policies, processes, and technologies that are used to create a balanced approach to identifying and assessing risks and to manage mitigation strategies that achieve the security needed.
Step 1: Explore the Basics of Authentication
In order to build a presentation with the most current information available, you will gather information by reaching out to a group of your peers working in various industries. In the next three steps, you will prepare background information for this discussion. You’ll need to have a basic understanding of authentication. Define authentication and identify the core principles and key tenets of authentication as listed below. (Review Computer Networks, Network Devices & Cables and Network Protocols if you do not already have a working understanding of these topics.)
Identify the ways in which someone can be authenticated (e.g., userids, passwords).
Describe how authentication has evolved over time and identify stressors that have resulted in changes to authentication.
Identify the different types of authentication (e.g., layered or two-factor), compare and contrast their attributes, and give examples of each.
Compare and contrast single-factor and multi-factor authentication.
Step 2: Explore the Basics of Authorization
Another topic you’ll need to be prepared to discuss is authorization. Define authorization and differentiate it from authentication (how are they similar, how are they different?). You will use the notes compiled in this step in your upcoming peer discussion. Complete each of the items listed below.
Define authorization and identify examples of authorization schemes.
Determine how access policies are used to express authorization rulesets. Identify key principles of access policies.
Identify the challenges that can arise when policies are used to maintain authorization rules. Identify solutions to mitigate these challenges.
Step 3: Explore the Basics of Access Control
One last topic to prepare for the upcoming discussion is access control: Define access control, then differentiate between access control, authentication, and authorization. You will use the notes compiled in this step in your upcoming peer discussion. You should describe the different access control models and how they are used, including, but not limited to, the list below. (Review Systems Software, Application Software, Software Interaction and Programming if you do not already have a working understanding of these topics.)
RBAC—Role-Based Access Control
MAC—Mandatory Access Control
ABAC—Attribute-Based Access Control
IBAC—Identity-Based Access Control
Step 4: Social Psychology Report
In Step 3, you explored the basics of access control and common models of implementing it. Your next task in preparing for your discussion with your peers is to consider the impact that human factors, such as ethics, legal issues, and psychology have on cybersecurity. To synthesize your research on these factors, you will write a report on the psychological aspects of cybersecurity. This report will be used to formulate your recommendations in Step 10 and be included as an appendix to your final presentation in Step 12.
In your report, do the following:
Explore the typical intrusion motives / hacker psychology. Classify the types of hackers and actors and give an example of a potential incident.
Define a cybersecurity policy as it relates to employees and employment. For example, how would an organization apply a security policy to employees and employment in relation to network-related programming or other cyber-related positions?
Define the separation of duties policy and give an example.
Define redundancy and diversity and explain how they relate to cybersecurity access control. Give an example of a policy integrating the concepts of redundancy and diversity to reduce risk.
Summarize how the implementation of the access control mechanisms mentioned in this section may have a positive or negative consequence on employee productivity.
Submit your report for feedback.
Submission for Social Psychology Report
Step 5: Privacy Awareness Report
Following your report on the impact of social psychology on cybersecurity, you will compose a report on privacy (Privacy – definition) awareness and the implications on cybersecurity policy to further prepare for the discussion with your peers. This report will be used to formulate your recommendations in Step 10 and be included as an appendix to your final presentation in Step 12.
In your report, complete the following:
Define ECPA and explain how it affects cybersecurity today. Give an example of how it might come into play at your organization today. Suggest how policy at your organization could support ECPA compliance.
Define FISA and explain how it affects cybersecurity today. Give an example of how it might come into play at your organization today. Suggest how policy at your organization could support FISA compliance.
Identify any other privacy law that may impact your assigned organization. Give a brief summary of what the law does, how it impacts your organization, and how policy could support compliance.
Submit your report for feedback.
Step 6: Anonymity Report
To go along with your reports on the impact of social psychology on cybersecurity in Step 4 and the impact of privacy awareness on cybersecurity policy in Step 5, you will now report on the implication anonymity (Anonymity – definition) has on cybersecurity by giving a brief one-paragraph summary on the following items. Each summary should include a definition, and explanation of how the term relates to your organization, and an explanation of how you will integrate it into your policy recommendations. This report will be used to formulate your recommendations in Step 10 and be included as an appendix to your final presentation in Step 12. (Review Introduction to the Internet, The World Wide Web, A Closer Look at the Web, Web Markup Language and Web and Internet Services if you do not already have a working understanding of these topics.)
Pseudonymity (Pseudonymity – definition)
ip spoofing (IP spoofing & packet sniffing at the network layer)
simple mail transfer protocol (SMTP) servers
web filters
types of encryption
remailersStep 7: SIMTRAY Training
In Step 6, you explored and reported on the human aspects of cybersecurity. Chief Information Security Officers frequently make security decisions in high-pressure environments and deal with diverse individuals who may violate certain standards of behavior and ethics. In this step, complete a simulated training exercise to practice making common decisions to resolve issues ranging from hacker attacks to privacy awareness.
Complete the Human Aspects in Cybersecurity Simtray Training and advise your instructor once it is complete.
Step 8: Assess Authentication, Authorization, and Access Control
Now that you have explored authentication, authorization, and access control in Steps 1, 2, and 3 and completed the simtray training in Step 7, you will direct your attention to the specific issues of your assigned organization. Identify particular issues that your organization has had, currently has, or could potentially have in terms of authentication, authorization, and access control. Next, assess the potential effectiveness of the access control models from Step 3 for your organization and scenario. Document your assessment, as you will refer to this information throughout this project.
Step 9: Research Industry Best Practices
In Steps 1, 2, and 3, you gathered information regarding authentication, authorization, and access control and had an opportunity to apply these concepts through training in Step 7. In Step 8, you thought about how to apply this knowledge to your own organization. In Steps 4, 5, and 6 you wrote reports on how psychology, anonymity, and privacy awareness impact cybersecurity. You are finally ready to meet with your peers in the industry to get a sense of current practices.
Your peer discussion can take various shapes. Research online articles and/or interview colleagues, friends, and acquaintances in different fields to gather the most current information of what various industries are doing to face their cybersecurity needs. The information and ideas that you obtain here will help you to formulate a recommendation and develop a job aid for the human resources (HR) managers that John requested. You will need to at least cover the items in the list below.
Give examples of authentication, authorization, and access control that you have seen in your experience, in your assigned organization, and/or in your research and interviews.
Discuss what worked well and what could be improved.
Discuss the role of policy in defining and implementing authorization schemes as applied to your experience.
Apply key points and principles in the NIST Cybersecurity framework for virtual machine cybersecurity.
Analyze the technologies, uses, and roles of information assurance and software protection technologies.
Prioritize current cybertechnological threats faced at the enterprise, national, and international levels.
Evaluate the procedures, policies, and guidelines used to protect the Confidentiality, integrity, and availability of information (CIA triad).
Use the information gathered here to assist in formulating your recommendations in Step 10.
Step 10: Formulate Recommendations
From the information that you have gathered throughout this project, formulate a recommendation for authentication, authorization, and access control. If you determine that your organization needs no changes in these areas, explain your position and what your leadership (and you, as CISO) will continue to monitor to ensure that your security standards are commensurate with expectations. Make sure that you consider the needs of restricting data from department to department as appropriate, protecting the organization’s HR data from outside and inside threats in general and allowing for employees to access the data they need while offsite. Also consider the human aspects of cybersecurity from Steps 4, 5, 6, and 7. Include a recommendation for an ongoing risk management strategy. You will include your recommendations in your Implementation Guidance Presentation in Step 12.
Your recommendation must meet the following criteria:
coincide with IT vision, mission, and goals
align with business strategy
incorporate all internal and external business functions
create the organizational structure to operate the recommendation and align with the entities as a whole
Step 11: Develop a Job Aid
Now that you have formulated your recommendation for authentication, authorization, and access control in Step 10, you are ready to begin developing a job aid that the HR managers can take to their departments after the presentation. This job aid will empower the HR managers to educate their staff on the topics of authentication, authorization, and access control in a simple and effective way to improve the security of their systems. The job aid will be distributed after the presentation.
Develop a short (two-to-three page) job aid which explains the differences between authentication, authorization, and access control using common-sense examples to help the reader understand the differences and the importance of each in protecting the organization’s information. The job aid should address all of the items listed below.
Define—in layman’s terms—authorization, authentication, and access control, and the relationships between them.
Identify and articulate examples that are easy to comprehend and that would resonate with your company’s leadership.
Describe the importance of authorization, authentication, and access control to the overall security of your organization. Use details of your company’s products/services and the need to protect them to emphasize the need for strong controls.
Submit the job aid for feedback.
Step 12: Implementation Guidance Presentation
In response to the request from the CTO and VP of HR, you will develop a presentation for HR management which discusses how to limit access to specific types of data and protect vulnerable data from outside threats. You will explain the lineage of data, data ownership, and data-access related authentication, authorization, and access control. You will also take this opportunity to educate on the basic principles of data/network access control and to advocate for stronger access controls. You will develop an 18-20 slide presentation that clearly explains the principles of authentication, authorization, and access control, examines various models, and recommends a strategy for your organization. You will use the information that you have gathered in Steps 1 through 9. Make sure to include the following:
Describe authentication, authorization, and access control as an important security concept.
Evaluate the different models and examples of authentication, authorization, and access control.
Make the case for changes to your organization’s authentication, authorization, and access control policies/systems.
Present the recommended strategy.
Discuss how you will evaluate the effectiveness of the security program.
Submit the presentation.
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
5.3: Support policy decisions with the application of specific cybersecurity technologies and standards.
6.2: Create an information security program and strategy, and maintain alignment of the two.
6.3: Integrate the human aspect of cybersecurity into an organization’s cybersecurity policy.
9.3: Assess policies, processes, and technologies that are used to create a balanced approach to identifying and assessing risks and to manage mitigation strategies that achieve the security needed.
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.