Discussion & Assignment

PFA.. With all details.

1) Discussion  


– 500 words

– APA

– 2 scholarly references

2) Assignment 

– 500 words
– APA
– 2 scholarly references

CLOUD SECURITY

Assignment

What are some current major issues or problems with cloud security?

· Apply APA Edition 6 formatting. You do not need an abstract or Table of Contents but include an introduction and summary.

· Use at least three properly documented references (do NOT use wikis). Correctly cite your references using APA Edition 6 formatting.

· Your paper should be at least 500 words in length using good grammar. Use complete sentences and paragraphs. Do not use bullets.

· Be sure and use a spelling and grammar checker.

· Your paper will be checked by SafeAssign for originality. With the exception of quoted material, all writing should be your own.

Reference & Text Book

1. Jamsa – Chapter 9

2. Erl – Chapter 6 (Sections 6.1 and 6.4 Only)

References:

Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.

Discussion – CRYPTOGRAPHY

Chapter 1

Computer and Network Security Concepts

After reading chapter 1, compare and contrast two fundamental security design principles. Analyze these principles and how they impact an organization's security posture.

APA Format – 500 Words – 2 scholarly references

Textbook

Title: Cryptography and Network Security

Authors: Stallings, William

Publisher: Pearson

Publication Date: 2018

Edition: 8th

Cryptography and Network Security: Principles and Practice

Eighth Edition

Chapter 1

Information and Network Security Concepts

Copyright © 2020 Pearson Education, Inc. All Rights Reserved.

Lecture slides prepared for “Cryptography and Network Security”, 8/e, by William Stallings. Chapter 1, “Information and Network Security Concepts”.
This book focuses on two broad areas: cryptography and network security. This overview chapter first looks at some of the fundamental principles of security, encompassing both information security and network security. These include the concepts of security attacks, security services, and security mechanisms. Next, the chapter introduces the two areas of cryptography and network security. Finally, the concepts of trust and trustworthiness are examined.

Learning Objectives
Describe the key security requirements of confidentiality, integrity, and availability.
Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
Provide an overview of keyless, single-key, and two-key cryptographic algorithms.
Provide an overview of the main areas of network security.
Describe a trust model for information security.
List and briefly describe key organizations involved in cryptography standards.

Cybersecurity (1 of 3)
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment.

It would be useful to start this chapter with a definition of the terms cybersecurity, information security, and network security. A reasonably comprehensive definition of cybersecurity is found in ITU-T (International Telecommunication Union Telecommunication Standardization Sector) Recommendation X.1205 (Overview of Cybersecurity, 2014).
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets. Organization and users’ assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyberspace environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality.

Cybersecurity (2 of 3)
Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and users’ assets against relevant security risks in the cyberspace environment. The general security objectives comprise the following: availability; integrity, which may include data authenticity and nonrepudiation; and confidentiality


Cybersecurity (3 of 3)
Information Security
This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved
Network Security
This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects

As subsets of cybersecurity, we can define the following:
◆ Information security: This term refers to preservation of confidentiality, integrity, and availability of information. In addition, other properties, such as authenticity, accountability, nonrepudiation, and reliability can also be involved.
◆ Network security: This term refers to protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects.
Cybersecurity encompasses information security, with respect to electronic information, and network security. Information security also is concerned with physical (e.g., paper-based) information. However, in practice, the terms cybersecurity and information security are often used interchangeably.

Security Objectives (1 of 2)
The cybersecurity definition introduces three key objectives that are at the heart of information and network security:
Confidentiality: This term covers two related concepts:
Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

The cybersecurity definition introduces three key objectives that are at the heart of information and network security:
◆ Confidentiality: This term covers two related concepts:
◆ Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

Security Objectives (2 of 2)
Integrity: This term covers two related concepts:
Data integrity: Assures that data and programs are changed only in a specified and authorized manner. This concept also encompasses data authenticity, which means that a digital object is indeed what it claims to be or what it is claimed to be, and nonrepudiation, which is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information
System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Availability: Assures that systems work promptly and service is not denied to authorized users

◆ Integrity: This term covers two related concepts:
◆ Data integrity: Assures that data (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner. This concept also encompasses data authenticity, which means that a digital object is indeed what it claims to be or what it is claimed to be, and nonrepudiation, which is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.
◆ System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Figure 1.1 Essential Information and Network Security Objectives

These three concepts form what is often referred to as the CIA triad. The three
concepts embody the fundamental security objectives for both data and for information
and computing services. For example, the NIST standard FIPS 199 (Standards
for Security Categorization of Federal Information and Information Systems) lists
confidentiality, integrity, and availability as the three security objectives for information
and for information systems. FIPS 199 provides a useful characterization of
these three objectives in terms of requirements and the definition of a loss of security
in each category:
• Confidentiality: Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of
information.
• Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss
of integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Although the use of the CIA triad to define security objectives is well established, some
in the security field feel that additional concepts are needed to present a complete picture (Figure 1.1).
Two of the most commonly mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
• Accountability: The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action. Because truly secure systems are not yet an
achievable goal, we must be able to trace a security breach to a responsible
party. Systems must keep records of their activities to permit later forensic
analysis to trace security breaches or to aid in transaction disputes.

Computer Security Challenges
Security is not simple
Potential attacks on the security features need to be considered
Procedures used to provide particular services are often counter-intuitive
It is necessary to decide where to use the various security mechanisms
Requires constant monitoring
Is too often an afterthought
Security mechanisms typically involve more than a particular algorithm or protocol
Security is essentially a battle of wits between a perpetrator and the designer
Little benefit from security investment is perceived until a security failure occurs
Strong security is often viewed as an impediment to efficient and user-friendly operation

Computer and network security is both fascinating and complex. Some of the
reasons follow:
1. Security is not as simple as it might first appear to the novice. The requirements
seem to be straightforward; indeed, most of the major requirements
for security services can be given self-explanatory, one-word labels: confidentiality,
authentication, nonrepudiation, or integrity. But the mechanisms used
to meet those requirements can be quite complex, and understanding them
may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features. In many cases, successful
attacks are designed by looking at the problem in a completely different way,
therefore exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are
often counterintuitive. Typically, a security mechanism is complex, and it is
not obvious from the statement of a particular requirement that such elaborate
measures are needed. It is only when the various aspects of the threat are
considered that elaborate security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where
to use them. This is true both in terms of physical placement (e.g., at what points
in a network are certain security mechanisms needed) and in a logical sense
(e.g., at what layer or layers of an architecture such as TCP/IP [Transmission
Control Protocol/Internet Protocol] should mechanisms be placed).
5. Security mechanisms typically involve more than a particular algorithm or
protocol. They also require that participants be in possession of some secret
information (e.g., an encryption key), which raises questions about the creation,
distribution, and protection of that secret information. There also may
be a reliance on communications protocols whose behavior may complicate
the task of developing the security mechanism. For example, if the proper
functioning of the security mechanism requires setting time limits on the transit
time of a message from sender to receiver, then any protocol or network
that introduces variable, unpredictable delays may render such time limits
meaningless.
6. Computer and network security is essentially a battle of wits between a perpetrator
who tries to find holes and the designer or administrator who tries to
close them. The great advantage that the attacker has is that he or she need
only find a single weakness, while the designer must find and eliminate all
weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive
little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in
today’s short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system
after the design is complete rather than being an integral part of the design
process.
10. Many users and even security administrators view strong security as an impediment
to efficient and user-friendly operation of an information system or use of
information.

OSI Security Architecture
Security attack
Any action that compromises the security of information owned by an organization
Security mechanism
A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack
Security service
A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization
Intended to counter security attacks, and they make use of one or more security mechanisms to provide the service

To assess effectively the security needs of an organization and to evaluate and
choose various security products and policies, the manager responsible for security
needs some systematic way of defining the requirements for security and characterizing
the approaches to satisfying those requirements. This is difficult enough in a
centralized data processing environment; with the use of local and wide area networks,
the problems are compounded.
ITU-T Recommendation X.800, Security Architecture for OSI, defines such a
systematic approach. The OSI security architecture is useful to managers as a way
of organizing the task of providing security. Furthermore, because this architecture
was developed as an international standard, computer and communications vendors
have developed security features for their products and services that relate to this
structured definition of services and mechanisms.
For our purposes, the OSI security architecture provides a useful, if abstract,
overview of many of the concepts that this book deals with. The OSI security architecture
focuses on security attacks, mechanisms, and services. These can be defined
briefly as
• Security attack: Any action that compromises the security of information
owned by an organization.
• Security mechanism: A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security attack.
• Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks, and they
make use of one or more security mechanisms to provide the service.

Threats and Attacks
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

In the literature, the terms threat and attack are commonly used, with the following meanings:
■ Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
■ Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.


Figure 1.2 Key Concepts in Security (1 of 2)

The following three sections provide an overview of the concepts of attacks, services, and mechanisms. The key concepts that are covered are summarized in Figure 1.2.


Figure 1.2 Key Concepts in Security (2 of 2)


Security Attacks
A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
A passive attack attempts to learn or make use of information from the system but does not affect system resources
An active attack attempts to alter system resources or affect their operation

A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks (Figure 1.2a). A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.


Passive Attacks
Are in the nature of eavesdropping on, or monitoring of, transmissions
Goal of the opponent is to obtain information that is being transmitted
Two types of passive attacks are:
The release of message contents
Traffic analysis

Passive attacks are in the nature of eavesdropping on, or monitoring
of, transmissions. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release of message contents and
traffic analysis.
The release of message contents is easily understood. A telephone conversation,
an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we
had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information
from the message. The common technique for masking contents is encryption. If we
had encryption protection in place, an opponent might still be able to observe the
pattern of these messages. The opponent could determine the location and identity
of communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an apparently
normal fashion, and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to prevent
the success of these attacks, usually by means of encryption. Thus, the emphasis
in dealing with passive attacks is on prevention rather than detection.

Active Attacks
Involve some modification of the data stream or the creation of a false stream
Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
Goal is to detect attacks and to recover from any disruption or delays caused by them
Masquerade
Takes place when one entity pretends to be a different entity
Usually includes one of the other forms of active attack
Replay
Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Data Modification
Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
Denial of service
Prevents or inhibits the normal use or management of communications facilities

Active attacks involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different entity.
A masquerade attack usually includes one of the
other forms of active attack. For example, authentication sequences can be captured
and replayed after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by impersonating an
entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission
to produce an unauthorized effect.
Data modification simply means that some portion of a legitimate message is altered,
or that messages are delayed or reordered, to produce an unauthorized effect. For example,
a message stating, “Allow John Smith to read confidential file accounts” is modified to say,
“Allow Fred Brown to read confidential file accounts.”
The denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for
example, an entity may suppress all messages directed to a particular destination
(e.g., the security audit service). Another form of service denial is the disruption
of an entire network, either by disabling the network or by overloading it with
messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their success.
On the other hand, it is quite difficult to prevent active attacks absolutely
because of the wide variety of potential physical, software, and network vulnerabilities.
Instead, the goal is to detect active attacks and to recover from any disruption
or delays caused by them. If the detection has a deterrent effect, it may also
contribute to prevention.

Figure 1.3 Security Attacks

Figure 1.3 illustrates the types of attacks in the context of a client/server interaction. A passive attack (Figure 1.3b)
does not disturb the information flow between the client and server, but is able to observe that flow.
A masquerade can take the form of a man-in-the-middle attack (Figure 1.3c). In this type of attack, the attacker intercepts the communication and masquerades as the client to the server and as the server to the client. We see specific applications of this attack in defeating key exchange and distribution protocols (Chapters 10 and 14) and in message authentication protocols (Chapter 11). More generally, it can be used to impersonate the two ends of a legitimate communication. Another form of masquerade is illustrated in Figure 1.3d. Here, an attacker is able to access server resources by masquerading as an authorized user.
Data modification may involve a man-in-the-middle attack, in which the attacker selectively modifies communicated data between a client and server (Figure 1.3c). Another form of data modification attack is the modification of data residing on a server or other system after an attacker gains unauthorized access (Figure 1.3d).
Figure 1.3e illustrates the replay attack. As in a passive attack, the attacker does not disturb the information flow between client and server, but does capture client messages. The attacker can then subsequently replay any client message to the server.
Figure 1.3d also illustrates denial of service in the context of a client/server environment. The denial of service can take two forms: (1) flooding the server with an overwhelming amount of data; and (2) triggering some action on the server that consumes substantial computing resources.


Authentication (1 of 2)
Concerned with assuring that a communication is authentic
In the case of a single message, assures the recipient that the message is from the source that it claims to be from
In the case of ongoing interaction, assures the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties
Two specific authentication services are defined in X.800:
Peer entity authentication
Data origin authentication

The authentication service is concerned with assuring that a communication is
authentic. In the case of a single message, such as a warning or alarm signal, the
function of the authentication service is to assure the recipient that the message
is from the source that it claims to be from. In the case of an ongoing interaction,
such as the connection of a terminal to a host, two aspects are involved. First,
at the time of connection initiation, the service assures that the two entities are
authentic, that is, that each is the entity that it claims to be. Second, the service
must assure that the connection is not interfered with in such a way that a third
party can masquerade as one of the two legitimate parties for the purposes of
unauthorized transmission or reception.
Two specific authentication services are defined in X.800:
• Peer entity authentication: Provides for the corroboration of the identity
of a peer entity in an association. Two entities are considered peers if they
implement the same protocol in different systems; for example, two TCP modules
in two communicating systems. Peer entity authentication is provided for
use at the establishment of, or at times during the data transfer phase of, a
connection. It attempts to provide confidence that an entity is not performing
either a masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a
data unit. It does not provide protection against the duplication or modification
of data units. This type of service supports applications like electronic mail,
where there are no prior interactions between the communicating entities.

Authentication (2 of 2)
Peer entity authentication
Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection
Data origin authentication
Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no ongoing interactions between the communicating entities

■ Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an association. Two entities are considered peers if they implement the same protocol in different systems; for example, two TCP modules in two communicating systems. Peer entity authentication is provided for use at the establishment of, or at times during the data transfer phase of, a connection. It attempts to provide confidence that an entity is not performing either a masquerade or an unauthorized replay of a previous connection.
■ Data origin authentication: Provides for the corroboration of the source of a data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail, where there are no ongoing interactions between the communicating entities.
19

Access Control
The ability to limit and control the access to host systems and applications via communications links
To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual

In the context of network security, access control is the ability to limit and control
the access to host systems and applications via communications links. To achieve
this, each entity trying to gain access must first be identified, or authenticated, so
that access rights can be tailored to the individual.

Data Confidentiality
The protection of transmitted data from passive attacks
Broadest service protects all user data transmitted between two users over a period of time
Narrower forms of service include the protection of a single message or even specific fields within a message
The protection of traffic flow from analysis
This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility

Confidentiality is the protection of transmitted data from passive attacks. With
respect to the content of a data transmission, several levels of protection can be
identified. The broadest service protects all user data transmitted between two
users over a period of time. For example, when a TCP connection is set up between
two systems, this broad protection prevents the release of any user data transmitted
over the TCP connection. Narrower forms of this service can also be defined,
including the protection of a single message or even specific fields within a message.
These refinements are less useful than the broad approach and may even be more
complex and expensive to implement.
The other aspect of confidentiality is the protection of traffic flow from analysis.
This requires that an attacker not be able to observe the source and destination, frequency,
length, or other characteristics of the traffic on a communications facility.

Data Integrity
Can apply to a stream of messages, a single message, or selected fields within a message
Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only

As with confidentiality, integrity can apply to a stream of messages, a single message,
or selected fields within a message. Again, the most useful and straightforward
approach is total stream protection.
A connection-oriented integrity service, one that deals with a stream of messages,
assures that messages are received as sent with no duplication, insertion,
modification, reordering, or replays. The destruction of data is also covered under
this service. Thus, the connection-oriented integrity service addresses both message
stream modification and denial of service. On the other hand, a connectionless integrity
service, one that deals with individual messages without regard to any larger
context, generally provides protection against message modification only.
We can make a distinction between service with and without recovery.
Because the integrity service relates to active attacks, we are concerned with detection
rather than prevention. If a violation of integrity is detected, then the service
may simply report this violation, and some other portion of software or human
intervention is required to recover from the violation. Alternatively, there are
mechanisms available to recover from the loss of integrity of data, as we will review
subsequently. The incorporation of automated recovery mechanisms is, in general,
the more attractive alternative.

Nonrepudiation
Prevents either sender or receiver from denying a transmitted message
When a message is sent, the receiver can prove that the alleged sender in fact sent the message
When a message is received, the sender can prove that the alleged receiver in fact received the message

Nonrepudiation prevents either sender or receiver from denying a transmitted message.
Thus, when a message is sent, the receiver can prove that the alleged sender in
fact sent the message. Similarly, when a message is received, the sender can prove
that the alleged receiver in fact received the message.

Availability Service
Protects a system to ensure its availability
This service addresses the security concerns raised by denial-of-service attacks
It depends on proper management and control of system resources and thus depends on access control service and other security services

Availability is the property of a system or a
system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is available
if it provides services according to the system design whenever users request
them). A variety of attacks can result in the loss of or reduction in availability. Some
of these attacks are amenable to automated countermeasures, such as authentication
and encryption, whereas others require some sort of physical action to prevent
or recover from loss of availability of elements of a distributed system.
X.800 treats availability as a property to be associated with various security
services. However, it makes sense to call out specifically an availability service. An
availability service is one that protects a system to ensure its availability. This service
addresses the security concerns raised by denial-of-service attacks. It depends
on proper management and control of system resources and thus depends on access
control service and other security services.

Security Mechanisms (1 of 2)
Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.
Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.

Figure 1.2c lists the most important security mechanisms discussed in this book. These mechanisms will be covered in the appropriate places in the book, so we do not elaborate now, except to provide the following brief definitions.
■ Cryptographic algorithms: We can distinguish between reversible cryptographic mechanisms and irreversible cryptographic mechanisms. A reversible cryptographic mechanism is simply an encryption algorithm that allows data to be encrypted and subsequently decrypted. Irreversible cryptographic mechanisms include hash algorithms and message authentication codes, which are used in digital signature and message authentication applications.
■ Data integrity: This category covers a variety of mechanisms used to assure the integrity of a data unit or stream of data units.
■ Digital signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
■ Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
■ Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
■ Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
■ Notarization: The use of a trusted third party to assure certain properties of a data exchange.
■ Access control: A variety of mechanisms that enforce access rights to resources.

Security Mechanisms (2 of 2)
Authentication exchange: A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing control: Enables selection of particular physically or logically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain properties of a data exchange.
Access control: A variety of mechanisms that enforce access rights to resources.


Figure 1.4 Cryptographic Algorithms

Cryptographic algorithms can be divided into three categories (Figure 1.4):
■ Keyless: Do not use any keys during cryptographic transformations.
■ Single-key: The result of a transformation is a function of the input data and a single key, known as a secret key.
■ Two-key: At various stages of the calculation, two different but related keys are used, referred to as private key and public key.

Keyless Algorithms
Deterministic functions that have certain properties useful for cryptography
One type of keyless algorithm is the cryptographic hash function
A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest
A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature
A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence

Keyless algorithms are deterministic functions that have certain properties useful for cryptography.
One important type of keyless algorithm is the cryptographic hash function. A hash function turns a variable amount of text into a small, fixed-length value called a hash value, hash code, or digest. A cryptographic hash function is one that has additional properties that make it useful as part of another cryptographic algorithm, such as a message authentication code or a digital signature.
A pseudorandom number generator produces a deterministic sequence of numbers or bits that has the appearance of being a truly random sequence. Although the sequence appears to lack any definite pattern, it will repeat after a certain sequence length. Nevertheless, for some cryptographic purposes this apparently random sequence is sufficient.


Single-Key Algorithms (1 of 3)
Single-key cryptographic algorithms depend on the use of a secret key
Encryption algorithms that use a single key are referred to as symmetric encryption algorithms
With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data
A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data

Single-key cryptographic algorithms depend on the use of a secret key. This key may be known to a single user; for example, this is the case for protecting stored data that is only going to be accessed by the data creator. Commonly, two parties share the secret key so that communication between the two parties is protected. For certain applications, more than two users may share the same secret key. In this last case, the algorithm protects data from those outside the group who share the key.
Encryption algorithms that use a single key are referred to as symmetric encryption algorithms. With symmetric encryption, an encryption algorithm takes as input some data to be protected and a secret key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the same secret key and recovers the original data. Symmetric encryption takes the following forms:
■ Block cipher: A block cipher operates on data as a sequence of blocks. A typical block size is 128 bits. In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks.
■ Stream cipher: A stream cipher operates on data as a sequence of bits. Typically, an exclusive-OR operation is used to produce a bit-by-bit transformation. As with the block cipher, the transformation depends on a secret key.


Single-Key Algorithms (2 of 3)
Symmetric encryption takes the following forms:
Block cipher
A block cipher operates on data as a sequence of blocks
In most versions of the block cipher, known as modes of operation, the transformation depends not only on the current data block and the secret key but also on the content of preceding blocks
Stream cipher
A stream cipher operates on data as a sequence of bits
As with the block cipher, the transformation depends on a secret key


Single-Key Algorithms (3 of 3)
Another form of single-key cryptographic algorithm is the message authentication code (MAC)
A MAC is a data element associated with a data block or message
The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message
The MAC is designed so that someone in possession of the secret key can verify the integrity of the message
The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered

Another form of single-key cryptographic algorithm is the message authentication code (MAC). A MAC is a data element associated with a data block or message. The MAC is generated by a cryptographic transformation involving a secret key and, typically, a cryptographic hash function of the message. The MAC is designed so that someone in possession of the secret key can verify the integrity of the message. Thus, the MAC algorithm takes as input a message and secret key and produces the MAC. The recipient of the message plus the MAC can perform the same calculation on the message; if the calculated MAC matches the MAC accompanying the message, this provides assurance that the message has not been altered.
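The MAC check described above, combined with the connectionless and connection-oriented integrity services defined earlier in the chapter, shown as an added example that is not part of the original slides. HMAC-SHA256, the 8-byte sequence-number framing, the demo key and messages, and the names `seal` and `StreamReceiver` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes (assumed MAC algorithm)
SEQ_LEN = 8   # assumed framing: 8-byte big-endian sequence number


def mac(key: bytes, data: bytes) -> bytes:
    """MAC = keyed transformation built on a cryptographic hash function."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recipient repeats the calculation and compares in constant time."""
    return hmac.compare_digest(mac(key, data), tag)


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = sequence number || payload || MAC over both fields."""
    body = struct.pack(">Q", seq) + payload
    return body + mac(key, body)


class StreamReceiver:
    """Connection-oriented integrity: MAC plus an expected sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("malformed", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not verify(self.key, body, tag):
            return ("modified", None)
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq < self.expected_seq:
            return ("replay_or_duplicate", None)
        if seq > self.expected_seq:
            return ("gap_or_reorder", None)
        self.expected_seq += 1
        return ("ok", body[SEQ_LEN:])


def demo() -> dict:
    key = bytes(range(32))  # constructed demo key; generate real keys randomly
    msg = b"transfer 100 to account 42"  # constructed sample message
    tag = mac(key, msg)

    results = {
        # Connectionless service: each message is checked on its own.
        "genuine": verify(key, msg, tag),
        "altered": verify(key, b"transfer 900 to account 42", tag),
        # The same message and tag sent a second time still verify:
        # a bare MAC detects modification only, not duplication or replay.
        "replayed_single": verify(key, msg, tag),
    }

    # Connection-oriented service: the sequence number is covered by the MAC,
    # so duplication, reordering and replay are detected as well.
    rx = StreamReceiver(key)
    f0 = seal(key, 0, b"open")
    f1 = seal(key, 1, b"pay 100")
    f2 = seal(key, 2, b"close")
    tampered = f1[:SEQ_LEN] + b"pay 900" + f1[-TAG_LEN:]
    arrivals = [f0, tampered, f2, f1, f1, f2]
    results["stream"] = [rx.accept(frame)[0] for frame in arrivals]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The receiver only reports the violation; recovering from it (for example, by requesting retransmission) is left to another layer, matching the detection-versus-recovery distinction in the integrity notes.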


Asymmetric Algorithms
Encryption algorithms that use two keys are referred to as asymmetric encryption algorithms
Digital signature algorithm
A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity
Key exchange
The process of securely distributing a symmetric key to two or more parties
User authentication
The process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine

Two-key algorithms involve the use of two related keys. A private key is known only to a single user or entity, whereas the corresponding public key is made available to a number of users. Encryption algorithms that use two keys are referred to as asymmetric encryption algorithms. Asymmetric encryption can work in two ways:
■ An encryption algorithm takes as input some data to be protected and the private key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding public key and recovers the original data. In this case, only the possessor of the private key can have performed the encryption and any possessor of the public key can perform the decryption.
■ An encryption algorithm takes as input some data to be protected and a public key and produces an unintelligible transformation on that data. A corresponding decryption algorithm takes the transformed data and the corresponding private key and recovers the original data. In this case, any possessor of the public key can have performed the encryption and only the possessor of the private key can perform the decryption.
Asymmetric encryption has a variety of applications. One of the most important is the digital signature algorithm. A digital signature is a value computed with a cryptographic algorithm and associated with a data object in such a way that any recipient of the data can use the signature to verify the data’s origin and integrity. Typically, the signer of a data object uses the signer’s private key to generate the signature, and anyone in possession of the corresponding public key can verify the validity of the signature.
Asymmetric algorithms can also be used in two other important applications. Key exchange is the process of securely distributing a symmetric key to two or more parties. User authentication is the process of authenticating that a user attempting to access an application or service is genuine and, similarly, that the application or service is genuine. These concepts are explained in detail in subsequent chapters.

Figure 1.5 Key Elements of Network Security

Network security is a broad term that encompasses security of the communications pathways of the network and the security of network devices and devices attached to the network (Figure 1.5).


Communications Security
Deals with the protection of communications through the network, including measures to protect against both passive and active attacks
Communications security is primarily implemented using network protocols
A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network
A protocol defines the structure of the individual data units and the control commands that manage the data transfer
With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol

In the context of network security, communications security deals with the protection of communications through the network, including measures to protect against both passive and active attacks (Figure 1.3).
Communications security is primarily implemented using network protocols. A network protocol consists of the format and procedures that govern the transmitting and receiving of data between points in a network. A protocol defines the structure of the individual data units (e.g., packets) and the control commands that manage the data transfer.
With respect to network security, a security protocol may be an enhancement that is part of an existing protocol or a standalone protocol. Examples of the former are IPsec, which is part of the Internet Protocol (IP) and IEEE 802.11i, which is part of the IEEE 802.11 Wi-Fi standard. Examples of the latter are Transport Layer Security (TLS) and Secure Shell (SSH). Part Six examines these and other secure network protocols.
One common characteristic of all of these protocols is that they use a number of cryptographic algorithms as part of the mechanism to provide security.

Device Security (1 of 2)
The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers
The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability

The other aspect of network security is the protection of network devices, such as routers and switches, and end systems connected to the network, such as client systems and servers. The primary security concerns are intruders that gain access to the system to perform unauthorized actions, insert malicious software (malware), or overwhelm system resources to diminish availability. Three types of device security are noteworthy:
■ Firewall: A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern.
■ Intrusion detection: Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.
■ Intrusion prevention: Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target.
These device security capabilities are more closely related to the field of computer security than network security. Accordingly, they are dealt with more briefly than communications security in Part Six. For a more detailed treatment, see [STAL18].

Device Security (2 of 2)
Three types of device security are:
Firewall
A hardware and/or software capability that limits access between a network and device attached to the network, in accordance with a specific security policy. The firewall acts as a filter that permits or denies data traffic, both incoming and outgoing, based on a set of rules based on traffic content and/or traffic pattern
Intrusion detection
Hardware or software products that gather and analyze information from various areas within a computer or a network for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner
Intrusion prevention
Hardware or software products designed to detect intrusive activity and attempt to stop the activity, ideally before it reaches its target


Trust Model (1 of 2)
One of the most widely accepted and most cited definitions of trust is:
“the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”

One of the most widely accepted and most cited definitions of trust in the organizational science literature is from [MAYE95], which defines trust as follows: the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party.
Three related concepts are relevant to a trust model:
■ Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust.
■ Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others.
■ Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.

Trust Model (2 of 2)
Three related concepts are relevant to a trust model:
Trustworthiness: A characteristic of an entity that reflects the degree to which that entity is deserving of trust
Propensity to trust: A tendency to be willing to trust others across a broad spectrum of situations and trust targets. This suggests that every individual has some baseline level of trust that will influence the person’s willingness to rely on the words and actions of others
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence


Figure 1.6 Trust Model

Figure 1.6, adapted from [MAYE95], illustrates the relationship among these concepts. Propensity can also be expressed as the level of risk that an entity (individual or organization) is prepared to tolerate.
Typically, a trustor uses a number of factors to establish the trustworthiness of an entity. Three general factors are commonly cited:
■ Ability: Also referred to as competence, this relates to the potential ability of the evaluated entity to do a given task or be entrusted with given information.
■ Benevolence: This implies a disposition of goodwill towards the trusting party. That is, a trustworthy party does not intend to cause harm to the trusting party.
■ Integrity: This can be defined as the trustor’s perception that the trustee adheres to a set of principles that the trustor finds acceptable. Integrity implies that a benevolent party takes such measures as are necessary to assure that it in fact does not cause harm to the trusting party.
The goal of trust, in the model of Figure 1.6, is to determine what course of action, if any, the trusting party is willing to take in relation to the trusted party. Based on the level of trust, and the perceived risk, the trusting party may decide to take some action that involves some degree of risk taking. The outcome of the risk taking could be a reliance on the trusted party to perform some action or the disclosure of information to the trusted party with the expectation that the information will be protected as agreed between the parties.

The Trust Model and Information Security
Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part
Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy
Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects
In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization

Trust is confidence that an entity will perform in a way that will not prejudice the security of the user of the system of which that entity is a part. Trust is always restricted to specific functions or ways of behavior and is meaningful only in the context of a security policy. Generally, an entity is said to trust a second entity when the first entity assumes that the second entity will behave exactly as the first entity expects. This trust may apply only for some specific function. In this context, the term entity may refer to a single hardware component or software module, a piece of equipment identified by make and model, a site or location, or an organization.

Trustworthiness of an Individual (1 of 2)
Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems
With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas:
Human resource security
Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance

Organizations need to be concerned about both internal users (employees, on-site contractors) and external users (customers, suppliers) of their information systems. With respect to internal users, an organization develops a level of trust in individuals by policies in the following two areas [STAL19]:
■ Human resource security: Sound security practice dictates that information security requirements be embedded into each stage of the employment life cycle, specifying security-related actions required during the induction of each individual, their ongoing management, and termination of their employment. Human resource security also includes assigning ownership of information (including responsibility for its protection) to capable individuals and obtaining confirmation of their understanding and acceptance.
■ Security awareness and training: This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control.
For external users, trust will depend on the context. In general terms, the factors of perceived trustworthiness and the trustor’s propensity, as depicted in Figure 1.6, determine the level of trust. Further, the issue of trust is mutual. That is, not only must an organization determine a level of trust towards external users, but external users need to be concerned about the degree to which they can trust an information resource that they use. This mutual trust involves a number of practical consequences, including the use of a public-key infrastructure and user authentication protocols. These matters are explored in Part Five.

Trustworthiness of an Individual (2 of 2)
Security awareness and training
This area refers to disseminating security information to all employees, including IT staff, IT security staff, and management, as well as IT users and other employees. A workforce that has a high level of security awareness and appropriate security training for each individual’s role is as important, if not more important, than any other security countermeasure or control


Trustworthiness of an Organization
Most organizations rely on information system service and information provided by external organizations, as well as partnerships to accomplish missions and business functions (examples are cloud service providers and companies that form part of the supply chain for the organization)
To manage risk to the organization, it must establish trust relationships with these external organizations
NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:
Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements
Scalable and inter-organizational or intra-organizational in nature
Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners

Most organizations rely, to a greater or lesser extent, on information system service and information provided by external organizations, as well as partnerships to accomplish missions and business functions. Examples are cloud service providers and companies that form part of the supply chain for the organization. To manage risk to the organization, it must establish trust relationships with these external organizations. NIST SP 800-39 (Managing Information Security Risk, March 2011) indicates that such trust relationships can be:
■ Formally established, for example, by documenting the trust-related information in contracts, service-level agreements, statements of work, memoranda of agreement/understanding, or interconnection security agreements;
■ Scalable and inter-organizational or intra-organizational in nature; and/or
■ Represented by simple (bilateral) relationships between two partners or more complex many-to-many relationships among many diverse partners.
The requirements for establishing and maintaining trust depend on mission/business requirements, the participants involved in the trust relationship, the criticality/sensitivity of the information being shared or the types of services being rendered, the history between the organizations, and the overall risk to the organizations participating in the relationship.
As with individuals, trust related to organizations can involve the use of public-key infrastructure and user authentication, as well as the network security measures described in Part Six.


Trustworthiness of Information Systems
SP 800-39 defines trustworthiness for information systems as
“the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats”
Two factors affecting the trustworthiness of information systems are:
Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies
Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle

SP 800-39 defines trustworthiness for information systems as the degree to which information systems (including the information technology products from which the systems are built) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the systems across the full range of threats. Two factors affecting the trustworthiness of information systems are:
■ Security functionality: The security features/functions employed within the system. These include cryptographic and network security technologies discussed throughout this book.
■ Security assurance: The grounds for confidence that the security functionality is effective in its application. This area is addressed by security management techniques, such as auditing and incorporating security considerations into the system development life cycle [STAL19].

Establishing Trust Relationships
Validated trust:
Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight
Direct historical trust:
This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust
Mediated trust:
Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties
Mandated trust:
An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority

The methods used by an organization to establish a trust relationship with various entities will depend on a variety of factors, such as laws and regulations, risk tolerance, and the criticality and sensitivity of the relationship. SP 800-39 describes the following methods:
■ Validated trust: Trust is based on evidence obtained by the trusting organization about the trusted organization or entity. The information may include information security policy, security measures, and level of oversight. An example is for one organization to develop an application or information system and provide evidence (e.g., security plan, assessment results) to a second organization that supports the claims by the first organization that the application/system meets certain security requirements and/or addresses the appropriate security controls.
■ Direct historical trust: This type of trust is based on the security-related track record exhibited by an organization in the past, particularly in interactions with the organization seeking to establish trust.
■ Mediated trust: Mediated trust involves the use of a third party that is mutually trusted by two parties, with the third party providing assurance or guarantee of a given level of trust between the first two parties. An example of this form of trust establishment is the use of public-key certificate authorities, described in Chapter 14.
■ Mandated trust: An organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority. For example, an organization may be given the responsibility and the authority to issue public key certificates for a group of organizations.
An organization is likely to use a combination of these methods to establish relationships with a number of other entities.

Standards (1 of 2)
National Institute of Standards and Technology:
NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact
Internet Society:
ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).

Many of the security techniques and applications described in this book have been specified as standards. Additionally, standards have been developed to cover management practices and the overall architecture of security mechanisms and services. Throughout this book, we describe the most important standards in use or being developed for various aspects of cryptography and network security. Various organizations have been involved in the development or promotion of these standards. The most important (in the current context) of these organizations are as follows:
■ National Institute of Standards and Technology: NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation. Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.
■ Internet Society: ISOC is a professional membership society with worldwide organizational and individual membership. It provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).
■ ITU-T: The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations.
■ ISO: The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards.

Standards (2 of 2)
ITU-T:
The International Telecommunication Union (ITU) is an international organization within the United Nations System in which governments and the private sector coordinate global telecom networks and services. The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU. ITU-T’s mission is the development of technical standards covering all fields of telecommunications. ITU-T standards are referred to as Recommendations
ISO:
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies from more than 140 countries, one from each country. ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual, scientific, technological, and economic activity. ISO’s work results in international agreements that are published as International Standards


Summary
Describe the key security requirements of confidentiality, integrity, and availability
List and briefly describe key organizations involved in cryptography standards
Provide an overview of keyless, single-key and two-key cryptographic algorithms
Provide an overview of the main areas of network security
Describe a trust model for information security
Discuss the types of security threats and attacks that must be dealt with and give examples of the types of threats and attacks that apply to different categories of computer and network assets

Chapter 1 summary.

Copyright
This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from it should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.

Discussion – Initiating the project

Chapter 9 – Resourcing Projects

Provide a graduate-level response, utilizing material from the weekly reading, to each of the following questions:

1) Describe the five factors that may limit how fast a project can be completed. Give an example of each.

2) Discuss at least four potential problems in creating accurate duration estimates for activities and two methods for dealing with each potential problem.

3) List at least four factors a project manager should consider when identifying individuals to work on a project. Why is each important?

The main body of your initial post should be at least 500+ words and in APA format (including Times New Roman with font size 12). Do not post any title section within the discussion forum.

Your initial post should be based upon the assigned reading for the week, so the textbook should be a source listed in your reference section and cited within the body of the text. The textbook needs to be well utilized in answering all of the questions. Other sources are not required but feel free to use them if they aid in your discussion. However, do not substitute other sources for the textbook.

Textbook:

Title: Contemporary Project Management

ISBN: 9781337406451

Authors: Timothy Kloppenborg, Vittal S. Anantatmula, Kathryn Wells

Publisher: Cengage Learning

Publication Date: 2018-02-08

Edition: 4th

Suggested Books and Resources

A Guide to the Project Management Body of Knowledge (PMBOK(R) Guide-Sixth Edition / Agile Practice Guide Bundle (HINDI)

ISBN: 9781628255393

Authors: Project Management Institute

Publisher: Project Management Institute

Publication Date: 2019-08-05

CONTEMPORARY PROJECT MANAGEMENT, 4E

Timothy J. Kloppenborg

Vittal Anantatmula

Kathryn N. Wells

© 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.


Resourcing Projects

Chapter 9


Chapter 9 Core Objectives:
Show resource assignments on a RACI chart, Gantt chart, & resource histogram
Develop an effective project schedule, considering resource constraints
Describe methods of resolving resource overloads

Chapter 9 Behavioral Objectives:
Create a Human Resources Management Plan including role descriptions & staffing management plan
Assign roles & responsibilities based on strengths

Chapter 9 Technical Objectives:
Compress a project schedule using crashing and fast tracking & describe advantages and disadvantages of each
Compare various alternative scheduling methods
Using MS Project, assign resources, pinpoint overloads, & describe methods of dealing with them

From manufacturer to service provider
Patti A. Soldavini, director, Corporate Marketing, Schawk, Inc.
“We identify and help remove process bottlenecks, offer online collaborative project management tools, and provide knowledgeable human talent to deliver what we call brand point management. Brand point management helps companies create compelling and consistent brand experiences across brand touch points.”

Successful projects balance…
Technical Abilities
Behavioral Abilities
Must complement each other to develop a workable resource-based schedule that people will accept

Technical Abilities Needed when Resourcing Projects
Identify person(s) with work overloads
Estimate resource demands
Compress a project schedule
Assign person(s) to each activity
Create a staffing management plan
Schedule a project with limited resources

Behavioral Abilities Needed when Resourcing Projects
Select the right people
Identify needs to be accomplished
Ensure performance capability
Deal with work schedules
Schedule overtime

Behavioral Abilities Needed when Resourcing Projects
Estimate amount of work per activity
Assemble effective team
Deal with people from diverse backgrounds
Decide where each person will work
Establish effective virtual relationships

Key Resourcing Considerations
Project tradeoffs and priorities
Resource limitations
Personnel skill development
People cost
Project cost

Activity vs. Resource Dominated Schedule Basis Comparison

Use when client does not understand their needs
Rapid rate of change expected on projects
Team members should remain on project for at least one iteration
Budget is set based on people, and product is produced at pace team can maintain
Agile team is cross-functional with general expertise
Develop skills as needed
Work flows to the team rather than vice versa

Activity vs. Resource Dominated Schedule Basis Comparison

Estimate Resource Needs
How many resources of each type & skill or knowledge level are needed?
Consider support needs such as information systems & human resources
Consider constraints placed upon how people are hired, scheduled, & released
Estimating activity resources– a process of assessing all types of resources—people, materials, tools, & equipment (along with quantities)—required for each activity to complete it as specified in project scope.

Plan Resource Management

Identify potential resources
Determine resource availability
Decide timing issues
Staffing management plan – a proposal focused on acquiring, developing, and retaining human resources for as long as you need them on the project.
Plan Resource Management – the process of identifying resources and required skills for a project, defining and assigning roles and responsibilities to all resources, developing a reporting hierarchy, and communicating expectations.

Plan Resource Management

Identify Potential Resources

Work functions
Professional discipline
Skill level
Physical location
Organizational/administrative unit
Job titles and range of responsibilities
Degrees and professional certifications
experience and performance ratings
willingness to relocate and travel
costs & contractual issues

Identify Potential Resources
Identify an adequate number and mix of people
Core team should participate in chartering the project
Available People
Resource needs
Available vs. needed
Specific skill gaps
Resource Breakdown Structure (RBS) – grouping all resources into main categories in level one and populating each main category with resources based on either function or skill level (see Exhibit 9.3 in textbook)

Identify Potential Resources
Key subject matter experts (SMEs)
Diversity allows for more perspectives
Make opportunities equally available to qualified candidates
You may not get the specific people you want for your project, so it makes sense to identify all possible resources!

Determine Resource Availability
Identify availability of desired people
Secure commitment
Full and part time resources
Internal vs. external resources

Decide Timing Issues when Resourcing Projects
When to bring people on board
Get team functioning effectively
Plan for keeping team motivated & on schedule
When to reward & recognize the project team
When & how to release project participants

Staffing Management Plan Issues
How will they deal with timing issues of building up & then releasing the project workforce?
How will project planners identify potential people for the project?
How will they determine which people are available & secure their services?

Project Team Composition Issues
Cross-functional?
Co-located?
Virtual?
Outsourced?

Assign a Resource to each Activity
Show resource responsibilities on RACI chart
Show resource assignments on Gantt Chart
Summarize resource responsibilities with histogram
WBS – The work breakdown structure
Activity – Project activities that correspond to the WBS
Who 1? – Who will be involved
Who 2? – May be more than one person


Show Resource Responsibilities on RACI Chart
RACI is a form of RAM

Agile team members decide among themselves who will do each work activity; when finished, they begin next-highest-priority work
Responsibility assignment matrix (RAM) – a matrix depicting work packages & assigned resources for completing activities required to produce work packages
RACI – a popular form of RAM that presents roles of key stakeholders and their roles defined as responsible (R), accountable (A), consult (C), and inform (I) for project activities in a matrix form

Partial RACI Chart Example
Only one person accountable for each task

Breakout session!
Create a RACI chart for your project. Each row may have several people involved, but be sure there is only 1 person Accountable (A) for each task

Show Resource Assignments on Gantt Chart
Person responsible for each activity is listed next to the activity in the Gantt Chart Schedule

Summarize Resource Responsibilities by Time Period With Histogram
Add up demands for each worker at each time period

Dealing with Resource Overloads
Identify which activities are involved
Compare resource histogram to Gantt Chart Schedule
Project scheduling software pinpoints when overloads occur for each worker
Management decisions required to solve the problem

Partial Schedule and Resource Histogram Example

Methods of Resolving Resource Overloads

Reorder activities
Acquire or borrow additional resources
Reduce project scope or extend project schedule
Inform sponsor of severe overloads
Resource-level the overloaded person’s schedule
Assign certain activities to other workers
Split an activity into two activities
Perform 1st part as scheduled
Delay 2nd part of activity

Resource Leveling
Delay activities so person doesn’t perform as many activities at the same time (most common)
Delay noncritical activities by an amount no more than their slack
Allow project to slip
If non-critical activities must be completed at rate of effort in original schedule, reassign activities to another worker
Resource leveling is a combination of art & science

Resource Leveling – a project execution technique of adjusting the use of resources based on availability and the amount of float on activities to accomplish work as soon as possible, given the limited resource availability.

Resource Leveling Example

Partially Leveled Resource Schedule

Breakout session!
Practice Scheduling & Resource Leveling by hand (without software), using either Exercise 5 or another provided by your instructor

Compress the Project Schedule
Actions to reduce the critical path
Crashing
Fast tracking

Actions to Reduce the Critical Path
Reduce project scope and/or quality.
Overlap sequential activities
Partially overlap sequential activities
Increase number of work hours/days
Schedule activities at same time.
Shorten activities by assigning more resources.
Shorten activities that cost least to speed up.


Compress the project schedule
Crashing may cost more money to speed up the schedule
Fast tracking may increase the risk to speed up the schedule

In agile, crashing is called “swarming,” since team members swarm on a problem to help get back on track
Crashing – speeding up the critical path often by adding additional resources or employing existing resources for longer hours and/or more days per week
Fast Tracking – a method to expedite a project by executing activities at the same time that would ordinarily be done one after the other

Crashing
Certain activities are performed at a faster than normal pace
Which activities are on the critical path?
Which critical path activity costs the least on a per day basis to speed up?

Crashing
The enumeration method was used to identify each path and its duration.


Crashing
Activity B on the critical path is the least expensive choice


Crashing
After 2 rounds, both critical paths are 23 days.


Crashing – “All-Crash” Mode
Continuing to crash activities until it is not worthwhile

Crashing Consideration Questions
How fast can the project be completed?
To crash the project one day, what activity would be crashed and what would it cost?
To crash the project two days, what activities would be crashed and what would it cost in total?
If there is a bonus of $125 per day for finishing early, what would I crash and how fast would I get done?
If there is a bonus of $225 per day for finishing early, what would I crash and how fast would I get done?

Breakout session!
Practice Crashing, using Exercise 2 at the end of this chapter in your textbook

Fast tracking
Activities normally performed in series are performed at the same time


Alternative Scheduling Methods
Critical Chain Project Management (CCPM)
Reverse Phase Schedules
Rolling Wave Planning
Agile Project Planning
Auto/Manual Scheduling
Methods are not mutually exclusive!

Critical Chain Project Management (CCPM)
Incorporates calculations on resource availability
The resource most in demand is identified
Keep that resource appropriately busy on critical chain activities
Critical chain method – an alternative scheduling technique that modifies project schedule by taking resource constraints into account; allows the project team to place buffers on any project schedule path to account for uncertainty and limited resources

CCPM Components
Avoid multitasking
Aggressively estimate activity completion time
Feed time buffer in front of critical chain activities
Put time reserved for uncertainty at project end
Finish activities early if possible

Reverse Phase Schedules
a.k.a. Last Planner System
Developed by people closest to the work
Start with final project deliverables
Ask what needs to be completed prior to starting work on this deliverable
Think from end of the project to the beginning
Often used in construction projects

Rolling Wave Planning
Plan first part of project in detail
Plan later parts at a high level/ use placeholders
Focus on the near term
Extreme of rolling wave planning is Agile

Agile Project Planning
Collaborative approach with workers and stakeholders
Stakeholders want cost, schedule, & functionality data before approving a project
Avoid stringent change control
Projects planned in short increments called sprints

Auto/Manual Scheduling
MS Project now allows manual scheduling
Enables users to emulate MS Excel
When showing few milestones without dates (i.e. during Chartering), manual scheduling may be good option

Using MS Project for Resource Allocation
Defining resources
Set up a Resource Calendar
Assigning resources
Finding Over-allocated resources
Dealing with Over-allocations
Crashing a Critical Path Activity

1. Defining Resources
Describe available resources in the MS Project database
As a single unit or a pool of like units
Resources include:
People
Buildings
Materials
Facilities
Supplies

1. Defining Resources
Enter resource information before time of assignment to a task
Minimum field requirements for defining resources
Name
Max Units
If costs are to be modeled, must provide:
Rates
Cost per Use
Accrue At values


1. Defining Resources
Max Units Field
Determined before resource is assigned to activities
Defines availability of a resource for project work
Default 100%, but individual resources not usually 100% available
Considerations:
What is considered project work?
What is not considered project work?
Organizational holidays accounted for in the Standard (Project) calendar.
Vacation days accounted for in each resource calendar.


1. Defining Resources
On View tab>> Resource Views group, click Resource Sheet.
In first blank row, enter resource name in Resource Name cell.
In Initials cell, enter initials of the resource.
Click Max Units cell and enter resource’s maximum availability.

2. Set up a Resource Calendar
View Tab>>Resource Sheet
Double-click row of resource to activate dialog
Click Change Working Time…
Make Revisions

Use to block out vacation days and other resource-specific non-working days

3. Assigning Resources
Allocate resources to an activity
MS Project generates assignment information using default or modified settings
See detailed instructions, pp.312-315 in textbook

3. Assigning Resources


3. Assigning Resources
Data for creating assignments
Time units between the activity start & end
Availability of a resource for work each day
Multiply Duration by Units
Switch determines which value changes.
Duration
Units
Work
Task type

Basic Assignment Calculation with Fixed Units Selected (Default)
Activity with no prior resource assignments – Uses Duration and Units values & sums into Work field
Activity with one or more resources already assigned – MS Project holds Duration value constant & adjusts activity Work value.
Removal of resources works in reverse.

Modifying an Assignment
MS Project maintains relationship among the Duration, Units, & Work values.
If you don’t like MS Project adjusting Duration automatically based on resources, switch “Task type” to “Fixed Work”
See detailed instructions p.315 of textbook

4. Finding Over-Allocated Resources
Occurs when a resource is assigned to 2+ activities whose start & finish dates overlap
Also occurs if an assignment Units value is greater than resource’s Max Units value
Will display a red stick figure if over-allocated
Click Resource Tab>> Level Resources to resolve over-allocations

Resource Allocation View
See Detailed instructions on p.316 of textbook

4. Finding Over-Allocated Resources
To analyze over-allocated resources in Resource Allocation View:
Set timescale to the start of the schedule.
Slowly scroll timescale toward the end of the schedule.
Analyze each instance of cell values displayed in red for cause & severity.

5. Dealing with Over-Allocations
MS Project is good at identifying over-allocations, but PM is responsible for deciding how to deal with them
Each action has risks and may “break” something down the line
Protect your critical path!!!

Some choices for dealing with Over-Allocations:
Replace over-allocated resource with one that has time for assignment
Reduce Units assignment, extending activity duration
Lessen scope of one or more activities
Ignore overload if resource impact is temporary
Try Resource Tab>>Level Group>>Level Resource or Level All & see how timeline is affected

6. Crashing a Critical Path Activity
Crashing adds resources to a task to shorten time
Only makes sense to “crash” tasks on critical path
Crashing is just one option & not appropriate in all cases
See Detailed instructions pp.317-318 in textbook

Summary
PM needs to look at listed activities & estimate resources needed to perform each.
Resource assignments often posted directly on a Gantt Chart schedule.
RACI charts depict work activities on a vertical scale
Use responsibility histograms to determine overloads
Use critical path schedule, resource assignments, & the resource histogram to determine who is overloaded, when, & by what activities.
Use resource leveling to reduce peak demands by postponing non-critical activities

Summary
Look for methods of accelerating (compressing) the project schedule.
Crashing—decision to pay extra money to speed up certain activities on critical path
Fast tracking—allows activities normally conducted in sequence to be performed in parallel
Alternative scheduling methods:
Critical chain
Reverse phase
Rolling wave
Agile
Auto/manual
Project scheduling software such as Microsoft Project 2016 is useful when determining resources for a project.

Managing Software Development with Agile Methods and Scrum
Holistic approach to managing new product development (scrum)
Attempt to minimize risk via Sprints
Time boxes are from 1-4 weeks
Benefits:
Scalability
Ability to re-evaluate priorities incrementally
Scrum master organizes project – acts as a productivity buffer
PM IN ACTION

Scrum Elements
Dynamic backlog of prioritized work to be accomplished
Use of short iterations of Sprints
Daily Scrum sessions
Brief planning session to prioritize backlog of items
Brief retrospective for reflections about the Sprint
PM IN ACTION

Managing Software Development with Agile Methods
Teams include all resources necessary to complete tasks & finish software product
Metric for progress is working software
Schedules based on accomplishing Sprints
Produce very little written documentation
Reduce development time, foster innovation, & reduce development risk
PM IN ACTION

The Scrum Approach
PM IN ACTION

PMBOK Exams
Resourcing questions will be mostly hands-on
Keep in mind how resourcing relates to other project work (i.e. scheduling, budgeting, risk management, etc.)
Use WBS to identify all resource needs
Know as much as possible about the critical path & how to maintain it
Be familiar with all steps of Plan Resource Management
Understand the staffing management plan & resource breakdown structure

Casa de Paz Development Project
At this point, this project is staffed entirely by volunteers.
How do you suggest reducing the risk of this project being late?
Project planners “eyeball” the amount of work instead of looking at detail to estimate if there are severe overloads.
© 2019 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
