
ITM 517 – IT Management

I need help with my homework please!

Module 1 – Case

Frameworks of Information Security Management

Assignment Overview

Security means to be protected from adversaries, from those who would do harm, intentionally or otherwise. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements.

Availability enables users who need to access information to do so without interference or obstruction and to retrieve that information in the required format. 

Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.  

Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession is the quality or state of having ownership or control of some object or item.  Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.



Case Assignment

Discuss the CNSS security model, which has a first dimension consisting of the components of confidentiality, integrity, and availability; a second dimension with the components of processing, storage, and transmission; and a third dimension consisting of policy and procedures, technology, and education, training, and awareness.

Assignment Expectations

Use the CNSS security model to evaluate the protection of information for some organization, club, or class in which you are involved. Using the CNSS model, examine each of the component combinations and discuss how you would address them in your chosen organization. Present your results in a Word document, using a table to show the security model components and a discussion of how each will be addressed in the organization, club, or class that you selected.
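The three dimensions above cross to give 27 combinations, and the assignment asks you to address every one of them. The following script is an added example, not part of the course page: it enumerates the 27 cells, takes a constructed control inventory for a hypothetical student club that keeps its member roster in a shared spreadsheet, and reports which cells have no control yet, in the row layout the table deliverable wants.

```python
"""Enumerate the 27 cells of the CNSS (McCumber cube) model and find gaps.

Added example, not part of the course page. The control inventory below is
constructed for a hypothetical student club whose member roster lives in a
shared spreadsheet; the dimension labels are the ones from the assignment.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("policy", "technology", "education")

# Constructed sample: each control lists the (goal, state, safeguard)
# cells it addresses. A real organization would take this from its own
# control catalogue rather than from a hand-written dictionary.
SAMPLE_CONTROLS = {
    "Roster access limited to officers (sharing settings)":
        [("confidentiality", "storage", "technology")],
    "Written policy: roster is never forwarded by email":
        [("confidentiality", "transmission", "policy")],
    "Nightly export of roster to a second account":
        [("availability", "storage", "technology")],
    "Version history enabled on the spreadsheet":
        [("integrity", "storage", "technology")],
    "Officer onboarding briefing on handling member data":
        [(g, s, "education") for g in GOALS for s in STATES],
    "HTTPS-only sharing links":
        [("confidentiality", "transmission", "technology"),
         ("integrity", "transmission", "technology")],
}


def all_cells():
    """All 27 (goal, state, safeguard) combinations of the model."""
    return list(product(GOALS, STATES, SAFEGUARDS))


def coverage(controls):
    """Map every cell to the list of controls that address it."""
    cover = {cell: [] for cell in all_cells()}
    for name, cells in controls.items():
        for cell in cells:
            if cell not in cover:
                raise ValueError(f"{name!r}: {cell} is not a valid cell")
            cover[cell].append(name)
    return cover


def uncovered(controls):
    """Cells with no control at all: the gaps still to be addressed."""
    return [cell for cell, names in coverage(controls).items() if not names]


def as_table(controls):
    """One row per cell: goal | state | safeguard | controls."""
    rows = ["goal | state | safeguard | controls"]
    for cell, names in coverage(controls).items():
        rows.append(" | ".join(cell) + " | " + ("; ".join(names) or "(none)"))
    return "\n".join(rows)


if __name__ == "__main__":
    print(as_table(SAMPLE_CONTROLS))
    print(f"\n{len(uncovered(SAMPLE_CONTROLS))} of 27 cells have no control")
```

Swap in your own organization's controls and the uncovered list becomes the set of rows your discussion still has to fill.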

You are required to make effective and appropriate use of in-text citations to the assigned readings and other source material to support your arguments. Please use the Trident APA 7 Guide for proper formatting and style.

Module 1 – Resources

Frameworks of Information Security Management

Required Reading

Blum, D. (2021). Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment. Apress. Chapters 1–4.

Elbayad, M. (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. Chapters 1–4.

Gupta, C. P., & Goyal, K. K. (2020). Cybersecurity: A Self-Teaching Introduction. Mercury Learning & Information. Chapters 1, 2, and 3.

McCumber Cube Model Framework

Optional Reading

Harris, S., & Maymi, F. (2018). CISSP all-in-one exam guide, seventh edition, 8th edition (7th ed.). McGraw-Hill. Chapter 1. Available under Skillsoft Books in the Trident Online Library.

Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research, 5(4), 491–497. Available in the Trident Online Library.

Module Overview – Background Reading

In this module the foundation for understanding the broader field of information security is established by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security. The role of security in the Systems Development Life Cycle is also discussed, along with the roles of security professionals.

Information security in organizations and governments is a critical business capability that needs to be aligned with corporate strategy to identify security risks and implement effective controls to minimize those risks. The need for computer security began in the early days of computing, with securing the physical location of the hardware from outside threats: mainframes were locked away in the basements of corporate headquarters, and physical access to those locations required badges and keys. The primary threats in these early days were physical theft of equipment, espionage against the products of the systems, and sabotage. As the Internet evolved from its early days in the 1960s to our current state of always being connected in the Internet of Things, where millions of devices are Internet enabled, security of this interconnected data has become very complex.

The value of information depends on the information dimensions defined in the Assignment Overview above: availability, accuracy, authenticity, confidentiality, integrity, utility, and possession.

To understand the importance of information security, it is necessary to briefly review the elements of an information system. An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. Software is the operating systems, applications, and assorted utilities of an information system. Hardware consists of the physical assets that run the applications that manipulate the data of an information system. As hardware has become more portable, the threat posed by hardware loss has become a more prominent problem.

The lifeblood of an organization is the information needed to strategically execute business opportunities, and the data processed by information systems are critical to today’s business strategy. People are often the weakest link in an information system, since they give the orders, design the systems, develop the systems, and ultimately use and game the systems that run today’s business world.

Procedures are the written instructions for accomplishing a task, which may include the use of technology or information systems. These are the rules that are supposed to be followed and the foundation for the technical controls that security systems must be designed to implement. Modern information processing systems are extremely complex and rely on many hundreds of connections, both internal and external.

Networks are the highway over which information systems pass data and users complete their tasks. The proper control over traffic in every network in an organization is vital to properly managing the information flow and security of that organization. 

In this discussion of information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process and not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats. Security begins as a grassroots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach, which seldom works, as it lacks a number of critical features, such as participant support and organizational staying power. An alternative approach, which has a higher probability of success, is called the top-down approach, where the project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The top-down approach has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture. 

Information security must be managed in a manner similar to any other major system implemented in the organization. The SDLC is a methodology for the design and implementation of an information system in an organization, based on a structured sequence of procedures, to ensure a rigorous process and to create a comprehensive security posture.

The first phase, investigation, is where the objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits.  The feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.

The analysis phase builds on the information learned during the investigation phase and consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. The next step is selecting applications capable of providing the needed services based on the business need. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Then specific technologies are selected to implement the physical solution. In the end, another feasibility analysis is performed.

In the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.  After another feasibility analysis, the entire solution is presented to management for approval.

In the implementation phase, any needed software is created, components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again, a feasibility analysis is prepared, and sponsors are presented with the system for a performance review and acceptance test.

The maintenance and change phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase.

When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.  With software assurance (SA) as a methodological approach, security is built into the development life cycle rather than addressed at later stages. 

NIST recommends that organizations incorporate the associated IT security steps into the SDLC for their development processes. It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase.

In this discussion, the key roles in the management of information security are described. The Chief Information Officer is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The Chief Information Security Officer is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title. 

Information security project teams need many individuals. The champion is a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization. The team leader is a project manager, who may be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements. The security policy developers are individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies. The risk assessment specialists are individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used. The security professionals are dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint. The systems administrators are individuals whose primary responsibility is administering the systems that house the information used by the organization. The end users are those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on the application of realistic controls, applied in ways that do not disrupt the essential business activities they seek to safeguard.

Now we will discuss the roles of those who safeguard the data.  Data Owners are those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change. The Data Custodians are those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. The Data Users are end users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role. 

Security as Art means that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many security manuals to support individual systems, once these systems are interconnected, there is no magic user’s manual for the security of the entire system. This is especially true with the complex levels of interaction between users, policy, and technology controls.  Security is also a science where we are dealing with technology developed by computer scientists and engineers designed to operate at rigorous levels of performance. Even with the complexity of the technology, most scientists would agree that specific scientific conditions cause virtually all actions that occur in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software. Social science examines the behavior of individuals as they interact with systems, whether societal systems or, in our case, information systems. End users who need the very information the security personnel are trying to protect may be the weakest link in the security chain. If security administrators understand some of the behavioral aspects of organizational science and change management, then security administrators can greatly reduce the levels of risk caused by end users, and they can create more acceptable and supportable security profiles.
