Week 1: Submit Data and Applications Security Impact Analysis and Mitigation Report shell for approval.
Use Word
Title page
Course number and name
Project name
Student name
Date
Table of contents (TOC)
Use an autogenerated TOC.
Use separate pages.
It should be a maximum of 3 levels deep.
Update the fields of the TOC so that it is up-to-date before submitting your project.
Section headings (create each heading on a new page with "TBD" as the content, except for sections listed under "New content" below)
Project Outline and Requirements
Project Life Cycle Security Measures
Security Vulnerability Assessment
Virtualization Security Impact
Cloud Computing Security
Risk Mitigation Strategies for Applications and Databases
New content (to be completed in this Week 1 delivery)
JCI has hired you, a consultant, to assist them with a comprehensive look at their database and application security environment. After an initial meeting with the president and chief information officer (CIO), it was determined that your first deliverable will be twofold. First, you will identify the types of information and data processed by the company, and second, you will look at project life cycles for systems within the company and outline what security measures should be taken at each phase.
Key Assignment Overview
Throughout this course, you will work on several aspects of data and application security that will result in a Data and Applications Security Impact Analysis and Mitigation Report for a company of your choosing. This course is comprised of a series of Individual Project assignments that will contribute to a Key Assignment submission at the end of the course. Each week, you will complete a part of a Data and Applications Security Impact Analysis and Mitigation Report. You will select an organization (real or fictitious), and apply your research to the development of the Data and Applications Security Impact Analysis and Mitigation Report that would be appropriate for implementation within the organization. The goal of this course project is to develop the policies and procedures that are necessary for the data and application security in an enterprise.
Organization and Project Selection
The first step will be to select an organization as the target for your Data and Applications Security Impact Analysis and Mitigation Report. This organization can be real or hypothetical, and it will be used as the basis for each of the assignments throughout the course. It should conform to the following guidelines:
Sensitivity: The selected organization should be large, and it should contain sensitive data requiring the implementation of security measures.
Familiarity: You should be familiar enough with the organization and typical security needs without significant time required for security research and education.
Accessibility: You should have good access to security officers and management or incident response personnel in the organization because these resources will provide direction as they progress throughout the development of the report.
Note: The selected organization may already have a security plan in place and a well-functioning project life cycle to be used as the basis for the project in this course.
Select an organization that fits these requirements, and submit your proposal to your instructor before proceeding further with the assignments in the course. Approval should be sought within the first several days of the course. Your instructor will tell you how to submit this proposal and what notification will be given for project approval.
Assignment Details
For the assignments in this course, you will develop a comprehensive Data and Applications Security Impact Analysis and Mitigation Report structure where you must identify the security measures to be taken at the planning, requirements, design, development, integration and testing, and installation and acceptance phases of the project life cycle.
Task 1
Create the shell document for the final project deliverable that you will be working on throughout the course. As you proceed through each assignment, you will add content to each section of the final document to gradually complete the final project delivery. Appropriate research should be conducted to support the analysis in your plan, and assumptions may be made when necessary.
The overall Data and Applications Security Impact Analysis and Mitigation Report project will consist of the following deliverables:
Week 1: Project Outline and Requirements
Give a brief description of the company (can be hypothetical) where the Data and Applications Security Impact Analysis and Mitigation Report will be implemented. Include the types of information and data that are processed by the company, the company size, location(s), and other pertinent information.
Week 1: Project Life Cycle Security Measures
Give a summary of the security measures to be taken at the planning, requirements, design, development, integration and testing, and installation and acceptance phases of the project life cycle to include the following:
Planning phase: Identify what work products the team will have that will change, or are likely to change, and the functional relationships between those products.
Requirements phase: Identify the requirements and the functional software verifying the identity of a user. Provide any requirements that are applicable to your cryptographic module. FIPS PBU140-2 Security Requirements for Cryptographic Modules can be used as a guideline.
Design phase: Describe how the design team ensures that the software component has trusted modules.
Development phase: Describe how developers will ensure that the application being developed for the cryptographic algorithm will be secure and protective of sensitive data.
Integration and test phase: Identify what will be tested during this phase and the general integration and test procedures that will be used.
Installation and acceptance phase: Identify the purpose of the installation and acceptance phase for both the user and the organizatio
Week 2: Security Vulnerability Assessment
For the development phase of the life cycle, identify software vulnerabilities, associated poor programming practices, and the overall impact that they have on security with your selected organization.
Identify best practices for fixing vulnerabilities and insecure interactions as introduced by poor coding.
Provide a conclusion to summarize the importance of correcting the current vulnerabilities and programming practices.
Week 3: Virtualization Security Impact
Provide an impact analysis that identifies the impact of moving an organization's applications and databases to virtualization. Identify how
this move impacts network security.
Include the services being implemented in the virtualization solution.
Include the strategies needed to mitigate security vulnerabilities that are associated with the organizational virtualization effort (e.g., current virtualization security vulnerability and security risks related to hypervisor security, host or platform security, and securing communications).
Include the configuration management policies and practices that are applicable to the virtualization security implementation.
Week 4: Cloud Computing Security
Identification of security risks to be addressed in the cloud computing environment:
Operating system and other infrastructure complexity
Unauthorized user access
Increased administrator roles
Legal compliance
Issues related to programmer service mapping to the cloud
Accesses to services moved to the cloud
Describe the application that is being released into the cloud computing environment and how this affects security from a standpoint of network communications, system configuration, security controls, and user responsibilities.
Describe the migration of corporate resources to various types of clouds, such as the private, public, hybrid, and community clouds, and the associated deployment model.
Describe how services are related to cloud computing (e.g., software, platforms, and infrastructure services).
Describe how organizations are placing controls and access policies on their data to control accesses to data and their locations on servers and off-site data locations.
Week 5: Risk Mitigation Strategies for Applications and Databases
Risk Management of Software from a Business Perspective
Creates a basis for understanding what software risks are critical; current business goals, operational, and technical priorities; circumstances of taking certain business actions must be identified and understood
Business and Technical Risk
Identification of what risks financially affect which organizational goals; reputation, liability concerns, and increased development cost; business and software risks must be quantified
Risk Prioritization
Determines which business goals are critical or important and which technical risks may affect business operations
Risk Mitigation Strategy
Strategy takes into account time, resources, likelihood of operational success, and overall impact; involves metrics and validation procedures to ensure the risks are mitigated
Repair Problems With Architecture, Requirements, and Design
Involves the study of open risks, evaluating quality metrics, and judging progress against any existing riskst.