
ITM 517 – IT Management

I need help with my homework please!

Module 1 – Case

Frameworks of Information Security Management

Assignment Overview

Security means to be protected from adversaries, from those who would do harm, intentionally or otherwise. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements.

Availability enables users who need to access information to do so without interference or obstruction and to retrieve that information in the required format. 

Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.  

Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession is the quality or state of having ownership or control of some object or item.  Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.


Module 1 Video

Case Assignment

Discuss the CNSS security model, which has a dimension consisting of the components of confidentiality, integrity, and availability; a second dimension with the components of processing, storage, and transmission; and a third dimension dealing with the components of policy and procedures, technology and education training, and awareness. 

Assignment Expectations

Use the CNSS security model to evaluate the protection of information for some organization, club, or class in which you are involved. Using the CNSS model, examine each of the component combinations and discuss how you would address them in your chosen organization.  Present your results in a word document using a table to show the security module components and a discussion of how these will be addressed in the organization, club, or class that you selected to discuss.
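As an added illustration (not part of the course material or the assignment text), the following Python script enumerates the 27 cells of the CNSS model described in the Case Assignment (three goals, three information states, three countermeasure categories) and reports which cells a draft control set leaves unaddressed. The student club, its controls, and all function names are constructed for this example; the point is that a coverage check over the full cross product surfaces the gaps a hand-written table tends to hide.

```python
"""Enumerate the 27 cells of the CNSS (McCumber cube) security model and
check which cells an organization's draft control set leaves unaddressed.
Added example; the club and its controls below are constructed."""
from itertools import product

# The three dimensions named in the assignment text.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
COUNTERMEASURES = ("policy and procedures", "technology",
                   "education, training and awareness")


def cube_cells():
    """All (goal, state, countermeasure) combinations: 3 x 3 x 3 = 27 cells."""
    return list(product(GOALS, STATES, COUNTERMEASURES))


def validate_cell(cell):
    """Reject a control keyed to a value outside the model's vocabulary,
    so a typo such as 'secrecy' cannot silently create a 28th cell."""
    if len(cell) != 3:
        raise ValueError(f"cell must have three components, got {cell!r}")
    goal, state, measure = cell
    if goal not in GOALS or state not in STATES or measure not in COUNTERMEASURES:
        raise ValueError(f"{cell!r} is not a CNSS cube cell")
    return cell


def uncovered_cells(controls):
    """Return the cells for which `controls` lists no control, in cube order."""
    covered = {validate_cell(c) for c, items in controls.items() if items}
    return [cell for cell in cube_cells() if cell not in covered]


def coverage_ratio(controls):
    """Fraction of the 27 cells that have at least one control."""
    return 1 - len(uncovered_cells(controls)) / len(cube_cells())


def as_table(controls):
    """Render a 9-row table (goal x state) with one column per countermeasure,
    marking empty cells as '(gap)' so they stand out in the write-up."""
    header = "| Goal | State | " + " | ".join(COUNTERMEASURES) + " |"
    sep = "|" + "---|" * (2 + len(COUNTERMEASURES))
    rows = [header, sep]
    for goal in GOALS:
        for state in STATES:
            cells = []
            for measure in COUNTERMEASURES:
                items = controls.get((goal, state, measure), [])
                cells.append("; ".join(items) if items else "(gap)")
            rows.append(f"| {goal} | {state} | " + " | ".join(cells) + " |")
    return "\n".join(rows)


# Constructed sample: a partial control set for a hypothetical student club
# that keeps a member roster on a shared laptop and circulates it to officers.
SAMPLE_CONTROLS = {
    ("confidentiality", "storage", "technology"):
        ["full-disk encryption on the club laptop"],
    ("confidentiality", "storage", "policy and procedures"):
        ["roster access limited to elected officers"],
    ("confidentiality", "transmission", "technology"):
        ["roster shared through an access-controlled drive, not email attachments"],
    ("integrity", "storage", "technology"):
        ["versioned backups of the roster"],
    ("integrity", "processing", "policy and procedures"):
        ["two officers review every membership edit"],
    ("availability", "storage", "technology"):
        ["weekly backup copy kept at a second location"],
    ("availability", "processing", "education, training and awareness"):
        ["officers practice restoring the roster from backup each term"],
}

if __name__ == "__main__":
    print(as_table(SAMPLE_CONTROLS))
    gaps = uncovered_cells(SAMPLE_CONTROLS)
    print(f"{len(gaps)} of {len(cube_cells())} cells have no control "
          f"(coverage {coverage_ratio(SAMPLE_CONTROLS):.0%})")
```

Running the script prints the nine-row table and then reports that 20 of the 27 cells are still gaps; filling the remaining cells, or recording a reasoned decision to accept the risk in a cell, is exactly the discussion the assignment asks for.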

You are required to make effective and appropriate use of in-text citations to the assigned readings and other source material to support your arguments. Please use the Trident APA 7 Guide for proper formatting and style.

Module 1 – Resources

Frameworks of Information Security Management

Required Reading

Blum, D. (2021). Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment. Apress. Chapters 1–4.

Elbayad, M. (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. Chapters 1–4.

Finding Skillsoft Books

Gupta, C. P., & Goyal, K. K. (2020). Cybersecurity: A self-teaching introduction. Mercury Learning & Information. Chapters 1, 2, and 3.

Finding Skillsoft Books

McCumber Cube Model Framework

Optional Reading

Harris, S., & Maymi, F. (2018). CISSP all-in-one exam guide, seventh edition, 8th edition (7th ed.) McGraw-Hill, Chapter 1. Available under Skillsoft Books in the Trident Online Library.

Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research, 5(4), 491–497. Available in the Trident Online Library.

Module Overview – Background Reading

In this module, the foundation for understanding the broader field of information security is established by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security. The role of security in the Systems Development Life Cycle is also discussed, along with the roles of security professionals.

Information security in organizations and governments is a critical business capability that must be aligned with corporate strategy to identify security risks and implement effective controls to minimize those risks. The need for computer security began in the early days of computing with securing the physical location of the hardware from outside threats: mainframes were locked away in the basements of corporate headquarters, where physical access required badges and keys. The primary threats in these early days were physical theft of equipment, espionage against the products of the systems, and sabotage. As the Internet evolved from its early days in the 1960s to our current state of always being connected in the Internet of Things, where millions of devices are Internet enabled, security of this interconnected data has become very complex.


To understand the importance of information security, it is necessary to briefly review the elements of an information system. An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. Software is the operating systems, applications, and assorted utilities of an information system. Hardware consists of the physical assets that run the applications that manipulate the data of an information system. As hardware has become more portable, the threat posed by hardware loss has become a more prominent problem.

The lifeblood of an organization is the information needed to strategically execute business opportunities, and the data processed by information systems are critical to today’s business strategy. People are often the weakest link in an information system, since they give the orders, design the systems, develop the systems, and ultimately use and game the systems that run today’s business world.

Procedures are the written instructions for accomplishing a task, which may include the use of technology or information systems. These are the rules that are supposed to be followed and the foundation for the technical controls that security systems must be designed to implement. Modern information processing systems are extremely complex and rely on many hundreds of connections, both internal and external.

Networks are the highway over which information systems pass data and users complete their tasks. The proper control over traffic in every network in an organization is vital to properly managing the information flow and security of that organization. 

In this discussion of information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process and not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.

Security begins as a grassroots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach, which seldom works, as it lacks a number of critical features, such as participant support and organizational staying power. An alternative approach, which has a higher probability of success, is called the top-down approach, where the project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The top-down approach has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture.

Information security must be managed in a manner similar to any other major system implemented in the organization. The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization, based on a structured sequence of procedures to ensure a rigorous process and to create a comprehensive security posture.

The first phase, investigation, is where the objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits.  The feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.

The analysis phase builds on the information learned during the investigation phase and consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. The next step is selecting applications capable of providing needed services based on the business need. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Then specific technologies are selected to implement the physical solution. In the end, another feasibility analysis is performed.

In the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.  After another feasibility analysis, the entire solution is presented to management for approval.

In the implementation phase, any needed software is created, components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again, a feasibility analysis is prepared, and sponsors are presented with the system for a performance review and acceptance test.

The maintenance and change phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase.

When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.  With software assurance (SA) as a methodological approach, security is built into the development life cycle rather than addressed at later stages. 

NIST recommends that organizations incorporate the associated IT security steps into the SDLC for their development processes. It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase.

In this discussion, the key roles in the management of information security are described. The Chief Information Officer is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The Chief Information Security Officer is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title. 

For information security project teams, many individuals are needed. The Champion is a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization. The Team leader is a project manager, who may be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements. The Security policy developers are individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies. The Risk assessment specialists are individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used. The Security professionals are dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint. The Systems administrators are individuals whose primary responsibility is administering the systems that house the information used by the organization. The End users are those whom the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Now we will discuss the roles of those who safeguard the data.  Data Owners are those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change. The Data Custodians are those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. The Data Users are end users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role. 

Security as Art means that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many security manuals to support individual systems, once these systems are interconnected, there is no magic user's manual for the security of the entire system. This is especially true with the complex levels of interaction between users, policy, and technology controls.

Security is also a science, where we are dealing with technology developed by computer scientists and engineers designed to operate at rigorous levels of performance. Even with the complexity of the technology, most scientists would agree that specific scientific conditions cause virtually all actions that occur in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software.

Social science examines the behavior of individuals as they interact with systems, whether societal systems or, in our case, information systems. End users who need the very information the security personnel are trying to protect may be the weakest link in the security chain. If security administrators understand some of the behavioral aspects of organizational science and change management, then they can greatly reduce the levels of risk caused by end users, and they can create more acceptable and supportable security profiles.
