Type: Individual Project
Unit: Finalizing Your Presentation
Don't use plagiarized sources. Get Your Custom Essay on
CYBR10
Just from $13/Page
Due Date: Wed,2/12/20
Grading Type: Numeric
Points Possible: 250
Points Earned:
Deliverable Length: 500-700 words
View objectives for this assignment
Go To:
·
Assignment Details
·
Scenario
·
Learning Materials
·
Reading Assignment
My Work:
Online Deliverables:
·
Submissions
Looking for tutoring?
Go to Smarthinking
Collapse All | Expand All Collapse All | Expand All
Assignment Details
Assignment Description
Key Assignment
As a cybersecurity manager, you have been gathering information regarding best practices for an organization to consider to reduce the risk of information and cybersecurity threats. You have identified various methods for communicating these threats and the best practices used to mitigate them to various stakeholders. The management team, as well as your peers, are happy with your progress.
In Weeks 1–4, the following assignments were completed; be sure to incorporate any feedback previously received from your instructor and peer reviews into them:
· Unit 1 IP: Communicating cybersecurity requirements to multiple stakeholders
· Be sure that you have addressed how the digital age has impacted professional communication. (Add an additional slide if this was not included in your previous submissions.)
· Unit 2 IP: Evaluating and communicating cybersecurity operational requirements
· Unit 3 IP: Identifying and communicating the importance of a cybersecurity training and awareness program
· Unit 4 IP: Applying an information classification scheme to IT systems to reduce the risks associated with breaches
The last and final step is to twofold.
Part 1:
Submit your final paper comprised of IP1 through IP4, which has been updated with feedback received from both the instructor and peers (specifically in DB4).
New Content:
In 500-700 words, explain the how to brief management. Be sure to include the following factors:
· How much time does management typically allot for briefings?
· How many slides should be included?
· What is the best approach in terms of the level of detail included on the slides themselves?
· How much technical information should be included?
· What factors are management most interested in?
Part 2:
Create a briefing that highlights all of the topics you have covered throughout this course related to cybersecurity best practices to be communicated to the board of directors of the organization. You will complete the following:
· Summarize the work you have accomplished throughout the term into a single presentation.
· Develop a cybersecurity program briefing to the board of directors that will identify the potential threats and describe the solutions you developed to address them.
· Include a list of references at the end of your presentation.
The final PowerPoint presentation should be between 5-10 slides with at least 10 words of speaker notes per slide. The intention is for you as the cybersecurity manager to identify cybersecurity threats and solutions and to translate technical issues into business language so that the board understands the threat landscape and how to properly fund, resource, and support it.
Name the document “Yourname_CYBR609_IP5 ”
Please submit your assignment.
For assistance with your assignment, please use your text, Web resources, and all course materials.
Reading Assignment
Unit 5: CYBR609 CTU Library Guide
Wells, A. (2018).
The Tech Professional’s Guide to Communicating in a Global Workplace: Adapting Across Cultural and Gender Boundaries.
New York, NY: Apress.
Assignment Objectives
·
Apply the relevant cybersecurity theoretical and practical knowledge behind communication and persuasive speaking
· Construct persuasive messages to apply across various audiences, especially those with differing levels of cybersecurity and technical expertise
· Demonstrate presentation skills
· Practice critical thinking to construct and evaluate cybersecurity claims and arguments with positive outcomes
Other Information
There is no additional information to display at this time.
Computing systems
Mohamed Conteh
Cecile Jackson
CYBR609-2001A-01
Colorado Technical University
January 22, 2020
Overview
Overview of the organization’s computing environment and networks
Environmental factors are becoming a major challenge to the company’s computer systems. Companies have become vulnerable in a way that they are easily affected by malicious attacks. Information technology has grown rapidly due to the growing technology. The more technology is on the rise, the more risks are increasing. It is something that is likely to affect the organization’s computing systems in a way that it will hinder the normal functioning of the organization. It is something that needs to be dealt with in a way that it will help come up with solutions affecting most organizations. In this case, the organization is most affected as its systems are not secure. The company’s network systems has been affected for a while inflicting the organization into serious threats.
2
risks
Computer systems considered to be of high risk.
Types of threats
The computer system within the organization is likely to be affected by different threats. The threats may either be physical or non physical. The physical threats that are likely to affect the computer systems are either classified to be internal, external or human threats. The internal factor that will affect the organization include high humidity in the rooms that houses the hardware system, fire and unstable power supply. The computer systems can also be affected by earthquakes, lightning and floods. The other physical risks that are likely to affect computer systems are classified to be human risks such as intentional errors, vandalisms, disruption and theft.
3
Risks
Non-physical threats
The computer systems within the organization are also likely to be affected by non-physical threats. Non physical threats are those threats caused by third parties. One of the threats that disrupt the normal function of the organization are cyber security breaches, loss of system data, losing sensitive information, disrupting business operations that mostly rely on computers and illegal monitoring of activities taking place in the computer systems. Non physical threats are also considered to be logical threats. There are number of other threats likely to affect the organization including worms, virus, adware, phishing, key loggers, Trojans and distributed denial of service attacks.
4
vulnerability
Definition of vulnerability
Different types of vulnerabilities
How to scan the vulnerabilities
Vulnerabilities can be defined as defects within a computer system which will create room for an attack. They can also be termed as types of weaknesses which are present within a computer. It involves a number of procedures hence anything can invade the system’s information security exposing it into different threats. There are different types of vulnerabilities likely to affect the computer system. Some of the vulnerabilities include; missing data encryption, bugs, SQL injection, weak passwords, use of broken algorithms, buffer overflow and OS command injection. There are possible ways that can be used to scan the vulnerabilities. One of the ways is through regular scanning and updating the security patches.
5
Implementation
Explaining the patches
How to implement the patches
A patch can be identified as different changes directed to a computer program. It helps support data that is meant to improve the computer system and help in the process of updating the computer. Patches include fixing bugs, security vulnerabilities which are identified as bug fixes. They play a better role in improving the system functionality, performance and usability. The patches often get installed in a programmed form that is controlled by human programmers using a debugger. It will help in different program files such as computer memory and storage device. A patch management strategy will play a key role in ensuring that the company is well protected and free from vulnerabilities.
6
Effective vulnerability
Coming up with effective vulnerability management program
It is essential for organizations to consider an effective vulnerability management program. The program will aid the organization come up with better ways of preventing the vulnerabilities. The vulnerabilities may be harmful in a way that they will barer company activities from taking place. The management program will help the management determine how to come up with different ways of protecting its systems. One thing to consider is how the vulnerabilities are introduced into the system and how they can be reduced. The management program will also stipulate the best methods of introducing protective measures that will help curb the vulnerability.
7
Explaining the differences
Differentiating patches and why its best to implement.
Patches can be stated in different forms. They need to be tested from time to time to ensure that they are running well. The difference between testing and production of the networks is that testing allows one to determine whether the networks are correctly working. They help one know whether the networks have been inflicted by any kind of threats. Testing is therefore meant to help the company determine how effective their systems are.
On the other hand, production of networks is where the management comes up with networks that are free from patches. The networks that are free from vulnerabilities.
8
References
Threats and Vulnerabilities. (2015). Computer Security Handbook, II.1-II.2. doi:10.1002/9781118851678.part2
Wang, L., Yan, J., & Ma, Y. (2019). Cloud Computing in Remote Sensing. doi:10.1201/9780429488764-3
Watson, V., Lou, X., & Gao, Y. (2017). A Review of PROFIBUS Protocol Vulnerabilities – Considerations for Implementing Authentication and Authorization Controls. Proceedings of the 14th International Joint Conference on e-Business and Telecommunications. doi:10.5220/0006426504440449
Running Head: COMMUNICATIONS IN CYBERSECURITY
1
COMMUNICATIONS IN CYBERSECURITY 11
Mohamed Conteh
Cecile Jackson
CYBR609-2001A-1
Colorado Technical University
February 12, 2020
Communications in Cybersecurity
Although current organizations have experienced a tremendous improvement in terms of adopting technology in daily operations like it, cloud computing, and the development of automated software, this is not only an advantage but also a disadvantage towards ordinary business operations. Advancement in technology has widened the surface through which attacks can be channeled to. Technology advancement, adoption, and implementation in organizations have opened an avenue through which organizations are exposed to cyber-attacks (Wang & Wang, 2018). To address the rising number of cyber-attacks, there is a need for the cybersecurity department, and the cybersecurity manager, in particular, to ensure that they partner well with other business units within the organization. This will ensure that cyber threats are well dealt with. In this light, the paper sought to find out ways through which cybersecurity managers can successfully communicate with other business units within an organization to ensure that potential cyber threats are at their minimum.
One of the best strategies through which an organization can address cybersecurity-related challenges is through inducing cybersecurity culture within the business. Having such a culture in place helps in ensuring that the security posture of an organization is well maintained. One of the easiest ways of initiating this is ensuring that the cybersecurity unit within a business. One of the best ways cybersecurity managers can communicate with other business entities is through embedding cybersecurity into ordinary business activities. There are several normal activities within a business that cybersecurity can take part in — for instance, active participation in the risk review board. If the cybersecurity management can actively engage in the risk review process, they are in a better position of suggesting solutions that can limit cyberattacks since they are experts in this area (Sanders, 2016). The team can also take part in the project management committee. Involving them will ensure that any project initiated will have taken good care of cyber threats. This will enhance the overall security of the business organization. Another activity that the cybersecurity discipline can actively take part in is procurement and activity tasks. By so doing, the specialists will offer their insights about the security aspect of the procedure, which can be followed.
Another way through which the cybersecurity unit can uphold a relationship is by fostering collaboration with the groups present. The unit should avoid singling out itself in several activities that they engage in. Partnership welcomes new insights and ideas of what other units think about the security status of the organization. This, in general, enhances the security of the organization. The selection of a collaborative communication strategy ensures that every individual or unit, in this case, matters a lot. However, a collaborative communication strategy comes with several advantages and disadvantages. Benefits include enhancing of complete security of an organization as all members are considered, positively supports business performance, and also helps in addressing issues that matter a lot. Cons, on the other hand, might include unhealthy competition between business units, resistance to change from specific individuals, and cultural mismatch within the business, among others (Cockburn, Smith & Cockburn, 2018).
Importance of Cybersecurity Training
Today, every company is vulnerable to cyber security. The risk of vulnerability increases with the level of cybersecurity awareness of the employees or users. It is important to determine various user groups in an organization so as to tailor a training program that is suitable for each of them. Generally, the two main categories of users are privileged users and regular users. A privileged usually has a broad access of an organization’s information system (Crouse, 2014). Since companies are relying heavily on technology to carry out activities, every other employee in an organization qualifies as a regular user.
The requirement for each group is slightly different. A lot of emphasis regarding how to prevent, identify and mitigate cyber threats should be given to the privileged users since he/she is more prone to cyber threats. Similarly, regular users should be taught how to identify, prevent and address cyber threats.
A training program is meant to empower employees to protect themselves and the company against cybercrime. Therefore, these programs should address key elements of cyber security. First, employees should be made aware of types of cyber security threats such as social engineering and malware among others. Second, users should be educated about various protective mechanisms against cyber threats such as installing and updating anti-virus software’s on regular basis and creating strong passwords. Third, users should be taught how to recognize and handle cyber threats such as phishing. Lastly, employees should be informed and cautioned against reckless behavior that can compromise cybersecurity such as use of unsecured personal devices, unsecured wife’s and failure to adhere to company’s cyber security policies or guidelines (Feather, 2019).
Even after employees have undergone cyber security training programs, it is important to incorporate other methods of raising awareness and encouraging adoption of acceptable behaviors. One key method of reinforcing training programs is the use of drills. Drills involve actual attempts to breach the company’s cyber security to test the employees’ ability to recognize and address the threat. This strategy is useful to test the employees’ preparedness by assessing their strengths and weaknesses. In addition, cyber security is a field that is changing rapidly. Therefore, it is important that the organization encourages its employees to attend external conferences, forums and training programs about cyber security. This approach will ensure that employers are up-to-date with recent developments and bring valuable skills and information to the company.
It is dangerous for a company to fail to train its employees on organizational cybersecurity. According to Ramarchandran (2019), employees are the biggest risk to a company’s information systems. They are usually the target of cyber criminals and often become victims of social engineering and phishing among others. However, employees who are trained on organizational cybersecurity are able to handle cyber threats effectively. Therefore, failure to train employees on cyber security increases a company’s vulnerability to cyber threats in various ways. First, employees lack the self-driven motivation and accountability to protect themselves and the company since this aspect is usually inculcated during training. Second, employees lack the ability to identify and address cyber threats. As a result, they are easily tricked by cybercriminals and also lack the ability to handle cyber-attacks.
In conclusion, cyber threats are rampant in the digital era. They pose a huge threat to organizations. People or users are the primary targets of most cybercriminals. Therefore, it is important that organizations train their employees on cybersecurity as a way of empowering them to handle cybersecurity threats more effectively.
Reducing Risk: Organizational Data
Data classification offers a rigid basis for information security plan because it enables organizations to identify vulnerable areas in the IT network, both externally and internally. In this sense, for several reasons, it is of the essence for organizations to develop a data classification scheme. First, data classification helps in securing critical data. For organizations to secure their data, they need to understand their data (Real Security, 2018). For instance, the firms should be able to know what sensitive data they possess, where the crucial data resides, the parties that can find, alter, and erase it, and how it may affect business if leaked. Understanding all these aspects helps firms in prioritizing data to protect.
Secondly, data classification assists firms to act in accordance with regulatory mandates. Usually, compliance standards require firms to secure clearly defined information, such as health records (HIPAA), cardholder information (PCI DSS), and financial data. Data classification can help an organization identify the location of such data and ensure that necessary protection is in place. Another benefit of data classification is that it demonstrates a high level of organizational commitment. Organizations that develop data classification schemes display concern and commitment towards protecting their data which is a very important characteristic of any organization.
Data Classification Policy
Purpose and Scope
The purpose of this data classification policy is to offer the foundation for securing the confidentiality of information at the Sinopec Company by setting up a data classification system. Additional standards and policies will seek to specify managing requirements for information regarding their classification. The scope of this policy states that the policy applies to all information or data that is designed, gathered, processed or stored by the Sinopec Company, in non-electronic or electronic formats.
Policy
All data such as onboarding information relevant to new hires, data on research and design for new products, press releases concerning new business units’ acquisitions, and operational, financial reports will be stored either under restricted, sensitive or open classification. Gatherings of distinct data are required to be grouped as to the safest classification category of an individual’s data component with the collected information.
Restricted Level
Under this level, the information in any type gathered, formulated, kept or controlled by or on behalf of the organization, or within the domain of company activities, that are subject to clearly defined protections under state or federal law or under executable contracts or regulations is stored here. For example, onboarding information related to recent hires such as emergency number, driver’s license, social security number, medical number, employee records, resume, and application.
Sensitive Level
The sensitive level usually comprises of information whose loss or unauthorised revelation would greatly impair the activities of the company, bring about significant reputational or financial loss or cause legal liability. Such information is very crucial to the organization and its protection is of significance. Examples of data under this category include, but are not limited to, operational, financial reports, research and design information for new product lines, security data, and strategy documents required in the process of securing the company’s data.
Open Level
The open level comprises information that does not fit into any of the other data classifications. Such information can be availed without formal or designee approval and cannot harm the organization in any way. For instance, but not limited to, press releases on new business units, publication titles, policies and regulations, university catalogues, job opening announcements, and advertisements.
Communication Strategy and the Importance of Data Classification Scheme Policy
The most suitable strategy that an organization can use in identifying and proposing an appropriate policy to support data classification and mitigate risks is through proper asset classification to protect itself from the risk of information breaches and accidental release or loss of information (Fischer, 2017). Additionally, companies must depend greatly on compliance and regulatory requirements, and try to define discrepant categories of information into their distinct networks.
References
Cockburn, T., Smith, P., & Cockburn, G. (2018). Draft 2a: Collaboration and Conflict in Three Workplace Teams’ Projects. Available at SSRN 3385491. Retrieved from
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3385491
Sanders, R. (2016). Embedding Cybersecurity into Your Company’s DNA. People & Strategy, 39(1), 8-10. Retrieved from
https://go.galegroup.com/ps/i.do?id=GALE%7CA552253088&sid=googleScholar&v=2.1&it=r&linkaccess=abs&issn=19464606&p=AONE&sw=w
Wang, S., & Wang, H. (2019). Knowledge Management for Cybersecurity in Business Organizations: A Case Study. Journal of Computer Information Systems, 1-8. Retrieved from
https://www.tandfonline.com/doi/abs/10.1080/08874417.2019.1571458
Crouse, M. (2014). How to protect yourself against privileged user abuse. Retrieved January 27, 2020, from https://www.networkworld.com/article/2369733/how-to-protect-yourself-against-privileged-user-abuse.html
Feather, N. (2019). New employees can be a cybersecurity risk. Here are five simple practices you can teach them during on boarding. Retrieved January 27, 2019, from
https://www.inc.com/neill-feather/new-employees-can-be-a-cybersecurity-risk-here-are-5-simple-practices-you-can-teach-them-during-onboarding.html
Fischer, T. (2017). Why Data Classification Should be Your Security Strategy. Retrieved 3 January 2020 from http://www.dbta.com/Editorial/Think-About-It/Why-Data-Classification-Should-Drive-Your-Security-Strategy-118542.aspx
Real Security. (2018). Data Classification: Why it is important and how to do it. Retrieved 31 January 2020 from https://www.real-sec.com/2018/07/data-classification-what-it-is-important-and-how-to-do
Computing systemsMohamed ContehCecile JacksonCYBR609-2001A-01Colorado Technical UniversityJanuary 22, 2020
Computing systems
Mohamed Conteh
Cecile Jackson
CYBR609-2001A-01
Colorado Technical University
January 22, 2020
Overview
Overview of the organization’s computing environment and networks
Environmental factors are becoming a major challenge to the company’s computer systems. Companies have become vulnerable in a way that they are easily affected by malicious attacks. Information technology has grown rapidly due to the growing technology. The more technology is on the rise, the more risks are increasing. It is something that is likely to affect the organization’s computing systems in a way that it will hinder the normal functioning of the organization. It is something that needs to be dealt with in a way that it will help come up with solutions affecting most organizations. In this case, the organization is most affected as its systems are not secure. The company’s network systems has been affected for a while inflicting the organization into serious threats.
2
risks
Computer systems considered to be of high risk.
Types of threats
The computer system within the organization is likely to be affected by different threats. The threats may either be physical or non physical. The physical threats that are likely to affect the computer systems are either classified to be internal, external or human threats. The internal factor that will affect the organization include high humidity in the rooms that houses the hardware system, fire and unstable power supply. The computer systems can also be affected by earthquakes, lightning and floods. The other physical risks that are likely to affect computer systems are classified to be human risks such as intentional errors, vandalisms, disruption and theft.
3
Risks
Non-physical threats
The computer systems within the organization are also likely to be affected by non-physical threats. Non physical threats are those threats caused by third parties. One of the threats that disrupt the normal function of the organization are cyber security breaches, loss of system data, losing sensitive information, disrupting business operations that mostly rely on computers and illegal monitoring of activities taking place in the computer systems. Non physical threats are also considered to be logical threats. There are number of other threats likely to affect the organization including worms, virus, adware, phishing, key loggers, Trojans and distributed denial of service attacks.
4
vulnerability
Definition of vulnerability
Different types of vulnerabilities
How to scan the vulnerabilities
Vulnerabilities can be defined as defects within a computer system which will create room for an attack. They can also be termed as types of weaknesses which are present within a computer. It involves a number of procedures hence anything can invade the system’s information security exposing it into different threats. There are different types of vulnerabilities likely to affect the computer system. Some of the vulnerabilities include; missing data encryption, bugs, SQL injection, weak passwords, use of broken algorithms, buffer overflow and OS command injection. There are possible ways that can be used to scan the vulnerabilities. One of the ways is through regular scanning and updating the security patches.
5
Implementation
Explaining the patches
How to implement the patches
A patch can be identified as different changes directed to a computer program. It helps support data that is meant to improve the computer system and help in the process of updating the computer. Patches include fixing bugs, security vulnerabilities which are identified as bug fixes. They play a better role in improving the system functionality, performance and usability. The patches often get installed in a programmed form that is controlled by human programmers using a debugger. It will help in different program files such as computer memory and storage device. A patch management strategy will play a key role in ensuring that the company is well protected and free from vulnerabilities.
6
Effective vulnerability
Coming up with effective vulnerability management program
It is essential for organizations to consider an effective vulnerability management program. The program will aid the organization come up with better ways of preventing the vulnerabilities. The vulnerabilities may be harmful in a way that they will barer company activities from taking place. The management program will help the management determine how to come up with different ways of protecting its systems. One thing to consider is how the vulnerabilities are introduced into the system and how they can be reduced. The management program will also stipulate the best methods of introducing protective measures that will help curb the vulnerability.
7
Explaining the differences
Differentiating patches and why its best to implement.
Patches can be stated in different forms. They need to be tested from time to time to ensure that they are running well. The difference between testing and production of the networks is that testing allows one to determine whether the networks are correctly working. They help one know whether the networks have been inflicted by any kind of threats. Testing is therefore meant to help the company determine how effective their systems are.
On the other hand, production of networks is where the management comes up with networks that are free from patches. The networks that are free from vulnerabilities.
8
References
Threats and Vulnerabilities. (2015). Computer Security Handbook, II.1-II.2. doi:10.1002/9781118851678.part2
Wang, L., Yan, J., & Ma, Y. (2019). Cloud Computing in Remote Sensing. doi:10.1201/9780429488764-3
Watson, V., Lou, X., & Gao, Y. (2017). A Review of PROFIBUS Protocol Vulnerabilities – Considerations for Implementing Authentication and Authorization Controls. Proceedings of the 14th International Joint Conference on e-Business and Telecommunications. doi:10.5220/0006426504440449
