Report on Capstone Simulation Round 1
- Authorized Software Policy
Type of software permitted for use by employees: Approved software
Software evaluation frequency in months: 6
Violation penalties: Focus on warnings
- Backup
RAID levels: 0
Remote backup spending: $250,000
- Database Security
Frequency of forcing password changes in days: 15
Degree of separation of roles for admin and operator roles: Complete
Control privileges: Restricted
OS services and associated ports: Enable
Database honeypots: Enable
- Remote Access Policy
- Systems Development Testing
Intensity of quality assurance testing: High
Degree of reliance on external vendor: Comprehensive testing
- Training
Training by funding: $50,000
- Training and Auditing
Frequency of physical audits of the equipment: Every six months
Focus on training area: network vulnerabilities 25%
Focus on training area: controls 25%
Focus on training area: encryption 25%
Focus on training area: penetration testing 25%
- Training Incentives
Average compensation bonus as a fraction of technical certification fees: 100% of fees
Link training outcomes to promotion: Yes
Link training outcomes to evaluation: Yes
- Virtualization OR Cloud Computing
Choose virtualization or cloud computing: Cloud computing
Rationale on the decisions made
The decision to use approved software that is to be evaluated bi-annually ensures that the software remains in a sound state and performs optimally. The backup spending on the system has been set at $250,000 in order to make the system affordable and increase the profitability of the venture. Setting the frequency of password changes to 15 days increases the security of the system, and in case a password is hacked, less damage is done. Restrictions on the security of the database also make sure that the cyber-security systems are safe from unauthorized access (Norquist, 2004). In regard to the training of staff, limiting the amount spent to $50,000 is within the limits of ensuring that the staff is adequately trained while limiting the cost of the whole project so that it remains affordable and profitable. By opting for virtualization instead of cloud computing, the system shall be more secure. Virtualization will allow us to consolidate and run several applications on fewer physical servers (Barlas, 2004). This will drive up server utilization rates and reduce the cost of operation. It will also allow quick deployment and provide enhanced availability and resilience, as well as improve workload balancing (Goodman, Lin & National Research Council (U.S.), 2007).
In making the above decisions we considered the impacts of our decisions on the three themes of the Cyber-security Capstone Simulation (CCS): cyber-security, profitability and collaboration (Carswell, 2012). By limiting the people who have a right to the technical and tactical formulation of cyber-security measures, we shall increase cyber-security (Hale, 2012). The more people with access to databases and other control tools, the more prone the cyber-security measures are to being counteracted and to "in-house" breaches (The Center for Technology and National Security Policy, 2006).
The decisions we made in regard to bringing in different entities at the operational level, such as the government, state agencies, regulators and investors, increase collaboration. They also ensure that the business sense of our strategies shall be well catered for to ensure profitability. The Center for Technology and National Security Policy (2006) warns that the regulators and the government agencies should be accommodative and not prohibitive. This ensures that people who invest in cyber-security businesses are able to obtain high profits. The profits not only sustain them in the dynamic industry but also ensure that they are able to conduct adequate research and development on cyber-security (United States, 2004). The more we are able to develop specific cyber-security measures, the lower the costs involved and the higher the profitability of the venture (Maiwald, 2004).
The choices we made relate to the sector briefing report. We noted that cyber attacks and crimes are on the increase. We also noted that cyber-security measures should be preventative rather than counteractive. In addition, we noted that different entities (the government, state agencies, investors and regulators) ought to collaborate in the development of measures to ensure cyber-security. All the decisions we made were collectively aimed at addressing these concerns.
References
Barlas, S. (2004) “Mission: Critical”, Information Security, September 2004, Retrieved July 3, 2013 from: http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss467_art974,00.html
Carswell, A. (2012). Cyber security capstone simulation - introduction. Retrieved from University of Maryland University College website: http://tychousa5.umuc.edu/CSEC670/1306/9023/class.nsf/Menu?OpenFrameSet&Login
Goodman, S. E., Lin, H., & National Research Council (U.S.). (2007). Toward a safer and more secure cyberspace. Washington, DC: National Academies Press.
Hale, B. (2012) Cyber-security- A Practical Approach to Actionable Intelligence. Retrieved 3 July 2013 from: http://www.digitalgovernment.com/media/Knowledge-Centers/asset_upload_file536_2024.pdf
Maiwald, E. (2004) Fundamentals of Network Security. McGraw Hill. Pp. 625.
Norquist, B. (2004) SANS Institute InfoSec Reading Room: Governmental Effects Upon the Cyber Security Decision Making Cycle. Retrieved 3 July 2013 from http://www.sans.org/reading_room/whitepapers/modeling/governmental-effects-cyber-security-decision-making-cycle_1575
The Center for Technology and National Security Policy. (2006). "Complexity and Critical Infrastructure Vulnerabilities", National Defense University, pages 3-4. http://www.ndu.edu/ctnsp/Complexity Book.pdf
United States. (2004). Technology assessment: Cyber security for critical infrastructure protection. Washington, D.C: U.S. General Accounting Office (441 G St. NW, Room LM, 20548).