Information Assurance Homework
• Presentation slides/video
• Final report paper
Scenario
Several computers in your company have recently been compromised. It was discovered that
the company network had been under attack for several months. However, these attacks had
not been previously detected. The attackers exploited both network and host vulnerabilities.
The head of your company decides that security needs to be improved. The company
network should be modified to prevent a majority of further attacks. Attacks that cannot be
prevented should be at least detected. However, solutions for tolerating undetected attacks
should also be envisioned. The head of the company tasks you to come up with a plan. A
rough estimate of the maximum cost of this task is: $500K for equipment and software and
at least 1 full-time security administrator (first year salary only included in initial estimate).
However, the head of your company indicates that these numbers could change based on your
proposal. Your goal is to propose the best plan that would provide the best level of security
for adequate cost and resources.
The company already has a network of Linux computers for scientific research and a
network of Windows computers for administrative tasks. Both networks should be made
more secure. Both networks should also be able to securely communicate. Additionally,
the company relies on its web server to advertise and sell some of its products, as well as
to provide a customer support portal.
Write a paper of 17-20 pages (double-spaced) on the security solution you would recommend. Be sure to explain why your solution provides the best level of security for the given
scenario and constraints. Assess the cost and the required resources of your solution.
Purpose/objective
View the problem as if you’ve just been designated head of information security for the
organization or you’ve been hired as a consultant to evaluate and propose a solution.
The scenario description has some information, but you will likely need to or will want to
assume additional things to help define the problem. Please discuss and/or clearly state any
assumptions being made.
Comments
Some things you’ll probably need to do:
• Identify, describe, and document the current state of things and start to define the
problem and scope to be addressed. This may include:
– Identifying and/or speculating likely causes or issues relating to the recent compromises.
• Identify/list/describe some or all of the objectives a proposed solution should try to
meet or address. Discuss how the objectives might be prioritized in the context of
the company’s core business operations. (Does it matter if it’s a financial, medical,
engineering, education, etc. type company? If so, you may want to indicate what the
company does and how this may affect priorities.)
• Identify what kinds of things (equipment, personnel, policies, procedures, etc.) may
already be in place or available (and perhaps not being fully utilized) and can be
improved upon. Identify where there may be gaps or aspects that are currently not
being addressed.
• Propose a plan to address and improve security. Discuss how various components will
be implemented and how they are expected to improve the current state of things.
• Discuss if there are ways to measure or gauge if the implemented changes help or improve
security. Also consider if implemented changes may also affect other operational aspects
of the company (either positively or negatively) and whether or not this can be measured
or estimated in some way.
• Discuss if there are alternatives to some of the components in the proposed plan and if
or when the alternatives might be considered or why the alternatives are not a good fit
for the organization and its operations. You can consider alternative components or
alternative implementations of components. For example, you may decide a firewall
or IDS should be part of the proposal; however, there may be different places where a
firewall or IDS might be placed depending on what should be protected or other factors.
• While it is unlikely you would need to discuss or use some of the formal models covered,
there are aspects of them that may be applicable. For example, if a company deals
with sensitive information, you may want to cover how it could be compartmentalized
to minimize the impact from any future compromises. Does the company need to be
concerned about conflicts of interests regarding clients? If so, how can this be handled
internally?
• The cost constraint is included because there will be resource constraints which need to
be weighed against the priorities and objectives of the company. Cost figures do not
need to be exact or precise, but try to make reasonable estimates when possible. If you
have a source or reference for a cost, that’s great. If not, no problem, but just make it
clear that the cost value is something you came up with. This is not a cost estimation
project, so don’t spend much time on trying to come up with detailed or referenced
cost figures.
Think of the proposed budget as a tool that relates to or is influenced by the priorities
and objectives of the organization. It should be useful for answering questions such as:
– Why two firewalls instead of five (or some other component)? (From the budget,
it can be seen how much three additional firewalls might cost and other ways that
money might be spent to provide better improvements.)
– Given an addition of $X, how would you alter your current proposal to get the
most additional improvement?
– Given a reduction of $Y, how would you alter your current proposal to minimize
impact on security?
Slides
Think of the slides as sort of a “storyboard” or outline for the paper (or an overview if you’ve
already started writing or have finished the paper by the time the slides are due). You should
have enough slides for a 10-12 minute presentation and overview of your proposal. Almost all
of the content should be reusable as part of the paper.
You can structure it as a collection of figures, diagrams, tables, etc. where the paper ends
up being a narrative to explain the different elements and to tie them together. Or you can
structure it as an outline with bullet points for key items (which will become paragraphs or
sections of the paper). Or it can be some combination of both.
***NEW SPRING 2019*** Presentations should be submitted as a video or recording
of some sort along with the slides. Presentations exceeding 12 minutes will lose points.
In-class students should be available to answer questions and respond to feedback when their
presentation is played for the class.
Final thoughts
The above items should not be interpreted as a template or checklist for the project paper.
It is just a list of things that can be considered or included. However, if you are not sure
where to start, you can use it as a guide.
This is a design project. There is no single best design that your proposal will be compared
against. It is important to identify what the design needs to address (for the given scenario
and assumptions you make and describe) and then to provide support and context for how
your design and design decisions address these things.
Additional scenario ideas
The original scenario is for an engineering type company. Alternate scenarios could be for
things such as:
• Healthcare (such as a hospital) – where regulatory requirements, such as HIPAA in
the US, might apply. You could consider a range of desktops and workstations used
for various administrative roles, patient record and billing systems, and various medical
equipment and devices that may be networked in some way or otherwise connect with
some of the computing infrastructure. Ransomware is a realistic example providing
initial motivation for an assessment of current security practices and proposal for an
improvement plan.
• Financial (such as a community bank) – where regulatory requirements, such as the
Gramm-Leach-Bliley Act in the US, might apply. You could consider things such as
workstations and equipment used by tellers, bank managers, loan officers, etc., ATM
systems, systems storing account information and customer records, servers and web
sites for online and mobile banking and other systems. There are several types and
variants of malware that target banking systems and accounts. Recent incidents could
provide motivation for an assessment of current security practices and proposal for an
improvement plan.
• Industrial setting (such as a power plant) – someplace where things like Industrial
Control Systems (ICS) may be prevalent. These may be on isolated networks but
there may be components or parts of the system that allow for remote access (using
something like a VPN, ...or not). Some of the systems involved may be limited in terms
of processing power or other resources and this may provide constraints on the options
available to secure some of the devices at the endpoints (on the devices themselves).
Also, monitoring the integrity of the system and being able to respond quickly may be
of critical importance as well. Some of these environments rely on some less common
or less well known types of communications (such as Zigbee for wireless) which may
impose some limitations or constraints in terms of security options.
If your scenario includes an area where either voluntary industry requirements or mandatory regulatory requirements apply, you can research and include aspects of these requirements.
You do not need to have an in-depth focus on the requirements, but the idea is to include
different aspects relevant to the organization that should be considered. Different aspects
to consider may involve technology, regulations, and core business functions. Your proposal should not focus solely on technical aspects, but should try to take into account the
environment in which it will be applied.
Rubric
-----------------
(A) What are the assets the company wants to protect and why?
Simply listing a computer as an asset and saying it needs to be
protected needs to have more context (in how it may impact the
business). Is a computer (or other resource) important because
of what is stored on it, how it is used, what it has access to,
etc.? For example, a desktop computer may not have any important
information stored on it, but if it gets infected with malware,
the disruption to clean or reimage it may impact worker productivity.
Along with identifying assets, you may also want to consider how a
particular company or organization may prioritize their assets.
(B) What are some of the threats the company wants to protect
against? Some types of threats may be more specific to the
function or industry a company or organization is involved in.
External threats may be more of a focus, but for some industries,
internal threats may also deserve some attention.
(C) What are some of the current gaps or weaknesses? If you
are proposing something that should improve or increase security,
it is important to include or mention some assessment of the
current state. If you are making the assumption that there are
currently no security measures in place, that's fine, but you
should explicitly state this, otherwise it's not clear how what
is being proposed is any different than what may already be in
place. Perhaps the organization already has an expensive IDS/IPS
but lacks resources to monitor or tune it (and the high rate of
false positives just causes it to be ignored or disabled).
(D) Link components of proposed solutions to the identified
assets that need to be protected (from the perspective of the
company or organization) as well as considering their relative
priorities, if applicable. You can also include mention or discussion
of how components relate to particular threats and how those threats
relate to assets. Indicate how the plan protects assets (either directly
or indirectly).
(E) Please try to include some type of cost or budget estimate
component. It's more of a planning tool, so accuracy is not
a high priority, but it should be usable to illustrate trade-offs
if priorities shift or if budget constraints change.
(F) For budget/cost estimates, keep in mind that many software
products require licenses per install. So if in your scenario
you have 40 Windows computers that you want to include AV software
for, if you are using an individual license cost for reference, you
need to multiply it by the total number of computers it will be
installed on, or you need to make sure that your price reference
is for some kind of volume or blanket type license that allows
the software to be installed on multiple devices for a single
license.