Title
Creating And Communicating A Security Strategy
Professor: Kourosh Samia
By: LaSha May
January 23, 2020
Communicating Security Strategy
Business Environment
The business that is set up at the mall is a Fin-tech organization identified as Cash Link Company. Fin-tech technology entails development areas such as wealth management, crowdfunding, lending, payment, and provides more personalized services than traditional firms (Leong and Sung, 2018). Hence Fin-tech is a financial technology in the form of software and other technologies that are used by firms that provide improved and automated financial services. Cash Link is a fast and innovative mobile payment system that allows tech-savvy customers that require their lending, money transfer, loan management, and investing to be scalable, secure, and effortless, without any assistance or visit to the bank. Cash Link Inc. provides a branch at the mall where customers can come and inquire or access the technical teams if there are issues with their funds or transactions.
Because of the sensitivity of the organization’s model where it handles many customers as well as their money that they transact, the organization must protect the customers. Information can be attacked from the outside, but there is also a chance that there can be personnel that can access unauthorized information from within, leading to leakages. Ahmad, Maynard, and Chan (2015), a majority of information security professionals agree that there is little that is being done to tackle data leakage in organizations. The focus has been on financial, technical, and physical security instead of human factors. Ahmad et al. (2015) add that a common approach to safeguard information is compartmentalizing sensitive company information and processes, which entails that only the staff that “need to know” can access the information. Such techniques reduce the needless circulation of sensitive information and limit the risk of leakage. In the memo, Cash Link Inc will provide policies, standards, and practices that will ensure that there is a restriction in access to sensitive information to only the employees that are authorized.
Policies
1. Purpose
In the development of the policies for Cash Link Inc., the aim is to institute and maintain the confidentiality and security of networks and applications, information systems, and information held or owned by Cash Link Organization.
2. Employees
IT operations shall assume responsibility for the maintenance of the logs mentioned below for a minimum of 40 days for each server supported:
Activity Logs: Only activities that the system administrators perform
Operating system access logs: Note attempts that are invalid in accessing operating systems resources
System access logs: Note both unsuccessful and successful attempts to log on
3. User access authorization and controls
There shall be a restriction to access of data to authorized users that have a credible business need to access the data.
The database and application service teams shall preserve the list of restricted databases and applications and their matching business owners.
Approval for access to the restricted business databases and applications must be allowed by the nominated business owner.
There must be an electronic mail from the mail account of the business owner granting permission for the appropriate access for the authorization.
4. Cash Link Company shall ensure that there are appropriate information classification controls that shall be based on the outcomes of a formal risk assessment and guidance:
Information classified Confidential: Shall be used for information that is passing between the companys employees, and employees of other appropriate organizations.
Documentation that is classified Restricted: Shall be used for sensitive documents that include contractual and financial records. Such documents are marked as restricted because their disclosure can result in:
Challenges in the maintenance of the operational effectiveness of the company
Negatively affect the reputation of the company or its officers or significant distress to the client
Standards
1. Purpose
1.1. The aim of this information us to facilitate teams to operate using a defined set of security requirements that enable solutions to be managed, deployed, and developed according to the security standards of the department that is based on the international best practice for information security.
2. Scope
2.1. This standard contains security control requirements that are product agnostic and apply to all IT systems, service implementations, or applications that are provided for use in the departments.
2.2. More controls can be applied based on the security classification of the data that is being processed by the Departments IT service implementation, application or system,
3. General Security Control Requirements
3.1. There MUST be the implementation of controls to limit access to business computing devices, network services, information systems, applications, and any data processed and stored in them.
3.2. The Agencies and Department MUST ensure the implementation of authentication and identification controls for the management of the risk of unauthorized access and to maintain the correct management of user accounts and allow auditing.
3.3. All individual Departments, networks and services, applications, and information systems MUST be maintained and be equipped with a System Access Control Policy that MUST be approved by the authorized Information Asset Owners.
3.4. The System Access Control Policy MUST ensure that there is information for the individuals that are involved in using, operating, developing the system, service, or application will require so that to ensure that:
a) The service, application or system is developed with the authorized security mechanisms in place
b) Those procedures are developed to support the operation of the service, application, or system following the appropriate security standard and policies.
4. Access and Identity
4.1. Access and identity management arrangements MUST provide a reliable set of methods for:
a) Identification of users using unique UserIDs
b) Authentication of users using smartcards, biometrics or passwords
c) Identification equipment such as MAC-based authentication
d) The user ID procedure
e) Authorizing user access privileges
f) Administering user access privileges
4.2. User profiles MUST contain the following details:
a) Unique/Primary USER-ID
b) If required to access remote and local resources
c) Any protected encryption servers, encryption key data or credential
d) Key dates (such as reactivation, last-changed, termination, account start)
e) Full name
f) Other USER-ID
g) Address
h) User status (on leave, terminated, suspended, and recertification required)
i) Job, group or other roles codes that permit indirect resource access authorization
j) All authorized access rights
Practices
One of the best practices that can be implemented to control the individuals that have access to the business systems is the use of the principle of least privilege benefits (Veinovi, 2016). According to the principle, each application, service, or user requires only the permission to carry out their role and nothing else. It is one of the fundamental approaches in network and system security. No matter the proficiency of the user, they should be authorized to only the network they need to conduct their duty.
One of the critical reasons for minimizing the level of access of each user is that one can significantly lower the security risk and attack surface (Veinovi, 2016). Through strict limitations of the individuals that can access the critical systems, one lowers the risk of malicious or unintentional data leaks or changes whether by the users or by hackers who can access their credentials. To be specific, there are limitations to the possibilities of malware, viruses, or rootkits from being installed because a majority of the accounts will not have administrative privileges needed for installing them.
Another benefit that comes with the implementation of privilege is the attainment of regulatory compliance. Many standards require a firm to provide users with the privileges that are required to conduct their functions, particularly the privileged users. Even if the business is not required to follow such regulations, implementation of the privilege principle constitutes smart practice.
Additionally, the least privilege approach simplifies configuration and change management. Each time an individual with administrative privileges logs in, there is a likelihood that the configuration of the system can be inappropriately changed, either accidentally or deliberately (Veinovi, 2016). Least privilege assists the organization in maintaining the required configuration of a system by being in control who can change what.
It is the role of the management and the IT department to ensure that each department and employee has the appropriate authorization to any login that is needed for them to conduct their duties. Mainly the IT department should ensure that the policies, standards, and practices are adhered to, and any anomaly is reported and documented. Besides, the organization should ensure that it is the organizational culture for each individual to understand their limits when it comes to accessing data. There should also be a habit of ensuring that any sensitive information is handled as such to prevent any consequences that can fall on the employee or the organization.
References
Ahmad, A., Maynard, S., and Chan, S. (2015). Memo to business: information security is not just ITsproblem. The Conversation. Retrieved from https://theconversation.com/memo-to-business-information-security-is-not-just-its-problem-38838
Leong, K., & Sung, A. (2018). FinTech (Financial Technology): what is it and how to use technologies to create business value in fintech way?.International Journal of Innovation, Management, and Technology,9(2), 74-78. Retrieved from https://s3.amazonaws.com/academia.edu.documents/60183957/BH865-PDF-ENG__Fintech__Ecosystem__business_models_20190801-95998-19ksrtq.pdf?response-content-disposition=inline%3B%20filename%3DScienceDirect_Fintech_Ecosystem_business.pdf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWOWYYGZ2Y53UL3A%2F20200122%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200122T160518Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e2ac8c8ba3d708fe190fe5fdbff41711e7806d312b8013dd857156b693b71b92
Veinovi, M. (2016). Privileged Identities-Threat to Network and Data Security. InSinteza 2016-International Scientific Conference on ICT and E-Business Related Research(pp. 154-160). Singidunum University. Retrieved from http://portal.sinteza.singidunum.ac.rs/Media/files/2016/154-160.pdf You are on the right track with your paper. You separated the organization’s description from Policies, standards, and practices. However, the contents of those sections need to be updated. I would like to see a fake organization’s description and not an organization from other resources. For example, you have been hired as a security expert for a real state company. In this company, there are X number of employees working off-site, and they have their own laptops trying to connect to the companies servers. The company has on-premises servers with no firewall. They also are using cloud for some storage. I was hoping you could talk about that company and come up with the technical description and what they do, for example.
Then you will come up with some policies related to the technical issues you think are associated with their current infrastructure and setup, then standards, and at the end the practices. Please pay attention to the differences between these three, as it also has been mentioned in your assignment’s description.
I can see that you are trying to keep these three parts in your paper, but somehow you are not to target with technical parts and issues associated with your organization you have mentioned.Also, I found some typos and formatting mistakes in your paper. Try to use SWS or APA format. You can resubmit for a better grade before next week Monday at 6 pm. Please let me know if you have any questions or problems. CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 1 of 7
Assignment 1: Creating and Communicating a Security Strategy
Draft Due Week 4, worth 40 points
Final Due Week 6, worth 60 points
As an IT professional, youll often be required to communicate policies, standards, and practices in the
workplace. For this assignment, youll practice this important task by taking on the role of an IT
professional charged with creating a memo to communicate your companys new security strategy.
The specific course learning outcomes associated with this assignment are:
Analyze the importance of network architecture to security operations.
Apply information security standards to real-world implementation.
Communicate how problem-solving concepts are applied in a business environment.
Use information resources to research issues in information systems security.
Write clearly about network security topics using proper writing mechanics and business formats.
Preparation
1. Review the essential elements of a security strategy
A successful IT administration strategy requires the continuous enforcement of policies, standards, and
practices (procedures) within the organization. Review these elements to see how they compare:
Policy The general statements that direct the organizations internal and external
communication and goals.
Standards Describe the requirements of a given activity related to the policy. They are more
detailed and specific than policies. In effect, standards are rules that evaluate the
quality of the activity. For example, standards define the structure of the password
and the numbers, letters, and special characters that must be used in order to
create a password.
Practices The written instructions that describe a series of steps to be followed during the
performance of a given activity. Practices must support and enhance the work
environment. Also referred to as procedures.
2. Describe the business environment
You are the IT professional in charge of security for a company that has recently opened within a
shopping mall. Describe the current IT environment at this business. You can draw details from a
company you work for now or for which you have worked in the past. Youll need to get creative and
identify the details about this business that will influence the policies youll create. For example, does the
company allow cell phone email apps? Does the company allow web mail? If so, how will this affect the
mobile computing policy? Describe all the details about this business environment that will be necessary
to support your strategy.
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 2 of 7
3. Research sample policies
Familiarize yourself with various templates and sample policies used in the IT field. Do not just copy
another companys security policy, but rather learn from the best practices of other companies and apply
them to yours. Use these resources to help structure your policies:
Information Security Policy Templates
Sample Data Security Policies
Additional Examples and Tips
Instructions
With the description of the business environment (the fictional company that has opened in a shopping
mall) in mind and your policy review and research complete, create a new security strategy in the format
of a company memo (no less than three to five pages) in which you do the following:
1. Describe the business environment and identify the risk and reasoning
Provide a brief description of all the important areas of the business environment that youve
discovered in your research. Be sure to identify the reasons that prompted the need to create a
security policy.
2. Assemble a security policy
Assemble a security policy or policies for this business. Using the memo outline as a guide,
collect industry-specific and quality best practices. In your own words, formulate your fictional
companys security policy or policies. You may use online resources, the Strayer Library, or other
industry-related resources such as the National Security Agency (NSA) and Network World. In a
few brief sentences, provide specific information on how your policy will support the business’
goal.
3. Develop standards
Develop the standards that will describe the requirements of a given activity related to the policy.
Standards are the in-depth details of the security policy or policies for a business.
4. Develop practices
Develop the practices that will be used to ensure the business enforces what is stated in the
security policy or policies and standards.
Format your assignment according to the following formatting requirements:
This course requires use of Strayer Writing Standards (SWS). The format is different than other
Strayer University courses. Please take a moment to review the SWS documentation for details.
Review this resource to learn more about the important features of business writing: The One
Unbreakable Rule in Business Writing.
You may use the provided memo outline as a guide for this assignment, or you may use your
own. Get creative and be original! (You should not just copy a memo from another source.) Adapt
the strategy you create to your company specifically. In the workplace, it will be important to use
company standard documents for this type of communication.
Do not cut and paste someone elses strategy. Plagiarism detection software will be used to
evaluate your submissions.
https://www.sans.org/security-resources/policies
https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf?la=en
http://www.nsa.gov/
https://www.networkworld.com/category/security/
https://blackboard.strayer.edu/bbcswebdav/institution/STANDARDIZED/StrayerWritingStandards/Strayer_Writing_Standards.pdf
http://libdatab.strayer.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=118683852&site=eds-live&scope=site
http://libdatab.strayer.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=118683852&site=eds-live&scope=site
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 3 of 7
Note: This assignment will be run through SafeAssign plagiarism detection software and an originality
report will automatically be sent to the instructor.
Rubric
Grading for this assignment will be based on answer quality, logic/organization of the memo, and
language and writing skills, using the following rubric.
Points:
40 Draft/
60 Final
Assignment 1: Creating and Communicating a Security Strategy
Criteria Unacceptable
Below 60% F
Meets
Minimum
Expectations
60-69% D
Fair
70-79% C
Proficient
80-89% B
Exemplary
90-100% A
1. Describe the
business and
identify the risk
and reasoning
Weight: 20%
Does not
describe the
business and
does not
submit or
incompletely
identifies the
risk and
reasoning.
Insufficiently
describes the
business.
The risk is
unclear and
there is not a
clear
connection to
a reason.
Partially
describes the
business.
The risk is
stated but the
reasoning needs
more supporting
details.
More details and
a clear
connection to
the risk would
improve this
section.
Satisfactorily
describes the
business.
The risk is
identified and the
reasoning has
some supporting
details.
Thoroughly
describes the
business.
The risk is
clearly
identified and
the reasoning
has well-
supported
detail to
connect the
risk to the
reasoning.
2. Assemble a
security policy
or policies for
the business
Weight: 25%
Does not
submit or
incompletely
assembles a
security policy
or policies for
the business.
The policy is
missing major
elements and
does not
communicate
how it would
support the
business goal.
The policy
includes some
elements and
partially
indicates how it
would support
the business
goal, but was
lacking
supporting
details.
The policy
includes most
elements and
satisfactorily
indicates how it
would support the
business goal,
but was lacking
supporting
details.
The policy
includes all
the necessary
elements and
clearly
indicates how
it will support
the business
goal.
3. Develop
standards
Weight: 25%
Does not
submit or
incompletely
develops
standards.
The standards
are not fully
developed and
do not
describe the
requirements
of the activity.
The standards
partially
describe some
of the
requirements of
the activity but
lack the details
necessary to
make them
complete.
The standards
satisfactorily
describe many of
the requirements
of the activity but
could use more
details.
The standards
thoroughly
describe all
the
requirements
of the activity
and include
sound, in-
depth details.
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 4 of 7
Points:
40 Draft/
60 Final
Assignment 1: Creating and Communicating a Security Strategy
Criteria Unacceptable
Below 60% F
Meets
Minimum
Expectations
60-69% D
Fair
70-79% C
Proficient
80-89% B
Exemplary
90-100% A
4. Develop
practices
Weight: 25%
Does not
submit or
incompletely
develops
practices.
The practices
do not include
enough
description to
ensure the
business can
enforce what
is stated in the
policies and
standards.
The written
instructions do
not include
steps or
enough steps
to make them
complete.
The practices
partially
describe how to
ensure the
business can
enforce what is
stated in the
policies and
standards.
The written
instructions
include some
steps, but they
could be
expanded to
make them
complete.
The practices
satisfactorily
address how to
ensure the
business can
enforce what is
stated in the
policies and
standards.
The written
instructions
include many of
the necessary
steps, but
additional steps
and details would
improve the
instructions.
The practices
thoroughly
address how
to ensure the
business can
enforce what
is stated in the
policies and
standards.
The written
instructions
include all the
necessary
steps and
have well-
supporting
details.
5. Clarity,
writing
mechanics,
and business
formatting
requirements
Weight: 5%
The writing
lacks clarity.
Formatting is
not
appropriate
for business.
The writing
lacks some
clarity.
Formatting is
not
appropriate for
business.
The writing is
beginning to
show clarity.
Business
formatting is
partially applied.
The writing is
mostly clear and
business
formatting is
apparent.
Some minor
adjustments
would improve
the overall
format.
The writing is
professional
and clear.
The formatting
is excellent
and aligned
with business
requirements.
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 5 of 7
Additional Examples and Tips
Example 1: XYZ Inc. Company-Wide Employee Password Strategy
Policies
All users must have a password.
Passwords must be changed every six months.
Standards
A password must have a minimum of six characters.
A password must have a maximum of 12 characters.
A password must contain letters, numbers, and special characters other than $.
Practices-Employee
Create a password. The UserID should be an EmployeeID already generated by HR.
Send a request to create the account to the Information Technology (IT) department.
User receives a temporary password.
Users must change their temporary password the first time they log in.
Example 2: Security Policy and Standards
Password Policy: Passwords are an important part of computer security at your organization. They often
serve as the first line of defense in preventing unauthorized access to the organizations computers and
data.
In order to define the password policy, it is important to identify the standards.
1. Multi-factor authentication
2. Password strength standard
3. Password security standards; how to keep the password secure
Tips and Points to Consider When Identifying Risks or Security Vulnerabilities
Flaws in operating systems due to constant attack by malware
Denial of services attacks
Employees data theft
User set a weak password or password that is easy to guess, such as a birthday or childs name.
User leaves sensitive data on an unlocked, unattended computer
Organization allows sensitive data on a laptop that leaves the building
Data can be accessed remotely without using proper security
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 6 of 7
Memo Outline
Network Security Associates of Atlantis, Inc.
123 Watery Lane
Atlantis, USVI 91199
From: IT Security Dept.
Re: Security Policy
Date:
Section 1: General Policies and Motivation
Section 2: Passwords
Section 3: Biometrics
Section 4: Tokens
Section 5: Physical Security
Section 6: Email Policies
Section 7: Breach Reporting Responsibilities
Section 8: Mobile Policy and BYOD (Bring Your Own Device)
CIS333 Assignments and Rubrics
2017 Strayer University. All Rights Reserved. This document contains Strayer University Confidential and Proprietary information
and may not be copied, further distributed, or otherwise disclosed in whole or in part, without the expressed written permission of
Strayer University.
CIS333 Faculty Version 1178 (03-22-19) Page 7 of 7