CYB 200 H7854 2-3 Bryan Robertson PDF

Preview

Summary

In this case study assignment, we will continue to investigate the Fundamental Security Design Principles at work in a real-world scenario. Through the lens of
data protection, we will analyze the following principles:
 Least Privilege
 Layering (Defense in Depth)
 Fail-Sa...

Description

CYB 200 Module Two Case Study Template After reviewing the scenario in the Module Two Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps for each control recommendation: 1. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X. 2. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation. 3. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision. Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

Explain your Choices (1-2 sentences)

Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example)

X

C

I chose layering because it adds another layer of protection for the confidentiality of our data.

If possible, close and lock your office door when leaving your computer.

X

C

I chose layering because the locked door adds a layer of physical security, further protecting the confidentiality of our data.

I

I chose fail-safe because, by definition, we explicitly deny access based upon whether

Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets.

X

Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

Explain your Choices (1-2 sentences) the software is authorized or not.

Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges.

Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals.

X

X

C

I chose layering because the automated tools keep track of the administrative membership, ensuring that an already privileged group is not inadvertently manipulated.

I

I chose modularity because the management tools break down the larger task of systemwide coverage into an automated and more minor task because of the scheduled interval frequency.

Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

Explain your Choices (1-2 sentences)

Maintain an inventory of all sensitive information stored or transmitted by the organization's technology systems, including those located on site or at a remote location.

X

I

I chose layering because this is an additional control that helps track sensitive information locally and remotely.

Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices.

X

C

I chose layering because wholedisk encryption software is another series of checks and balances to ensure the system is secured from multiple angles of attack. Likewise, the encryption software is often accompanied by protection via numeric PIN upon boot.

C

I chose fail-safe because unless

If USB storage devices are required, software should be used that can

X

Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

configure systems to allow the use of specific devices.

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

Explain your Choices (1-2 sentences) the system is given direct access to grant the USB drive read/write access, access to the file system and its files should be blocked upon insertion. This type of operation is commonly seen in data loss and prevention (DLP) configurations.

X

C

I chose fail-safe because we are explicitly telling the system not to write data. By not allowing the write operation to external removable media, we further protect the

Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

Explain your Choices (1-2 sentences) confidentiality of our data.

If USB storage devices are required, all data stored on such devices must be encrypted.

Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need.

Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider.

X

X

X

C

I chose layering because wholedisk encryption software is another series of checks and balances to ensure the system is secured from multiple angles of attack.

I

I chose least privilege because we ensure that those who need access to the information are permitted and those who don’t need to know are blocked.

C

I chose layering because, on top of an already supplied

Control Recommendations

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Security Objective Alignment (CIA)

Explain your Choices (1-2 sentences) password, we are asking for something we have on top of something we know, further protecting the confidentiality of our data.

After you have completed the table above, respond to the following short questions: 1. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies. a. We can work with someone like Dr. Beard by arranging a sit-down session either with himself or someone who can duplicate the problem and address the issues accordingly. A lot of these grab the hammer and break the glass scenarios come from impatience, lack of understanding, or just flat-out refusal to cooperate. With instant rejection, we can share the financial costs incurred from the loss and illegal exposure of personal health information (PII). There is also the professional damage done to Beard through the potential loss of his license. 4. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-inmotion) and one of the control recommendations from your completed table in your response. a. Some technical controls can be put in place to help the hospital better secure its patient files. The data should be controlled in a consolidated software platform; access to that data needs protection via username, passwords, and MFA. Also, there need to be backups, audit logs of who is accessing the data and when. Lastly, there needs to be encryption of the data....