Computer Science CS661


Software Information

Christopher Slaton

Colorado Technical University

18/03/2021

Table of Contents

Introduction
    The Nature of the Organization
    The Company's Size and Location
Week One: Information Security Overview
    An Overview of the Information Security Plan for DB Schenker
Week Two: Risk Assessment
Week Three: Security Standards for Development and Deployment
Week Four: Vulnerability Management
    The Emerging Technology-Driven Applications
Week Five: Assessment and Assurance
Conclusion
References

INTRODUCTION

Security has become a fundamental and inescapable concern for software systems. The past decade has seen a large increase both in the number of attacks and in the ease with which attacks can be carried out against systems. We hold that to protect a product or system against harm (intended or not), attention must be given to its requirements. Like other system properties and quality attributes, security should be considered from inception, that is, starting with requirements engineering.

The Nature of the Organization

The organization to which the information security plan will be applied is a transport and freight-forwarding company: it handles the transportation of goods. The system will be deployed at DB Schenker to support its forwarding operations (Renata & John, 2012). Security will be treated as a non-functional requirement (NFR): increasingly critical in importance and unusual in its demands, yet one that must still be coordinated with all the other functional and non-functional requirements and designed into effective models, plans and implementations (Bilyana, Lillian, Quentin, & Adam, 2019). As with other NFRs, the unusual nature and demands of security make it difficult, and often impossible, to capture security concerns with "general-purpose" requirements techniques; security requirements engineering is therefore needed. Below we explain both of these ideas (software security and security requirements engineering).

The Company's Size and Location

DB Schenker is a large company that forwards goods to roughly three quarters of the USA. Security is uniquely complex and challenging among non-functional requirements (NFRs); as Ian Alexander observes, security is unlike any other area of a specification because somebody is deliberately and purposefully trying to break the system. Security is an NFR that is increasingly critical in importance and unusual in its demands, yet it still has to be coordinated with all the other functional and non-functional requirements and designed into effective models, plans and implementations (Ariel, Shiliang, & Gilles, 2016).

Software security aims to preserve the three classic objectives (CIA): the Confidentiality, Integrity and Availability of the data resources and assets that the software creates, stores, processes or transmits, including the executing programs themselves (Lenin, Jitendra, & Sharad, 2012). Preserving confidentiality means preventing unauthorized disclosure; preserving integrity means preventing unauthorized modification; and preserving availability means preventing unauthorized destruction or denial of access or service.

WEEK ONE: INFORMATION SECURITY OVERVIEW

The DB Schenker security plan will follow SQUARE (Security Quality Requirements Engineering). After its initial development, SQUARE was applied in a series of client case studies. Carnegie Mellon graduate students carried out this work during the summer and fall of 2004 and the summer of 2005; the case-study results were published, and prototype tools were developed to support the process. SQUARE consists of nine steps (Rohan, et al., 2014):

1. Agree on definitions: this step establishes unambiguous communication between the requirements engineers and the stakeholders.

2. Identify security goals: initially, each stakeholder states their own security goals; in this step the goals are reconciled and conflicts are resolved (Lenin, Jitendra, & Sharad, 2012).

3. Develop artifacts: the authors name the following artifacts to be collected: a system architecture diagram, use-case scenarios/diagrams, misuse-case scenarios/diagrams, attack trees, and standardized templates and forms. These artifacts form the basis for the subsequent steps of the process.

4. Perform risk assessment: the vulnerabilities and threats associated with the system are identified, together with the likelihood that the threats will lead to attacks. The authors propose applying existing risk-assessment techniques.

5. Select elicitation techniques: the technique chosen in this step is applied in the next step to perform the actual elicitation of security requirements. Again, SQUARE recommends choosing an existing technique suited to the project at hand (Lenin, Jitendra, & Sharad, 2012).

6. Elicit security requirements: a key point in this step is to ensure that the requirements are verifiable and that they are not implementation or architectural constraints in disguise.

7. Categorize requirements: the elicited requirements are categorized (at least) according to the following scheme: essential, non-essential, system level, software level, and architectural constraint. Since the last are not considered requirements, their presence shows that the previous steps have to be repeated.

8. Prioritize requirements: it is accepted that not all requirements can be implemented, so the most important ones must be identified.

9. Requirements inspection: in this final step the requirements are checked for ambiguities, inconsistencies, mistaken assumptions and the like. The output is the final security requirements document for the stakeholders.

The draft process was refined and baselined after the case studies were complete. In principle, Steps 1-4 are activities that precede security requirements engineering proper, but they are essential to make it effective. The brief descriptions of each step above follow Mead et al. (2005).
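Steps 3, 4 and 8 above are the points at which an attack tree earns its keep: it records how an attacker can reach a goal, it feeds the likelihood estimates of the risk assessment, and it ranks the leaves whose countermeasures buy the most risk reduction. The following Python script is an added example and is not part of SQUARE or of this paper; the tree, the effort values and the likelihoods are constructed assumptions for a hypothetical shipment-tracking portal.

```python
"""Attack-tree evaluation feeding SQUARE steps 3, 4 and 8.

Added example, not taken from the SQUARE method or from the paper.  The tree
is a constructed, hypothetical model of a freight-forwarding tracking portal;
the node names, effort values and likelihoods are assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "LEAF", "AND" (all children needed) or "OR" (any child suffices)
    effort: float = 0.0         # attacker effort for a leaf, arbitrary units
    likelihood: float = 0.0     # probability that a capable attacker completes a leaf
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Least attacker effort needed to reach `node`, with the leaves used.

    OR gates take the cheapest child; AND gates must pay for every child.
    """
    if node.gate == "LEAF":
        return node.effort, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]


def success_likelihood(node: Node, mitigated: FrozenSet[str] = frozenset()) -> float:
    """Probability that the goal at `node` is reached.

    Leaves named in `mitigated` are treated as fully blocked (likelihood 0).
    OR: 1 - prod(1 - p_i); AND: prod(p_i).  Children are assumed independent.
    """
    if node.gate == "LEAF":
        return 0.0 if node.name in mitigated else node.likelihood
    probs = [success_likelihood(c, mitigated) for c in node.children]
    if node.gate == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    fail_all = 1.0
    for p in probs:
        fail_all *= 1.0 - p
    return 1.0 - fail_all


def leaves(node: Node) -> List[Node]:
    if node.gate == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def mitigation_priority(root: Node) -> List[Tuple[str, float]]:
    """Rank leaves by how far blocking each one alone lowers the root likelihood.

    This is the input step 8 (prioritize) needs: the requirement that counters
    the top-ranked leaf buys the most risk reduction.
    """
    ranked = [(leaf.name, success_likelihood(root, frozenset({leaf.name})))
              for leaf in leaves(root)]
    return sorted(ranked, key=lambda r: (r[1], r[0]))


# Constructed example tree (every value below is an assumption).
BOOKING_PORTAL = Node("Read customer shipment manifests", "OR", children=[
    Node("Take over a dispatcher account", "AND", children=[
        Node("Phish dispatcher password", effort=2, likelihood=0.4),
        Node("Bypass MFA", effort=5, likelihood=0.2),
    ]),
    Node("Exploit the tracking portal", "OR", children=[
        Node("SQL injection in tracking search", effort=3, likelihood=0.3),
        Node("IDOR on manifest download", effort=1, likelihood=0.5),
    ]),
    Node("Bribe an insider", effort=8, likelihood=0.1),
])


if __name__ == "__main__":
    effort, path = cheapest_path(BOOKING_PORTAL)
    print(f"cheapest path: effort {effort} via {path}")
    print(f"likelihood of reaching the goal: {success_likelihood(BOOKING_PORTAL):.3f}")
    for name, residual in mitigation_priority(BOOKING_PORTAL):
        print(f"block '{name}' -> residual likelihood {residual:.3f}")
```

Note that the ranking is not the same as sorting leaves by their own likelihood: the two account-takeover leaves are the weakest individually, but because they sit under an AND gate, blocking either one removes only the 8% branch, whereas blocking the IDOR leaf under the OR gate removes most of the risk.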

An overview of the information security plan for DB Schenker

The objective of the Multilateral Security Requirements Analysis (MSRA) method is to apply the principles of multilateral security during the requirements-engineering phase of system development (Federico, Ruggero, & Matteo, 2013). It does so by examining the security and privacy needs of all the stakeholders of the system-to-be, identifying conflicts, and reconciling the diverse stakeholder views. The method draws both on theories of multilateral security and on viewpoint-oriented requirements engineering. To express the specific security needs of the stakeholders, MSRA users develop security requirements from the viewpoints of the different stakeholders with respect to bundled functionalities of the system.

Security requirements result from the reconciliation of multilateral security goals (Paul & David, 2013). Security goals are chosen from a rich taxonomy derived from the CIA triad, which also includes properties such as accountability and pseudonymity. Security goals, and later requirements, carry attributes: the stakeholders who have an interest in the requirement, the counter-stakeholders towards whom the requirement is expressed, and several other attributes described in the following paragraphs (Bilyana, Lillian, Quentin, & Adam, 2019).

A stakeholder is defined as any person or organization that has an interest in the system-to-be. Consequently, the elaboration of security requirements is not limited to the functional users of the system-to-be, who are referred to as actors (Federico, Ruggero, & Matteo, 2013). Instead, a distinction is drawn that allows requirements to be elaborated both for those who have a stake in the system's security and for those who will use the system.

The variant Confidentiality Requirements Elicitation and Engineering (CREE), as applied to DB Schenker, considers only confidentiality requirements. Later work has focused on formalizing the confidentiality requirements in CREE and on using defeasible reasoning to analyze ambiguities and conflicts. Counter-stakeholders are the stakeholders against whom the security goals are directed; they may be malicious attackers or ordinary actors of the system (Lenin, Jitendra, & Sharad, 2012). Further, MSRA works with an information model whose elements are the objects of the various security requirements. The information model is at a higher level of abstraction than a data model, as is appropriate for a functional specification of the system-to-be.

Additional attributes of a security requirement are: the owner of the requirement; the degree of agreement among stakeholders on the requirement; the goal of the requirement (for CREE this is simply protection or permission); the information the requirement addresses; the strictness, stating whether the requirement says anything about the security of information it does not explicitly address; and the rationale, stating why the information should be protected. Temporal validity, describing how long the security concern must be maintained, is also treated as an attribute (Ariel, Shiliang, & Gilles, 2016).
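The attributes listed above become useful once they are recorded in a form that can be checked mechanically: a confidentiality requirement held by one stakeholder against a counter-stakeholder conflicts with an availability requirement that the counter-stakeholder holds on the same element of the information model, and a wildcard counter-stakeholder collides with every actor who legitimately needs the information. The following Python script is an added example and is not part of MSRA, CREE or this paper; the stakeholders, information elements and requirements are constructed assumptions for a freight-forwarding system.

```python
"""Multilateral security requirements: attributes, agreement and conflict detection.

Added example; not part of MSRA/CREE or of the paper.  The stakeholders,
information elements and requirements below are constructed assumptions for
a freight-forwarding system-to-be.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANYONE = "*"   # counter-stakeholder wildcard: the goal is held against everybody


@dataclass(frozen=True)
class SecurityRequirement:
    owner: str           # stakeholder who holds the requirement
    goal: str            # "confidentiality", "integrity" or "availability"
    information: str     # element of the information model (not a data model)
    counter: str         # counter-stakeholder the goal is directed against
    functionality: str   # bundled functionality of the system-to-be
    rationale: str       # why the information needs protecting


def conflicts(reqs: List[SecurityRequirement]) -> List[Tuple[SecurityRequirement, SecurityRequirement]]:
    """Pairs where one stakeholder wants information hidden from a party that
    another requirement says needs that same information to be available."""
    found = []
    for hide in reqs:
        if hide.goal != "confidentiality":
            continue
        for need in reqs:
            if need.goal != "availability" or need.information != hide.information:
                continue
            if hide.counter in (need.owner, ANYONE) and need.owner != hide.owner:
                found.append((hide, need))
    return found


def agreement(reqs: List[SecurityRequirement]) -> Dict[Tuple[str, str], Set[str]]:
    """Degree of agreement: which stakeholders hold the same goal on the same information."""
    holders: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in reqs:
        holders[(r.goal, r.information)].add(r.owner)
    return dict(holders)


# Constructed requirements (all names and rationales are assumptions).
REQUIREMENTS = [
    SecurityRequirement("Shipper", "confidentiality", "commercial invoice value", "Carrier",
                        "booking", "declared value is used in rate negotiation"),
    SecurityRequirement("Carrier", "availability", "commercial invoice value", "DB Schenker",
                        "proof of delivery", "liability cover is computed from declared value"),
    SecurityRequirement("Shipper", "confidentiality", "consignee address", ANYONE,
                        "booking", "the customer list is a trade secret"),
    SecurityRequirement("Carrier", "availability", "consignee address", "DB Schenker",
                        "delivery", "the driver must know where to deliver"),
    SecurityRequirement("Regulator", "integrity", "customs declaration", ANYONE,
                        "customs filing", "declarations are legal documents"),
    SecurityRequirement("Customs desk", "availability", "customs declaration", "DB Schenker",
                        "customs filing", "filing deadlines must be met"),
    SecurityRequirement("Consignee", "integrity", "customs declaration", ANYONE,
                        "customs filing", "duties are assessed from the declaration"),
]


if __name__ == "__main__":
    for hide, need in conflicts(REQUIREMENTS):
        print(f"CONFLICT on '{hide.information}': {hide.owner} hides it from {hide.counter}, "
              f"but {need.owner} needs it for '{need.functionality}'")
    for (goal, info), owners in agreement(REQUIREMENTS).items():
        if len(owners) > 1:
            print(f"agreement on {goal} of '{info}': {sorted(owners)}")
```

The second conflict is the instructive one: the shipper's wildcard counter-stakeholder on the consignee address is not wrong as a statement of interest, but it cannot stand as a requirement until the carrier is carved out of it, which is exactly the reconciliation step MSRA describes.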

WEEK TWO: RISK ASSESSMENT

Most software engineers are poorly prepared to elicit, analyze and specify security requirements, for example for DB Schenker. As a result, they frequently mistake security requirements for the architectural security mechanisms that are typically used to satisfy requirements, and end up making architecture and design decisions prematurely. Charles Haley and his colleagues observe the same problem. They show that several standards (for instance the Common Criteria and the US National Institute of Standards and Technology computer security handbook) propose describing security requirements in terms of security mechanisms (Bilyana, Lillian, Quentin, & Adam, 2019). However, as they point out, describing requirements in terms of mechanisms leaves out key information: what objects need protecting and, even more fundamentally, why the objects need protecting.

The Comprehensive Lightweight Application Security Process (CLASP) states that all requirements should be SMART requirements: specific, measurable, appropriate, reasonable and traceable. CLASP gives no examples, however, of what a typical security requirement should look like (Ariel, Shiliang, & Gilles, 2016). Another author defines a security requirement as a quality requirement that implements an overriding security policy, and suggests dividing security requirements into classes such as identification, integrity and privacy requirements. For example, the requirement "The application shall identify all of its client applications before allowing them to use its capabilities" is an identification requirement, whereas "The application shall not allow unauthorized individuals or programs access to any communications" is a privacy requirement.

When the requirement limits "Personnel Information only to members of the Human Resources Dept.", it is stated in terms of what is protected and from whom. By expressing security requirements in the same way as specific functional requirements, they ensure that the requirements are precise enough to guide architects and to let them verify that the requirements are actually satisfied (Federico, Ruggero, & Matteo, 2013). Despite these examples, we have not found a generally accepted definition of "security requirement" in the
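The practical consequence of stating a requirement in terms of the protected object and the permitted party, rather than the mechanism, is that the requirement can be checked independently of whatever mechanism the architects choose. The following Python script is an added example, not code from this paper or from CLASP; the users, records and role-based policies are constructed assumptions for a forwarding company, and the check enumerates every (user, record) pair to find where the mechanism and the requirement disagree.

```python
"""A security requirement as an executable acceptance check, kept separate from
the mechanism chosen to satisfy it.

Added example; not from the paper or from CLASP.  Users, records and the
role-based policies are constructed assumptions for a forwarding company.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str          # what the access-control mechanism sees
    department: str    # what the requirement is actually about


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str          # "personnel" or "shipment"


Policy = Callable[[User, Record], bool]


def rbac_policy(user: User, record: Record) -> bool:
    """Mechanism as first implemented: roles 'hr' and 'admin' may read personnel data."""
    if record.kind != "personnel":
        return True
    return user.role in {"hr", "admin"}


def hr_only_policy(user: User, record: Record) -> bool:
    """Corrected mechanism: only the 'hr' role may read personnel data."""
    if record.kind != "personnel":
        return True
    return user.role == "hr"


def requirement_allows(user: User, record: Record) -> bool:
    """The requirement itself: 'Personnel Information only to members of the
    Human Resources Dept.'  Phrased as what is protected and from whom, with
    no reference to roles or any other mechanism."""
    return record.kind != "personnel" or user.department == "Human Resources"


def violations(users: List[User], records: List[Record], policy: Policy) -> List[Tuple[str, str, str]]:
    """Every (user, record) pair on which the mechanism and the requirement disagree.

    'over-grant'  = the mechanism allows an access the requirement forbids;
    'under-grant' = the mechanism blocks an access the requirement permits.
    """
    out = []
    for u in users:
        for r in records:
            allowed, required = policy(u, r), requirement_allows(u, r)
            if allowed and not required:
                out.append((u.name, r.record_id, "over-grant"))
            elif required and not allowed:
                out.append((u.name, r.record_id, "under-grant"))
    return out


# Constructed sample population.
USERS = [
    User("alice", "hr", "Human Resources"),
    User("bob", "admin", "IT"),                  # admin role, not in HR
    User("carol", "dispatcher", "Operations"),
    User("dave", "analyst", "Human Resources"),  # HR member never given the hr role
]
RECORDS = [Record("P-1", "personnel"), Record("S-1", "shipment")]


if __name__ == "__main__":
    for name, policy in (("rbac_policy", rbac_policy), ("hr_only_policy", hr_only_policy)):
        print(name, violations(USERS, RECORDS, policy))
```

Running the check against the first policy reports two findings: an over-grant (the admin role reaches personnel data although the requirement never mentioned administrators) and an under-grant (an HR member who was never assigned the role). Narrowing the mechanism fixes the first but not the second, which is why the check is written against the requirement and not against the role table.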

WEEK THREE: SECURITY STANDARDS FOR DEVELOPMENT AND DEPLOYMENT

Although organizations have been quick to adopt new technology, understanding of and compliance with information-system standards and regulations remains weak. According to Ismail (2017), this is due not only to ignorance of these standards and regulations, or to the rush to gain competitive advantage from new technologies, but also to the slow pace at which standards, policies and frameworks are formed relative to the technologies they govern. Since information security comprises the processes and methods that protect data, storage, computer processes and transmission from risks and vulnerabilities, information security standards and regulations designate the technical specifications or precise criteria, harmonized and agreed upon, for protecting data, systems and other computer hardware from potential risks and vulnerabilities (Ismail, 2017).

Regulations and laws, on the other hand, are directives that any organization within the law's jurisdiction must follow when implementing information systems. Standards and regulations in information security are very important. They not only set the ground for the efficiency and effectiveness of information security but also harmonize the different information security methods and processes in a way that promotes innovation. Standardization also provides structured methods that make it easy to disseminate both groundbreaking ideas and knowledge of the leading information security strategies (Tirumala & Anjan, 2016).

Standards

There are various standardization bodies for information security assurance; however, the International Organization for Standardization (ISO) standards have become essential reading for any information security engineer and the standards with which most organizations' IT security systems are expected to comply. The standards most often referred to are ISO/IEC 27001 and ISO/IEC 27002; ISO/IEC 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS) and describes ISMS best practice (Rajkumar & Paralikar, 2019). In a nutshell, ISO/IEC 27001 is the standard in the ISO 27000 series that describes the information security implementation process. In overview, this standard requires that for any information security implementation the organization must:

i. assemble a project team to initiate the project

ii. conduct a gap analysis, comparing current practice with the standard's requirements to establish what the implementation must change

iii. define the scope of the ISMS

iv. initiate high-level policy development for the ISMS

v. perform a risk and vulnerability assessment

vi. select and apply controls

vii. develop the risk documentation

viii. conduct a staff awareness training program

ix. conduct an internal audit to assess and review the implemented ISMS

x. lastly, opt for a certification audit

ISO/IEC 27002 is the companion standard to ISO/IEC 27001: a code of practice that gives implementation guidance for the information security controls to be applied when implementing an ISMS (Rajkumar & Paralikar, 2019). The controls themselves are listed in Annex A of ISO/IEC 27001; ISO/IEC 27002 explains in detail how each control works, the objective of the control, and how an organization can implement it.

BS ISO/IEC 27004:2009 is another important ISMS standard. It not only provides requirements for maintaining and improving the ISMS but also gives guidance on developing measures to assess the effectiveness of the ISMS implementation in the organization. BS ISO/IEC 27004:2009 is designed to apply to organizations of all kinds (Tirumala & Anjan, 2016). Although it was written against the 2005 edition of ISO/IEC 27001, it has since been revised (as ISO/IEC 27004:2016) to align with the 2013 edition of ISO/IEC 27001; ISO/IEC 27002 is not a new version of ISO/IEC 27001 but its companion code of practice.

BS ISO/IEC 27003:2010 is the standard that provides the core design recommendations for an ISMS. It gives explicit guidance on planning ISMS projects in organizations of all sizes. Although BS ISO/IEC 27003:2010 was also written against the 2005 edition of ISO/IEC 27001, it too has been revised (as ISO/IEC 27003:2017) to align with the 2013 edition (Rajkumar & Paralikar, 2019).

Another relevant standard is ISO/IEC 18043:2006, which covers the selection, deployment and operation of intrusion detection systems (it has since been superseded by ISO/IEC 27039). It supports the monitoring and incident-management controls of ISO/IEC 27002 and thereby helps an organization maintain ISO/IEC 27001 and 27002 compliance. None of these standards is legislation; they codify best practice.

Law/ Regulations

In the United States there are various laws associated with information security. The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, and contractors operating systems on their behalf, to implement the security standards and controls published by NIST; for Controlled Unclassified Information (CUI) handled in nonfederal systems, the applicable control set is NIST SP 800-171 (revision 1 at the time of writing) (Rajkumar & Paralikar, 2019). ISO/IEC 27001 and 27002 are not mandated by FISMA, but their controls can be mapped to the NIST requirements, and together these requirements create a uniform set of information security controls for securing civilian federal data and sensitive government information. Another law is the Digital Millennium Copyright Act of 1998 (DMCA), which governs copyright in digital material. An organization that stores or transmits material on behalf of others must, to qualify for the DMCA's safe-harbour protection, designate an agent to receive infringement notices, act expeditiously on takedown notices, and adopt, publish and enforce a policy for terminating repeat infringers; these obligations should be covered by the ISMS and reviewed as part of its regular plan review.

Why These Standards Are Applicable In the Organization

These standards and laws apply to this organization because security controls must be installed to address the various risks and vulnerabilities identified during the risk and vulnerability assessment. The standards provide requirements for maintaining and improving the ISMS and guidance on developing measures to assess the effectiveness of the ISMS implementation in the organization. FISMA, to the extent that DB Schenker processes federal information (for instance as a government freight contractor), and the DMCA ensure that the organization's information security controls are consistent with those of other organizations and with government information controls (Tirumala & Anjan, 2016).

Process That Would Be Affected by the Standards

These standards influence the organization's ISMS process throughout design, implementation and assessment. ISO/IEC 27001 describes the information security implementation process, ISO/IEC 27002 shapes the information security controls, and BS ISO/IEC 27004:2009 provides requirements for maintaining and improving the ISMS and guidance on developing measures to assess the effectiveness of its implementation in the organization (Tirumala & Anjan, 2016).

Plan

I will start with BS ISO/IEC 27004:2009, which provides requirements for maintaining and improving the ISMS and guidance on developing measures to assess the effectiveness of its implementation. I will then comply with ISO/IEC 27002, which governs the information security controls, and lastly follow ISO/IEC 27001, which describes the overall implementation and certification process.

WEEK FOUR: VULNERABILITY MANAGEMENT

Vulnerability management is a security process designed and carried out to proactively mitigate, resolve and prevent the exploitation of weaknesses in an organization's information systems. The practice involves several activities: identifying vulnerabilities, classifying them, finding a remedy, and mitigating each identified vulnerability within the system. Vulnerability management is an integral part of information and network security and is conducted alongside risk management and the other security management practices (Syed, 2020).

DB Schenker distributes goods across the United States; the vulnerabilities in its systems are the information access points that could be exploited to corrupt its databases or to obtain sensitive details of goods in transit. Vulnerability management in this scenario would be conducted in six phases: asset inventory, information management, risk assessment, vulnerability assessment, reporting and solution tracking, and response planning. This chapter covers the six phases, the challenges to be expected in each, and the justification for undertaking vulnerability management.

Asset Inventory

The initial stage of vulnerability management is building the company's inventory, in this case the inventory of DB Schenker's devices. A major challenge in most companies is that they lack an effective and up-to-date asset register, which makes this first stage harder. For DB Schenker, the solution will be to assign one employee responsibility for asset inventory management, so that all company resources are recorded and the inventory is updated daily. Asset inventory management is a powerful tool that security administrators can use to quickly find and patch devices and systems with security updates. Without an effective, well-maintained and current asset inventory, vulnerabilities are discovered only by accident, during a new security scan or while patches and upgrades are being installed.

Information Management

The second step in the vulnerability management process is controlling how information flows into and out of DB Schenker. The most critical flow is internet traffic entering and leaving DB Schenker's network. Attacks delivered through worms, viruses and other malware have increased, and DB Schenker needs protection against them. Traffic in and out of the DB Schenker local networks has also been rising, which increases the chance of malware entering the DB Schenker systems. More attention therefore needs to be paid to the flow of information so that such threats are stopped from getting into or out of the DB Schenker network.

Although malware is a major concern in information management, it is equally crucial that DB Schenker's internal information is not leaked to the public. Information management ensures that the organization's data is kept confidential and secure from attack.

Risk Assessment

This is a crucial step in vulnerability management: before any remedies for the risks in the DB Schenker network are recommended and assessed, the security team will conduct an extensive analysis of the vulnerabilities the network faces. In an ideal information security environment the team would be able to attend to all vulnerabilities, since there would be enough resources and time. In a real-world setting there are several limiting factors; in DB Schenker's case, resistance from the board means limited financial support. This makes risk assessment crucial, since the information security team has to produce a priority list of the vulnerabilities to handle first and those to address later. For DB Schenker the priority will be securing the network and the organization's data.

ISO 27001, clause 4.2.1, and ISO 27005, clause 7.4, set out the main goals of selecting a risk-assessment technique and of the risk-assessment process itself (Humphreys, 2008). The figure below outlines this:

Figure 1.

Vulnerability Assessment

Vulnerability and risk assessment are closely related; however, a vulnerability assessment is concerned with identifying DB Schenker's vulnerable assets. Finding the vulnerable assets in the DB Schenker network will involve a series of ethical hacking and penetration tests targeting every device on the network, from printers to servers. A vulnerability assessment aims to uncover the existence of vulnerabilities in the DB Schenker network, and penetration testing then verifies that they can actually be exploited. This is achieved by simulating a real attack using the same tools and methods that attackers would use.

Reporting and Solution Tracking

The reporting stage helps DB Schenker's information security team understand the current security posture, the areas that still pose high risk, and the root causes of the vulnerabilities. The report also makes it easy for the team to present the current status to the company's board. Solution tracking marks the end of the vulnerability management process; a common mistake is to terminate the process prematurely once the threats and vulnerabilities have been analyzed and the acceptable risks noted, rather than tracking each remedy until it has been applied and verified.

Response planning

Although it is seen as the easiest stage, response planning is as important as the other phases of vulnerability management for the DB Schenker network. It appears easy because the identification, analysis and remediation steps have already been laid out; nevertheless, failing to carry it out means the DB Schenker network remains exposed to the vulnerabilities found.
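The asset inventory, risk assessment, reporting and response planning phases above come together in one small piece of logic: join each scan finding to the inventory, weight the scanner's severity by what the asset means to the business and whether an exploit exists, and turn the result into a ranked list with a remediation deadline. The following Python script is an added example and not part of this paper; the hosts, findings, scoring weights and deadlines are constructed assumptions, and the finding identifiers are placeholders rather than real vulnerability identifiers.

```python
"""Vulnerability prioritization: joining scan findings with the asset inventory.

Added example; not from the paper.  Hosts, findings, scoring weights and
deadlines are constructed assumptions; finding identifiers are placeholders,
not real CVE identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    criticality: int       # 1 (dock printer) .. 5 (core transport-management server)
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    cvss: float            # base score reported by the scanner, 0..10
    exploit_known: bool    # public exploit available or active exploitation reported


@dataclass(frozen=True)
class Ticket:
    finding_id: str
    host: str
    score: float
    due_days: int
    asset_known: bool      # False = host missing from the inventory, a gap to close


# Worst-case assumptions for hosts the inventory does not know about.
UNKNOWN_ASSET = Asset("?", "unassigned", criticality=5, internet_exposed=True)


def risk_score(f: Finding, a: Asset) -> float:
    """CVSS weighted by what matters to the business, rather than CVSS alone."""
    score = f.cvss * a.criticality
    if a.internet_exposed:
        score *= 1.5
    if f.exploit_known:
        score *= 1.5
    return score


def due_in_days(score: float) -> int:
    """Remediation deadline by risk band (assumed policy values)."""
    if score >= 50:
        return 7
    if score >= 20:
        return 30
    return 90


def prioritize(findings: List[Finding], inventory: List[Asset]) -> List[Ticket]:
    """Rank findings highest risk first; unknown hosts are scored as worst case."""
    by_host: Dict[str, Asset] = {a.host: a for a in inventory}
    tickets = []
    for f in findings:
        asset = by_host.get(f.host)
        known = asset is not None
        score = risk_score(f, asset if known else UNKNOWN_ASSET)
        tickets.append(Ticket(f.finding_id, f.host, score, due_in_days(score), known))
    return sorted(tickets, key=lambda t: (-t.score, t.host))


def unknown_hosts(tickets: List[Ticket]) -> List[str]:
    """Hosts the scanner saw but the inventory does not list: inventory defects."""
    return sorted({t.host for t in tickets if not t.asset_known})


# Constructed inventory and scan output.
INVENTORY = [
    Asset("srv-tms-01", "Operations", 5, True),
    Asset("ws-hr-12", "Human Resources", 3, False),
    Asset("prn-dock-03", "Warehouse", 1, False),
]
FINDINGS = [
    Finding("FINDING-001", "srv-tms-01", 7.5, True),
    Finding("FINDING-002", "prn-dock-03", 9.8, False),
    Finding("FINDING-003", "ws-hr-12", 6.1, True),
    Finding("FINDING-004", "dev-shadow-07", 8.8, False),   # not in the inventory
]


if __name__ == "__main__":
    tickets = prioritize(FINDINGS, INVENTORY)
    for t in tickets:
        flag = "" if t.asset_known else "  [NOT IN INVENTORY]"
        print(f"{t.finding_id} {t.host:<14} score={t.score:7.2f} due in {t.due_days:>2} days{flag}")
    print("inventory gaps:", unknown_hosts(tickets))
```

Two things in the output are worth showing the board: the printer with the highest raw CVSS score ends up last once asset criticality is applied, and the host the inventory does not know about is pushed to the top precisely because nothing is known about it, which is the inventory defect the first phase exists to eliminate.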

Justification of Vulnerability Management

The proposed vulnerability management strategy will benefit not only DB Schenker's information security team but the whole organization. Implementing the strategy means that, when vulnerabilities are found, the company has a fallback plan to keep its daily operations running. The strategy keeps the company safer from attacks and its information secure. The process may be costly, but it saves the company the additional costs it would incur from an attack that the strategy would have prevented.

WEEK FIVE: ASSESSMENT AND ASSURANCE

Conclusion

References

Ariel, E., Shiliang, H., & Gilles, P. (2016). Remix: online detection and repair of cache contention for the JVM. Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, 251-265.

Bilyana, L., Lillian, A., Quentin, E. H., & Adam, S. M. (2019). Applying Indications and Warning Frameworks to Cyber Incidents. International Conference on Cyber Conflict (CyCon), 900, 1-21.

Dima, A. M., & Maassen, M. A. (2018). From Waterfall to Agile software: Development models in the IT sector, 2006 to 2018. Impacts on company management. Journal of International Studies, 11(2), 315-326.

Federico, C., Ruggero, G., & Matteo, K. (2013). The effect of global supply chain configuration on the relationship between supply chain improvement programs and performance. International Journal of Production Economics, 143(2), 285-293.

Humphreys, E. (2008). Information security management standards: Compliance, governance and risk management. Information Security Technical Report, 13(4), 247-255. doi: 10.1016/j.istr.2008.10.010

Ismail, U. (2017). Requirement Gathering for Open Source Software by Using SCRUM and Feature Driven Development (Doctoral dissertation).

Ismail, U., Qadri, S., & Fahad, M. (2015). Requirement Elicitation for Open Source Software By using SCRUM and Feature Driven Development. International Journal of Natural & Engineering Sciences, 9(1).

Jed, D. G., Paul, H., & Klara, K. P. (2017). Educating for the 21st-century health care system: an interdependent framework of basic, clinical, and systems sciences. Academic Medicine, 92(1), 35-39.

Lenin, R., Jitendra, P., & Sharad, A. (2012). AppInsight: Mobile app performance monitoring in the wild. 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 12), 107-120.

Paul, L. D., & David, C. C. (2013). Information technology and business-level strategy: Toward an integrated theoretical perspective. MIS Quarterly, 483-509.

Rajkumar, A., & Paralikar, A. (2019, December). Test Driven Development: Process for AUTOSAR Software Development. In INCOSE International Symposium (Vol. 29, pp. 99-108).

Renata, F. M., & John, F. E. (2012). The acquisition of an artificial logographic script and bilingual working memory: Evidence for L1-specific orthographic processing skills transfer in Chinese–English bilinguals. Writing Systems Research, 4(1), 8-29.

Rohan, G., Hongqiang, H. L., Y, C. H., Jitendra, P., Lihua, Y., & Ming, Z. (2014). Duet: Cloud scale load balancing with hardware and software. ACM SIGCOMM Computer Communication Review, 44(4), 27-38.

Syed, R. (2020). Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Information & Management, 57(6), 103334. doi: 10.1016/j.im.2020.103334

Tirumala, S., Ali, S., & Anjan, B. G. (2016). A Hybrid Agile model using SCRUM and Feature Driven Development. International Journal of Computer Applications, 156(5), 1-5.

Zima, D. (2015). Modern methods of software development. Task Quarterly, 19(4), 481-493.