
ITM 517 – IT Management

I need help with my homework please!

Module 1 – Case

Frameworks of Information Security Management

Assignment Overview

Security means to be protected from adversaries, from those who would do harm, intentionally or otherwise. The Committee on National Security Systems (CNSS) defines information security as the protection of information and its critical elements.

Availability enables users who need to access information to do so without interference or obstruction and to retrieve that information in the required format. 

Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.  

Utility is the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

Possession is the quality or state of having ownership or control of some object or item.  Information is said to be in one’s possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.



Case Assignment

Discuss the CNSS security model (the McCumber cube), which has one dimension consisting of the security goals of confidentiality, integrity, and availability; a second dimension consisting of the information states of processing, storage, and transmission; and a third dimension consisting of the safeguards of policy and procedures, technology, and education, training, and awareness.

Assignment Expectations

Use the CNSS security model to evaluate the protection of information for some organization, club, or class in which you are involved. Using the CNSS model, examine each of the component combinations and discuss how you would address them in your chosen organization. Present your results in a Word document, using a table to show the security model components and a discussion of how each combination will be addressed in the organization, club, or class that you selected.
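A small coverage check for the table the assignment asks for, added here as an example and not part of the course materials. It enumerates all 27 cells of the McCumber cube (goal x information state x safeguard), tags each control with the cells it addresses, and reports the cells that no control touches, which is the first thing a reviewer of such a table looks for. The axis labels are shortened to policy, technology, and education, and the controls for a hypothetical student club's shared drive are constructed sample data, not drawn from the readings.

```python
"""
McCumber cube coverage check: enumerate the 27 component combinations
(goal x information state x safeguard) and report which ones a set of
controls leaves unaddressed. Added example; the sample controls below are
constructed for a hypothetical student club's shared drive.
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
SAFEGUARDS = ("policy", "technology", "education")
AXES = {"goals": GOALS, "states": STATES, "safeguards": SAFEGUARDS}

# All 27 cells of the cube, in a fixed order for tabular output.
CELLS = tuple(product(GOALS, STATES, SAFEGUARDS))

# Constructed sample: each control names the cells it addresses on all three axes.
SAMPLE_CONTROLS = [
    {"name": "Acceptable-use policy",
     "goals": GOALS, "states": STATES, "safeguards": ("policy",)},
    {"name": "Full-disk encryption on member laptops",
     "goals": ("confidentiality",), "states": ("storage",), "safeguards": ("technology",)},
    {"name": "TLS-only access to the shared drive",
     "goals": ("confidentiality", "integrity"), "states": ("transmission",), "safeguards": ("technology",)},
    {"name": "Nightly off-site backups",
     "goals": ("availability",), "states": ("storage",), "safeguards": ("technology",)},
    {"name": "Phishing awareness briefing",
     "goals": ("confidentiality", "integrity"), "states": ("processing", "transmission"), "safeguards": ("education",)},
]


def expand(control):
    """Return the set of cube cells a control covers, rejecting unknown axis values."""
    for axis, allowed in AXES.items():
        bad = set(control[axis]) - set(allowed)
        if bad:
            raise ValueError(f"{control['name']}: unknown {axis} {sorted(bad)}")
    return set(product(control["goals"], control["states"], control["safeguards"]))


def coverage(controls):
    """Map every cell to the names of the controls that address it (empty list = gap)."""
    table = {cell: [] for cell in CELLS}
    for control in controls:
        for cell in expand(control):
            table[cell].append(control["name"])
    return table


def uncovered(controls):
    """Cells with no control at all, in cube order."""
    cov = coverage(controls)
    return [cell for cell in CELLS if not cov[cell]]


def render(controls):
    """Plain-text grid: one row per goal/state pair, one column per safeguard."""
    cov = coverage(controls)
    width = max(len(s) for s in SAFEGUARDS) + 2
    lines = ["goal/state".ljust(32) + "".join(s.ljust(width) for s in SAFEGUARDS)]
    for goal, state in product(GOALS, STATES):
        marks = "".join(
            ("x" if cov[(goal, state, s)] else "-").ljust(width) for s in SAFEGUARDS
        )
        lines.append(f"{goal}/{state}".ljust(32) + marks)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_CONTROLS))
    gaps = uncovered(SAMPLE_CONTROLS)
    print(f"\n{len(gaps)} of {len(CELLS)} cells have no control:")
    for goal, state, safeguard in gaps:
        print(f"  {goal} / {state} / {safeguard}")
```

Run as-is it prints the grid and the gap list for the sample controls; swap in the controls of your own organization to produce the table the assignment asks for. A blanket policy covers one column on paper but leaves the technology and education columns largely empty, which is the kind of imbalance the cube is meant to expose.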

You are required to make effective and appropriate use of in-text citations to the assigned readings and other source material to support your arguments. Please use the Trident APA 7 Guide for proper formatting and style.

Module 1 – Resources

Frameworks of Information Security Management

Required Reading

Blum, D. (2021). Rational Cybersecurity for Business: The Security Leaders' Guide to Business Alignment. Apress. Chapters 1–4.

Daswani, N., & Elbayadi, M. (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. Chapters 1–4.


Gupta, C. P., & Goyal, K. K. (2020). Cybersecurity: A Self-Teaching Introduction. Mercury Learning & Information. Chapters 1, 2, and 3.



McCumber Cube Model Framework

Optional Reading

Harris, S., & Maymi, F. (2018). CISSP All-in-One Exam Guide (8th ed.). McGraw-Hill. Chapter 1. Available under Skillsoft Books in the Trident Online Library.

Elmaghraby, A. S., & Losavio, M. M. (2014). Cyber security challenges in Smart Cities: Safety, security and privacy. Journal of Advanced Research, 5(4), 491–497. Available in the Trident Online Library.

Module Overview – Background Reading

In this module the foundation for understanding the broader field of information security is established by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security. The role of security in the Systems Development Life Cycle is also discussed, along with the roles of security professionals.

Information security in organizations and governments is a critical business capability that needs to be aligned with corporate strategy to identify security risks and implement effective controls to minimize those risks. The need for computer security began in the early days of computing with securing the physical location of the hardware from outside threats, which resulted in mainframes being locked away in the basements of corporate headquarters, where physical access required badges and keys. The primary threats in these early days were physical theft of equipment, espionage against the products of the systems, and sabotage. As the Internet evolved from its early days in the 1960s to our current state of always being connected in the Internet of Things, where millions of devices are Internet enabled, securing this interconnected data has become very complex.

The CNSS definition of information security, and the information dimensions on which the value of information depends (availability, accuracy, authenticity, confidentiality, integrity, utility, and possession), are given above under Assignment Overview.

To understand the importance of information security, it is necessary to briefly review the elements of an information system. An information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization. Software is the operating systems, applications, and assorted utilities of an information system. Hardware consists of the physical assets that run the applications that manipulate the data of an information system. As hardware has become more portable, the threat posed by hardware loss has become a more prominent problem.

The lifeblood of an organization is the information needed to strategically execute business opportunities, and the data processed by information systems are critical to today’s business strategy. People are often the weakest link in an information system, since they give the orders, design the systems, develop the systems, and ultimately use and game the systems that run today’s business world.

Procedures are the written instructions for accomplishing a task, which may include the use of technology or information systems. These are the rules that are supposed to be followed and the foundation for the technical controls that security systems must be designed to implement. Modern information processing systems are extremely complex and rely on many hundreds of connections, both internal and external.

Networks are the highway over which information systems pass data and users complete their tasks. The proper control over traffic in every network in an organization is vital to properly managing the information flow and security of that organization. 

In this discussion of information security, it is important to realize that it is impossible to obtain perfect security. Security is not an absolute; it is a process and not a goal. Security should be considered a balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats. Security begins as a grassroots effort when systems administrators attempt to improve the security of their systems. This is referred to as the bottom-up approach, which seldom works, as it lacks a number of critical features, such as participant support and organizational staying power. An alternative approach, which has a higher probability of success, is called the top-down approach, where the project is initiated by upper management who issue policy, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The top-down approach has strong upper-management support, a dedicated champion, dedicated funding, clear planning, and the opportunity to influence organizational culture. 

Information security must be managed in a manner similar to any other major system implemented in the organization. The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization, based on a structured sequence of procedures, that ensures a rigorous process and creates a comprehensive security posture.

The first phase, investigation, is where the objectives, constraints, and scope of the project are specified. A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate levels of cost an organization is willing to expend to obtain those benefits.  The feasibility analysis is performed to assess the economic, technical, and behavioral feasibilities of the process and to ensure that implementation is worth the organization’s time and effort.

The analysis phase begins with the information learned during the investigation phase and consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. In the logical design phase, the information gained from the analysis phase is used to begin creating a solution to the business problem. The next step is selecting applications capable of providing the needed services. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Then the specific technologies that will implement the physical solution are identified. At the end of the phase, another feasibility analysis is performed.

In the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.  After another feasibility analysis, the entire solution is presented to management for approval.

In the implementation phase, any needed software is created, components are ordered, received, and tested. Afterwards, users are trained and supporting documentation is created. Again, a feasibility analysis is prepared, and sponsors are presented with the system for a performance review and acceptance test.

The maintenance and change phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle. Even though formal development may conclude during this phase, the life cycle of the project continues until it is determined that the process should begin again from the investigation phase.

When the current system can no longer support the changed mission of the organization, the project is terminated and a new project is implemented.  With software assurance (SA) as a methodological approach, security is built into the development life cycle rather than addressed at later stages. 

NIST recommends that organizations incorporate the associated IT security steps into the SDLC for their development processes. It is imperative that information security be designed into a system from its inception, rather than added in during or after the implementation phase.

In this discussion, the key roles in the management of information security are described. The Chief Information Officer is the senior technology officer, although other titles such as vice president of information, VP of information technology, and VP of systems may also be used. The CIO is primarily responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The Chief Information Security Officer is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CISO may also be referred to as the manager for security, the security administrator, or a similar title. 

For information security project teams, many individuals are needed. The Champion is a senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization. The Team leader is a project manager, who may be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements. The Security policy developers are individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies. The Risk assessment specialists are individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used. The Security professionals are dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint. The Systems administrators are individuals whose primary responsibility is administering the systems that house the information used by the organization. The End users are those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Now we will discuss the roles of those who safeguard the data.  Data Owners are those responsible for the security and use of a particular set of information. Data owners usually determine the level of data classification associated with the data, as well as changes to that classification required by organizational change. The Data Custodians are those responsible for the storage, maintenance, and protection of the information. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner. The Data Users are end users who work with the information to perform their daily jobs supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role. 

Security as Art means that there are no hard and fast rules regulating the installation of various security mechanisms, nor are there many universally accepted complete solutions. While there are many security manuals to support individual systems, once these systems are interconnected, there is no magic user’s manual for the security of the entire system. This is especially true with the complex levels of interaction between users, policy, and technology controls.  Security is also a science where we are dealing with technology developed by computer scientists and engineers designed to operate at rigorous levels of performance. Even with the complexity of the technology, most scientists would agree that specific scientific conditions cause virtually all actions that occur in computer systems. Almost every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software. Social science examines the behavior of individuals as they interact with systems, whether societal systems or, in our case, information systems. End users who need the very information the security personnel are trying to protect may be the weakest link in the security chain. If security administrators understand some of the behavioral aspects of organizational science and change management, then security administrators can greatly reduce the levels of risk caused by end users, and they can create more acceptable and supportable security profiles.

