Information Technology

Question One

A policy can be defined as a statement of intent that is implemented as a protocol; in other words, it is the basis that guides an organization. In general, a policy is mandatory and is treated as equivalent to the specific laws governing an institution. Policies use authoritative wording to signal that the subject in question must not be overlooked. As such, they set the aims and objectives that help determine the right direction. Furthermore, policies state values as well as the reasons and motives for which they were prepared. Policies can also be understood as decisions planned in advance for situations that would otherwise be challenging. For example, a Tolerable Use policy covers the rules governing the appropriate use of computing facilities.

A guideline, on the other hand, is to some extent a process that decides the course of action necessary to obtain a certain outcome when handling a particular situation. Basically, it is a compilation of procedures meant to be carried out in a given order and in a logical manner. Unlike policies, guidelines do not carry mandatory authority (Technology, 2014). An example of a guideline is ‘Employee training on computing skills.’

Question Two

AC-3, Access Enforcement, is the security control that provides the policy as well as the procedures necessary for the successful execution of the chosen security and enhancement controls. It is particularly significant within the Access Control family. Furthermore, it assists in managing information systems in several ways, including the identification of account types and the establishment of the conditions required for each group membership. Basically, individuals in an organization have access only to the data necessary to fulfill their duties and cannot log into someone else’s account (Technology, 2014). Anonymous access is also curtailed. Besides, permission is required from anyone seeking to open, activate, disable, or modify an account.

Additionally, accounts that are no longer needed, or those of transferred or retired users, can easily be deactivated. AC, Information Flow Enforcement, on the other hand, provides the authorizations that control how data flows within a system and between interconnected systems in accordance with the applicable policies. CM-06, Configuration Settings, establishes mandatory configuration settings for the IT products used in an information system. It also sets those settings to the most restrictive mode that is consistent with operational requirements, and it enforces them across all parts of the system.

Question Three

The three parts of the NIST Cyber Security Framework are the Profile, the Core, and the Implementation Tiers. Each of these three components forms part of a risk-based set of guidelines intended to help organizations assess the current capabilities of their cyber-security practices. They also help create a prioritized roadmap toward improving those practices. The Profile component enables an organization to position and advance its cyber-security practices on the basis of its risk tolerance, individual business needs, and available resources. An organization therefore creates a Current Profile by assessing its existing programs against the practices suggested by the Framework Core (PROTIVITI FLASH REPORT, 2014). The Framework Core, on the other hand, can be simply defined as a compilation of cyber-security activities and applicable references, organized into concurrent and continuous functions.

These functions are identification, protection, detection, response, and recovery. They offer a strategic view of how an organization manages the lifecycle of its cyber-security risk, and together they provide a continuous description of the institutional processes that make up effective cyber-security. The Implementation Tiers, for their part, help create an environment in which companies can properly understand their existing cyber-security risk management capabilities. The Tiers are classified as Partial, Risk Informed, Repeatable, and Adaptive.

Question Four

The Cyber-Security Framework, established by NIST under an executive order and released on February 12, 2014, focuses on improving the cyber-security of Critical Infrastructure. The framework does so by helping an organization describe its existing cyber-security posture as well as its target state. Its common taxonomy also enables the identification and prioritization of opportunities for improvement within a constant and repeatable process. The framework is likewise used to assess progress toward the target state. Furthermore, it helps ease communication among internal and external stakeholders on matters pertaining to cyber-security risks.

The framework offers a structure that regulators, customers, and organizations can use to create, assess, improve, and guide complex cyber-security programs. Additionally, it creates an enhanced and cost-effective common language for addressing and managing cyber risks. This is done on the basis of each company’s needs, without placing extra regulatory requirements on businesses. The framework also aids in determining the existing level of cyber-security and in setting goals for it, particularly goals in step with the business environment. With its help, organizations can improve or maintain their security.

Question Five

The three selected controls are AU-2 (Auditable Events), IA-2 (Identification and Authentication, Organizational Users), and IA-3 (Device Identification and Authentication). Each of the controls protects the system in a different way. For example, under Auditable Events, the activities performed on the system can easily be reviewed to establish any point at which fraud occurred or the system’s controls were ignored. Identification and Authentication of organizational users, on the other hand, is beneficial because it makes it possible to know who has access and to what extent they enjoy such rights. Consequently, unauthorized individuals do not gain entry to secured data.

Finally, Device Identification and Authentication makes it possible to establish which device an individual used to log into the organizational account. Therefore, devices with weak security features that can easily be compromised do not gain entry to the site, and intruder devices are likewise limited by this feature. These controls were selected to establish ways of dealing with information theft, from the devices through to the personnel. Furthermore, the controls play a crucial role in both implementation and maintenance.
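The access-enforcement behaviour described for AC-3 in Question Two and the audit and device checks described for AU-2 and IA-3 in Question Five, as an added illustration that is not part of the original answers; the roles, accounts and devices are constructed, and the review rule of flagging two or more denials is an assumption.

```python
# Added example (not from the essay): an access-enforcement gate modelling
# AC-3 (access enforcement), IA-3 (device identification) and AU-2 (audit).
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> resources that role may read (least privilege, AC-3)
ROLE_ACCESS = {"clerk": {"invoices"}, "auditor": {"invoices", "audit-log"}}

@dataclass
class Account:
    name: str
    role: str
    active: bool = True  # transferred or retired users are deactivated

@dataclass
class Gate:
    accounts: dict = field(default_factory=dict)
    registered_devices: set = field(default_factory=set)  # IA-3 allow-list
    audit: list = field(default_factory=list)             # AU-2 records

    def request(self, user, device: str, resource: str) -> bool:
        """Decide one access request; every decision is recorded (AU-2)."""
        acct = self.accounts.get(user) if user else None
        if acct is None:
            outcome = "deny:anonymous-or-unknown-user"  # no anonymous access
        elif not acct.active:
            outcome = "deny:account-disabled"
        elif device not in self.registered_devices:
            outcome = "deny:unregistered-device"        # IA-3
        elif resource not in ROLE_ACCESS.get(acct.role, set()):
            outcome = "deny:not-permitted-for-role"     # AC-3
        else:
            outcome = "allow"
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "user": user, "device": device,
                           "resource": resource, "outcome": outcome})
        return outcome == "allow"

def review_denials(audit: list, threshold: int = 2) -> dict:
    """AU-2 review: users with at least `threshold` denied attempts."""
    counts = {}
    for rec in audit:
        if rec["outcome"] != "allow":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

def demo():
    # Constructed scenario; returns (decisions, users flagged on review)
    g = Gate(accounts={"alice": Account("alice", "clerk"),
                       "bob": Account("bob", "auditor", active=False)},
             registered_devices={"laptop-01"})  # bob has transferred out
    decisions = [
        g.request("alice", "laptop-01", "invoices"),   # allowed
        g.request("alice", "laptop-01", "audit-log"),  # denied: role
        g.request("alice", "phone-99", "invoices"),    # denied: device
        g.request("bob", "laptop-01", "audit-log"),    # denied: disabled
        g.request(None, "laptop-01", "invoices"),      # denied: anonymous
    ]
    return decisions, review_denials(g.audit)
```

Every request, allowed or denied, leaves an audit record, so the review step works from the same trail the gate wrote rather than from separate bookkeeping.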

Question Six

Physical Security

The exterior of the buildings should be inspected regularly to ascertain that there are no broken windows or unlocked doors. Moreover, security guards should be positioned at the main entrances to ensure that the status of every individual who enters is verified. Furthermore, it is critical to protect high-value target areas, such as the data center and server rooms, which visitors should not be allowed to enter. Such areas should be well monitored through the installation of CCTV cameras and staffed by an effective and efficient response team in case of intrusion.

Personnel Security

For the purpose of employee protection, it is necessary for organizations to ask their workers to sign a non-disclosure agreement. Such action will also enable access to background data. Moreover, all individuals entering the organization should be badged. Badges could use different colors for workers and visitors, as well as for the areas each of them is authorized to access. Furthermore, the presence of authorized non-employees has become common in many corporations. To make sure that their presence does not threaten information security, schedules for their visits should be established. Besides, their access to the network should require explicit permission, and they should be discouraged from logging in from remote locations.

It is vital to establish who feeds data into the system and the extent of their access. Sometimes, critical data requires that whoever enters the information does not have the right to make changes, that being the preserve of their seniors. In addition, the people entering and accessing sensitive information should sign non-disclosure agreements that legally bind them not to pass it to unauthorized third parties. Furthermore, every login needs to be recorded with the actual time, location, and nature of the data reviewed, and changes should always be highlighted with the actual time of their occurrence.

Question Seven

When crafting a cyber-security system, reviewing the corporate culture is instrumental. The process requires establishing the areas the organization considers most significant, which ensures that major sectors are neither left out nor overlapped. In addition, the nature of the employees and the interconnection of their duties should be reviewed. Organizational success is anchored in the workers and their responses; moreover, their ability to use the new system should be ascertained. This allows an opportunity for consultation, thus ensuring that everybody gets on board. Besides, the core reasons or drivers for the new installation should be established.

Moreover, the environment in which the company operates should be well understood, including its management, other workers, and finances. A well-skilled workforce may respond more quickly to the changes than a less trained one. Furthermore, company politics and power games should also be examined, as they play an important role in the acceptance of changes. On the other hand, determining the amount of money required is significant because it provides an opportunity to conduct the analysis and establish the return on investment as well as cost-effectiveness.

Question Eight

To ensure that the presentation reaches the audience clearly, several factors should be considered. Firstly, short, structured sentences help the listener or reader grasp the main points with ease. Secondly, the presented document requires proofreading to correct any grammatical errors it may contain. Thirdly, during the presentation it is vital to pronounce words properly. In most situations, wrong articulation can make listeners uneasy and shift their attention, or at worst convey a distorted meaning. Emphasizing words could also be used to draw attention to the major points.

In addition, using the right tenses gives the audience an understandable flow through the presentation. Furthermore, it should be coherent and employ language that is known and easily understood by the listeners or viewers. Extremely difficult language creates the need for extra explanations, which could confuse the intended audience. Additionally, the analysis data being presented should be simple and precise: complex information is harder to explain, while a bulky presentation may be boring and tiresome for the listeners. Moreover, repetitive information should be eliminated to avoid redundancy that could confuse the addressees. A visual presentation has to be easily perceivable.

Question Nine

Developing a business continuity plan requires following several important steps. The first is identifying the scale of the plan, which involves establishing the area of coverage, the quantity of data to be shared, and the number of people involved. Secondly, the most important areas of the business should be recognized. This stage is vital to ensure that no data necessary for the continuity of company activities is omitted; if vital information is misplaced, wrong conclusions are likely to follow.

Thirdly, identifying the key functions is critical. It helps ensure that the devices meant for meetings are well synchronized to allow ease of use. The fourth step involves recognizing the dependencies that exist among different business functions and areas, making sure that every function is aligned with its respective area of the business. In addition, it involves determining an acceptable timeframe for all the significant functions; timing allows everyone’s participation without absenteeism or interruptions. Finally, an operations maintenance plan is established. The aim of this arrangement is to ensure that all the processes engaged in the business continuity plan are achieved.

Question Ten

The business continuity plan is a lifecycle involving maintenance, analysis, solution design, implementation, testing, and acceptance. The analysis entails impact scrutiny, threat study, and impact scenarios. These measures assist in differentiating urgent from non-urgent data. The pressing functions have two values attached, the recovery point objective and the recovery time objective, which define the maximum data tolerance. Solution design offers a cost-effective solution; it is mostly articulated as the smallest application set, its informational requirements, and the period within which the minimum application and related data become available. The implementation phase entails policy changes, staffing, and testing, as well as material acquisition.

Testing and organizational acceptance, on the other hand, confirm that the solution satisfies the recovery requirements. However, expectations may not be met owing to insufficient recovery requirements, flaws in the solution design, or errors in the solution implementation. Finally, maintenance involves testing and verification of the company’s recovery procedures as well as of the established technical solutions that recover operations (Guttman, 1997). It also covers manual information confirmation and raising employees’ awareness, and it entails special training activities for critical individuals. Matters arising during the testing stage are often reintroduced into the analysis phase.

Question Eleven

The most significant considerations for a security baseline include hazard recognition, mission identification, and support system realization. Others comprise system reconstitution, establishing the interconnections and interdependencies within the system, and determining vulnerabilities. Furthermore, system interdependency, the workers and their respective responsibilities, tolerance ability, and planned system changes could also be critical. When a security risk arises, the nature of the threat should be established early enough to allow preparations for handling it; this means a mission is prepared to counter the emerging threat, and a support realization system is then set up. In addition, analyzing the system to understand its interconnectivity and interdependency strengthens it and reduces the chance of access by unauthorized individuals.

Question Twelve

At times, organizational threats may emanate from inside, through employees, for several reasons. Workers could be vulnerable because of certain behaviors they display or because of the organizational culture and environment in which they operate. One such conduct that could threaten the entire organization and create vulnerability is laziness. Sometimes employees assume that the outlined security guidelines are too long and take shortcuts. For example, this becomes evident when those who are supposed to frisk or screen everyone entering the facility fail to do so and let anyone through without thorough checks, which would allow individuals who pose a security threat to the business to gain entry.

Secondly, workers could be gullible. Susceptible employees with little know-how can easily be tricked into providing information to con artists who pose as employees or associates of the company. Consequently, individuals may use deception to access the company once they notice the workers’ carelessness or failure to be alert (Caballero, 2009). Furthermore, where rules are not strictly enforced, employees tend to upgrade the system or make changes on their own, which may be meant for their seniors or experts only. That may threaten the effectiveness of the system and its protection from hackers or other intruders.

Question Thirteen

Getting the managers on board requires applying different approaches. Firstly, it is vital to make a logical appeal to management, setting out the benefits that the organization will derive from the project; in this case, the benefits to top management would be explained. Secondly, one can make an emotional appeal, connecting the message and goal of the project with those of the individual managers. The project would be described with enthusiasm, expressing confidence in a manager’s ability to improve their working environment and achieve success. However, this requires caution, as it could backfire. The next one is the cooperative approach.

Managers like to feel appreciated and accorded the respect of their office; therefore, an approach that regards them as senior players would encourage them to show support. Furthermore, the project should demonstrate to the managers their ability to oversee the company’s activities with ease. Moving around to supervise workers or going through their paperwork or large volumes of data may be tiresome, but with a proper and secure system the executives can access the performance of each employee. Another way to attract the managers to the system is by showing them the advantage they will gain over competitors should they implement the scheme.

Question Fourteen

The scale of a threat in computer forensics can be determined by several factors. Firstly, the threat may increase or decrease depending on whether it is external or internal. Threats from outside appear more harmful to an organization’s cyber framework than those carried out from inside, because those within may have an interest in the company’s continuity, while those outside could be wishing for its total collapse. Secondly, the reward received by the invader could increase the magnitude of the threat (Dimattia, November 15, 2001): the higher the risk posed, the higher the price to be paid, so attackers are motivated by large sums of money.

Thirdly, the nature of the organization could increase the scale of the hazard. Attackers consider some institutions more important than others; for example, the financial industry has become a core target of cyber-crime attackers compared with others where the monetary returns would be minimal. Finally, the type of information security system could determine the velocity of the attack. While modern methods cannot be guaranteed to be exclusively safe, the rate at which data is illegally accessed from them is lower than with traditional ones.