Assignment
Case Study: Problem 1
JCI has hired you, a consultant, to assist them with a comprehensive look at their database and application security environment. After an initial meeting with the president and chief information officer (CIO), it was determined that your first deliverable will be twofold. First, you will identify the types of information and data processed by the company, and second, you will look at project life cycles for systems within the company and outline what security measures should be taken at each phase.
Key Assignment Overview
Throughout this course, you will work on several aspects of data and application security that will result in a Data and Applications Security Impact Analysis and Mitigation Report for a company of your choosing. This course is comprised of a series of Individual Project assignments that will contribute to a Key Assignment submission at the end of the course. Each Part, you will complete a part of a Data and Applications Security Impact Analysis and Mitigation Report. You will select an organization (real or fictitious), and apply your research to the development of the Data and Applications Security Impact Analysis and Mitigation Report that would be appropriate for implementation within the organization. The goal of this course project is to develop the policies and procedures that are necessary for the data and application security in an enterprise.
Organization and Project Selection
The first step will be to select an organization as the target for your Data and Applications Security Impact Analysis and Mitigation Report. This organization can be real or hypothetical, and it will be used as the basis for each of the assignments throughout the course. It should conform to the following guidelines:
• Sensitivity: The selected organization should be large, and it should contain sensitive data requiring the implementation of security measures.
• Familiarity: You should be familiar enough with the organization and typical security needs without significant time required for security research and education.
• Accessibility: You should have good access to security officers and management or incident response personnel in the organization because these resources will provide direction as they progress throughout the development of the report.
• Note: The selected organization may already have a security plan in place and a well-functioning project life cycle to be used as the basis for the project in this course.
Select an organization that fits these requirements, and submit your proposal to your instructor before proceeding further with the assignments in the course. Approval should be sought within the first several days of the course. Your instructor will tell you how to submit this proposal and what notification will be given for project approval.
Assignment Details
For the assignments in this course, you will develop a comprehensive Data and Applications Security Impact Analysis and Mitigation Report structure where you must identify the security measures to be taken at the planning, requirements, design, development, integration and testing, and installation and acceptance phases of the project life cycle.
Task 1
Create the shell document for the final project deliverable that you will be working on throughout the course. As you proceed through each assignment, you will add content to each section of the final document to gradually complete the final project delivery. Appropriate research should be conducted to support the analysis in your plan, and assumptions may be made when necessary.
The overall Data and Applications Security Impact Analysis and Mitigation Report project will consist of the following deliverables:
• Part 1: Project Outline and Requirements
• Part 1: Project Life Cycle Security Measures
• Part 2: Security Vulnerability Assessment
• Part 3: Virtualization Security Impact
• Part 4: Cloud Computing Security
• Part 5: Risk Mitigation Strategies for Applications and Databases
The project outline for the complete deliverable is as follows:
Part 1: Submit Data and Applications Security Impact Analysis and Mitigation Report shell for approval.
• Use Word
o Title page
o Course number and name
o Project name
o Student name
o Date
• Table of contents (TOC)
o Use an autogenerated TOC.
o Use separate pages.
o It should be a maximum of 3 levels deep.
o Update the fields of the TOC so that it is up-to-date before submitting your project.
• Section headings (create each heading on a new page with "TBD" as the content, except for sections listed under "New content" below)
o Project Outline and Requirements
o Project Life Cycle Security Measures
o Security Vulnerability Assessment
o Virtualization Security Impact
o Cloud Computing Security
o Risk Mitigation Strategies for Applications and Databases
• New content (to be completed in this Part 1 delivery)
o Project Outline and Requirements
- Give a brief description of the company (can be hypothetical) where the Data and Applications Security Impact Analysis and Mitigation Report will be implemented. Include the types of information and data that are processed by the company, the company size, location(s), and other pertinent information.
o Project Life Cycle Security Measures
- Give a summary of the security measures to be taken at the planning, requirements, design, development, integration and testing, and installation and acceptance phases of the project life cycle to include the following:
- Planning phase: Identify what work products the team will have that will change, or are likely to change, and the functional relationships between those products.
- Requirements phase: Identify the requirements and the functional software verifying the identity of a user. Provide any requirements that are applicable to your cryptographic module. FIPS PBU140-2 Security Requirements for CryptographicModules can be used as a guideline.
- Design phase: Describe how the design team ensures that the software component has trusted modules.
- Development phase: Describe how developers will ensure that the application being developed for the cryptographic algorithm will be secure and protective of sensitive data.
- Integration and test phase: Identify what will be tested during this phase and the general integration and test procedures that will be used.
- Installation and acceptance phase: Identify the purpose of the installation and acceptance phase for both the user and the organization.