IT Examples and Topics

Project

Develop an automated and instant all-in-one support software that is compatible with multiple Microsoft Components

Student’s name

Professor’s name

Course title

Date

Abstract

The report aims to provide a comprehensive overview of ‘Support Software’ being developed to facilitate user support services for the regular users of Microsoft components. The ‘Support Software’ will be an integrated, all-in-one support solution that will be capable of providing instant, customized and rapid troubleshooting for various Microsoft Components including Microsoft Access, Microsoft Publisher, Microsoft Project, and Microsoft Vision. It will be aimed to enhance customer support service for regular users of Microsoft. The report provides a detailed financial analysis, feasibility and contingency analysis, methodology, targeted deliverables and goals of the project.

Project Overview

Project Scope

Our project “All-In-One Support Software For Microsoft Components” aims to provide integrated and instant support for a revolutionary user experience. For this purpose, we request our honorable sponsor, Adam Schulz, Head Finance Department, Microsoft, to review our project scope and limitations to better facilitate the successful development of our project.

The project is completed in four phases: Planning, Design, Trial Implementation, and Feedback/Assessment. Once successfully accomplished, the project membership is granted to interested users, both individual and company-based. Phase 1 focused on planning the trial implementation of the software during its assessment period and planning to generate feasible feedback. Phase 2 involved designing the assessment and feedback methodology. Phase 3 focused on successful deployment of the software at the targeted location for trial and assessment purposes. Phase 4 ensured that the users of the software will be assessed for their experiences and recommendations once the trial period is over.

Each of these phases is specifically focused and completed by modularly focusing on sub-components. The modularization of the project helped in focusing on the specific problems that were identified in the Problem Statement and addressing them in the most optimized manner. Furthermore, modularization also helped in enhancing the performance efficiency of our team.

When planning and scheduling the project, we ensured its completion on time. However, the unscheduled Audit of the project delayed the completion by one week. It must be understood that this Audit is inevitable and beneficial for the project in the long term. It helped us in reassessing our performance and resource utilization efficiency. The Audit is conducted right after we finished Phase 3. Therefore, our Phase 4 had to be rescheduled. But we used our team’s rapid decision-making skills to re-plan and re-schedule Phase 4 tasks while Phase 3 is being conducted. This helped us stay focused and determined to successfully complete our project.

Tentative Results

Our project “All-In-One Support Software For Microsoft Components” aims to provide integrated and instant support for a revolutionary user experience. The project is scheduled to be completed in 2020.

The goal of the project is to develop an automated and instant all-in-one support software that is compatible with multiple Microsoft Components such as Microsoft Access, Microsoft Publisher, Microsoft Project, and Microsoft Vision. It is aimed at enhancing customer support service for regular users of Microsoft. The project is successfully completed, as shown by Phase 4, i.e., the Assessment/Feedback phase. Over 85% of the participants and users showed their satisfaction and provided positive feedback for the developed application.

The developed application will successfully address the user support issues being faced by the users. Now the users are able to get rapid, customized and integrated support without any hassle. The successful implementation of the project will also be demonstrated to Microsoft Inc. We got very encouraging support from the viewers and stakeholders.

The application is expected to generate significant revenue from membership within the first month of its formal release. The stakeholders have assessed the ROI and current income generation rate, and they are very hopeful for its future success and tendencies. According to our future market assessments, the application is promising. With continuous upgrades and improvements, we can generate some major annual revenue on a consistent basis.

Overall, it is a very successful development lifecycle for the innovative project. The support of sponsors and stakeholders kept us determined and focused on our goals.

Restraints, Limitations and Assumptions

Phase 3 of our project focuses on Implementation of the Project within the test environment for further assessment, feedback and improvements. It is expected that the implementation of the project would be completed successfully and we can swiftly move on to the next phase. However, there is an unforeseen, but important event that delayed the start-up for Phase 4 of the project.

Right in the middle of this phase an unscheduled audit took place as per the demands of our company. This audit for the project delayed the project by one week. While this is an unscheduled audit, it is necessary to ensure quality and success of the project. Therefore, it is inevitable. The audit is conducted in order to assess modular efficiency, accuracy of financial investments, performance criteria, etc. The entire process took 4 working days to complete while the audit report is released 2 days later.

In order to overcome this delay, we have rescheduled and re-planned our Phase 4 activities, tasks and goals in such a way that it must not be delayed any further even in case of any emergencies or unforeseen events. For this purpose, we have conducted a quick risk analysis and feasibility analysis for Phase 4 that could help us plan an alternative in case of any incidents. As part of the plan, our Review and Testing team will continue to work on their regular designated tasks regardless of any incident. While the managerial and support team will look into the incidental matter. This will help us utilize our time and human resources in an optimized manner.

While this process delayed the project completion by one week, I am glad to report that the audit report confirmed high level efficiency and quality of the on-going project. For the commencement of this Audit, we spent $25K to ensure reliable audit report and overcome the loss of time as much as possible.

While Phase 3 is completed on time, Week 4 had a delayed start. We started one week later than our designated schedule. Our stakeholders and developers were notified of the delay and upcoming challenges to ensure completion of the project without any further delays. The vigilance of the team helped us remain efficient. They immediately rescheduled the tasks and re-designed the goals. The team is immediately put to work so that no further delays are caused. We are very hopeful that no further delays will occur and that the completion of the project with a high level of quality will be ensured.

Final Recommendations

The project will successfully accomplish the specified goal, which is to develop an automated and instant all-in-one support software that is compatible with multiple Microsoft Components such as Microsoft Access, Microsoft Publisher, Microsoft Project, and Microsoft Vision. Once the project is successfully implemented, it will be high time to consider moving forward and planning to enhance the quality, performance, scope and efficiency of our current project. One of my immediate recommendations is to broaden the scope of the project. This will involve integrating more support facilities that are compatible with more Microsoft Domains, including Microsoft Visio, MS Word, etc. Broadening the scope will ensure that we are targeting more of the consumer base, which can generate more revenues and profits. Furthermore, in order to improve the efficiency and reliability of the service, we can integrate Artificial Intelligence within the Application that is capable of developing customized solutions and guides according to the level, demand and previous trends of support taken up by the user. Another module that can be added within the Support Software is the facility to have a face-to-face or voice chat with the customer service representative in a hassle-free manner. This will further enhance the services being offered by our application. The application will have a global scope as well.

Term Definitions

Support System: a network of people who provide an individual with practical or emotional support.

Troubleshooting: analyse and solve serious problems for a company or other organization.

Artificial Intelligence: is an area of computer science that emphasizes the creation of intelligent machines that work and react like humans.

Scheduling Tasks: Scheduling is the process of arranging, controlling and optimizing work and workloads in a production process.

Decision-Making: the action or process of making important decisions.

Section II

The following are our milestones for accomplishing this research. All of these steps will be conducted in detail. However, brief modifications can be made in order to accommodate any required changes or enhancements. The following Gantt chart previews the tentative plan of accomplishment of this research work.

The above-mentioned Gantt chart shows that there are 8 major milestones that have to be achieved throughout the process of project accomplishment. However, these are the major milestones only. Each of these milestones consists of several sub-units as well, which need to be completed and achieved with great vigilance and dedication.

Subject: IT

Pages: 6 Words: 1800

Project #1 Employee Handbook (IT Security)

Project#1: Employee Handbook (IT Security)

[Author’s name]

[Institute’s name]

Executive Summary

Red Clay Renovations Company established its business position by providing renovation and rehabilitation services for residential buildings and dwellings. The specific operational features of this company are characterized as the “smart home” and the “Internet of Things.” This organization is focused on utilizing upgraded technological services to give the best architectural experience to potential customers. Data security management is one of the prominent departments of the organization and is closely connected with another operational unit (Simshaw, 2014). It is noteworthy that the company faces specific security risks when it comes to properly protecting clients’ information and addressing the threat of data breaches. The information technology management department must develop suitable IT policies to meet the standards of data protection.

1st Policy: Acceptable Use Policy for Information Technology

Scope

This policy applies to all the authorized users who access information technology resources managed by the IT department of Red Clay Renovations Company. The overall IT system of the organization covers the comprehensive development of the company’s Information Technology Security program under the spectrum of ISO 27001/27002 requirements.

Purpose

           The purpose of this policy approval draft is to explain employees’ obligations and responsibilities concerning the approach of information technology security in the organization. 

Policy Statement

The IT resources of the company play a critical role in broadcasting important information about the organization’s operations to different departments. The primary goal is to deliver and expand overall knowledge and information to all the shareholders. Red Clay Renovation has a comprehensive IT security policy to successfully handle all IT-related matters. The aim is to maintain an integrated IT system that effectively channels all organizational activities under the domain of proper practice.

The broad approach of Red Clay Renovation Company’s IT system includes various physical domains such as electronic equipment, IT services, technologies, and the entire data used for information handling, accurate transfer, storage, display, and the overall IT communication platforms (Siau, Nah, & Teng, 2002). Computer-based instructional management systems, electronic devices, computer usage in the form of email, networks, telephone, voicemail, printing instruments, and electronic instructional materials are characterized as the range of existing IT resource systems of the organization. The functioning of the Owing Mills Facility in the company is also associated with the dissemination of information between different operating units.

Acceptable and Unacceptable Uses of Information Technology Resources

The employees need to have a proper understanding of which uses of information technology resources are permissible and which need to be avoided. This understanding is vital to avoid any complication in the future and to ensure appropriate handling of IT resources. When it comes to the acceptable use of the company’s information technology resources, all the employees of the company are characterized as authorized users of the system. They can use information technology resources for managerial and business purposes, considering the prospects of the financial systems and the human resource department of the organization.

Exploration of unacceptable use of information technology resources is also important to avoid any future discrepancies. Employees are forbidden to share or transfer business authentication information to external entities. Moreover, the use of the credentials of others is also strictly prohibited under the company’s legal policy of data protection. Additionally, it is important for the workers to follow the different federal and state laws to avoid the risk of data breaches or improper use of the company’s information. A wide range of unauthorized email messages is also not allowed, to ensure proper protection of the internal data of the company.

Violations/Sanctions

All the employees need to have a complete understanding of what the consequences of failing to observe the permissible use of the company’s information technology resources can be. Failure to comply with all the provisions of this policy may result in the immediate suspension of access to different IT resources of the company. Moreover, the legal function of the organization has the authority to take strict disciplinary action against an employee who poses any form of data threat to the company. Privacy and data protection laws are strictly applied to ensure the proper use of the information technology data held by the organization.

2nd Policy: Bring Your Own Device Policy

Scope

The Bring Your Own Device (BYOD) policy applies to all company employees who intend to connect their information technology devices to the overall IT system of the organization.

Purpose

The core purpose of this policy statement is to explicitly define the company’s rules and regulations for all employees concerning the use of their smart technologies, such as smartphones, on the organization’s network. It is the responsibility of the information technology management department to set instructions for the employees when it comes to using specific web browsers.

Policy Statement

Identification of suitable IT security instruments for the employees is necessary to ensure the protection of internal data. This policy is also intended to provide a proper plan of action to the employees when it comes to using their smart technologies within the vicinity of the company. The core aim is to ensure the proper protection of the company’s data. Red Clay Renovation shows flexibility and allows employees to purchase and use different smart technologies at work for the sake of their comfort. The primary intent of this policy is to protect the information security of the organization under the domain of information technology infrastructure (Caldwell, Zeltmann, & Griffin, 2012). Specific terms and guidelines are set for the employees under the BYOD program, and any failure to follow them can lead to strict action by the company.

Acceptable Use

Acceptable business uses of smart technologies and activities are clearly defined for all the stakeholders to ensure successful support to the company.

Under acceptable use, reasonable time is allowed for all the workers to meet their requirements of personal interaction and communication with others.

Moreover, there are specific networking websites that employees are completely prohibited from using during work in the company.

Personal technological devices can never be used to store the internal data of the company. 

Attaining or storing business information of any other organization is also not allowed under the risk of data theft or inappropriate business networking. 

Continuous engagement in activities other than business objectives is also under strict consideration.

It is allowed for the workers to use smartphones but this approach should not affect the pace of work and all the tasks should be completed on time. 

All the connectivity problems need to be addressed by the IT department of the organization.

Before devices are used, they must first be submitted to the information technology management system of the company. The objective is to ensure job provisioning and the configuration of different applications and security instruments.

Security Dimensions

A detailed consideration of different security approaches under the practical scenario of the BYOD policy is also important to ensure data protection at both the individual and organizational levels.

A password is required to use devices, to prevent unauthorized access to information.

All devices need to lock automatically after some time, requiring a password or PIN to unlock.

Rooted devices need to be completely banned from accessing the network.

All the smartphones used by employees for personal use should be connected to the company’s overall network. 

The operating information technology system of the company has the right to disconnect services whenever there is the detection of any form of risk. 

The workers must use all their devices ensuring the successful domain of ethical obligations and proper guidelines. 

3rd Policy: Digital Media Sanitization, Reuse, & Destruction Policy

Scope

All workers of Red Clay Renovation Company have a critical responsibility to guarantee the confidentiality and protection of the company’s important information. This responsibility is associated with the fair use of computer systems and different digital storage instruments, as well as with non-reusable media. Digital storage devices broadly comprise desktop workstations, laptops, servers, smartphones, tablets, and the hard drives of all the computers. External data storage instruments are also covered, in the forms of disks, flash drives, CDs, etc.

Purpose 

The main aim of this policy is to direct all the employees concerning licensed software programs and the protection of data. It is essential for the employees to reliably erase the company’s data before it is transferred to outside areas.

Policy Statement

It is important to share proper and brief guidelines with all the employees working in different departments of the company. The central aim of this policy brief is to enhance employees’ understanding of the sensitivity of digital media sanitization.

The stakeholders need to ensure that electronic storage media are sanitized once they are no longer in business use by the company.

The priority for electronic storage media at Red Clay Renovations is the personal information of clients.

The concerned department must comprehensively shred paper reports to meet the objective of sanitization in the case of non-reusable electronic media before disposal (Golubic & Stancic, 2012).

The heads of all the departments of the company are accountable to ensure the execution of proper sanitization in the case of all the workers. 

The involvement of the logistic services department is critical to meet the standards of disposal of computer media and other devices that are no longer in use of the company. 

Clearing data from various storage instruments is also essential to remove sensitive company information. These devices include thumb drives, hard drives, CDs, etc.

It is also essential for the concerned workers to ensure the removal of names, numbers, and addresses from phones, fax machines, and computer systems when sanitizing the devices.

No electronic information system should be released from the company’s storage until the process of sanitization has been completed in accordance with all the relevant rules and guidelines.

Penalties in Case of Violations

It is also important for the decision-makers in charge of the organization’s operations to clearly define all the complications and penalties that apply if the standards of sanitization and reuse of electronic devices are not met.

Violation of this policy can lead to strict disciplinary action against the guilty individual. In severe cases, this can take the form of complete termination of service at Red Clay Renovations.

References

Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (bring your own device). Competition Forum, 10, 117. American Society for Competitiveness.

Golubic, K., & Stancic, H. (2012). Clearing and Sanitization of Media Used for Digital Storage: Towards Recommendations for Secure Deleting of Digital Files. Central European Conference on Information and Intelligent Systems, 331. Faculty of Organization and Informatics Varazdin.

Siau, K., Nah, F. F.-H., & Teng, L. (2002). Acceptable internet use policy. Communications of the ACM, 45(1), 75–79.

Simshaw, D. T. (2014). Legal Ethics and Data Security: Our individual and collective obligation to protect Client data. Am. J. Trial Advoc., 38, 549.

Subject: IT

Pages: 6 Words: 1800

Project #2 Managers Deskbook

Project#2: Managers Desk-book

[Author’s name]

[Institute’s name]

Executive Summary

The aim of the Chief Information Security Office and Security Team in developing this desk-book for the company is to appropriately identify potential IT-related problems and offer possible solutions in the form of policies. It serves as fundamental guidance for employees and managers to understand the intensity of IT security risks, and it offers practical measures. The Data Breach Response Policy, Controlling Shadow Policy, and Social Media Policy are put forward to propose better solutions to the anticipated data security issues for the company. The Data Breach Policy provides mandatory assistance to managers and all the workers in properly managing the potential hazards of data breaches. Identification of roles, responsibilities, and relevant processes is essential to ensure the successful application of this specific policy.

The application of the Controlling Shadow Policy is also actively associated with proper consideration of all the employees. It is important that all the IT equipment of the company is approved by the IT management department. This is significant to avoid the risk of misuse of the company’s information. Unauthorized use of personal devices and systems by the employees needs to be addressed by offering and implementing a Shadow IT policy. Proper documentation of all the procedures and of the information management system is essential to avoid any hazards of data breaches or improper use of the company’s and clients’ sensitive information.

The increasing trend of using social media accounts also requires the management of Red Clay Renovations Company to adopt suitable practical measures. Developing a policy for the proper management of corporate social media accounts is one appropriate practical measure to gain maximum benefit from social media. It is critical to share the necessary guidelines with all the users at the outset to protect the prestige of Red Clay Renovations Company. The overall conduct of employees across all social media platforms should be in accordance with the main vision and relevant objectives of the company. Cooperation and active communication between all the stakeholders is an integral condition for the successful execution of all the related policies.

 

1st Policy: Data Breach Response Policy

Policy Overview:

Today, business organizations face a great many challenges related to data protection and proper risk management. The core objectives of the cybersecurity policy, comprehensive plan, and programs can never be achieved without collaboration between the different operating departments of Red Clay Renovation Corporation. Protection of clients’ data is one major concern that needs to be addressed by adopting appropriate practical measures. The growing risk of data theft in the form of cyber-attacks can be better overcome by implementing a data breach response policy. The company is planning to develop the Data Breach Response Policy to ensure a clear vision and objectives for risk management. The potential risk of data breaches demands that the management of the company be well prepared by utilizing the correct instruments and processes.

Scope:

This policy relates to all the shareholders who are directly linked with data collection, processing, and handling. The focal practical measures are the collection, evaluation, maintenance, dispensing, storage, use, and proper protection of personally identifiable information or clients’ data. The Data Breach Response Policy will explicitly illustrate the aspects under which the policy will be applied, considering all the rules and standards of data protection. The governance issues for the company relate to the policy perspectives in the forms of mechanisms, feedback, reporting, and implementation.

           

Purpose:

The central objective of this proposed policy is to adopt a systematic procedure to ensure appropriate reporting of all forms of suspected theft at different governance levels. The possible risks of theft in the company can mainly be observed in the forms of data theft, data breaches, or unauthorized access to data. All the operating units of Red Clay Renovations Corporation must consider the growing risk of data breaches. The increasing risk of cyber-attacks is the main reason for proposing and enforcing the Data Breach Response Policy.

Policy Statement:

           The IT Security program of the Red Clay Renovations Company focuses on specific guidelines considering the implications of NIST and the Data Breach Response Policy. The primary aim of this approach is to successfully meet the standards of NIST special publication 800-62, Control Family Incident Response, and the criteria of privacy and security controls established for the company ADDIN ZOTERO_ITEM CSL_CITATION {"citationID":"XYEgLRM3","properties":{"formattedCitation":"(National Institute of Standards and Technology, 2006)","plainCitation":"(National Institute of Standards and Technology, 2006)","noteIndex":0},"citationItems":[{"id":208,"uris":["http://zotero.org/users/local/qLzeF6Hj/items/MV2Y2FYK"],"uri":["http://zotero.org/users/local/qLzeF6Hj/items/MV2Y2FYK"],"itemData":{"id":208,"type":"webpage","title":"Information Security Handbook: A Guide for Managers","container-title":"NIST","author":[{"family":"National Institute of Standards and Technology","given":""}],"issued":{"date-parts":[["2006"]]}}}],"schema":"https://github.com/citation-style-language/schema/raw/master/csl-citation.json"} (National Institute of Standards and Technology, 2006). 

It is crucial to develop and establish this policy according to the overall management procedure of Red Clay Renovations Company. Moreover, it is also essential to consider a comprehensive framework for improving critical infrastructure cybersecurity within the organization. The identified problem for the company is characterized as an information breach that increases the potential risk of clients’ data being stolen. Once the risk of data theft is revealed, it is crucial to take immediate corrective measures to protect the confidentiality and sensitivity of the information.

Enforcement:

           The proper response to the issue requires the suitable application of the policy considering the core objectives to ensure data protection within the organizational setting. There is a need for considering and implementing different steps to meet the core aim associated with this policy. It is essential to identify the unsatisfactory aspects of the entire information system operating in the organization. It is crucial to consider the proper prevention of data breaches as the essential domain when it comes to the internal policy adopted by the company. 

           The human element and technological element are two fundamental prospects that can cause the issue of a data breach for the company. It is crucial to strictly check the performance of these two domains to timely identify potential risks. When it comes to the human aspect, it is essential to provide a necessary guideline to all the workers that they need to ensure data safety and security within the company. Application of additional security actions is required to maintain standards of storing and processing sensitive data under the domain of technical challenge. Complete application of ISO 27001 security principles is obligatory to minimize the hazards of a data breach in an organizational context. 

 

2nd Policy: Preventing/Controlling Shadow Policy

Policy Overview:

Controlling shadow IT comprises some specific protocols. It is important for the organization’s governance to ensure that shadow IT is handled in the desired manner. The stakeholders need to understand at which level it is permissible and what restrictions need to be applied. A thorough assessment of the IT operations of Red Clay Renovations Company revealed that there are chances of improper transmission of important organizational information. It is observed that workers of the company rely heavily on their own technological devices to perform different tasks. This growing trend made it integral for Red Clay Renovations Company to properly plan and enforce the Controlling Shadow Policy. The increasing security risk of workers using personal devices can be detrimental to the company’s ability to ensure proper data protection (Nieles, Dempsey, & Pillitteri, 2017). All IT systems in use need to operate under the company’s information technology system. Failure to follow this approach can be characterized as one primary risk factor for data security and IT governance within the context of Red Clay Renovations Company.

Scope:

The implications of this specific policy are relevant to all the users of the informational technology management system of the company. Proper maintenance of information integrity of the organization is important to successfully deal with issues of misuse of data and potential risk of data loss. 

Purpose:

           The approach of Shadow IT is a potential threat for Red Clay Renovations Company when it comes to the domain of informational and digital security. The organization needs to adopt a set of immediate practical measures to successfully address this concern. The aspects of Shadow IT Policy can be helpful to maintain the efficiency of information technologies used in the company. 

Policy Statement:

Shadow IT can bring a severe security threat to the company’s overall information technology management system. It is a threatening perspective because it increases the potential risks of data loss, data breach, and misuse of data for the company. There is a need to establish a significant Controlling Shadow Policy. The IT governance of the company needs to focus on developing a comprehensive list of the various IT procedures, applications, and resources that are not directly owned by the organization. These can be identified in the form of personal devices and applications used by the workers of the company. The potential risks of shadow IT can mainly be observed in the forms of Dropbox, USB, Gmail, Skype, Google Docs, and SD media. All these platforms are used by the company’s workers, but they can be categorized as major security risks for the company. To address this concern, there is a need for multiple practical measures under the domain of the Controlling Shadow IT policy.

Enforcement:

When it comes to practical measures for this policy, there are multiple options available to management. One of the crucial practical steps for the company is to conduct regular training programs for the workers, established by the Information Security department of the organization. The second major practical step is to ensure critical and appropriate evaluation of all the services and applications utilized by the company’s workers. Moreover, strict compliance is required to scrutinize the overall information technology system of the company. Critical checks and balances are also essential when it comes to the assessment of software installation on workstations under the company’s system management. The active role of the IT security team is required to regularly update all the software and instruments and to detect any problematic area in time.

 

3rd Policy: Management and Use of Corporate Social Media Accounts Policy

Policy Overview:

The increasing trend of social media use by employees made it essential for the management of Red Clay Renovations Company to develop a proper guiding plan for all the employees. It is necessary for the management to inform all the shareholders in a timely manner when it comes to creating a balance between using social media platforms and organizational work. This specific perspective is a critical practical step to guarantee the overall image of Red Clay Renovations Company. Misrepresentation of the company’s policy is a major issue that can arise in case of improper use of social media services by the workers. Basic regulations need to be considered for the proper management of social media services utilized by employees working at different organizational levels.

Scope:

           The implications of this policy need to be applied to all the workers to develop a proper mechanism of necessary scrutiny within the organizational setting. The role of management is crucial to prepare, develop, and transmit necessary guidelines to all the workers when it comes to using social media within the premises of Red Clay Renovations Company. 

 

Purpose:

The main objective of this particular policy is to deliver fundamental guidelines for all the employees concerning the use of social media accounts in the company. The use of social media accounts can be considered to cover the practical domains of blogs, message boards, chat rooms, newsletters, and other forms of digital applications (Force & Initiative, 2013). The development and application of a proper policy are mandatory to meet the objective of data security within the company.

Policy Statement:

Establishment of a proper policy is a crucial step for the management of the company to protect data security with respect to employees’ use of social media platforms. There are some significant instructions or guidelines that need to be shared with all the workers to successfully meet the central objectives of this specific policy. All the employees need to be informed that the various corporate social media channels can only be used under the spectrum of Red Clay Renovations Company. Social media under the spectrum of the organization can never be used for personal purposes by any worker. Assessment of different operations of the company revealed that different forms of social media accounts are used mainly for marketing purposes. The management needs to develop a proper plan of action and necessary guidelines for the workers when it comes to using social media accounts for corporate purposes.

Enforcement:

It is important to ensure that any information shared on a social media platform never harms the overall reputation of the company. All the representatives of the company need to be vigilant when it comes to approaching potential customers through social media. Additionally, it is integral for all the employees to always use secure file sharing programs to avoid any form of misuse of the company’s information (Meister, 2013). All the social media should be completely and strictly controlled by the IT department of Red Clay Renovations Company.

References

Force, J. T., & Initiative, T. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication, 800(53), 8–13.

Meister, J. (2013). The Future of Work: Why Updating Your Company’s Social Media Policy is Required. Retrieved from:

https://www.forbes.com/sites/jeannemeister/2013/02/07/the-future-of-work-why-updating-your-companys-social-media-policy-is-required/#5b77793e230d

National Institute of Standards and Technology. (2006). Information Security Handbook: A Guide for Managers. Retrieved from:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf

Nieles, M., Dempsey, K., & Pillitteri, V. (2017). An introduction to information security. National Institute of Standards and Technology.

Subject: IT

Pages: 7 Words: 2100

Project #4 Audit Policy And Plans

Project #4: Audit Policy and Plans

[Author’s name]

[Institute’s name]


Executive Summary

The higher management of Red Clay Renovations company is interested in successfully establishing the approach of information technology considering the application of proper cybersecurity systems. The technological forms of “smart home” and “Internet of Things” are adopted by the company to update its business services effectively and efficiently. The increasing trend of technology application made it essential for the company to appropriately document a security policy ensuring the prospect of a significant auditing domain. The documented policy for IT needs to be effectively aligned with IT security policy compliance and the facets of audit plans for policy awareness. Furthermore, the development of the audit plan for IT security policies is also one mandatory practical measure to ensure the success of the overall security plan of the company. Employee compliance evaluation is also critical to recognize suitable grounds for audit plan documentation. Detailed documentation of the audit plan for the Red Clay Renovations company is also vital to enhance the awareness level of all employees. This form of understanding eventually helps them to meet the standards of IT security compliance. Proper implementation of the company’s security controls is only possible when IT security policies are easily understandable for all the employees.

Issue Specific Policy for IT Security Policy Compliance Audits

Purpose

The central purpose of auditing IT security policy compliance in the case of Red Clay Renovations company is to develop a successful form of compliance audits considering the domain of overall IT security policy. It is one core responsibility of the stakeholders to ensure that the documentation of IT security policies is successfully aligned with the overall IT security policy developed for Red Clay Renovations company. The aim of developing and executing various IT security policies is to enhance the understanding level of all workers considering the importance of information security for the company. A detailed review of IT security policies in the form of a compliance audit is a mandatory condition to analyze the practical organizational approach to ensuring the application of regulatory guidelines.

Scope 

The policy relevant to IT security policy compliance audits applies to all the employees under the broader domain of the internal audit plan set by the higher management of Red Clay Renovations company.

System Overview

A brief description of the organization’s system approach is a necessary step to recognize the actual requirements of the information security and compliance system. The Information Technology Security Program (ITSP) of Red Clay Renovations company is the focal aspect of consideration. When it comes to the identification of the system category for the organization’s information security, its position is established as “moderate level” under the standards of FIPS 199/200 and the specifications provided by NIST SP 800-53 Revision 4.

           The main functions in the case of an organization’s system are mainly characterized as accounting & finance, customer relations, human resources, marketing, corporate management, and information technology services. The current status of the system is defined as the operational prospect considering the domain of Systems Development Lifecycle. It is noteworthy to mention that currently, the organization is not focusing to upgrade the system referring to the feature of major developments. 

Responsibilities/Requirements

Detailed documentation of required responsibilities is an important step to meet policy goals and objectives in the desired manner. The requirements of the audit policy are relevant to various aspects of consideration that require necessary attention (Hayes, 2003). The main responsibilities or roles under the domain of the IT security compliance audit policy are as follows.

Successful consideration of standards of audit practice is an essential step for the auditors to attain desired outcomes from the audit program. The team of auditors is responsible for developing, maintaining, and successfully managing the entire paradigm of the internal IT security audit program. 

Audit standards set by the Information Standard Organization (ISO) are followed in the information security audit program for the information system of Red Clay Renovations Company.

Confidentiality is one prominent policy issue that needs to be a focus in the proper development of the audit plan for the company’s information security system. All the auditors are strictly prohibited from sharing important internal organizational information with unauthorized entities for any purpose (Goodyear, Goerdel, Portillo, & Williams, 2010). Confidentiality standards need to be aligned with data protection for the organization as the primary aspect of consideration.

Proper consideration of security controls in an organizational setting is a necessary condition to provide relevant security assurance. The broad idea of security controls is actively linked with the protection of information assets and the assurance of data privacy. The phenomenon can also be observed in the proper preservation of the integrity and reliability of data by focusing on essential standards, policies, and regulations.

One of the key objectives is to assess and report, in a timely manner, all forms of threats and vulnerabilities concerning unexpected items and specific circumstances. Moreover, the purpose of evaluation can never be achieved without the delivery of engagement to all the shareholders and a definition of the actual objectives and scope of the audit process.

The responsibilities of auditors are further enhanced when it comes to sharing findings and recommendations with the relevant entities after the execution of the complete internal audit procedure in the organization. This approach only applies when the shareholders request the necessary advice from the audit team.

Another critical aspect relevant to the practical idea of information security audit policy is to successfully enforce the objectives of proper integrity. It is critical to ensure complete protection of data in the forms of accuracy and completeness. Information should not be damaged by any unauthorized entity. 

The Option of Compliance Audit as Internal Audit

The practical approach of a compliance audit can be used by the organization to meet the objectives of an internal audit (Gao, 1991). This audit plan is linked with the adoption of a specific set of regulations and standards to identify all the security risk factors in time and adopt necessary measures.

Compliance Audit Checklist

Identification of non-compliance aspects in the form of workers’ practices within an organizational setting. 

Obtain necessary evidence to determine specific features of irregularities during the audit process. 

Application of necessary action plans and strategies assigned to the relevant authorities. 

Proper documentation of all the observations and formulated suggestions accordingly

Accurate validation of the entire audit program is a necessary step to determine the authenticity of the auditing within an organizational context. 

Audit Plan for IT Security Policy Awareness and Compliance (Employee Survey)

Questions about Awareness of Key Policies

Can email be used as a simple and protective way to convey important organizational information?

Agree

Strongly agree

Neutral

Disagree

Strongly disagree

Are you able to recognize, in a timely manner, an issue concerning the IT security program of the organization?

Agree

Strongly agree

Neutral

Disagree

Strongly disagree

What is the major source of risk when it comes to the application of the information security program in your department?

Improper system applications

Human error

The threat of viruses

Is it mandatory for you to lock access to your workstation?

Yes

No

Do you have an understanding of all the protocols when it comes to using personal devices within an organizational setting?

Yes

Partially Yes

No

Questions about Awareness of Personal Responsibilities regarding Compliance

Do you use personal electronic devices for work purposes?

Yes

Sometimes yes

No

Do you successfully apply all the standards of IT security you learned through training?

Yes

No

Do you agree that it is okay to allow someone else to use your working system?

Yes

Unsure

No

Are you ensuring proper back-up of the organization’s important data?

Yes

No

Do you believe it is okay to open different web links when it comes to completing the organization’s tasks?

There is no problem with it

I am unsure

No

Audit Plan for IT Security Policies Audit (Documentation Assessment Strategy)

Comprehensive planning and development in the form of a documentation assessment strategy are important to offer a significant form of IT security policies audit plan (Winnipeg.ca, 2008). This consideration aims to estimate and prioritize risks considering different operations of the Red Clay Renovations company. The approach of compliance is relevant to three main and interrelated factors. These aspects are defined as the assets at risk, the magnitude of the threat, and the vulnerability of the system when dealing with the information security threat.

Background Information on the Policy

A detailed examination of the existing audit policy in the organization’s information security program is a necessary measure to propose better strategies of compliance in the future. The assessment of the current audit domain of the organization revealed that the audit policy is owned by the Chief Information Officer (CIO), who assesses all the reports and establishes the audit findings. The central focus of current audit domains within the organizational setting is to consider the importance of technology infrastructure when it comes to determining the effectiveness and suitability of the company’s application of security controls. The broad idea of IT security policy considers the importance of employees’ awareness of IT security policies and proper compliance with these policies.

Application of Compliance Audit

Different practical options can be used by the audit team to ensure better outcomes from the IT security policy audit program. Different ways can be used to obtain the necessary information to meet the standards of the audit plan. Interviewing management is one option to collect necessary information about the potential risk of data theft or any form of misconduct. Critical analysis of the entire system and IT infrastructure is also mandatory in the organizational scenario. Additionally, a critical review of relevant documentation also helps to identify the potential IT security hazards.

Exploration of all the valuable assets is the first step to ensure the successful realization of potential risk. The valuable assets are recognized under the domains of servers, websites, information technology instruments, and the contact information of clients.

A timely examination of potential risks to IT security is one of the first steps to meet the objectives of the audit compliance program. Moreover, it is also essential to determine the potential consequences that can appear in case of data security risks. These consequences are mainly established as data loss, the insignificant performance of a system or application, legal complications, and inability to meet the organization’s objectives.

Exploration of all the potential hazards and their aligned level is also an essential approach to successfully handle the situation of vulnerability of the IT security program. This form of application is a vital step to develop and deliver better recommendations under the spectrum of IT security audit process. 

In concluding remarks, it is vital to indicate that the active role of the CIO is immensely crucial to timely deliver assessment policies and program to other stakeholders. This form of consideration ultimately helps to propose necessary solutions in case of ensuring a better form of IT security within an organizational setting. 

References

Gao.gov. (1991). How to Get Action on Audit Recommendations? Retrieved from

https://www.gao.gov/special.pubs/p0921.pdf

Goodyear, M., Goerdel, H., Portillo, S., & Williams, L. (2010). Cybersecurity management in the states: The emerging role of chief information security officers. Available at SSRN 2187412.

Hayes, B. (2003). Conducting a Security Audit: An Introductory Overview. Retrieved from Symantec.Connect website: https://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview

 Winnipeg.ca (2008). Assessment of Information Security Awareness. Retrieved from https://www.winnipeg.ca/audit/pdfs/reports/ITSecurityAwareness.pdf

 

Subject: IT

Pages: 10 Words: 3000

Project 1


Josephus West

School or Institution Name (University at Place or Town, State)

Introduction:

Open data refers to data related to various fields of life that is made available to the general public by the government. Such information made available to the masses can create value and make the delivery of services to the public more efficient. Although the concept involves providing confidential data for public domain research and development, the initiative has proved its potential in various fields of life. Researchers are able to consult the data made available by the government. Alongside the amazing benefits of making the data public, there are growing concerns of information assurance (Dove, 2018). Information assurance deals with the confidentiality, integrity, availability, and non-repudiation of the data. It is inevitable for the government and executives to ensure the basic levels of information assurance for the open data. The paper describes the best practices for the executives of the government office to ensure the confidentiality, integrity, availability, and non-repudiation of the open data.

Benefits of the open data:

Open data made available to the public for research and development by governmental institutions has the potential to unlock $3 trillion in economic value across various sectors. Open data is being used by crop scientists to understand disease data over a large spectrum using big data analysis techniques. It has enabled scientists and businesses not only to analyze the available data but to prepare future trends as well. Scientists can predict future disease patterns and can prepare cures for those diseases. Businesses are harnessing the power of open data to provide customized services to their clients, adding value to their existing product lines. As an example of the beneficial use of open data, electric power supply companies are now able to advise their users on energy saving tips based on the analysis of the big data available to them through the open data initiative (Lynskey, 2018). There are endless possibilities for open data to add value to businesses across the spectrum. Healthcare providers are able to provide patients and the general public with the ability to track their medical bills. They are even able to suggest future trends for the medical bills based on the similarities and correlation patterns of the available open data.
A major breakthrough has been developed in the area of securities and exchange commissions because companies are able to investigate and suggest investment patterns to their potential clients. Analyzing the massive amounts of data and machine learning capabilities they are able to predict future market trends and investment growths for their clients and investors. They are able to build better relations with the investors and industry as well.

Security issues with the open data:

Alongside the benefits of making data available to the public, there are growing security concerns as well. The initiative has placed a burden of ensuring the confidentiality, integrity, availability, and non-repudiation of the data. As the targeted attacks on large-scale organizations are growing not only in number but in complexity too, it is inevitable to protect the data against criminal actors (Kounadi, Resch, & Petutschnig, 2018). Third parties having access to the open data can create ethical dilemmas by forging the data trends and misinterpreting the results of the analysis. It is difficult to ensure the confidentiality of the data. Once data is obtained, it can be transmitted or copied over insecure channels, making it a potential target for malicious actors.

Data centers must have enough protective measures to ensure the confidentiality of the data. Adding layers of confidentiality can hinder the availability of the data. Data sets containing personally identifiable information can easily be misused by criminals for nefarious purposes. It would not be possible for the obtaining party to validate the authenticity of the data because it may be forged in transit. Digital channels are highly unpredictable; therefore, the issuing authority may be reluctant to take any responsibility for forgery of the open data results.

Best practices to protect the open data:

Given the potential of open data for business value creation, it can be a critical asset of the state. Sophisticated encryption algorithms must protect the confidentiality of the data so that it can be obtained and accessed by the intended recipients only. Attackers and malicious actors will not be able to understand the trends and patterns of the data due to sophisticated encryption, even if they are aware of the algorithm (Palm, Mann, & Metzger, 2018). This holds as long as the encryption key is kept secret by the authorities and participating agencies. To ensure the authenticity and non-repudiation of the open data, a public key infrastructure will be made available as well. Public key infrastructure will ensure the integrity of the data in transit, and there will be no modifications to the data unless authorized. Certificate-based public and private key pairs will be used for access and authorization to the open data. It will ensure non-repudiation of the data as well because the executives in the government office will be able to authorize the data use by authorized parties such as designated businesses.

Conclusion:

Open data is a valuable initiative by the government. However, protecting the confidentiality, integrity, availability, and non-repudiation of this data is also essential. Several steps must be applied as layers of security to accomplish the basic goals of information assurance, including encryption of the data sets and public key infrastructure. It will protect the data in transit as well.

References

Dove, E. (2018). Collection and Protection of Personal Health Data.

Kounadi, O., Resch, B., & Petutschnig, A. (2018). Privacy Threats and Protection Recommendations for the Use of Geosocial Network Data in Research. Social Sciences, 7(10), 191.

Lynskey, O. (2018). At the crossroads of data protection and competition law: time to take stock. Oxford University Press.

Palm, A., Mann, Z. Á., & Metzger, A. (2018). Modeling Data Protection Vulnerabilities of Cloud Systems Using Risk Patterns. In International Conference on System Analysis and Modeling (pp. 1–19). Springer.

Subject: IT

Pages: 3 Words: 900

Project 2


Digital government, also known as e-government, refers to governance that is affected by the use of information technologies. Its role is to provide services and information to the people. Different websites have been built by the digital government to assist people, including Benefits.gov, Data.gov, Healthcare.gov, research.gov, foodsafety.gov, etc. It is important for the digital government to build a governance structure that enforces policies and provides standards which meet the requirements of the public. The digital government provides services or information to viewers, including assistance with different tools, health issues, food safety, research on different topics, and data, tools and resources to conduct research.

The concept of digital government, which is closely connected to institutional and organizational change, draws on three fields: political science, organization theory, and the connection between technology and the structure of the organization. The most critical topics in e-government include both social and technical challenges. These websites are used to serve the public, which includes not only individuals but also organizations, firms and interest groups. They have a huge impact on a country like the United States. Digital government websites give the public the opportunity to use different digital technologies which enable civic engagement and public deliberation (Fountain, 2004).

Agencies need to analyze their websites and categorize them into different impact levels. There are three impact levels: low-impact, moderate-impact, and high-impact. These impact levels serve the security objectives of confidentiality, integrity and availability of data. Since the impact levels differ from website to website, it is important first to analyze the sensitivity level of each website before assigning it impact values for confidentiality, integrity and availability of data. The security issues which are common on these websites include access control, data and information integrity, etc. These security issues are a huge concern for the agencies, and it is difficult to build new websites for technical change, so they are looking for security measures which are important for the security of their confidential data and privacy (Minimum Security Requirements for Federal Information and Information Systems, 2006).

Agencies face different challenges due to cyber attacks. Sometimes attacks are unintentional, and sometimes hackers carry out these attacks to damage the reputation of the agency and obtain its confidential data for inappropriate use. The digital government faces a lot of challenges while delivering services via web applications. The most common security issue for them is the integrity of their confidential data. The data of these agencies is very sensitive and should only be accessible to authorized persons, but some people try to access it, which may include criminals, hackers, terrorists, etc. There are also unintentional threats to these web applications, including hardware failure, software failure, or inadequate training of the users of these applications. These issues pose crucial problems for the agencies because they adversely affect secret information, networks and operations, disrupt work, and cause damage to national security (Wilshusen & Powner, 2009).

Different frameworks need to be implemented for the security of web applications during the design, implementation, and operation of digital government websites. The most important thing when designing a web application is to analyze who will have access to the website and which measures are required to ensure that only authorized people can access sensitive data. The NIST cybersecurity framework is the framework best suited to reduce the risk of cyber attacks and increase the security of web applications. There are many types of NIST frameworks which can be used to secure web applications from cybersecurity threats. A NIST framework must provide a cost-effective approach to controlling web applications and taking appropriate measures to secure the data of a federal agency (Force & Initiative, 2013).

The NIST framework uses business drivers to guide cybersecurity activities and focuses on managing the risk which organizations are facing. The framework consists of three parts: the framework core, framework profiles, and implementation tiers. The elements in the framework core provide a full guideline for developing organizational profiles at the individual level. NIST SP 800-53 is one of the NIST frameworks which is used to control the security of web applications. To implement the NIST framework, organizations must first identify the impact level with the help of FIPS 200 and then apply appropriate security controls using NIST SP 800-53. This framework is considered best for the organization because it helps in meeting the business requirements of the organization and allows organizations to take security measures relevant to the security control baseline (Force & Initiative, 2013).
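The categorization step described above, worked through as an added example that is not part of the original essay: FIPS 199 takes the highest rating per security objective across a system's information types, and FIPS 200 takes the highest of those three values as the system impact level, which selects the SP 800-53 baseline. The portal, its information types and their ratings are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """The three potential-impact values; ordering lets max() find the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information a system handles, rated per security objective."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self):
        # Reject free-text ratings such as "high" so a typo cannot lower a rating.
        for objective in OBJECTIVES:
            if not isinstance(getattr(self, objective), Impact):
                raise TypeError(f"{self.name}: {objective} must be an Impact value")


def security_category(info_types):
    """Per-objective high-water mark across all information types (FIPS 199)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def system_impact_level(info_types):
    """Highest of the three objective values (FIPS 200 high-water mark)."""
    return max(security_category(info_types).values())


def baseline(info_types):
    """Name of the SP 800-53 control baseline selected by the impact level."""
    return f"{system_impact_level(info_types).name.lower()}-impact baseline"


def drivers(info_types):
    """Which (information type, objective) pairs push the system to its level."""
    level = system_impact_level(info_types)
    return [(t.name, obj) for t in info_types for obj in OBJECTIVES
            if getattr(t, obj) == level]


# Constructed ratings for a hypothetical public-facing portal.
PORTAL = [
    InformationType("public guidance pages", Impact.LOW, Impact.MODERATE, Impact.LOW),
    InformationType("applicant contact records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InformationType("site usage statistics", Impact.LOW, Impact.LOW, Impact.LOW),
]

# The same portal after it starts carrying one availability-critical feed.
PORTAL_WITH_FEED = PORTAL + [
    InformationType("outage status feed", Impact.LOW, Impact.MODERATE, Impact.HIGH),
]

if __name__ == "__main__":
    for label, system in (("portal", PORTAL), ("portal + feed", PORTAL_WITH_FEED)):
        print(label, security_category(system), baseline(system), drivers(system))
```

A single information type rated high on one objective raises the whole system to the high-impact baseline, which is why the per-type ratings are worth reviewing before controls are selected.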

It is very important to ensure the security of web applications for federal agencies because federal agency websites usually contain content which is very sensitive and should be accessible only to authorized people. There are other frameworks besides NIST, including the ISO/IEC frameworks, COBIT, ASD, etc. These frameworks are necessary for organizations to implement when creating a web application because they help organizations reduce the threat of cyber attacks. Different cybersecurity frameworks provide different functionality for meeting the security requirements of the organization. It is important first to analyze which frameworks are necessary for the organization's security and how they can help the organization meet its business requirements during the design and implementation of the web application. Web applications have a lot of security issues which need to be resolved by taking appropriate measures, and the best way to analyze these issues is to implement cybersecurity frameworks which ensure the security of the web applications.

References

Minimum Security Requirements for Federal Information and Information Systems (2006). Nvlpubs.nist.gov. Retrieved from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

Fountain, J. E. (2004). Digital government and public health. Preventing chronic disease, 1(4).

Wilshusen, G. C., & Powner, D. A. (2009). Cybersecurity: Continued efforts are needed to protect information systems from evolving threats (No. GAO-10-230T). GOVERNMENT ACCOUNTABILITY OFFICE WASHINGTON DC.

Force, J. T., & Initiative, T. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication, 800(53), 8-13.

Subject: IT

Pages: 3 Words: 900

Project 2 Securing Digital Government Services


Malintha Liyanage


Introduction:

The government provides various information services to the general public by digitizing the infrastructure of information processing systems. Websites of government services act as the front end presented to the general public to ensure a better user experience. Most of the sites operated by government departments provide users an interactive window to interact with the backend server. The server is considered to be the main source of information being offered by the website. Digital technologies have been revolutionized with the advent of web applications and web servers. The government is utilizing these web technologies as well to provide the general public with hassle-free service delivery (Nica, 2015). Most of the time, government-owned digital services host critical information such as personally identifiable information of citizens and information related to national security. This type of information handling at the back end of digital services makes them a potential target of cybercriminals, who are always devising new and improved attack methods to compromise such services.

As these services host critical information assets, their protection is the obligation of the federal government as well. Increased penetration of internet technologies has shifted the war fronts from physical grounds to cyber warfare. Rival states can hire the services of criminals for state-sponsored attacks on digital government services such as websites related to the defense department or the department of homeland security (Carter, Weerakkody, Phillips, & Dwivedi, 2016). Hackers can compromise and take down any website if there are not enough protective layers to protect the critical assets of the nation. The paper describes the threats to digital government services such as data.gov, disasterassistance.gov, and healthcare.gov. The paper provides recommendations to harden the security of such government-owned digital services.

Information Services Provided by the Websites:

The government provides many digital services to the general public through designated websites. Three such websites are reviewed in this paper. Data.gov is an initiative of the federal government that provides researchers access to the data collected by various departments of the government. The website hosts large data sets in the back end database server operated by the government departments. Data is stored in the back end server and can be accessed by the general public. The website is intended for researchers working in a variety of disciplines. As the website hosts massive amounts of sensitive data in the back end database server, it is categorized as a high impact website for security and privacy issues. The critical nature of the data stored in the back end of the website makes it an ideal target of cybercriminals. The site is vulnerable to hacking and malware attacks.

The second valuable digital service provided by the government is healthcare.gov, which provides healthcare professionals and individuals with extended healthcare facilities. The website enables individuals to register for or enroll in healthcare insurance schemes offered by the government. It maintains a record of eligible members as well as all of the new registrations. Users are required to create an account on the website that will serve as a dashboard for their healthcare needs. The account is secured by password-based authentication systems (Abu-Salma et al., 2017). The website is accessible and provides service at the national level and is not confined to a specific territory within the United States. Depending on the information the website is dealing with, it is categorized as high impact for security and privacy as per the federal information protection standards framework of digital data security. The website can be compromised by phishing or spam campaigns deploying social engineering tactics.

The third valuable digital service offered by the government is disasterassistance.gov, which provides assistance and advice in case of a national level disaster experienced by any state in the United States. The website stores historical data and provides access to it through the front end website. It is hosted on servers owned by the government department. The website provides services at the national level; any territory experiencing a disaster can benefit from the services offered. Based on the valuable data the website is storing, it is rated as a moderate category for security and privacy issues as per federal information protection standards and frameworks.

Inherent Security Issues of Web Applications:

As the internet itself was not designed with much security in mind, any service offered as an over-the-top service on the existing infrastructure of the internet will be inherently insecure. Web services are based on the backbone infrastructure of the internet, which is not secure by design, so all web services are inherently insecure. However, there are security solutions that can protect information being shared over the internet. All websites, whether owned by the government or by individuals, are prone to hacking attacks. Although there may be some rigorous security checks in place, all of the logical measures can be broken using sophisticated attack methods (Grassi, Garcia, & Fenton, 2017). In digital initiatives like open data provided by the government, the basic goal of securing the service is to protect the confidentiality, integrity, availability, and non-repudiation of the data. Confidentiality of the data can be compromised if the website security is breached by criminals. Such websites are protected with firewall solutions, but these solutions are inherently insecure as a firewall only prevents outside attacks. Any network attack initiated from within the network can bypass the firewall defense.

The website providing healthcare services offers a username and password facility to authenticate and authorize users to access the records stored by the website. Password-based authentication systems are prone to man-in-the-middle attacks. Any attacker can sniff network packets to steal credentials. As the website uses the transport layer security and secure sockets layer protocols to transfer information to and from the server, such attacks may not be successful. However, a popular attack vector known as phishing can bypass the security seal. An attacker can design a website login page similar to the original one, impersonating the valid page and asking for the credentials of the user, potentially compromising personal health records and insurance information of individuals. Such attacks are on the rise and rapidly changing in their design to obfuscate their presence and avoid detection by phishing filters on host machines.

Recommendations:

As is evident from the above discussion, all web resources are prone to sophisticated attacks, but there are some best practice based recommendations that can render most of the attacks useless against the government’s digital services. Combining the password-based authentication system with certificate-based authentication systems can rule out the potential risk of phishing attacks on such services. Certificate-based authentication systems use public key infrastructure for encryption and decryption of data being transmitted over the network (Bertot, Estevez, & Janowski, 2016). A certificate is essentially a public key with a corresponding private key, since the asymmetric encryption algorithms used in public key infrastructure use different keys for encrypting and decrypting the data. Digital certificates and signatures authenticate any client to the server and vice versa. They also provide integrity of the data being transmitted on top of the confidentiality of the data.

To complement firewall solutions, an intrusion detection system can be implemented as well. The network-based intrusion detection system will monitor the network for any unusual network activity that may be a result of malware attacks on a particular host. Attackers can use code obfuscation or fileless exploits to trick intrusion detection systems. The solution is to deploy a reverse proxy and segregation of network resources. Segregation will protect the whole network from being compromised in a targeted attack. A reverse proxy will block forged access requests to a protected server such as one hosting the open data provided by the government. Cyber-attacks on web services are constantly evolving not only in number but in complexity as well. There is no silver bullet to rule them out. However, the use of preventive technologies can reduce the damage caused by an attack if it is successful.

Summary:

All of the services offered over the backbone infrastructure of the internet are prone to malicious attacks from various sources. It is not possible to protect any resource against all types of perceived attacks. However, best practice based recommendations and security solutions can reduce the risk of attack significantly. There is a tradeoff between the security and usability of the system in this regard. A more secure system will be less usable by the public. For example, the most secure system would be one buried in concrete under the earth, disconnected from everything, even the power source. But practically, that system would be the most useless system as well. So, the best practice is to strike a balance between the security and usability of the system. Best practice recommendations are based on this security and usability tradeoff.

References

Abu-Salma, R., Sasse, M. A., Bonneau, J., Danilova, A., Naiakshina, A., & Smith, M. (2017). Obstacles to the adoption of secure communication tools. In 2017 IEEE Symposium on Security and Privacy (SP) (pp. 137–153). IEEE.

Bertot, J., Estevez, E., & Janowski, T. (2016). Universal and contextualized public services: Digital public service innovation framework. Elsevier.

Carter, L., Weerakkody, V., Phillips, B., & Dwivedi, Y. K. (2016). Citizen adoption of e-government services: Exploring citizen perceptions of online services in the United States and United Kingdom. Information Systems Management, 33(2), 124–140.

Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). Digital identity guidelines. NIST Special Publication, 800, 63–3.

Nica, E. (2015). Sustainable development and citizen-centric e-government services. Economics, Management and Financial Markets, 10(3), 69.

Subject: IT

Pages: 5 Words: 1500

Project 3

Database schema


Introduction

A large-scale environmental problem is a difficult task to address. Businesses use databases to address management problems. According to Cox (2014), the application of data in business impacts performance, and hence most companies usually realize a huge profit. The type of data schema depends on the business structure and management level. Therefore, the data schema required for this business is based on the data flow in the organization. The database schema is based on administration knowledge. It also illustrates how real-world entities are structured in the system. The business is running a warehouse, and therefore the data schema should contain features which allow employees to enter and process data easily in the system.

Diagram 1: Data Schema for the business

Rationale for the structure

The data schema in Diagram 1 has three sections: the calendar, the fact table and bind style. The business is a warehouse, and therefore the kind of data which will be entered into the system includes customers, cost of goods, selling price and date of submission; the clients also come from different regions. These must be captured by the system for easy processing, and therefore the data schema reflects what the database shall contain. The business would enter information related to sales, products, supplier or customer contacts, where they came from, and the date and month when the product was brought to the store (Laher, Surace, Grillmair, Ofek, & Levitan, 2014). This information would be captured best using the above data schema because of its nature. The data contains four tables: Calendar, Fact table, Customer and Bind Style. The calendar table would contain information related to dates, especially when the product was brought to the store.

The primary key is located in the fact table, in the first field of the table, which is the customer ID. The customer ID is used to identify every customer in the database, and it also describes the relationship between the tables to ensure that the database functions well. When customers come to the store, each customer is assigned a unique identification number when the product is processed into the warehouse. The customer’s products, sales, cost and the amount owned by the company can be established using the customer key, and therefore the primary key is the customer ID.

Referential integrity is the accuracy and consistency of the data. Referential integrity would be achieved by ensuring that there is a foreign key which is associated with one of the tables (Chung & Paredes, 2015). The foreign key can be established in the fact table to ensure that the four tables are connected. The parent table must have a foreign key for the data to be processed completely when it is entered into the system. Without a foreign key, data can easily get lost and incomplete information is returned. The users would then not be able to generate reports from the database, and queries could not be sent either.
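What a foreign key on the fact table enforces, shown as an added example that is not part of the original essay, using SQLite from Python. The table and column names (customer, calendar, fact_sales and their fields) and the sample rows are assumptions modelled on the tables the essay names.

```python
import sqlite3

# Assumed schema: the fact table references its parent tables by key.
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    region      TEXT NOT NULL
);
CREATE TABLE calendar (
    date_id INTEGER PRIMARY KEY,
    day     TEXT NOT NULL UNIQUE
);
CREATE TABLE fact_sales (
    sale_id       INTEGER PRIMARY KEY,
    customer_id   INTEGER NOT NULL REFERENCES customer(customer_id),
    date_id       INTEGER NOT NULL REFERENCES calendar(date_id),
    cost          REAL NOT NULL CHECK (cost >= 0),
    selling_price REAL NOT NULL CHECK (selling_price >= 0)
);
"""

# A sale that points at customer 99, who does not exist (constructed row).
ORPHAN_INSERT = "INSERT INTO fact_sales VALUES (2, 99, 20240105, 10.0, 12.5)"


def open_warehouse(enforce):
    """Create an in-memory warehouse; `enforce` toggles foreign key checking.

    SQLite only enforces declared foreign keys when the per-connection
    pragma is switched on, so a schema with REFERENCES clauses is not
    enough by itself.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.executescript(SCHEMA)
    # Constructed sample rows: one customer, one date, one valid sale.
    conn.execute("INSERT INTO customer VALUES (1, 'Constructed Customer A', 'North')")
    conn.execute("INSERT INTO calendar VALUES (20240105, '2024-01-05')")
    conn.execute("INSERT INTO fact_sales VALUES (1, 1, 20240105, 40.0, 55.0)")
    return conn


def try_statement(conn, sql):
    """Run one statement and report whether the database accepted it."""
    try:
        conn.execute(sql)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def integrity_violations(conn):
    """List (child table, rowid, parent table) for every dangling reference.

    PRAGMA foreign_key_check scans existing rows, so it also finds orphans
    that were written while enforcement was off.
    """
    return [tuple(row[:3]) for row in conn.execute("PRAGMA foreign_key_check")]


if __name__ == "__main__":
    for enforce in (False, True):
        conn = open_warehouse(enforce)
        print("enforce =", enforce)
        print("  orphan sale:", try_statement(conn, ORPHAN_INSERT))
        print("  delete referenced customer:",
              try_statement(conn, "DELETE FROM customer WHERE customer_id = 1"))
        print("  violations:", integrity_violations(conn))
```

With enforcement off, both the orphan sale and the deletion of a referenced customer go through, and a report that joins sales to customers silently loses those rows.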

Entity relationship

An entity relationship is the kind of relationship where a graphical representation is used to illustrate the relationship between tables or information. It describes the kind of information which is stored (Rüegg, et al., 2018). The relationship is how the data is linked between tables, fields or entities. The data must have a proper link for it to work well and give positive feedback when processing queries or reports. The business requires a one-to-many relationship. This means that one table is linked to several other tables of the data. It means that the data entered at the warehouse of the company is associated with the customer and with other data which are closely related to the customer (Laher, Surace, Grillmair, Ofek, & Levitan, 2014). It is established this way to ensure that there is efficiency in data processing across several departments. The image below shows an example of how the entity relationship operates across the company.

The entity relationship will be established by linking the FACT TABLE, CUSTOMER and DATE tables together. This will ensure that there is proficient communication at the data level, and therefore the processing will be easier and faster. It ensures the consistency and accuracy of the data which is being processed. The diagram is therefore just an example of how the entity relationship works.

Data Flow Diagram

The data flow indicates how data flows in the organization. It runs from where the data starts to the end process, which could be report generation, queries or even storage of the data. It describes the processes involved in the system for the transfer of data from the entry point to the exit (Chung & Paredes, 2015). The exit of the data processing could be either a report being generated or the data being stored for future use. It is described based on the logical data flow which is required to establish the functionality of the system. The DFD is needed for the processing, storage, manipulation, and distribution of data in the system. It communicates with the system to ensure that the data flows from the beginning to the end. It is therefore important to have a proper flow of data for the system to work well, and for this to be achieved the structure of the system must be well thought-out and clear. The data flow diagram is therefore very essential for the operations of the database.

Bibliography

Chung, K. S., & Paredes, C. W. (2015). Towards a Social Networks Model for Online Learning & Performance. International Forum of Educational Technology & Society, 2-35.

Cox, M. (2014). Understanding large social-ecological systems: introducing the SESMAD project. International Journal of the Commons, 265-276.

Laher, R. R., Surace, J., Grillmair, C. J., Ofek, E. O., & Levitan, D. (2014). IPAC Image Processing and Data Archiving for the Palomar Transient Factory. Publications of the Astronomical Society of the Pacific, 2-35.

Rüegg, J., Gries, C., Bond-Lamberty, B., Bowen, G. J., Felzer, B. S., McIntyre, N. E., et al. (2018). Completing the data life cycle: using information management in macrosystems ecology research. JOURNAL ARTICLE, 2-35.

Subject: IT

Pages: 3 Words: 900

Project 3



[Name of the Writer]

[Name of the Institution]

Mobile apps are becoming important for every industry including digital government. There are different mobile apps for the digital government which include MyTSA, WISER, Dolphin & Whale, USDA, Find a health center, FEMA, White House, etc. These are some top digital government mobile apps which can be used for different purposes (GovLoop, 2015). These applications are recognized as innovative and best for delivering information about the government. Such apps are very important for everyone and create new ways for a citizen to learn about different things.

Mobile apps are becoming necessary not only for individuals and business companies but also for the federal government. However, there are huge concerns about the security of federal government mobile apps. Mobile app security is a major concern because vulnerabilities can put sensitive government data and different resources at risk. NIST provided guidelines to address these security issues for the federal government. The federal government requires serious security because it holds the data of millions of people, and it is its responsibility to secure that data (NIST Drafts Mobile App Security Guidelines, 2019).

It is important for federal agencies to find out what a mobile app really does before using it. They should be aware of security risks and privacy issues. Many applications can access more of the user's data than the user knows about, which is why users fall victim to cyber attacks. Usually, the government takes advantage of third-party mobile applications to improve productivity, but agencies should not do that and should build their own mobile apps. Government agencies should understand the security risks of mobile apps and create a strategy to mitigate them. They need to provide training to employees regarding the privacy and security of apps and review mobile app testing results to fulfill these objectives.

Mobile applications also require security, just like web applications and desktop applications. Mobile app security requires security models that help to protect data and information from unauthorized persons. Appropriate authentication methods are essential for the security of mobile applications. Antivirus and firewalls also play a key role in the security of mobile apps. Connectivity options must also be limited. One of the best methods in use these days for mobile apps is the one-time password (OTP) method, which allows only a specific person to access the data and ensures the security of an individual. There are different methods which can help in protecting mobile apps. However, it is important to implement those methods while creating mobile apps, because different mobile apps require different security. A developer must be able to sort out the security of the software at the time of development (Mobile security reference architecture, 2013).

The security of mobile apps depends on their security needs. Mobile applications which are used to deliver government information and services require a high level of security because government data is always confidential. It is therefore important to ensure the security of mobile apps at the time of development. Application developers can create mobile apps quickly with the help of different SDKs. It is the duty of the developer to check the security of apps at each phase of development. The development team must include someone who is responsible for the security of the applications, who understands the differences between platforms and doesn't rely on a single platform to protect the security of the users. It is important to generate the credentials of mobile apps securely (Mobile security reference architecture, 2013).

There are different APIs used for the development of mobile apps, and they all have different functionality. Sometimes developers use APIs in their apps without researching them, which creates problems because each API has different security features, and the developer must ensure that the security measures of the API they are implementing meet their requirements. A developer must use encryption techniques at the time of development and encrypt sensitive user data such as usernames, passwords, contacts, emails, etc. It is also important to secure the servers and apply security measures to protect them. Application security also depends on the security of servers, and the security of servers is very complex and requires research (Federal Trade Commission, 2017).

A developer must take steps to secure the apps from vulnerabilities, cross-site scripting, and injection attacks. It is important for the developer not to use code from third parties because the third-party code isn't safe and is the biggest threat to the security of the applications. A developer must think like an attacker while building a mobile app because that is the only way they can find vulnerabilities in their application easily. It is also essential to secure data transmission between sender and receiver, and use tokens to handle sessions. A developer must implement tamper protection to protect the users and ensure the reputation of an app as a trustworthy application. These are some important recommendations which need to be considered at the time of development to ensure the security of the mobile app (Federal Trade Commission, 2017).

Mobile application security has become a huge concern for everyone, as there are many tricks which attackers use to easily access the sensitive data of users from different mobile apps. The biggest risk these days is to government agencies, because their data is not secure and hackers easily access it to use for their own purposes. Usually, terrorists these days try to access confidential data of federal agencies to observe their activities. However, there are different methods which can help agencies to protect their data and make their apps more secure.

References

Mobile security reference architecture (2013). S3.amazonaws.com. Retrieved from https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf

App Developers: Start with Security. (2017). Federal Trade Commission. Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/app-developers-start-security

NIST Drafts Mobile App Security Guidelines - InformationWeek. (2019). InformationWeek. Retrieved from https://www.informationweek.com/government/mobile-and-wireless/nist-drafts-mobile-app-security-guidelines/d/d-id/1306815

19 of the Coolest Government Mobile Apps | GovLoop. (2015). GovLoop. Retrieved from https://www.govloop.com/community/blog/cool-gov-mobile-apps/

Subject: IT

Pages: 4 Words: 1200

Project 3 - System Security Plan (Field Office)

Project#3: System Security Plan (Field Office)

[Author’s name]

[Institute’s name]

Information System Security Plan

1. Information System Name/Title:

Red Clay Renovations Company’s Information Technology Security Program (ITSP)

2. Information System Categorization:

System Name | Confidentiality | Availability | Integrity | Interconnection
ITSP | High | Moderate | Low | Moderate

3. Information System Owner:

Name | Title | Agency | Address | Email Address | Phone Number
Natalie Randell | Chief of Staff | Red Clay Renovations Company | 12 High Street Wilmington, DE 19801 | nr@redclayrenovations.com | 910-555-2152

4. Authorizing Official:

Name | Title | Agency | Address | Email Address | Phone Number
Anthony Morgan | Chief Information Officer (CIO) | Red Clay Renovations Company | 12 High Street Wilmington, DE 19801 | Morgan_Anthony@redclayrenovations.com | 910-555-2150

5. Other Designated Contacts:

Title | Address | Email Address | Phone Number
Chief Information Security Officer (CISO) | 12 High Street Wilmington, DE 19801 | William_Spenser@redclayrenovations.com | 910-555-2149
Information Systems Security Office (ISSO) | 12 High Street Wilmington, DE 19801 | Julia_Smith@redclayrenovations.com | 910-555-2153

6. Assignment of Security Responsibility:

Name | Title | Address | Email Address | Phone Number
William Spenser | CISO | 12 High Street Wilmington, DE 19801 | William_Spenser@redclayrenovations.com | 910-555-2149

7. Information System Operational Status: 

The operational status of the company's information technology system is recognized as the single prospect of Systems Development Lifecycles. It is noteworthy that Red Clay Renovations Company currently does not have plans for system upgrades in the form of major modification or under development.

8. Information System Type:

The core application of the company’s information technology system can be observed in its approach to risk management. Currently, Red Clay Renovations Company is facing immense risk hazards that require the adoption of a suitable information management system. Proper handling of cybersecurity is established as the major functional approach of information systems for the company.

9. General System Description/Purpose

The central function of the overall information security system is to contribute to the risk management strategies adopted by the company. The active role of the company's IT security program is important to meet the standards of security controls under FIPS 199/200. The development of proper interconnections between the company’s different field offices is another core perspective under the domain of IT systems. The updating functions of the company’s information system can also be observed in the remodeling of the use of “smart home” and “Internet of Things” technologies. The application of these technological advances helps to develop a better connection between different security protection domains.

10. System Environment

The technical system of the company consists of different interrelated technological forms. The technical factors for the company can be observed under the domain of managed or enterprise. This perspective is useful in the case of an extensive agency system that comprises operational domains across different field offices. Hardware and software configurations play a critical role in ensuring the necessary information system management between different workstations and servers.

The primary hardware is divided mainly into processor, primary data storage, secondary storage, and input and output instruments. The hardware for the IT management system also includes laptops and firewalls. It is noteworthy that the purpose of the laptops is to craft and compile different networking reports. On the other hand, the purpose of the firewalls is to provide necessary protection to the security from various external resources.

Software is another crucial aspect of the company's overall technical system. The company uses software for multiple reasons and practical applications. Diverse software options are under consideration under the domain of software technology services. The software mainly consists of Windows 10, Microsoft Office, Adobe Acrobat Reader, and Adobe Flash Player. The core aim of all this software is to ensure successful technical applications. Windows 10 is the preferred operating system in the company's information management system. All the computers and servers are manufactured by Dell.

Identification of communication equipment is also a critical condition for understanding the technical system that prevails in the organization. Communication networking is a necessary condition to align operations of different fields under collective business objectives. Internet services are the central form of communication networking that builds the necessary connection between different stakeholders. Telephones, fax machines, pagers, etc. are the main communication devices utilized by the technical information department of the organization.

11. System Interconnections/Information Sharing 

The approach of interconnection/information sharing is used by the IT department of the company to develop the necessary connection between different operational networks. The central aim of the interconnections is to establish a direct interaction between two or more IT systems in order to distribute necessary information resources. The main Operations Center and the individual Field Offices are connected through the Internet via a business-grade Internet Services Provider. This interconnection is adopted under the standard Service Level Agreement (Bowen, Hash, & Wilson, 2007). The main form of interconnection is Virtual Private Network associations between the Operations Center and the required Field Office. The VPN is used by the information security department to protect the confidentiality and integrity of information.
The individual network infrastructure implemented in each field office comprises a wireless local area network, wireless access points, switches, a firewall, and an intrusion assessment system.

The broader spectrum of Verizon Business services provided the services mainly in the forms of Wide Area Networking (WAN) and internet services. These spectrums of interconnection services explicitly define the overall network connections of the company. It is also significant to mention that the organization of Red Clay Renovations Company has its Active Directory server, multiple Web servers, Email Servers, Print Servers, and overall databases. All these approaches eventually played their role in the overall form of interconnections.

12. Related Laws/Regulations/Policies 

Consideration and application of relevant legal perspectives are necessary practical conditions to ensure the integrity and confidentiality of important information. Legal practice is adopted by the field office operational domain to attain useful information under the proper regulations. The security plan for the company is developed under the Privacy Act that prevails in the country. The operations are controlled under the Sarbanes-Oxley Act of 2002. This legal spectrum is considered by the management to determine the legal spectrum in case of a business approach (Swanson, Hash, & Bowen, 2006). The operations of the field center are also actively linked with the proper processing, storing, and transmission of Protected Health Information (PHI) in strict compliance with the HIPAA Security Rule.

13. Minimum Security Controls

Application of suitable security controls is a necessary condition to meet the standard of the information system security plan for the company. The security controls fall into three main forms: management controls, operational controls, and technical controls (Swanson, Hash, & Bowen, 2006). The selection of the most appropriate control family is an essential practical measure to define the entire spectrum of the security control system.

13.1 Management Controls

Management controls are developed to ensure the successful management of the information systems and the proper management of the entire risk that prevails for the information system. It is significant to indicate that some aspects of technologies are also catered for through the overall domain of management controls.

13.1.1 [first control family]

CA: Security Assessment and Authorization (Management Controls Category)

CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1
CA-2 | Security Assessments | CA-2 (1)
CA-3 | System Interconnections | CA-3 (5)
CA-5 | Plan of Action and Milestones | CA-5
CA-6 | Security Authorization | CA-6
CA-7 | Continuous Monitoring | CA-7 (1)
CA-9 | Internal System Connections | CA-9

Authorization is a necessary condition to meet the objectives of developing necessary interconnection between different systems. This approach also helps to meet the objective of significant assessment considering the perspective of internal system connections between different system security activities (Force & Initiative, 2013). The desired plan of action can only be achieved through the development of a proper security evaluation plan.

13.1.2 [second control family]

PL: Planning (Management Controls Category)

PL-1 | Security Planning Policy and Procedures | PL-1
PL-2 | System Security Plan | PL-2 (3)
PL-4 | Rules of Behavior | PL-4 (1)
PL-8 | Information Security Architecture | PL-8

Appropriate planning is one crucial spectrum of the entire domain of the information security system adopted by the company. Alignment of different and interconnected policies and procedures is a necessary condition to attain the significant objectives and consideration from the overall system.

13.2 Operational Controls

Security methods are addressed under the main perspective of operational controls. The central aspect of consideration is to examine different mechanisms that are developed and established by concerned individuals. The option of operation controls is selected to enhance the overall performance of the security plan.

13.2.1 [first control family]

SI: System and Information Integrity (Operational Controls Category)

SI-1 | System and Information Integrity Policy and Procedures | SI-1
SI-2 | Flaw Remediation | SI-2 (2)
SI-3 | Malicious Code Protection | SI-3 (1) (2)
SI-4 | Information System Monitoring | SI-4 (2) (4) (5)
SI-5 | Security Alerts, Advisories, and Directives | SI-5
SI-7 | Software, Firmware, and Information Integrity | SI-7 (1) (7)
SI-8 | Spam Protection | SI-8 (1) (2)
SI-10 | Information Input Validation | SI-10

Protection against improper information modification is a necessary condition to achieve the ultimate objective of system integrity. Adoption of the System and Information Integrity control family is an essential instrument to safeguard the entire spectrum of all the relevant policies and procedures.

[second control family]

AT: Awareness and Training (Operational Controls Category)

AT-1 | Security Awareness and Training Policy and Procedures | AT-1
AT-2 | Security Awareness Training | AT-2 (2)
AT-3 | Role-Based Security Training | AT-3
AT-4 | Security Training Records | AT-4

The operational control family of Awareness and Training (AT) is also selected for the system security operations of the company. The central aim of this consideration is to provide the necessary knowledge to all the shareholders effectively and efficiently. The objective of security awareness needs to be successfully implemented by offering different systematic aspects and practical considerations. The objective of individual accountability is also contained through the different classes under the domain of awareness and training.

13.3 Technical Controls

All the matters of security execution are addressed under the spectrum of technical controls set for the selected information management system. The application of computer systems is established through the practical idea of technical controls (Nieles, Dempsey, & Pillitteri, 2017). The main focal point of this form of control is to ensure the successful application of automated protection in case of unauthorized access or improper use of information. It also provides aid to the overall security considerations.

[ first control family]

AC: Access Controls (Technical Controls Category)

AC-1 | Access Control Policy and Procedures | AC-1
AC-2 | Account Management | AC-2 (1) (2) (3) (4)
AC-3 | Access Enforcement | AC-3
AC-4 | Information Flow Enforcement | AC-4
AC-5 | Separation of Duties | AC-5
AC-6 | Least Privilege | AC-6 (1) (2) (5) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7
AC-8 | System Use Notification | AC-8
AC-11 | Session Lock | AC-11 (1)
AC-12 | Session Termination | AC-12
AC-14 | Permitted Actions without Identification or Authentication | AC-14
AC-17 | Remote Access | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access | AC-18 (1)
AC-19 | Access Control for Mobile Devices | AC-19 (5)
AC-20 | Use of External Information Systems | AC-20 (1) (2)
AC-21 | Information Sharing | AC-21
AC-22 | Publicly Accessible Content | AC-22

The Access Control family is selected for the operational domain of the company at its Wilmington location. The central aim of this consideration is to eliminate improper use of different system resources concerning the connection between different interconnected systems. Access control makes decisions about the form of access available to different entities in the case of system-based access controls.

[ second control family]

IA: Identification and Authentication (Technical Controls Category)

IA-1 | Identification and Authentication Policy and Procedures | IA-1
IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (2) (3) (8) (11) (12)
IA-3 | Device Identification and Authentication | IA-3
IA-4 | Identifier Management | IA-4
IA-5 | Authenticator Management | IA-5 (1) (2) (3) (11)
IA-6 | Authenticator Feedback | IA-6
IA-7 | Cryptographic Module Authentication | IA-7
IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4)

Timely and successful exploration of all the aspects of the authentication policy and procedural domain is a necessary condition to meet the standards of the technical control domain of the system. This form of defense mechanism is important to eliminate different risks of data theft or concerning the approach of system security. This form of control system eventually helps system control stakeholders to ensure a successful form of authentication.

14. Information System Security Plan Completion Date:

The completion date of the information security plan is 17th of November, 2019

15. Information System Security Plan Approval Date: _______________________

References

Bowen, P., Hash, J., & Wilson, M. (2007). Information security handbook: A guide for managers. NIST SPECIAL PUBLICATION 800-100, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY. Citeseer.

Force, J. T., & Initiative, T. (2013). Security and privacy controls for federal information systems and organizations. NIST Special Publication, 800(53), 8–13.

Nieles, M., Dempsey, K., & Pillitteri, V. (2017). An introduction to information security. National Institute of Standards and Technology.

Swanson, M., Hash, J., & Bowen, P. (2006). Revision Guide for Developing Security Plans for Federal Information Systems. NIST Special Publication, 800, 18.

Subject: IT

Pages: 6 Words: 1800

Project 3 Government Mobile Apps Security Assessment + Strategy

Government Mobile Apps Security Assessment and Strategy

Malintha Liyanage

School or Institution Name (University at Place or Town, State)

Introduction:

During the last few decades, information and communication technologies have made tremendous improvements, and the journey still continues. We are living in a mobile communication age. The advent of mobile phones and cellular networks was not thought to be that powerful. People rely more and more on their handheld devices instead of mainframe computers. Modern mobile phones are more powerful than earlier supercomputers. They are capable of handling massive processing loads that were not manageable by third generation mainframe computers. That shows the immense power of mobile technologies and of the investments being made in the technology by global technology giants. Mobile phones are continuously being improved (Abelson et al., 2015). Given the fact that the digital paradigm has shifted from mainframes to mobile environments, the government has also decided to be mobile friendly.
This is evident from the public law in which the federal government has required that any agency going to build a public website must ensure that it is mobile friendly. The regulation issued in 2017 does not direct government agencies to start from scratch, but any new public-facing website must be mobile friendly.

The immense power of mobile phones is due to the application technologies that can be supported on a tiny platform. People rely more on their mobile devices for everything from online shopping to anything digital that can be imagined. Modern mobile phones are capable of measuring heartbeats using sophisticated sensors and the algorithms used in their driving applications. Various government agencies have already launched their mobile apps to bridge the gaps between the public and their representatives in power. These applications provide extensive possibilities, from lodging complaints to getting useful services. There is no need to visit any physical office of the state agency; their mobile app will address most of the cases remotely. One example is a useful mobile application developed by the federal government known as MyTSA, which can answer queries about the materials that are allowed for air travel on an airplane (Enenkel et al., 2015).
Most of the applications linked to government services collect and process personally identifiable information of citizens such as name, sex, address, and social security numbers. Therefore, protecting such information is the obligation of the government as well. These applications must be based on a secure architecture to ensure the confidentiality, integrity, and availability of the data being processed by the application. The government has provided application developers with the application security requirements that must be ensured for an application compatible with government services.

Government’s Requirements for Mobile Applications Security:

The government has taken an initiative to be more mobile friendly by building mobile-compatible websites and applications. As these applications deal with the personally identifiable information of citizens, they have become a potential target of cybercriminals, who can compromise mobile devices with malicious applications to gain access to an individual's data and breach privacy. To make the mobile ecosystem more user-friendly, the government has issued guidelines and security requirements for mobile application security. Usually, mobile applications are provided to the general public through an application store hosted by the operating system vendor or by a third party (Kotz, Gunter, Kumar, & Weiner, 2016). The federal government requires by law extensive testing of an application before its launch to the general public. Application developers must perform aggressive testing of the mobile application in real-world environments before releasing it at a larger scale.
The testing phase of an application is known as the beta phase. A beta release is issued with a warning that it must be used with caution and should never be used on production devices, as it may cause stability issues. Voluntary beta testers help application developers identify and resolve any potential issues that could be targeted by criminals before the public release of the application.

Most mobile applications require specific permissions on the device on which they are used. For example, an application that provides weather information may require access to the geolocation of the device. The government requires application developers to ask explicitly for the user's permission, as a particular user may not want to reveal the geolocation of the device. Because applications collect usage data or certain patterns of data, application developers are required to limit data storage. For example, if an application does not require access to the location of the mobile device, data related to the location of the device must not be stored or processed by the developer (Downer & Bhattacharya, 2015). The majority of mobile applications require users to create an account on the developer's remote server to use the full functionality of the application. These user accounts are often accessed with a combination of username and password. Application developers are required by the government not to store passwords in plain text format.
Storing credentials in plaintext format makes them potentially vulnerable to security and privacy threats.
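The two storage requirements in the paragraph above (keep only data covered by a permission the user granted, and never store the password itself) can be sketched as follows. This is an added example, not part of the original essay; the field names, permission names, record layout and sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical mapping: stored field -> permission the user must have granted.
FIELD_PERMISSION = {
    "latitude": "location",
    "longitude": "location",
    "contacts": "contacts",
}
# Fields the account cannot exist without (assumed for this example).
ALWAYS_ALLOWED = {"username", "email"}

# scrypt cost parameters; 2**14 / 8 / 1 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing salted scrypt hash; the password is not kept."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
         salt.hex(), digest.hex()]
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        # Malformed record (for example a legacy plaintext value): reject.
        return False
    return hmac.compare_digest(candidate, expected)


def build_account_record(payload: dict, granted_permissions: set) -> dict:
    """Build the record to persist from a registration payload.

    Default deny: a field is stored only if it is always required or if the
    user granted the permission that covers it. Unknown fields are dropped.
    """
    record = {}
    for field, value in payload.items():
        if field == "password":
            continue  # handled separately, never copied into the record
        needed = FIELD_PERMISSION.get(field)
        if field in ALWAYS_ALLOWED or (needed and needed in granted_permissions):
            record[field] = value
    record["password_hash"] = hash_password(payload["password"])
    return record


# Constructed sample payload, as a weather app might submit at sign-up.
CONSTRUCTED_PAYLOAD = {
    "username": "jdoe",
    "email": "jdoe@example.org",
    "password": "correct horse battery staple",
    "latitude": 38.8977,
    "longitude": -77.0365,
    "device_id": "constructed-device-id",
}

if __name__ == "__main__":
    print(build_account_record(CONSTRUCTED_PAYLOAD, set()))
    print(build_account_record(CONSTRUCTED_PAYLOAD, {"location"}))
```

With no permissions granted, the stored record contains only the username, the e-mail address and the password hash; the coordinates appear only once the `location` permission is in the granted set.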

Industry’s Requirements for Mobile Applications Security:

The mobile application development industry also provides guidelines to application developers for securing mobile applications against possible security breaches. Mobile application developers must not rely on the platform security features of the target device. Security must be built into the application as well, to further raise the bar for cybercriminals trying to breach the security infrastructure of mobile devices. Most mobile applications are built using open source software libraries. Open source software is software that is provided to the general public and can be used in any way. There are benefits and drawbacks to this approach.

Open source code and software development kits allow programmers to base their work on proven architectures and technologies. On the other hand, it is easier for criminals to use the same code to exploit the existing application infrastructure. Application developers are required to carefully examine the available code for security holes before using it as a baseline for new applications. This helps them identify vulnerabilities in the system (Serra, Carvalho, Ferreira, Vaz, & Freire, 2015). Many applications send data to and communicate with a server maintained either by the developer or by a third party. Developers are required to verify the security of the server an application connects to. Any compromised server may contaminate the whole mobile ecosystem. Applications dealing with health-related data must comply with the data protection regulations and standards of healthcare systems.
Otherwise, applications and user data will be at higher risk of being stolen or misused by criminals infiltrating the defense systems.

Recommendations:

All of the mobile applications connect to the corresponding server using a wireless fidelity network. As the internet itself was not designed with much security in mind, any application relying on the network for proper functioning must implement cryptography to protect user information. Applications must not use Rivest Cipher version 4 for communication, as the algorithm uses symmetric keys and repeats the same encryption key after five thousand internet packets to encrypt the contents of the packet. Therefore, an attacker can compromise such a system in just four hours by analyzing packets sniffed from the network. Mobile devices must be physically secured as well. Most mobile devices allow manual disks for storage; all of these disks, along with the internal storage of the device, must be encrypted using sophisticated encryption algorithms. This keeps the data on the device secure and intact even if the device is lost or stolen, because criminals will not be able to recover any useful information from the encrypted device. Many modern devices are equipped with a trusted platform module, a hardware component for cryptographic key generation and credential storage. Mobile applications must support trusted platform module chips to protect user information. These measures will reduce the attack surface of mobile devices and the risk of their being compromised.

Summary:

People rely increasingly on mobile devices and applications for their digital needs. The government has started an initiative to make government websites mobile friendly in an attempt to utilize the potential of mobile platforms. Government applications and other third-party applications are required by law to be secured. Applications must be designed according to the security frameworks developed by the government and industry specialists. Extensive testing and vulnerability management using mobile device management platforms will reduce the risk of security issues and the privacy concerns of users. Communications with the remote server must be protected by deploying transport layer security and cryptographic algorithms. Adhering to the security requirements will help create a secure mobile ecosystem capable of handling future challenges as well.

References

Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., … Neumann, P. G. (2015). Keys under doormats: mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), 69–79.

Downer, K., & Bhattacharya, M. (2015). BYOD security: A new business challenge. In 2015 IEEE International Conference on Smart City/SocialCom/SustainCom (SmartCity) (pp. 1128–1133). IEEE.

Enenkel, M., See, L., Bonifacio, R., Boken, V., Chaney, N., Vinck, P., … Anderson, M. (2015). Drought and food security–Improving decision-support via new technologies and innovative collaboration. Global Food Security, 4, 51–55.

Kotz, D., Gunter, C. A., Kumar, S., & Weiner, J. P. (2016). Privacy and security in mobile health: a research agenda. Computer, 49(6), 22–30.

Serra, L. C., Carvalho, L. P., Ferreira, L. P., Vaz, J. B. S., & Freire, A. P. (2015). Accessibility evaluation of e-government mobile applications in Brazil. Procedia Computer Science, 67, 348–357.

Subject: IT

Pages: 5 Words: 1500

Project 5




Josephus West

School or Institution Name (University at Place or Town, State)

Introduction:

State governments hold personally identifiable information about citizens, including social security numbers, taxpayer information, and driving license details. Protecting such data against digital threats is the responsibility of the state departments that process it. State governments are responsible for ensuring the confidentiality, integrity, availability, and non-repudiation of the data. Most state departments have their own designated information security policies, which include rules and regulations regarding data processing under various conditions. Because they store records of personally identifiable information, state departments have become a potential target for cybercriminals (Graves, Acquisti, & Christin, 2016). Therefore, it is the responsibility of state governments to maintain public trust and the security of data. The information security policies of the Colorado Office of Information Security and the Florida Agency for Health Care Administration are compared below for their strengths and weaknesses.

Similarities:

Both state agencies have policies regarding the protection of critical information technology infrastructure and of data owned by the agencies. Data can be collected from various sources; for example, some services may need to obtain personally identifiable information from the general public. The Florida Agency for Health Care Administration requires the data to be encrypted using the advanced encryption standard. Healthcare facilities cannot transmit data over insecure channels without applying appropriate ciphers and encryption algorithms. In some specific facilities, the use of block ciphers is also required. Personal health information cannot be disclosed to any third party without the written or prior permission of the owner of the health record information (Goodman, Straub, & Baskerville, 2016). Access to health care facilities is restricted to authorized personnel only. The data processing infrastructure must be compliant with the framework of the National Institute of Standards and Technology. It is essential to ensure the availability of the data to authorized health care professionals when required.
Having a standardized infrastructure of data processing will make it easier to troubleshoot any data corruption.

The Office of Information Security of Colorado has information security policies for various departments that help organizations and state departments ensure the confidentiality, integrity, availability, and non-repudiation of data. Data encryption is mandatory where information is to be sent over wireless channels, because wireless channels are highly unpredictable. Data sent over wireless channels is prone to eavesdropping, such as man-in-the-middle attacks, in which messages sent without encryption can be intercepted by third parties (Ortmeier, 2017). As personally identifiable information can be used for targeted attacks, protecting such information is crucial to maintaining public trust in state-owned organizations and their operations. These two requirements are shared by both state policies. They require the data to be appropriately encrypted before its transfer over the internet.

Differences:

Both state agencies have strict rules and policies that are capable of protecting the data owned by state agencies against cyber-attacks. However, the Office of Information Security of Colorado requires the data to be encrypted using the advanced encryption standard with keys 256 bits in length. This strong encryption is considered to be the most secure among modern data encryption standards. The asymmetric nature of the encryption enforced by the policy makes it hard to break, because different keys are used to encrypt and decrypt the data (White, 2015). The Florida Agency for Health Care Administration differs from the Office of Information Security in terms of access protection regulations. It requires that access to the infrastructure of health care facilities be protected by two-factor authentication and essential public infrastructure. All the facilities of the health care infrastructure must be protected with logical measures.

Recommendations:

Almost all state departments outline the requirements of data protection in their information security policies. However, the physical security of critical infrastructure is crucial as well, because all of the logical measures can be breached if there are no physical access restrictions. If hackers are able to physically compromise the system, then logical measures can be bypassed as well (Da Veiga, 2016). Physical access restrictions such as geo-fencing and digital surveillance must be deployed at state departments that have critical information technology infrastructure. Moreover, information security strategic plans must be part of the business plans of organizations that have to deal with personally identifiable information. Information security investments can be hard for organizations to make when there are no apparent benefits for the business, but critical infrastructure cannot be left unprotected just because the probability of a targeted attack is low. As long as there are threats to a system, there must be sufficient protection systems as well. As there is no silver bullet to halt all digital threats, all state departments must have information security policies.

Conclusion:

Information security is crucial in every information processing system. State departments in particular, which need to store and process personally identifiable information, must have their information security policies expertly laid out and enforced as well. All state departments must have customized information security policies suited to the type of data they handle. State departments must have their own infrastructure, as personally identifiable information cannot be put at risk by leaving its protection to third-party vendors.

References

Da Veiga, A. (2016). Comparing the information security culture of employees who had read the information security policy and those who had not: Illustrated through an empirical study. Information & Computer Security, 24(2), 139–151.

Goodman, S., Straub, D. W., & Baskerville, R. (2016). Information security: policy, processes, and practices. Routledge.

Graves, J. T., Acquisti, A., & Christin, N. (2016). Big data and bad data: on the sensitivity of security policy to imperfect information. U. Chi. L. Rev., 83, 117.

Ortmeier, P. J. (2017). Introduction to security. Pearson.

White, J. D. (2015). Managing information in the public sector. Routledge.

Subject: IT

Pages: 3 Words: 900

Project 5 Comp-Contr 2 State Govt IT Security Policies

Public-Private Partnerships for Cybersecurity

Malintha Liyanage

School or Institution Name (University at Place or Town, State)


Introduction:

With the exponential penetration of information and communication technologies into every aspect of life, most government facilities have also turned digital. The state government is not only promoting information technology but also relying on the same technology to provide services to citizens. Governments have to deal with the personal information of citizens in order to provide better services, like any private business organization. The storing and processing of critical information by state departments makes the information technology infrastructure of these departments a potential target for cyber-criminals (Carr, 2016). Protection of such critical information assets is the responsibility of the public sector organizations dealing with sensitive data. Public sector organizations have always suffered from a lack of resources in competition with private sector organizations. Specifically, in the field of cybersecurity solutions, private sector organizations have made tremendous improvements compared to public sector institutions.

Cyber-criminals are always trying to compromise the existing layers of security in public organizations. With the advent of large-scale data centers, attackers have shifted their attack vectors from individual users to large-scale organizations. Cybercrime is growing into the most profitable industry. Given that the cyber threat landscape is continually evolving and public sector organizations do not have enough resources, it is the need of the hour to increase public-private partnerships to secure the critical information assets of the nation (Givens & Busch, 2013). A public-private partnership for cybersecurity means a collaborative environment between the participants in terms of technology and intelligence sharing. As there are not enough resources available for the security of public information technology infrastructure, public sector institutions rely on cybersecurity solutions developed by independent security companies. Such reliance on third-party solutions for the protection of citizens' sensitive information raises many ethical and legal issues.
The paper describes the benefits of having a fruitful public-private partnership for cybersecurity instead of relying on solutions developed by the industry.

Public-Private Partnerships for Cybersecurity:

Private organizations and independent cybersecurity companies have invested heavily in information security during the last three decades. As cybercriminals have targeted public organizations because the data stored in their systems can be used in many ways, private firms have helped organizations secure their infrastructure against cyber-attacks. Targeted cyber-attacks have increased exponentially during the last five years. Most of the time, targeted attacks on public infrastructure are sponsored by rival states to sabotage the information technology infrastructure of their enemies (Busch & Givens, 2012). It has been reported that public sector organizations have faced many issues regarding the security of information technology infrastructure. It is difficult for public organizations to hire and retain the required talent for cybersecurity. Private firms offer better monetary benefits to skilled persons, and turnover in public organizations remains high. Modern cybersecurity positions require dynamic individuals with in-depth knowledge and experience of communication technologies.

Due to budgetary issues in public sector organizations, there is an ongoing crisis in the cybersecurity workforce. Cybersecurity professionals are in high demand. Besides budgetary issues there are technical issues as well; for example, public sector information technology infrastructure is not as developed as that of private firms. To overcome these challenges, public-private partnerships have been formed during the last few years. The initiative has addressed many of the security issues but has raised new concerns as well (Bossong & Wagner, 2017). Public organizations also have some in-house facilities and staff that require support for the proper functioning of information technology departments. Public-private partnerships allow both parties to share information and intelligence gathered by analyzing different security incidents. Through these partnerships, many useful cybersecurity frameworks have been developed. Most of the infrastructure deployed in the public sector is not solely developed by the government itself.
Therefore, the vulnerabilities in the system are beyond the control of in-house departments if there is no intelligence sharing on incidents (Harknett & Stever, 2011). For example, if a public and a private organization have similar infrastructure and one of them is compromised, the other can be protected against similar attack techniques if they have an intelligence-sharing partnership. Lessons learned in one sector will help improve the security of the other, and vice versa.

Challenges in Public-Private Partnerships for Cybersecurity:

As discussed, public-private partnerships can bring many benefits, but there are some issues as well. When a government entity collaborates or builds a partnership with a private entity, confidentiality issues arise, as the government also has to play the role of regulator. Depending on the sensitivity of the information stored in public sector information technology systems, the government may not give the partner organization from the private sector granular visibility into the investigation of an attack on the system. Similarly, a private sector organization may be reluctant to provide information that could reveal an internal business process to the state government (Manley, 2015). There can be legal restrictions as well.
It has been observed in various advanced persistent attack cases that private organizations collaborate with state departments when they are in crisis rather than building an ongoing, proactive partnership for fighting cyber-attacks (Andreasson, 2011). Trust issues may also restrict cooperation in partnerships, as the leader of the private organization may fear that the government will interfere with internal business processes.

Private organizations try to remain independent when they experience any security incident, instead of seeking help from the government. The reason behind the reluctance is that companies want to ensure the data privacy of their customers. If they share internal process information with the government, they may be accused by customers of working too closely with the government. Organizations cannot afford to lose customers' trust by helping the government fight against digital darks. Most private organizations deal with customers at the global level instead of the national level. Therefore, they may be subject to international data communication laws and regulations (McCarthy, 2018). However, despite the difficulties, many partnerships have been successful. Government organizations have partnerships with private organizations and large-scale cybersecurity giants such as McAfee and Symantec Corporation to help in investigations of security breaches. These organizations share intelligence and threat reports to build a secure ecosystem for information technology solutions.

Recommendations:

Public-private partnerships for cybersecurity are inevitable given the state of targeted attacks on significant information technology infrastructure. Challenges in building such partnerships can be overcome by utilizing incident response efforts and by enforcing standard frameworks. Agreements can state clearly beforehand to what extent information will be revealed to the government in case of an incident investigation. The purpose of such partnerships, along with the obvious reason of protecting critical information infrastructure, should be the building of an innovative incident response mechanism (Kaul et al., 2018). Such a mechanism will help in combating the latest attack vectors proactively. Most private organizations have developed artificial intelligence and machine learning algorithms to fight against digital darks. There must be collaboration on these algorithms in public-private partnerships for cybersecurity, as the aim is to create a secure infrastructure rather than competition in algorithm development. Such collaborations and intelligence sharing between the public and private sectors will help in building frameworks that can render the most common attack vectors useless.

As cyber threats are evolving continuously both in number and in complexity, partnerships between public and private organizations are inevitable. Both sectors store and process confidential information, and securing critical information assets is the obligation of the involved parties. Collaborations between these sectors will help in educating individuals about safe practices while they surf, search, and socialize using information and communication technologies. Technology sharing will help in the improvement of existing tools and the development of new sophisticated prevention technologies leveraging artificial intelligence concepts.

Summary:

The information technology infrastructure of both public and private organizations is being targeted by cybercriminals. During the last two years, the rise in cryptographic malware attacks caused millions of dollars in losses. Targeted attacks locked individuals and organizations out of their systems. Data stored on the machines was encrypted, and attackers demanded a ransom to decrypt the files. No security solution was able to stop the wave of such attacks until significant damage had been done by the attackers. Therefore, public-private partnerships are inevitable in securing the information technology infrastructure. In such partnerships, the partners will complement each other’s deficiencies and help people enjoy safer technology.

References

Andreasson, K. J. (2011). Cybersecurity: public sector threats and responses. CRC Press.

Bossong, R., & Wagner, B. (2017). A typology of cybersecurity and public-private partnerships in the context of the EU. Crime, Law and Social Change, 67(3), 265–288.

Busch, N. E., & Givens, A. D. (2012). Public-private partnerships in homeland security: Opportunities and challenges.

Carr, M. (2016). Public-private partnerships in national cyber-security strategies. International Affairs, 92(1), 43–62.

Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US critical infrastructure protection. International Journal of Critical Infrastructure Protection, 6(1), 39–50.

Harknett, R. J., & Stever, J. A. (2011). The new policy world of cybersecurity. Public Administration Review, 71(3), 455–460.

Kaul, K. V., Tucker, M., McNamara, G. S., Hicks, J., Bliss, C., Tosi, S., & Loethen, L. (2018). GOING DARKER 2.0: POLICY RECOMMENDATIONS FOR LAW ENFORCEMENT, THE INTELLIGENCE COMMUNITY, AND THE PRIVATE SECTOR.

Manley, M. (2015). Cyberspace’s dynamic duo: Forging a cybersecurity public-private partnership. Journal of Strategic Security, 8(3), 85–98.

McCarthy, D. R. (2018). Privatizing Political Authority: Cybersecurity, Public-Private Partnerships, and the Reproduction of Liberal Political Order. Politics and Governance, 6(2), 5–12.

Subject: IT

Pages: 5 Words: 1500

Project 5: Compare/Contrast State Govt IT Security Policies



Project 5: Compare / Contrast Two state Government IT Security Policies

Malintha Liyanage


Introduction:

Information technology plays the role of a utility not only in the private sector but in all of the state departments as well. It is hard to imagine a single department without applications of information technology. Most processes are now digital, whether related to management or policies. Increased reliance on information technologies has brought many new challenges along with the benefits of usability of these technologies. Most information technology systems are being used to handle data sets that can be used to identify individuals. Such data sets are also known as personally identifiable information. It is the information that can be used to identify any biological subject. State departments rely on personally identifiable information for proper functioning (Collins, 2016). Earlier, the records were maintained in paper-based registers. Now a massive amount of data is stored in digital systems. Previous paper-based records are being transformed into digital records.

Increased digitalization of personally identifiable information by state governments has made their systems a potential target of cybercriminals. Headlines are filled with news of successful data breaches at organizations. The data stored in information technology systems is considered the most critical asset. Therefore, the protection of the critical assets of the state is the responsibility of the State Government. Most state departments have designated cybersecurity policies and defined frameworks to protect critical assets. Each department may have a different set of rules and policies based on the nature of the information systems being used by the department. Information security policies define the role of institutes and organizations, and the software and hardware requirements, to secure the processing of data and the transfer of information over a network.

Information security policies are equally important for resource-poor states and for rich states. States lacking appropriate information technology infrastructure must have information security policies defining the frameworks for future development. Security policies of states having fewer technical resources will include master plans for future technological developments. Such policies will serve as road maps for future developments. It is crucial for such states to develop comprehensive information security policies, as the policies will shape the future transformations of technical developments. States suffering from a lack of technical resources can define policies that will build technology with safety precautions in mind. Capability maturity models of information security frameworks can be considered as starting points towards the development of an information security policy. It will benefit them to build their architecture as per the defined security principles.

On the other hand, states having enough resources must develop information security policies. It is inevitable for rich states to invest in improving information security, as their critical infrastructure is more prone to cyber-attacks. Moreover, rich states must join hands with developing states to create a secure ecosystem for critical information assets. Public-private partnerships can be helpful in overcoming the lack of resources, either human or technical, in the cyber-security domain for many states. Because data stored in the systems of a state department is a critical asset to be protected from a wide variety of attacks, all of the state governments have information technology security policies. The paper evaluates the information technology security policies of Florida-Agency for State Technology and Michigan State Police for their strengths and weaknesses.

Similarities in IT Security Policies:

The Florida-Agency for State Technology is an agency of the State Government of Florida tasked with the protection of information of the Floridians. It describes the rules and policies for information technology systems of the State departments. Headed by the chief information officer of the state, the agency was established in 2014. The agency provides the departments with guidelines and frameworks to protect critical information assets against cyber-attacks. After the initiative of the government to provide access to open data, the chief information officer issued a security policy standardizing the use of open data (Layton, 2016). Open data is the database of statistics and State-owned information that is being provided for research and development purposes. It provides a one-stop solution for researchers to collect large sets of data from the government, which will help them in the formulation of their research.

However, while access to open data will increase the interoperability of State agencies, it may raise potential issues as well. It will be the responsibility of the State government to protect the confidentiality, integrity, and availability of the data. Confidentiality of the data requires that access to the data must be authorized. In other words, the data will be provided to requesting parties only. The integrity of the data requires the data to be protected against malicious manipulations. Availability requires the data to be available to concerned parties whenever requested. The agency has provided a framework that ensures these primary goals of information security. The data will be segregated for different parties, e.g. public and private organizations. Not all of the parties or departments will have similar access to the data sets made available under the open data initiative.

Michigan State Police have a similar information security policy protecting the confidentiality, integrity, and availability of the data. The department stores and processes personally identifiable information for criminal investigations and digital forensic analysis purposes. The information security policy of the department provides a framework in which limited access can be provided to authorized parties only, such as a forensic investigator. Both policies are similar in the aspects of data segregation. Not all types of data are available to all officials; for example, the records of computer crime units cannot be accessed by investigators of street crimes. However, special access can be granted to officials based on state laws to help in criminal investigations (Shropshire, Warkentin, & Sharma, 2015). Moreover, data is protected using sophisticated encryption algorithms to protect the confidentiality of the data. It is mandatory to make the data storage equipment secure enough to prevent targeted attacks by hackers trying to gain access to the databases. Data protection is strictly compliant with the policies of Michigan State. Both states have the mentioned similarities in their information technology security policies.

Unique Aspects of Florida-Agency for State Technology IT Security Policy:

There are many unique aspects of the open data security policy issued by the state agency. According to the framework, public agencies and departments can access open data by following legal restrictions. For private sector organizations, the data will be provided only in machine-readable format. It is mandatory to protect the confidentiality and integrity of the data, as only authorized persons will be able to manipulate machine-readable data. It will not be possible for malicious actors to understand the data set contents. The information regarding data sets will be provided and well documented for all the parties (“Cybersecurity Resources,” n.d.). However, high-level details of metadata associated with the data sets will not be disclosed because it may provide malicious actors with enough information to compromise the system. The documented data will provide general instructions such as the limitations of the data sets and the purpose of the collection of the data. This information will not be harmful to the system as it is not related to the underlying data processing system (White, Fisch, & Pooch, 2017). Data sets will be updated as new data becomes available to increase and maintain the value of the data for research and development teams. These are the unique aspects of the information technology policy by the State governmental agency to protect the open data initiative.

Unique Aspects of Michigan State Police IT Security Policy:

As the department relies on extensive information processing systems, the security policies implemented by the department are enough to achieve the basic security goals of confidentiality, integrity, and availability. The security policy requires the department to use the Advanced Encryption Standard with 256-bit encryption (“MSP - Department Policies,” n.d.). An asymmetric encryption model relying on public key infrastructure ensures the integrity and confidentiality of the data owned by the state police. It also protects the data against duplication. The databases are all encrypted, and applying encryption to stored data will keep the data secure even if the system is breached by hackers (Trautman, 2015), as they will not be able to extract the data as long as the encryption keys are kept secret. Breaking the encryption keys of the Advanced Encryption Standard requires a massive amount of computing resources, which is theoretically impossible. Therefore, the security policies enforced are mature enough to protect the records and databases critical to the safety of citizens for a long period of time.

The data stored in the information technology infrastructure of the Michigan State Police experienced direct attacks as well. Hackers trying to bypass the access controls were exploiting security holes present in installed software systems. Although there was no serious risk from such attacks, connectivity issues may arise due to congestion in the internal network of the department. To avoid such attacks, the information security policy requires the use of reverse proxy systems in the department. Reverse proxy systems block backward access to the internal infrastructure of the department. Therefore, critical databases cannot be accessed from outside of the designated networks. This unique aspect of the information security policy makes the cracking of access control systems even harder for cyber-criminals.

Better IT Security Policy:

As per the evaluation of the security policies of both state departments, it can be considered that the security policy enforced by the Florida-Agency for State Technology is better than the security policy of Michigan State Police. Data segregation requirements imposed by the Florida-Agency for State Technology are more comprehensive as compared to the State Police of Michigan. It requires the data to be provided to private parties in a machine-readable format, potentially protecting it against man-in-the-middle attacks and eavesdropping if being transmitted on wireless channels (Ghai, Sharma, & Jain, 2015). State-owned departments will have access to the human-readable format as well, as they will be protected by strict policies and data protection equipment. The problem is the access granted to private parties, and that is covered by changing the format of the data, rendering hacking attacks useless against the system. Security policies of other states lack this requirement, which is why it is better as compared to other nation states.

As per the best practices for information security efforts, both of the information security policies can be improved by adding the requirement of intrusion detection or prevention systems. Intrusion detection or prevention systems can be host-based or network-based. They can work in conjunction with a firewall to prevent attacks arising from within the network. The problem with a firewall-only solution is that a firewall can only block attacks initiated from outside of the internal network. However, any attack initiated from within the network can bypass firewall defenses and can cause damage to critical information systems. Host-based or network-based intrusion detection or prevention systems can control such attacks. The best practice of using intrusion prevention or detection systems can be made a part of the information security policies of the states.

Conclusion:

Data, which includes personally identifiable information of citizens, is the most critical asset owned by the states. Any compromise of the information technology systems of a particular state may result in irreparable damage to the overall infrastructure of the government. Given the exponential penetration of information technologies in State operations and the critical nature of data stored in these systems, it is inevitable for all the nation states to have a comprehensive information technology security policy to protect critical assets of the nation (Layton, 2016). As discussed in the paper, some states have stronger information security policies, and some have slightly weaker security policies. However, each state must have an information technology security policy enforced for the proper functioning of the departments.

References

Collins, A. (2016). Contemporary security studies. Oxford university press.

Cybersecurity Resources. (n.d.). Retrieved May 6, 2019, from Florida Agency for State Technology website: https://www.ast.myflorida.com/cybersecurity-resources

Ghai, V., Sharma, S., & Jain, A. (2015). Policy-based physical security system for restricting access to computer resources and data flow through network equipment. Google Patents.

Layton, T. P. (2016). Information Security: Design, implementation, measurement, and compliance. Auerbach Publications.

MSP - Department Policies. (n.d.). Retrieved May 6, 2019, from https://www.michigan.gov/msp/0,4643,7-123-1579_78902---,00.html

Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 49, 177–191.

Trautman, L. J. (2015). Cybersecurity: What about US policy. U. Ill. JL Tech. & Pol’y, 341.

White, G. B., Fisch, E. A., & Pooch, U. W. (2017). Computer system and network security. CRC press.

Subject: IT

Pages: 3 Words: 900

Project 6


Josephus West


Introduction:

Information technology plays the role of a utility not only in business but in all of the state departments. As all of the state departments have to deal with critical information, protection of such information from cyber-attacks is inevitable. The cybersecurity and threat landscape never remains the same, so it is not possible for any single entity to ensure the protection of critical infrastructure vital to the operations of the federal and state government. Significant developments in the field of information security are made by private sector security firms. To protect national critical infrastructure, public-private partnerships are required. A public-private partnership is the cooperation of two entities for co-existence (Carr, 2016). In public-private partnerships, a long-term contract or agreement is established between a government entity and a private party to provide services to the public, in which the private party shares a significant portion of the risk. A growing number of countries including the United States of America are developing enhanced public-private partnerships to protect the critical infrastructure of the nation against cyber-attacks.

Public-Private Partnerships for Cybersecurity:

Integration of information technology into governmental organizations for management and related policy enforcement purposes has made them a potential target for cyber-criminals. Most of the time, criminals can be backed by rival states as well to sabotage the infrastructure of their opponents. The threat landscape for critical information technology infrastructure is always changing. Malicious actors are continuously developing sophisticated attacks to bypass the security infrastructure of large-scale organizations, including the public infrastructure of facilities as well. In the dynamic world of protecting critical infrastructure, intelligence sharing between public entities and related private parties is inevitable. Cyber-attacks cannot be geo-restricted or confined to a particular area.

Cyber-attacks backed by governments can destroy the critical infrastructure of organizations at a massive scale, as is evident from the ransomware attacks during the last decade. It is an established fact that government and private sector experts need to collaborate to protect the nation's security against cyber-attacks, but there are some concerns that need to be resolved regarding the policies (Givens & Busch, 2013). The National Institute of Standards and Technology provides a framework that is applicable to most organizations for their cybersecurity needs. Legal and strategic implications often serve as obstacles to the increase in public-private intelligence sharing regarding cybersecurity due to cross-border issues such as inconsistent cybersecurity laws.

Effects of Public-Private Partnerships for Cybersecurity:

Most of the time, private firms have more resources than the government to hire and utilize the best talent in the field of cybersecurity to protect crucial information technology infrastructure. Therefore, increased and extended partnerships between public institutes and private organizations have numerous benefits for both parties to the agreement. Intelligence shared by private firms will help government institutions to formulate policies accordingly. One example is the cybersecurity framework for organizations prepared by the National Institute of Standards and Technology with the help of private sector organizations (Cherdantseva & Hilton, 2013). Private organizations such as Symantec and McAfee employ top talent in cybersecurity to protect commercial markets from cyber-attacks. Cybersecurity market intelligence sharing is not limited to public-private partnerships; there are partnerships between private companies as well. A small to medium-sized organization may have different cybersecurity requirements from a state-owned enterprise business. However, there are trust issues in such partnerships, because a supply chain, such as the intelligence sharing networks of these partnerships, can also be compromised by criminals.

Best Practices for Companies:

Partnerships between cybersecurity entities, whether private or public, are inevitable in building a strong defense against malicious actors targeting the critical infrastructure of the nation. However, in a public-private partnership, a private firm may have concerns regarding data exposure to the federal government. Private entities may not agree to expose their internal infrastructures to governmental agencies, as these may be protected by data protection regulations. Personally identifiable information of their clients may be exposed to the federal or state governments, which may result in claims of privacy violations. Therefore, organizations must comply with the frameworks and policies made through the collaboration of security firms, such as the cybersecurity framework approved by the NIST (Busch & Givens, 2012). Companies can deploy honeypot networks to detect and halt unauthorized access requests to the system and share the intelligence gathered by neutralizing the attack. Effective sharing of knowledge and technical expertise will help the government to make the information technology ecosystem secure. Extended partnerships also avoid the building of monopolies in a particular area of cybersecurity practice, such as in the field of intrusion detection systems.

Conclusion:

Building an effective public-private partnership to protect the critical infrastructure of the nation is inevitable. A major potential benefit of intelligence sharing and technical expertise development is a prosecution framework for domestic and international cyber-criminals. It will be effective in preventing future attacks on critical infrastructure, including state-sponsored targeted attacks. If the goal is not only to detect attacks as quickly as possible but also to share the gathered evidence for the successful prosecution of the criminal, public-private partnerships will be very useful and cost-effective. Partnerships are helpful either way in protecting the nation's infrastructure, but to address the privacy-related issues of private partners, extended negotiations need to be held on a regular basis. This will help the public as well as the private sector to improve cyber defense.

References

Busch, N. E., & Givens, A. D. (2012). Public-private partnerships in homeland security: Opportunities and challenges.

Carr, M. (2016). Public–private partnerships in national cyber-security strategies. International Affairs, 92(1), 43–62.

Cherdantseva, Y., & Hilton, J. (2013). A reference model of information assurance & security. In 2013 International Conference on Availability, Reliability, and Security (pp. 546–555). IEEE.

Givens, A. D., & Busch, N. E. (2013). Realizing the promise of public-private partnerships in US critical infrastructure protection. International Journal of Critical Infrastructure Protection, 6(1), 39–50.

Subject: IT

Pages: 3 Words: 900

Project Charter And Stakeholder Identification


Project Charter

Project Title

The Office Relocation Project

Brief Description

The XYZ company has recently decided to move its office to an entirely new location that will be easier to access than its old location. Previously, the office of the company was on the 2nd floor of a congested building, where it was hard for customers to visit. The company also wanted to expand its operations, as it formed a new department where technical training will be provided to new employees. This is the reason why this project was initiated, and Mr. John has been given the responsibility to lead the project team and carry out the project successfully. This project will be very helpful in enhancing the productivity of the employees and improving the performance of the company (Attwood, 1996).

Background

The idea of this project was proposed by Mr. Stewart, who is the current Managing Director of the company. For the past few months, the organization had been facing multiple issues related to the accessibility of procurements, the unavailability of clients because of the location, and the lack of a separate area for training (Harrison & Lock, 2017). For this reason, the top management conducted many meetings and in the end decided to shift to a better commercial place, relocating the entire office. Immediately, with no time wasted, Mr. John was assigned the role of project manager for this project, which should take the least time required.

Project Goals

Following are the goals that must be met with the completion of the Office relocation project.

The foremost goal is to bring together all the departments of the XYZ company at one commercial place by shifting the I.T department, Administration department, HR department and the Logistics department to one place.

To introduce a proper and separate training room for the newly hired employees in the new locality.

To manage the tasks and activities of the relocation and shifting effectively within the time frame provided to the project team.

To maintain a balance in the virtual move and physical move of the office without affecting the office work and performance of the company.

To apply the appropriate and reasonable costs to the movement of the office e.g. cost of transportation, painting cost, interior management cost and carpeting cost etc.

To explore the potential risks and address them in an effective way.

Project Scope

For the Office relocation project, detailed planning and effective management are needed to shift all the departments of XYZ Company into one building in a way that does not affect the performance of the ongoing operations in the company. The scope also includes ensuring that the new location for the office is more appropriate and well-organized, with enough room for changes in the future. The new office must be well-structured, with a proper setup for the different departments, and should be entirely furnished and carpeted.

Project Limitations/Constraints

There are certain limitations and constraints linked with the execution of this project. These constraints include time management issues, as the working environment and operations cannot be withheld for a long period of time during the office movement. Another limitation is the costs involved in the whole movement process, including transportation, carpeting and painting of the new office (Behren, Puhe & Chlond, 2018). There may be other costs that are only experienced later, once the project gets started. The reliability and availability of contractors might also become a hurdle in completing the project successfully (Husain, 1980). There are also risks involved in moving all the office supplies, heavy machinery and equipment without damaging them and accommodating them in the new place.

List of activities involved in Project

Following are the brief details of the activities that will take place in this project.

Proper planning

Exploring new site for relocation

Design the structure for the new site

Assessing the site in relation to the design and capacity

Discussion with consultants

Project Team building

Approaching Contractors and Vendors

Communicating with departments

Fixing wiring and basic utilities in the new place

Painting

Carpeting and Furnishing

Packing equipment in old site

Movement of machinery and equipment

Clean up of old office

Unpacking

Organization and setup

Arranging training room in new office

Purchasing furniture for training room

Setting the interior

Informing the stakeholders

Project Milestones

The office relocation consists of certain key milestones which are mentioned below.

First milestone

The first milestone will be achieved when the contractors for movement, painting and carpeting are hired, as this task is a bit difficult compared to the other activities. Once this milestone is achieved, it will become easy to follow the other activities, and the process of office relocation will officially begin.

Second Milestone

The second milestone covers the essential I.T utilities and services in the new office. Basic wiring will be done there so that the I.T department of the company does not face any problem in operating there after the movement.

Third Milestone

After the wiring procedure, painting of the new office and carpeting will be done and space will be managed for all the departments including the new room for training. This milestone will allow the office to shift.

Fourth Milestone

All the office equipment, machinery and supplies will be moved to the new location of the office.

Fifth Milestone

Office relocation is complete.

Project Team

Mr. John will undertake this project by leading a team of four members.

Project Manager: Mr. John

Project Team members: Stephanie White, Helen Collins, Tony Welch, Emma Tse

Project Key Stakeholders

The key stakeholders in this office relocation project are the following entities.

Top Management

Employees

Project Team

Vendors/Contractors

Consultants

Customers

The top management includes the Managing Director, Chief Executive and General Manager of the XYZ company. Employees are also concerned stakeholders in the project, as they are an integral part of the company and represent the different departments that are to be moved (Rolfö, 2018). Contractors and vendors are the external stakeholders without whom the project cannot be completed. The project team is one of the key stakeholders, as it needs to be informed at every step to execute the project. The consultants' say is also important in the project, and customers need to be informed too.

Project Budget

The project will comprise different costs linked with every step and phase of the project. As XYZ has around 150 employees, the cost charged for each computer system movement is $200 per employee. Their cabins are also included, along with an additional 80 boxes of office equipment which need to be shifted carefully. The painters and vendors are hired at a cost of $12 per hour for the service, and the cost of the paints is $300. Carrier trucks will be hired for the movement and transportation for $1200. The interior will be organized and managed in the new office, along with the wiring, for a cost of $800. The furniture comprises 160 chairs, 50 tables, 5 conference tables, 50 conference chairs and 5 projectors. So, the total estimated cost of the entire project will be $4000. A budget of $4,500 will be given to the project team to bear the costs; as $500 of this is extra, that amount will be reserved for additional charges to buy more furniture if needed.

Stakeholder Analysis

Below is the Stakeholder Analysis prepared for identifying and understanding the key stakeholders of this project.

Name of Stakeholder

Contribution

Role and Responsibilities

Impact

Strategy for Engagement

Top Management

Initiated Project

Hiring authority

Hires project team

Approval

Decision Making

Consulting with other stakeholders

Approving important changes

Very High

Monthly round table meetings, weekly status reports and important phone calls

Employees

Preparation in movement

Cooperation and coordination

Assessment of project

Following instructions from top management

Monitor the activities

Assist in relocation

Moderate

Weekly meetings, official emails, official calls and feedback

Project Team

Lead the project

Planning, managing and controlling

Monitor and control the scope of project

Make sure the goals are met

Perform the activities of the project

High

Daily stand up meetings, weekly meetings, official phone calls, feedback, prepare weekly status reports

Vendors/Contractors

Provision of required resources needed for the project

Perform tasks they are paid for.

Handles movement through transportation, painting and carpeting.

Reporting to project team

Implementation of required activities

Providing services

High

Meetings, calls and visits

Consultants

Informing issues to top management regarding the project

Approving vendors and contractors

Monitoring project

Consulting effective strategies

Provide information

Facilitate the project team

Assistance in Project

Guiding top management

Moderate

Round table conferences on weekly basis, official emails, daily coordination

Customers

No contribution in project process

Customer feedback

Contact employees regarding any complaints

Moderate

On phone calls and emails, visits

Examples of Failed Projects due to Stakeholder Issues

Sony Betamax

The reason for the failure was the lack of stakeholder follow-up after the launch of the product.

New Coke

They failed to properly engage the customers in their project. Customers are the key stakeholders of any project and they were unable to assess customer requirements.

Apple Lisa

This project failed due to lack of transparency from the stakeholders’ side.

References

Attwood, D. A. (1996). The office relocation sourcebook: A guide to managing staff throughout the move (Vol. 1). John Wiley & Sons.

Harrison, F., & Lock, D. (2017). Advanced project management: a structured approach. Routledge.

Husain, M. S. (1980). Office relocation in Hamburg: the City-Nord project. Geography: Journal of the Geographical Association, 65(2), 131.

Rolfö, L. V. (2018). Relocation to an activity-based flexible office–Design processes and outcomes. Applied ergonomics, 73, 141-150.

Behren, S., Puhe, M., & Chlond, B. (2018). Office relocation and changes in travel behavior: Capturing the effects including the adaptation phase. Transportation Research Procedia, 32, 573-584.

Subject: IT

Pages: 5 Words: 1500

Project Deliverable 1: Project Plan Inception


Section 1: Project Introduction

Background information of the company.

Lansing Ophthalmology has been in a position to build a customer capacity of over one hundred thousand patients, of which seventy-five thousand are seen every year. There is always a need for a secure system. At home, most of us use our computers for internet banking, ordering things online, and social connection. Without a safe mode, an individual can lose important data, which can lead to fraud and identity theft. When an organization is not using a secure computer system, the vital information of the company is at risk of falling into the wrong hands. Hackers can get the information and steal the organization's revenue and also customer information, which is risky. Organizations are required by law to protect the confidentiality, integrity, and authenticity of customer information.

The type of business in which the company is involved.

The issue with Lansing Ophthalmology is that it wanted to be in line with new management improvement techniques to ensure that it achieves its goals in the healthcare industry. Lansing Ophthalmology as a business organization wanted to implement the improvement techniques commonly known as Six Sigma and Lean manufacturing, which are used in the identification and reduction of defects experienced in production methods and which had been encountered in the organization for more than two decades.

Databases

We look at the identification and formulation of data flow diagrams (the model), which constituted the architectural design, and the identification of the data structure for the application, which constituted the data structure design of this project. It is an integral part of working software that is worth implementing. It shows how different entities interact within the system.

[Figure: system architecture diagram showing the web browser, PHP, SQL database and server]

System backend: The back end of the system consists of the SQL database and the server. SQL is used as storage for data entries (made from the webpage module) and processed information. The user is not aware of this, as he/she just interacts with the interface provided in the front end.

System front end: This is the interface that the user interacts with in order to enter data. It is made possible by using web browsers, e.g. Mozilla Firefox and Internet Explorer.

There are three design levels that will be applied in the development of the system, which are:

Design Methodology

Architectural design

Component design

Interface Design

Database design

Systems Analysis

The entire development procedure for this system was based on the incremental model of software development. The system was broken down into modules and subtasks. During the initial module development, an initial version of the system will be developed and then submitted to the supervisor and colleagues for criticism. It is from their criticism that it will be possible to know the user needs in detail. During the development process, the system will go through the phases of feasibility study, requirements elicitation, requirements analysis, design, coding, verification and validation, and implementation and support.

Security

Information is exposed to outside influences, since it can be accessed remotely from anywhere in the world. This exposes specific information, such as credit card data held by organizations for web-based purchasing, to potential security breaches. This reduces the adoption of big data computing frameworks in many developing organizations, since the administrations in place need to maintain security over the web, hindering its development, particularly in the business environment. This is because distributed computing as a technology involves the interconnection of different applications and systems, which are prone to attacks, thereby decreasing the rates of data sending by many governments and organizations in most industries.

Networking

The system will generally interact with various entities from database server to user interface. This is as shown above.

Computer Infrastructure

Software requirement for development

Operating System (Windows 7 and above).

Web browsers: Mozilla, Google Chrome, Internet Explorer.

Integrated Development Environment (IDE) tool – NetBeans.

Gantt Project for project management.

WAMP (Windows Apache MySQL PHP) Server.

Ozeki Server (manager and monitor).

Macromedia Dreamweaver studio 8.

EDraw.

XAMPP (Windows SQL PHP) Server 1.8.0 [PHP 5.4.4].

Hardware Requirement for development

HP PC; processor: AMD Athlon(tm) II P360 Dual-Core Processor 2.40 GHz, with 2GB RAM, 500 hard disk and 64-bit operating system.

Flash disk.

Human Computer Interaction

The purpose of the project is to develop a computerized system that will address the above-mentioned problems, improve efficiency in carrying out management tasks in the e-commerce sector, and provide a reliable system to produce receipts and send short messages to the heads of departments, perhaps to send bills or to communicate with customers.

The human computer interaction aspects of the project include:

To secure all registered admin with a password.

SMS sending for communication purposes.

The person in charge of a department can produce a report.

Auto calculation of bills

Production of monthly receipts or on demand.

Web Design

In designing the system's interface, an attempt is made to emulate Jakob Nielsen's usability heuristics, as described below:

User control

The interface has been made to adapt to the needs of the user. I provided more than one way of doing the same task. This is made possible by providing different links, located in different parts of the interface, for doing the same task.

Match between system and real world

The web-page module was designed to emulate/resemble the normal requirements as it is in the educational sector.

Section 2: Gantt Chart / Project Plan


Subject: IT

Pages: 3 Words: 900

Project Deliverable 4: Infrastructure And Security

Architecture: Security Infrastructure


Security Infrastructure System

According to Comizio, Dayanim & Bain (2016), an information security system includes the firewall, routers, and proxy servers. The most common attack on this layer is the denial of service attack, which involves flooding the connection point to the outside world with unproductive traffic, bringing communication with the internet to a halt. A firewall is located between a network of computers and the internet to protect the computer systems from threats posed by an internet connection. It prevents unauthorized access to the system it is configured to protect.

Routers are used to connect different networking segments, forming the backbone of the internet. They operate by examining each received packet and using an algorithm to determine the optimal path for data to reach its destination. To reduce the security risk for routers, the use of strict passwords and encrypted communication when accessing a remote router is recommended. A proxy service firewall acts as a go-between for the internet and the internal network of computers and is placed between the two environments. The proxy service ensures that internal client computers do not interact directly with outside resources.

Switches are the backbone of most Ethernet-based local networks. They are more efficient than hubs, since each port on a switch is a separate collision domain. Administrative access to switches must be controlled using passwords and an enhanced communication protocol for remote access.

Host Protection

This ensures protection from threats originating from the internal workstations connected to the network. The threats include attacks from within or attacks on data by someone coming through the firewall. Formulating and implementing a User Access Policy, regularly updating the patches for the workstation operating system, limiting access to network resources from workstations, and installing and updating anti-virus software are some of the characteristics of workstation security.

Data Protection

Having different passwords for different accounts and enabling encryption for all laptops and desktops are precautionary steps in information security. Implementation of security policies, processes, procedures, and products does not achieve security but reduces the likelihood that security failures occur.

Physical threats

Physical threats to computer systems can be intentional, accidental or even natural. Computer systems installed in busy facilities such as a bank can be greatly affected by physical threats, leading to damage to the storage facility and network connectivity and limiting the readability and effectiveness of service delivery. This requires the establishment of physical security control measures. These physical threats may be internal, external or human. The potential physical threats include fires, vandalism and theft, unstable power supply, floods and earthquakes, the humidity level in the building, and intentionally generated errors from unauthorized access to the systems. Insider fraud is a term applied to a wide range of criminal activities committed by banking workers or service providers, and normally falls into three groupings: theft from clients, theft from the organization, and exploitation of position. It is an emerging problem among business organizations. In addition, the integration of third parties in the banking premises is critical to virtually all businesses; as significant as they are, third parties expose firms to a wide variety of hazards (Kenney, 2016). This is particularly true when it comes to their access to key organization information and their important roles in sensitive functions and critical projects of a business.

The development of a new payroll architecture system that covers multiple distances depends on the Wide Area Network (WAN) to connect numerous smaller networks, which include local area networks (LANs) or metro area networks (MANs). The WAN is created to allow the development of a payroll program for a large organization that will serve the entire nation (USA). It only requires a small number of data sets to help an engineer visualize the needs of an organization in the case of a system failure, which are controlled remotely and separated from the rest of the system. Through architecture, it is possible for each organization to develop its own payroll systems in consideration of its specifications.

The construction of a payroll program to facilitate the services of a large organization with widespread branches in the United States of America has significant challenges. The administrator must select the appropriate architectural design to address all the drawbacks experienced in the previous design system. On the other hand, the organization must have an extensive data center which connects to all offices via WAN. Therefore, the appropriate architecture in such a scenario requires a WAN diagram to facilitate project management and foster system documentation. Documentation of the information technology architecture will provide an enhanced visual illustration of the system network. The function of a WAN is primarily to create a link between the local area networks of the offices spread across the USA.

With reference to the payroll program, the crucial elements are centered on the application of an appropriate architecture that is effective in serving the purpose of the present situation. All requirements proposed by the organization must be met effectively. An effective system would help in combining all architectural elements and designs that are elastic, cost-effective, and technically sound, so as to sustain and manage the organization's information needs. A comprehensively built payroll program, as proposed in the use case scenario, will bring increased speed and accuracy in the processing of wages. Automation of the system will significantly reduce the errors often experienced in employees' checks, promote efficiency and ease the paperwork needed for information management.

Payroll software is a program that offers a platform for the organization to easily access information concerning the employees, spend buildings, spend intervals and also inform on the daily registry of the workers. The payroll system makes it easier for the accountants to determine compensation as agreed by payment rate intervals; it is easier and more efficient to create a structured paycheck.

The construction of high-end payroll software needs to be included in the resource planning of a larger enterprise to source an integrated software package tailored to serve the needs and demands of the subject organization (Lokuge, Sedera & Grover, 2016). A payroll program is part of a wider-scope system, similar but superior to ERP, which can be supplied by only one vendor (administrator) (Bradford, 2015). It is a constituent of the HRMS, which is integrated with the financial systems, resulting in the creation of customized interfaces in the diverse systems.

Graphical Representation

Potential ethical issues

This could go a long way in compromising the organization and exposing it to numerous risks and violations of the right to information privacy. Tentatively, change is proactive. In this respect, the introduction of a newer system will bring new developments within the organization, and some quarters may feel violated or compromised. When the architecture of the payroll program is outsourced, while previously the system was developed internally, it raises the question of job losses and of whether the corporation is doing enough to foster employee development through training programs to acquire appropriate skills.

Potential Logical Threats

Considering the probable high number of consumers seeking services and access to the banking premises, and with reference to the computer systems, there are preferential security vulnerabilities. For the bank to deliver on consumers' needs, there is huge dependence on the computer system to retrieve patient’s information and get advice on certain health conditions. Achieving effectiveness in delivering services requires logical access to the systems to provide guidelines and technical control over the information needed for utilizing and running programs and modifying patient and premises information. However, there are prevalent logical threats, which include Trojans, spyware, denial of service attacks, phishing, and worms.

Trojan

It refers to malicious activities directed at computer software that significantly affect system files. A Trojan disrupts business operations and exposes a computer system, as it takes the form of legitimate software that can cause considerable but gradual harm. According to Cappelli et al. (2012), the Trojan facilitates the capture of crucial login details such as the password and username, and it sends malicious URLs to other computers. The infection is then directed to other computers within reach and can harm extensive files, eventually leading to congestion in the system's connection. Further, it can lead to financial threats, as the bank will depend on the internet to facilitate payments and access business emails.

Cybercrime Policies

In the information age, guided by technological advancement, extensive research is now focused on developing ways and policies to deal with a real problem threatening the information management sector. New interaction platforms have emerged, and technological systems have been instituted to control most of our processes in order to bring effectiveness and efficiency (Wilson, 2003). However, that endeavor has continued to expose the codes of information technology, owing to increased cases of cyber-attacks targeting large corporations and institutions with the malicious intent of accessing their systems by unauthorized means. As a result, the world is faced with a new challenge, especially for law enforcers and policy makers, to develop effective measures to deal with cyber terrorism and cybercrime.

Current research has established that cybercrime laws, with their transnational nature, offer the world a real and sound response to the prevalent threat. However, international cooperation is recognized as a key step in squarely addressing the issue. Our information systems are susceptible to cybercrime because of the numerous vulnerabilities that are increasingly emerging from too much reliance on technology. In addition, the evolution of technology is rapid and takes advantage of the complexities involved in law and policy making, which makes it easier for malicious characters to exploit the existing vulnerabilities (Edwards, 2001). The real obstacle to dealing with the prevalence of cybercrime is the lack of definite laws and the lack of cooperation among world nations to respond effectively to emerging technological threats. In sum, the failure to initiate a global consensus on cyber-related crimes and cyber terrorism is the real issue preventing effective responses. It is for that reason that we are slowly giving malicious characters (terrorists and cyber criminals) a convenient platform to exploit the vulnerabilities, as there are no definite instituted laws providing technical, legal, political, or cultural guidance in dealing with this fast-growing monster. In evaluating the probable interventions, the development of a matrix offers a path towards enhancing international cooperation and responding to the vulnerabilities (Tricker, 2015).

In the formation of the matrix, credible points will be considered towards the journey of eliminating the existing vulnerabilities. These interventions include the call to establish a National Cyberspace Security Response System, development of a Global Cyberspace Security Threat and Vulnerability Reduction Program, initiation of Cyberspace Security Awareness and Training Program at a global level, and formulation of international cybercrime law and policies (The National Strategy to Secure Cyberspace, 2003, p. 28).

Cybercrime security: cybercrime is highly related to most of the greatest crimes that occur in banks and financial institutions. Individuals and website wizards hack bank systems and access the banks' most valuable information. Access to the banks' data facilitates the transfer of huge amounts of money to unknown accounts where the criminals can access the cash. The problem of cybercrime can be solved by installing robust software that is complicated to crack, frequently changing the systems and software, and educating bank personnel on the importance of using complicated passwords on their computers and accounts (Comizio, Dayanim & Bain, 2016).

Vandalism of Hardware or Infrastructure

Addressing the risk of vandalism requires the banking to establish a central point for maintenance of the computer hardware. Security can be enhanced through the deployment of security systems and infrastructure. The strategy will help the banking to monitor the hardware in one place (Kouns and Minoli, 2011).

Unstable Power Supply

Installing an alternative power supply is a good intervention to avoid disruption of data storage processes that could lead to loss of information. It is an intervention for the banking to mitigate the risk of losing crucial data. In addition, it is cost effective and reduces risk prevalence.

The banking should act to harness cloud computing technology, as it helps in crowd gathering, validating, and leveraging data from numerous external sources globally. It further helps in providing a shielding platform to counter the prevalent threats targeting business enterprises.

Conclusion

Developing comprehensive infrastructure for a secure information system is not a simple task, since technological skills change rapidly. However, to keep threats to a minimum, performing risk assessment is critical. It helps to identify potential threats in advance. In selecting the appropriate infrastructure that matches the organization's requirements and specifications, the essential thing for the architecture and program developer is to balance the divergent options against the competing priorities. This will help develop an ideal system that serves the clients' needs in relation to what is on offer in the market.

References

Bradford, M. (2015). Modern ERP: select, implement, and use today's advanced business systems. Lulu.com.

Kavanagh, M. J., & Johnson, R. D. (Eds.). (2017). Human resource information systems: Basics, applications, and future directions. Sage Publications.

Lokuge, S., Sedera, D., & Grover, V. (2016, June). Thinking inside the box: Five Organizational strategies enabled through Information Systems. In Pacific Asia Conference on Information Systems (PACIS 2016).

Cappelli, D. M., Moore, A., & Trzeciak, R. (2012). The certification and guide to insider threats: how to prevent, detect, and respond to information technology crimes. USA: Addison-Wesley Professional.

Comizio, V. G., Dayanim, B., & Bain, L. (2016). Cybersecurity as a Global Concern in Need of Global Solutions: An Overview of Financial Regulatory Developments in 2015. Journal of Investment Compliance, 17(1).

Durcekova, V., Schwartz, L., & Shahmehri, N. (2012). Sophisticated denial of service attacks aimed at application layer. In ELEKTRO, 20(12)55-60.

James A. Lewis (Eds), Security: Turning national solutions into international cooperation (pp. 1-12). Washington D.C.: The CSIS Press:

Kenney, A. (2016). Third-party risk: How to trust your partners. Journal of Accountancy, 221(5),56.

Kouns, J., & Minoli, D. (2011). Information technology risk management in enterprise environments: a review of industry practices and a practical guide to risk management teams. John Wiley & Sons.

Lord, S., Miller, L., & McLaughlin, E. (2015). GAO issues framework for managing fraud risks in federal programs. International Journal of Government Auditing, 42(4), 12.

Okeke, R., & Shah, M. (2016). Information Theft Prevention: Theory and Practice (Vol. 41). Routledge.

Rajput, R., Mishra, A., & Kumar, S. (2014). Optimize intrusion prevention and minimization of threats for stream data classification. The Communication Systems and Network Technologies (CSNT), 2014

Subject: IT

Pages: 7 Words: 2100

Project Proposal

Project Proposal

Compact Cars

Student’s Name

Institution

Introduction

Compact cars are some of the expensive cars in the United States and Europe. The sales of these cars differ, and each brand or model registers a different sales pattern. Some of the compact cars are Chevy Cruze, Ford Focus, Hyundai Elantra, Honda Civic, Toyota Corolla and VW Jetta. Identifying the number of each model sold has been difficult, and it is therefore important to establish the best way to identify the sales of each car brand. The goal of the study is to test whether the mean number of cars sold differs among the six models and whether the mean number of cars sold differs between the months. The purpose of the report is to present the analysis of the sales of each car per month and the total sales of all the cars made every month in the six-month period. The sales are analyzed based on the model of the car and the sales per month.

Descriptive statistic

The statistical analysis of the sales of six brands of compact cars established that the means of cars sold in the six months are different. The descriptive analysis indicates that the mean of the Chevy Cruze is 18441.17, Ford Focus is 17830.83333, Hyundai Elantra mean is 16847.167, Honda Civic is 17125.33333, Toyota Corolla mean is 17119.16667, and VW Jetta mean is 17075. However, the analysis of the sales of the six brands of cars does not give a clear mode, and therefore it can be concluded that there is no mode. The range of the sales for Chevy Cruze is 5467, Ford Focus is 5156, Hyundai Elantra is 6711, Honda Civic is 6372, Toyota Corolla is 6892, and VW Jetta is 5771. The sales details, including the mode, standard deviation and range, are provided in the descriptive statistics illustrated in the table below:

Table 1: Descriptive Statistic

| Statistic | Chevy Cruze | Ford Focus | Hyundai Elantra | Honda Civic | Toyota Corolla | VW Jetta |
|---|---|---|---|---|---|---|
| Mean | 18441.16667 | 17830.83333 | 16847.16667 | 17125.33333 | 17119.16667 | 17075 |
| Range | 5467 | 5156 | 6711 | 6372 | 6892 | 5771 |
| Standard deviation | 1923.845047 | 2090.287867 | 2881.971229 | 2524.778776 | 2710.957057 | 2105.071305 |
| Median | 18104 | 16988.5 | 15383.5 | 16490.5 | 16308 | 16884 |

The descriptive analysis of the sales of compact cars for each month is shown in the table below. The investigation revealed that the mean of sales of compact cars for January is 20670, the standard deviation is 944.54 and the median is 20,996. The mean for February is 19,569, the standard deviation is 877.447, and the median is 19585. The mean for March is 16713, the median is 16,723 and the standard deviation is 808.087. The mean for April is 15726, the median is 14777, and the standard deviation is 2201.28. The mean for May is 16112, the standard deviation is 772.67 and the median is 15974. It is therefore evident that the mean, median, range and standard deviation for each month are different. It could mean that the sales registered by the company every month are different. However, it is important to point out that the means of sales of the compact cars are different and the sales of compact cars for each month are different as well.

| Month | Chevy Cruze | Ford Focus | Hyundai Elantra | Honda Civic | Toyota Corolla | VW Jetta | Mean | Stdev | Median | Mode |
|---|---|---|---|---|---|---|---|---|---|---|
| January | 21,711 | 21,303 | 21,006 | 19,341 | 20,985 | 19,671 | 20,670 | 944.5349649 | 20,996 | #N/A |
| February | 18,274 | 19,385 | 19,992 | 20,872 | 19,785 | 19,105 | 19,569 | 877.4475293 | 19,585 | #N/A |
| March | 17,934 | 16,557 | 15,713 | 17,181 | 16,889 | 16,006 | 16,713 | 808.087289 | 16,723 | #N/A |
| April | 19,387 | 17,420 | 15,054 | 14,500 | 14,093 | 13,900 | 15,726 | 2201.280597 | 14,777 | #N/A |
| May | 17,097 | 16,147 | 15,023 | 15,800 | 15,727 | 16,875 | 16,112 | 772.6716638 | 15,974 | #N/A |
| June | 16,244 | 16,173 | 14,295 | 15,058 | 15,236 | 16,893 | 15,650 | 951.7666556 | 15,705 | #N/A |
| Mean | 18,441 | 17,831 | 16,847 | 17,125 | 17,119 | 17,075 | | | | |
| Median | 18,104 | 16,989 | 15,384 | 16,491 | 16,308 | 16,884 | | | | |
| Mode | #N/A | #N/A | #N/A | #N/A | #N/A | #N/A | | | | |
| Stdev | 1923.845047 | 2090.287867 | 2881.971229 | 2524.778776 | 2710.957057 | 2105.071305 | | | | |

Analysis

The business question being answered is the number of each model sold and which car model or brand sold the most. The analysis of the sales data for compact cars indicates that Chevy Cruze is the highest-selling car among the six brands of compact cars. The second highest-selling model is Ford Focus, and the lowest-selling car among the six models is Hyundai Elantra. This is because the mean of Chevy Cruze is 18,441, followed by the mean for Ford Focus, and the mean for Hyundai Elantra is 16,847. It is therefore evident that there are substantial differences in mean among the six models of compact cars, and that the highest-selling car in the market is Chevy Cruze and the least-selling compact car is Hyundai Elantra.

It is evident that the mean sales of compact cars differed across the six months. The analysis of the sales data gathered for the six months indicates that many more cars were sold in January and February than in the rest of the months. The highest car sales were registered in January, and the lowest sales were made in June and April of 2018.

Conclusion and Recommendation

It is recommended that the company improve the marketing of Hyundai to improve its sales, along with other cars such as Toyota Corolla, which registered the lowest sales. It is also recommended that the company bring in more Chevy Cruze and Ford Focus cars to meet the high customer demand for these models. However, it is evident that the sales of the cars are not the same and that the company registers a different sales volume for each.

Appendix: Descriptive statistic

| Statistic | Chevy Cruze | Ford Focus | Hyundai Elantra | Honda Civic | Toyota Corolla | VW Jetta |
|---|---|---|---|---|---|---|
| Mean | 18441.16667 | 17830.83333 | 16847.16667 | 17125.33333 | 17119.16667 | 17075 |
| Standard Error | 785.4064517 | 853.3564483 | 1176.559828 | 1030.736619 | 1106.743584 | 859.3917617 |
| Median | 18104 | 16988.5 | 15383.5 | 16490.5 | 16308 | 16884 |
| Mode | #N/A | #N/A | #N/A | #N/A | #N/A | #N/A |
| Standard Deviation | 1923.845047 | 2090.287867 | 2881.971229 | 2524.778776 | 2710.957057 | 2105.071305 |
| Sample Variance | 3701179.767 | 4369303.367 | 8305758.167 | 6374507.867 | 7349288.167 | 4431325.2 |
| Kurtosis | 0.993457071 | -0.037381403 | -1.557474099 | -1.254091371 | -1.402329598 | -0.356502093 |
| Skewness | 0.95369437 | 1.12165585 | 0.916339289 | 0.637736356 | 0.59653976 | -0.237381771 |
| Range | 5467 | 5156 | 6711 | 6372 | 6892 | 5771 |
| Minimum | 16244 | 16147 | 14295 | 14500 | 14093 | 13900 |
| Maximum | 21711 | 21303 | 21006 | 20872 | 20985 | 19671 |
| Sum | 110647 | 106985 | 101083 | 102752 | 102715 | 102450 |
| Count | 6 | 6 | 6 | 6 | 6 | 6 |

Subject: IT

Pages: 3 Words: 900

Project Quality And Risk Management

Project Risk Management Document

[Name of the Writer]

[Name of the Institution]

Project Risk Management Document

Introduction

A risk is an event or condition that occurs during the project and is bound to have either a positive or a negative effect on it (Baccarini et al, 2017). The idea of risk management is to make sure that the relevant risks are identified and that all the corresponding risks are monitored and reported appropriately (Baccarini et al, 2017). The risk management plan here looks at the underlying risks associated with the project and at the appropriate course of action to be taken in this regard (Baccarini et al, 2017).

Risk Management Procedure

The first thing to address in the risk management plan is an appropriate procedure that considers all the risks faced by the project (Baccarini et al, 2017).

Risk Identification

Then comes the identification of all the risks faced by the business at the given point in time (Baccarini et al, 2017). The idea is to bring all the appropriate stakeholders on board and to evaluate all the risks faced by the business at that point (Baccarini et al, 2017). Most of the time it is the responsibility of the project manager to take all the risks into account and develop the correct course of action for the project (Baccarini et al, 2017).

Risk Analysis

The idea of risk analysis is to identify all the risks and their possible outcomes and to determine the qualification criteria, so that the top risks identified at the level of the organization are considered in the appropriate manner (Baccarini et al, 2017). The key aspect of risk analysis is to determine the risks at all levels so that the extent of the challenges faced by the organization can be understood at the given point in time (Aminbakhsh et al, 2016).

Risk Response Planning

Risk management is not only about making sure that the risks are identified (Aminbakhsh et al, 2016). The other major aspect of risk planning is to plan appropriately how risk management is supposed to be done (Kutsch & Hall, 2016). The idea is to make sure that each major risk faced by the organization at the given point in time is understood and that all these risks are then looked after in the appropriate manner. Some of the approaches that can be used to mitigate the risks are as follows (Kutsch & Hall, 2016).

Avoid: Trying to make sure that all the corresponding risk threats are being removed at the level of the organization (Han & Huang, 2018).

Mitigate: Identify some of the ways through which the probability of the risk is being realized and then making an appropriate effort to bring down the impact of the risk (Han & Huang, 2018).

Accept: Understanding that the extent and the nature of the risk are such that not a lot can be done about the risk faced by the organization at the given point in time (Han & Huang, 2018).

Transfer: Making another party responsible for the risk faced by the entity at the given point in time, for instance, buying insurance or outsourcing that responsibility to a third party (Kutsch & Hall, 2016).

Risk Monitoring and Reporting

One of the key things to understand is that the level of risk must be tracked and reported at the level of the organization, and that an assessment must be made of how the project life cycle is to be worked out (Aminbakhsh et al, 2016). It must be noted that all the project change requests need to be reviewed, and effort needs to be made to identify the possible impact of the risk in terms of the recent events faced by the organization at the given point in time (Aminbakhsh et al, 2016).

Tools and Practices

The other thing that is very important in risk management is to make sure that a risk management log is maintained by the organization (Han & Huang, 2018). The idea is that project managers consider the effort that goes into project management and maintain an appropriate log of how risk management is supposed to be done at the level of the organization (Han & Huang, 2018). The key thing to note about risk management at the level of the organization is that the long-running agenda items and the risk perspectives must be kept in mind, so that the true nature and extent of the risk faced by the organization can be worked out in an appropriate manner (Aminbakhsh et al, 2016). It is also very important to determine the true nature of the risk so that a clear perspective is developed in this regard with the passage of time (Aminbakhsh et al, 2016).

Risk Management Plan Approval

Whenever the risk management process needs to be acknowledged, the key thing is to bring all the stakeholders on board when such a change is being made (Aminbakhsh et al, 2016). To make sure that this whole process goes appropriately, it is always a good idea to list the individuals whose signatures are desired in such an instance. Some of the stakeholders that can be made part of such a process are as follows.

Business Steward

Project Manager

Project Sponsor

These are specifically the three important persons who need to be made part of the whole process when the assessment of the risk is being made (Han & Huang, 2018). The broader idea is that all the corresponding stakeholders who are part of the risk management process need to be brought on board to make sure that the right decision is made about the risk faced by the business at the given point in time (Aminbakhsh et al, 2016).

References

Aminbakhsh, S., Gunduz, M., & Sonmez, R. (2016). Safety risk assessment using analytic hierarchy process (AHP) during planning and budgeting of construction projects. Journal of safety research, 46, 99-105.

Baccarini, D., Salm, G., & Love, P. E. (2017). Management of risks in information technology projects. Industrial Management & Data Systems, 104(4), 286-295.

Han, W. M., & Huang, S. J. (2018). An empirical analysis of risk components and performance on software projects. Journal of Systems and Software, 80(1), 42-50.

Kutsch, E., & Hall, M. (2016). Intervening conditions on the management of project risk: Dealing with uncertainty in information technology projects. International Journal of Project Management, 23(8), 591-599.

Appendices

APPENDIX A: REFERENCES

[Insert the name, version number, description, and physical location of any documents referenced in this document. Add rows to the table as necessary.]

The following table summarizes the documents referenced in this document.

| Document Name and Version | Description | Location |
|---|---|---|
| <Document Name and Version Number> | [Provide description of the document] | <URL or Network path where document is located> |

APPENDIX B: KEY TERMS

[Insert terms and definitions used in this document. Add rows to the table as necessary. Follow the link below for definitions of project management terms and acronyms used in this and other documents.]

http://www2.cdc.gov/cdcup/library/other/help.htm

The following table provides definitions for terms relevant to the Risk Management Plan.

| Term | Definition |
|---|---|
| [Insert Term] | [Provide definition of the term used in this document.] |
| [Insert Term] | [Provide definition of the term used in this document.] |
| [Insert Term] | [Provide definition of the term used in this document.] |

Subject: IT

Pages: 4 Words: 1200
