Project 1: Global Economic Summit
Your team has been given the responsibility of conducting a baseline analysis for establishing a secure communications network for your assigned organization at the summit. The risk assessment process for a baseline analysis requires a multidisciplinary examination of the internal and external cyber environments.
The graded assignment for Project 1 is a Cybersecurity Policy and Baseline Analysis Report, which should be a minimum of 20 pages. There are 16 steps in this project, and it should take about 17 days to complete. This project is longer in duration than others in the course because some of the work you will complete also lays the foundation for work to be completed in Projects 2, 3, and 4. Begin with Step 1, where you will complete preparatory exercises designed to familiarize you with the tools and processes to be used throughout the project.
Professionals in the Field
New Cybersecurity Team Assignment!
Follow this scenario about setting up and maintaining a secure communications network.
Competencies
Your work will be evaluated using the competencies listed below.
- 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
- 4.1: Lead and/or participate in a diverse group to accomplish projects and assignments.
- 4.3: Contribute to team projects, assignments, or organizational goals as an engaged member of a team.
- 6.1: Knowledge of methods and procedures to protect information systems and data by ensuring their availability, authentication, confidentiality, and integrity.
- 7.2: Evaluate international cybersecurity policy.
Step 7: Compare International Security Policies
Now that you and the team members have viewed the conference material submission from all the countries, add a column to the policy matrix for each country represented in the conference. In this column, you and the other members of your team will compare each of their policies to those of your country.
In your comparison, be sure to address the following policy aspects of their submissions:
- security engineering policies
- identity and access management policy
- data acquisition, preservation, analysis, and transfer
If one or more of the other countries lack a specific policy addressing any of these issues, note that in your updated report.
Take Action
Submit your assignment to your instructor for review and feedback.
Follow these steps to access the assignment:
- Click My Tools in the top navigation bar.
- Click Assignments.
- Select the relevant assignment.
In the next step, you will work on a checklist for network security.
Learning Topic
Security and Risk Management
All organizations possess numerous assets, including facilities, hardware, software, and information. It is critical, therefore, that these organizations define and implement appropriate policies and procedures to protect assets as part of a security management approach. And once all assets are identified, organizations must ensure to the greatest degree possible that the vulnerabilities of each asset have been identified in order to define a risk management strategy to protect their confidentiality, integrity, and availability. Confidentiality ensures information is only accessible by those who require the access to that information. Integrity ensures the accuracy of information. Availability ensures the information is accessible when needed.
Organizations use various tools to manage their security and risk profiles. These tools include data classification (e.g., confidential, proprietary, private), risk assessment approaches, and risk analysis, enabling organizations to both categorize their assets and identify threats and vulnerabilities. Once identified, the organizations can then select appropriate security measures and controls to protect their assets and mitigate risks. Security controls take many forms and include management controls (e.g., policies, guidelines, procedures), operational and physical controls (e.g., policy execution, education and training, facility protection), and technical controls (e.g., access control, identification, authorization).
As organizations establish their security management strategies, in addition to the focus areas, they must also consider their information security governance approach, how they will either acquire or develop systems and/or services, their approach to addressing cybersecurity threats through risk management, the certification and accreditation of their systems, and their security assessment strategies. In doing so, they will develop documentation including new standards, policies and procedures, and documents such as system security plans (SSPs), risk mitigation plans, and system security authorization agreements (SSAAs).
How do cyber risk management and compliance work? A risk is a threat that has some likelihood of occurring, exploiting a vulnerability and resulting in some negative impact or loss to the organization. If an organization can proactively identify a potential threat or cybersecurity vulnerability, it can put countermeasures, or safeguards, in place to mitigate that risk. Effective risk management implementation includes a risk assessment to identify, analyze, and prioritize the risks, and risk control, including risk management planning, risk monitoring, and risk resolution. Risks can be associated with a variety of organizational assets including, but not limited to, hardware, software, data/information, people, and facilities. A thorough risk assessment must consider organizational assets and their vulnerabilities, determine the likelihood of the risk occurrence, and quantify the potential impact in order to establish an effective risk management plan. This process must be revisited regularly to ensure the organization’s security posture remains as effective as possible.
Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.
Acceptable Use Policy
Business Continuity Plan
Confidentiality, Integrity, and Availability
Cyber Czar
Cybercrime
Cybersecurity Cultural Issues
Cybersecurity Economic Issues
Cybersecurity International Policy
Cybersecurity Laws, Regulations, Policies, Standards, and Guidelines
Cybersecurity Standards Organizations
Cyberspace Policy Review
Cyberterrorism
Digital Rights Management
FISMA
General Compliance
Global Cybersecurity Threats
Gramm-Leach-Bliley Act (GLBA)
Hackers and Actors
Industry Compliance
Information Resource Valuation
Insider Threats
International Cybersecurity Approaches
International Cybersecurity Legal Issues
Internet Governance
Internet Use Policy
Intrusion Motives/Hacker Psychology
Legal Compliance
Risk Management Cost Benefit Analysis
Risk Management Framework
Writing Case Reports
References
Ouyang, A. (n.d.). Information security governance & risk management domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-1-ISRM_files/1-InfoSec+Risk_Mgmt.pdf
Learning Topic
Asset Security
Asset security, or ensuring the security of assets, is critical to the success and longevity of any organization. In order to protect these assets, organizations must first determine how they will be categorizing information types (e.g., proprietary, sensitive, confidential) based on who should have access and who should be denied access to it.
Within information systems, this type of access or denial of access is managed through access control. For example, system owners can grant or deny access to data, programs, and applications using something called permissions. File permissions can be granted to individual users or groups; examples of these permissions include “create,” “read,” “edit,” and “delete.” Users can either be granted or denied permission to execute a specific computer program. They can be granted or denied permissions to retrieve or update information in a database.
The goal of any access control strategy is to protect information assets from unauthorized access; management must be able to specify resources to which users should have access, be able to specify what actions users can perform, and be able to individually account for user actions. In addition to the use of file permissions to protect data, other strategies such as user authentication, multifactor authentication, access control lists, and firewalls can ensure data is protected from unauthorized access, and technologies like cryptography and encryption can assist in protecting both data at rest and data in transit.
There are two key implementation principles related to access control: least privilege and separation of duties. Least privilege ensures users only have access to resources at the level required to perform their assigned job functions. Separation of duties ensures a process is designed so that multiple people must each perform part of it for it to be completed. The environment in which access control is enforced includes not only information systems but also physical facilities, support systems critical to the infrastructure (e.g., HVAC, water), and personnel. Securing these other assets requires resources such as physical barriers, security guards, monitoring systems, badge systems, locks, and gates.
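The following audit sketch is an added example, not part of the course material. It resolves each user's effective permissions from individual and group grants, then reports least-privilege excess and separation-of-duties conflicts; every user, group, permission name, and the three-step change process are constructed for illustration.

```python
# Constructed sample data: none of these names come from the course page.
GROUP_GRANTS = {
    "net-ops": {"firewall:read", "firewall:edit"},
    "change-board": {"change:approve"},
}
USER_GRANTS = {
    "dana": {"change:request"},
    "eli": {"change:request", "change:deploy"},
    "fay": {"logs:read", "logs:delete"},
}
MEMBERSHIP = {
    "dana": {"net-ops"},
    "eli": {"net-ops", "change-board"},
    "fay": set(),
}
# Permissions each person's job function actually requires (assumed baseline).
JOB_NEEDS = {
    "dana": {"change:request", "firewall:read", "firewall:edit"},
    "eli": {"change:request", "change:deploy", "firewall:read", "firewall:edit"},
    "fay": {"logs:read"},
}
# Steps of one process that no single person should be able to complete alone.
CHANGE_PROCESS = ("change:request", "change:approve", "change:deploy")


def effective_permissions(user):
    """Union of the user's direct grants and everything inherited from groups."""
    perms = set(USER_GRANTS.get(user, set()))
    for group in MEMBERSHIP.get(user, set()):
        perms |= GROUP_GRANTS.get(group, set())
    return perms


def least_privilege_findings():
    """Map each user to the permissions held beyond what the job requires."""
    findings = {}
    for user in USER_GRANTS:
        excess = effective_permissions(user) - JOB_NEEDS.get(user, set())
        if excess:
            findings[user] = sorted(excess)
    return findings


def separation_of_duties_findings(process=CHANGE_PROCESS):
    """List users who hold every step of the process on their own."""
    required = set(process)
    return sorted(u for u in USER_GRANTS if required <= effective_permissions(u))


if __name__ == "__main__":
    print("Excess permissions:", least_privilege_findings())
    print("Can complete the change process alone:", separation_of_duties_findings())
```

The conflict for `eli` only appears after group membership is resolved, which is why the audit works on effective permissions rather than on direct grants.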
Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.
Anonymity
Categorizing Information Types
Confidentiality, Integrity, and Availability
Data Backup Strategies
Data Loss Prevention
Digital Rights Management
Exfiltration
File Protection
Information Resource Valuation
Intellectual Property – Cybersecurity
References
Ouyang, A. (n.d.). Access control domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-8-AC_files/8-Access_Control.pdf
Learning Topic
Communications and Network Security
Organizations depend on their network infrastructure to securely transmit data flows across networks—local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), internets, intranets, extranets—both internally and externally to other entities. These security structures must ensure the integrity, availability, and confidentiality of organizations’ information. Whether they use analog or digital methods of data network communication or synchronous or asynchronous modes of communication, network structures must employ strategies for both detecting and mitigating the risk of network attacks.
The seven-layer Open Systems Interconnection (OSI) reference model, considered the “foundation of communication networks,” provides the base for the development of the five-layer TCP/IP Protocol architecture, which is widely used to provide these protections to data in motion.
Both wired (e.g., twisted pair, coaxial cable, fiber optic) and wireless (e.g., microwave, spread-spectrum, 3G, Bluetooth) solutions must be supported. Network devices (e.g., switches, routers, modems, gateways, firewalls) must be securely configured. Secure communications accomplished through routing protocols must be implemented. And technical countermeasures, such as intrusion detection and prevention (IDS/IPS) systems, must be put in place to protect against cyberattacks (e.g., denial-of-service attacks (DoS), distributed denial-of-service attacks, MAC flooding) and cyberterrorism.
Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.
Ad-Hoc Wireless Network
Attacks to Enterprise Networks
Auditing and Logging of Changes
Botnets
Bring Your Own Device (BYOD)
Broadband
Cloud Computing
Communication Interfaces
Cross-Site Scripting (XSS/CSRF) Flaws
Cyber-Physical Systems (CPS)
Data in Motion
Data in Transit Vulnerabilities
Distributed Computing
Enclave Boundary Defense
Enclave/Computing Environment
Form Factors of Smart Devices and Other Wireless Technologies
Frequency Hopping
Honeypots
Internet of Things (IoT)
Internet Packets
IP Address Schemes
IP Spoofing and Packet Sniffing
IPv6
LAN Security
Man-in-the-Middle Attacks
Mobile Architectures
Mobile Platform
Open and Closed Networks
Overview of Cellular Networks
PCI Standards DSS 12 Requirements
SQL PL/SQL, XML and Other Injections
Untrusted Network
References
Jha, A. (n.d.). Networking: OSI reference model [Blog post]. Used under the Creative Commons Attribution 4.0 International license. Retrieved from http://cyberlingo.blogspot.com/2016/09/networking-osi-reference-model.html
Jha, A. (n.d.). TCP/IP model [Blog post]. Used under the Creative Commons Attribution 4.0 International license. Retrieved from http://cyberlingo.blogspot.com/2016/09/tcpip-model.html
Ouyang, A. (n.d.). Telecommunications & network security domain — part 1. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-3-TNS_files/3-Telecom+Network-Part1.pdf
Learning Topic
Security Engineering
Security engineering focuses on the engineering and management of security. This includes software development security, asymmetric- and symmetric-key cryptography, physical (environmental) security, and security architectures and design.
Organizations developing custom software solutions must ensure that the code is secure and doesn’t contain any security “holes” that could be exploited, leaving the software user vulnerable to manipulation or malicious attacks.
Cryptography uses mathematical algorithms and transformations to ensure data integrity, confidentiality, and authentication. It is used in the implementation of the public-key infrastructure (PKI), secure web protocols (e.g., HTTPS, SSH), single sign-on solutions, and secure e-mail transmission. It is also used in the implementation of digital certificates and digital signatures, providing nonrepudiation, or proof of the integrity and origin of data, resulting in credible authentication.
Cryptography uses encryption, the conversion of plaintext into ciphertext (scrambled data), to keep data unreadable as it travels from sender to receiver; the message is then decrypted, converting the ciphertext back to plaintext, on the recipient’s end. While there are obvious benefits to using cryptography, cryptographic attacks do occur. It is important for organizations to continually revisit their security posture to ensure potential vulnerabilities have been identified so the risk of attack can be mitigated.
In addition to protecting data transmissions, organizations also strive to control access to their proprietary assets. Digital rights management (DRM) provides this type of access control by restricting use of proprietary or copyrighted assets as well as systems within devices that enforce DRM policies.
Security engineering also requires consideration of physical, or environmental, security. When considering physical security, threats that may occur include natural or environmental threats such as storms, floods, or fires and man-made or political events such as explosions, espionage, sabotage, and unauthorized access. There are numerous references containing best practices and lessons learned for physical security; organizations should review those resources prior to implementing physical security controls.
Furthermore, site security and design should be performed strategically, using crime prevention through environmental design to take advantage of the facility location, construction, and management. For example, the facility location and construction may provide natural surveillance; that is, there may be architectural design features of the facility that maximize the visibility of people, parking areas, and building entrances. These natural features should be incorporated into the site security design strategy. Facility features down to the heating, cooling, and lighting systems must be considered in the site security planning and design since each of these may have potential vulnerabilities that could affect the mission and operations of the organization.
Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.
Additive Cipher
Block Ciphers
Challenges With Mobile Technology
Ciphers
Cybersecurity Models
Distributed Computing
EMP Attack
Enclave/Computing Environment
Encryption
Error Handling and Information Leakage
File Protection
File System
Firewalls
Hardware-Based Acquisition
Hash Functions
Hash Set Analysis
Insecure Handling
Intrusion Detection and Prevention (IDS/IPS) Systems
iOS Encryption
Keys
Linux Vulnerabilities
Management of Mobile Device Risks
Mobile Device Vulnerabilities
Mobile Platform Security
Mobile Protocols and Security
Multiple Independent Levels of Security (MILS)
Untrusted Network
XOR Cipher
References
Ouyang, A. (n.d.). Cryptography domain — part 1. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-5-C_files/5-Cryptography-Part1.pdf
Ouyang, A. (n.d.). Cryptography domain — part 2. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-5-C_files/5-Cryptography-Part2.pdf
Ouyang, A. (n.d.). Physical (environmental) security domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-6-PS_files/6-Physical_Security.pdf
Learning Topic
Identity and Access Management
Organizations must have the ability to grant, deny, and revoke access to data and give users the permissions to perform actions on data within their systems. Access controls (access control concepts), the collection of mechanisms that help protect information assets from unauthorized access, ensure organizations can specify who can have access to resources and what operations they can perform on the data. In addition, authentication of who is performing the actions is critical to providing accountability for any manipulation or modification of organizations’ information.
Access controls are not only required for information systems but also for facilities, support systems (e.g., HVAC, water), and personnel. These four access control environments are susceptible to numerous threats. Computing threats include denial-of-service (DoS) attacks, malicious code, and software defects. Physical threats may include unauthorized physical access, and personnel threats could include disgruntled or careless employees.
Some organizations will use discretionary access control (DAC) where the information owner determines the access capabilities of a user, while others will use mandatory access control (MAC) where a system user’s access capabilities are predetermined by the security classification of the user and the sensitivity of the information. This access is often managed using an access control matrix that documents the access relations between the users and the organizational resources.
Access control lists (ACLs) are the most common implementation of DAC and are implemented using access control matrices with access permissions, but there are many other access control models organizations may choose to implement: role-based access control (RBAC), Biba, Clark-Wilson, Bell-LaPadula. Regardless of the access control methodology selected, organizations should assess and evaluate their access control posture by performing routine vulnerability assessments, making adjustments to prevent unauthorized access to their assets.
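The sketch below is an added example, not part of the course material. It models an access control matrix, derives an ACL as one column of it, and contrasts an owner-controlled DAC grant with a Bell-LaPadula style MAC check; the subjects, the object, and the three sensitivity labels are constructed assumptions.

```python
# Added illustration: an access control matrix with a DAC grant path and a
# Bell-LaPadula style MAC check. All names and labels are constructed.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # assumed label ordering


class AccessMatrix:
    """Rows are subjects, columns are objects, cells hold sets of rights."""

    def __init__(self):
        self.owner = {}   # object -> owning subject
        self.cells = {}   # (subject, object) -> set of rights

    def create(self, subject, obj):
        self.owner[obj] = subject
        self.cells[(subject, obj)] = {"read", "write"}

    def grant(self, grantor, subject, obj, right):
        # DAC: the information owner decides who else gets access.
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.cells.setdefault((subject, obj), set()).add(right)

    def revoke(self, grantor, subject, obj, right):
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.cells.get((subject, obj), set()).discard(right)

    def acl(self, obj):
        # An ACL is one column of the matrix: every subject's rights on obj.
        return {s: sorted(r) for (s, o), r in self.cells.items() if o == obj and r}

    def dac_allows(self, subject, obj, right):
        return right in self.cells.get((subject, obj), set())


def mac_allows(clearance, classification, right):
    """Bell-LaPadula: no read up, no write down; the owner cannot override it."""
    subject_level, object_level = LEVELS[clearance], LEVELS[classification]
    if right == "read":
        return subject_level >= object_level
    if right == "write":
        return subject_level <= object_level
    return False


def build_sample():
    """Constructed scenario: alice owns a secret document and shares it with bob."""
    matrix = AccessMatrix()
    matrix.create("alice", "summit_agenda")
    matrix.grant("alice", "bob", "summit_agenda", "read")
    clearance = {"alice": "secret", "bob": "confidential"}
    classification = {"summit_agenda": "secret"}
    return matrix, clearance, classification


if __name__ == "__main__":
    matrix, clearance, classification = build_sample()
    print("ACL:", matrix.acl("summit_agenda"))
    for user in ("alice", "bob"):
        dac = matrix.dac_allows(user, "summit_agenda", "read")
        mac = mac_allows(clearance[user], classification["summit_agenda"], "read")
        print(f"{user} read: DAC={dac} MAC={mac}")
```

In the sample, the owner's grant gives bob read access under DAC, while the MAC check refuses the same request because bob's clearance is below the document's classification.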
Click on each of the following links for topics related to the Certified Information Systems Security Personnel (CISSP) Common Body of Knowledge to help you better understand the subject area.
Authorization
Cloud Computing
Common Access Card (CAC)
Email Activity
Exfiltration
Insider Threats
Security of Wireless Access Points
References
Ouyang, A. (n.d.). Access control domain. In CISSP common body of knowledge review. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported license. Retrieved from http://opensecuritytraining.info/CISSP-8-AC_files/8-Access_Control.pdf