Replies and Critical analysis needed

profileJohn_matt
replies_needed.docx

Please don’t give me a two to three sentence replies. It has to look burky. At least 7 to 8 sentences. Thank you

Reply needed 1

john,

You provided a great explanation of what the MS-ISAC does for the organizations that it supports. Cities have a daunting task of trying to comply with federal regulations and laws as it tries to secure all of the sensitive data that it stores. There are several organizations that cities can partner up with to enhance security of their networks such as Cyber Security Research Alliance (CSRA), Microsoft, MITRE, and more. These partners can assist in planning and developing networks and other smart services. By partnering up with different organizations it will allow them to combat the many threats it faces.

 Hall, A. (2015, February 03). Microsoft partners with cities and governments to improve cybersecurity for citizens. Retrieved July 04, 2016, from https://blogs.microsoft.com/cybertrust/ 2015/02/03/microsoft-partners-with-cities-and-governments-to-improve-cybersecurity-for-citizens/

Partnership. (n.d.). Retrieved July 04, 2016, from https://www.mitre.org/capabilities/ cybersecurity/partnership

Reply needed 2

With such resources available it’s hard to believe cyber-attacks are continuously successful at such a high rate.  Swimlane.com published shocked 2015 stats and the numbers are enormous. To name a couple, there were over $169 million personal records compromised and some companies lost and upward of $300 for every personal record lost (Cornell, 2016). I’m also curious to know what type of insurance is provided by cybersecurity companies such as MS-ISAC. If a company suffers a loss due to a cyber breach with their operation were under the monitoring and maintenance of such a company, does the company cover the cost? Something I’ll research.  

R,

E.W.

Reply needed 3

Hard to believe.  Really.  Do you know anyone that goes against their company policies and checks their personal email or better yet has to check their Facebook page?  What about someone that clicks on a link within an email from a bank they do not have an account with.  All the security controls in the world will not work if users of the system can circumvent them.  Sure companies and agencies can automate and lock down most things; however, they try to maintain some level of balance for their workers so they accept a certain level of risks.  Remember security is a responsibility of everyone not just cyber security and IT professionals.

Reply needed 4

Working with the Multi-State Information Sharing and Analysis Center (MS-ISAC)

States collect, process, transmit, and store large amounts of private information about individuals and businesses and require assistance with cyber threat prevention, protection, response and recovery of this data (CIS 2016). MS-ISAC assist state governments with improving their overall cyber security posture, by providing opportunities for collaboration and information sharing among members, private sector partners and the U.S. Department of Homeland Security (DHS).  The organization utilizes its relationships with major Internet Service Providers, cyber security firms, researchers, and software developers, as well as federal partners, the Federal Bureau of Investigations, the Secret Service and others to share information on emerging threats.

To join the MS-ISAC complete a membership agreement.  Once you become a member you will have access to (CIS Catalog 2016):

· 24/7 security operations center

· Incident response resources

· Cyber security advisories

· Cyber event notifications

· Daily cyber tips

· Network monitoring

· Alert status map

· Advisory services

· Vulnerability assessment

· Top attacking sites

· Monthly newsletters

· Bi-monthly webcasts

· Monthly webcast meetings

· Annual membership meeting

· Monthly threat briefings

· Cyber security exercises

· Awareness/education materials

· Training discounts

· Secure portals for communication and document sharing

· Security Device Monitoring: Managed Security Services (MSS)*

· Security Device Monitoring: Netflow Monitoring & Analysis

· DHS initiatives coordination

There is no cost to join the MS-ISAC.  However there are costs associated with fee-based services such as MSS, vulnerability assessment services, and Center for Internet Security (CIS) consulting services.  States must assess the benefits of utilizing managed services versus in-house services.  They may have to take a hybrid approach by utilizing some managed services and hosting some services internally.  The resources available to MS-ISAC members include training videos, webcasts, white papers and reports, cybersecurity guides, best practices and guidelines, workforce development, consulting services, toolkits, remediation kits, and links to other resources. 

The National Association of State Chief Information Officers (NASCIO), National Association of Counties (NACo), National Cyber Security Alliance, Cyber Threat Intelligence Coordinating Group (CTICG) , United States Computer Emergency Readiness Team ( US-CERT ), National Council of ISACs , Public/Private Sector Cyber Security Workgroup , and National Governors Association all provide resources to states.  US-CERT have categorized resources for easy access.  The categories include resources to identify, resources to protect, resources to detect, and resources to respond.  They even include links to geographically-specific resources from various levels of government to help identify and manage cyber risk (US-CERT 2016).

States can minimize data breaches by identifying security vulnerabilities, improving internal security policies and procedures, assessing, measuring and reporting on overall compliance, implementing benchmark guidance, and measuring security performance recommended by MS-ISAC (MS-ISAC 2016).  They should also take advantage of the CIS aggregate discounted purchasing program to purchase security products at a reduced costs.  States that utilize MS-ISAC resources and services, and implement the recommendations and industry best practices will significantly improve their security posture thus reducing the risks of data breaches. 

References:

Center for Internet Security (2016), MS-ISAC Catalog of Services , Retrieved from:  https://msisac.cisecurity.org/about/services/

Center for Internet Security (2016), MS-ISAC Multi-State Information Sharing & Analysis Center, Retrieved from: https://msisac.cisecurity.org/

The Multi-State Information Sharing and Analysis Center (MS-ISAC) (2016), MS-ISAC Services Guide v1.0 (pdf)-attached in student portal

United States Computer Emergency Readiness Team (US-CERT) (2016), Resources for State, Local, Tribal, and Territorial (SLTT) Governments, Retrieved from: https://www.us-cert.gov/ccubedvp/sltt

Reply needed 5

The Multi-State Information Sharing and Analysis Center (MS-ISAC) aims to improve overall cybersecurity functions for local, state, and federal governments for information sharing. In addition, the center objectives aim to improve two-way sharing of information, a process to gather cybersecurity incidents, and to promote awareness of cyber and physical critical infrastructure (MS-ISAC, 2016). With the increasing amount of cyber-attacks harming corporations and federal agencies infrastructures, these corporations are looking for new ways to resolve these issues that they face. In fact, the U.S. Department of Homeland Security designated the MS-ISAC as a key cybersecurity resource (Lohrmann, 2015). Corporations that create a partnership with the MS-ISAC could be able to reduce the risk of security breaches in their organization.

There is a need to create more partnerships and finding practical security answers to resolving these constant cyber threats. Before many corporations and federal agencies worked alone to address their cybersecurity issues in their infrastructures (Lohrmann, 2014). These companies tend to fail into assess their cybersecurity risks that can still in around in their infrastructures. For instance, corporations can create smaller groups to start out with the MS-ISAC (Lemos, 2012). This will help the corporation to be able to build a trust over time by collaborating and classifying their cybersecurity breaches.

The majority of successful corporations are well aware of the common cybersecurity issues that can harm their infrastructure and data. In addition, local and state governments can partner with other corporations at global cyber events to discuss the risk and breaches that have occurred in their infrastructure. Attending a global event such as a Cybersecurity summit can be able to help governments collaborate with security experts from around the globe (Cybersecurity Summit, 2016). Corporations and Government agencies can be able to learn about the latest defense measures and they can have the ability to engage with others about the issues of cyber security.

Reply needed 6

a) If faced with increasing pressure to get a project done ahead of time, what steps should a project manager take if he feels this will jeopardize project quality?

If a Project Manager is pressured to finish a project early, there are a couple things he or she could say to the executive. The Project Manager could explain to the executive that shortcuts can cause long term damage to a project or even the company as a whole. The Project Manager could also suggest eliminating aspects of the project that may shorten the amount of time it would take to complete. A third option, if the executive was willing, would be to suggest hiring an initial employee or employees to assist in completing the project.

b)    Suppose that rather than time, the pressure is to do more with less, that is to accomplish the same scope with staff cuts and budget cuts.  Does that change your answer?  That is, what steps should a PM take if he feels this will jeopardize project quality?

The answer would be fairly similar. The Project Manager can refer to damage from shortcuts or eliminating aspects. The alternative in this case would be to recommend extending the timeline of the project, allowing the work to get done properly even with the loss of staff due to budget cuts.

c)    In addition to the effects that a rushed project might have on project quality, what kind of short-term and long-term effects might it have on project team members?

A rushed project can have a detrimental effect on employees in a variety of ways. Short term effects can include stress, disillusionment and low morale, and lack of retention of skilled employees. Stress can lead to health problems such as weight loss or gain, trouble sleeping, and memory problems. Over the long term, these health problems can cause years to be taken off a person’s life.

d)    What kind of short-term and long-term effects might it have on the organization or corporation itself?

A rushed project can set the tone for future endeavors. In the short term, if the project is flawed, there could be monetary or publicity issues for the company. If the pattern continues, the company could lose its reputation and potentially lose employees or future employees.

Reply needed 7

Balancing requires project stakeholders to face the facts about what is possible and what is not.  Project management techniques are intended to ensure projects are performed the fastest, cheapest, and best way.  Balancing requires thought, strategy, innovations, and honesty.  Parkinson’s Law from 1957 states “work expands so as to fill the time available for its completion.”  It implies that task goals have a reinforcing effect between pressure and performance: higher level of pressure leads to higher goals, and higher goals generate better performance (i.e. type of pressure relief) (Nan, Harter, & Thomas, 2005).  Software quality is a dimension of project performance.  Quality refers to the lack of errors and bugs and also the extent to which the software meets client’s requirements.  Under an optimal level of pressure, software development PMs can maintain quality while applying schedule pressure to reduce project duration.  Focusing on quality has long term benefits but include a longer project cycle (Hoffman, 2004).  Project managers must ensure the project scope can be realistically achieved under a compressed time frame as business leaders constantly urge the teams to cut corners to deliver needed functionality on time. 

Communicating with executive management to defend the schedule, team and work being done, a PM can encourage the team to find trade-off.  Striving to achieve good development principles early will help development stay ahead of the quality curve.  Following best practices can make a difference in the resulting quality.  Engaging the project owner to discuss quality concerns and the potential risks of deployment typically results in three things (How do you balance between "do it right" and do it ASAP: in our daily work?, 2012):

· The project owner will not accept the risks and will move the schedule to allow more time

· The project owner will not accept the risk but cannot move the schedule. If this happens, negotiation on what features/functionality will be removed from the project scope to spend more time on quality for the other areas.

· The project owner will accept the risks and the low quality software will go out on schedule. Sometimes the business risk of deploying nothing or late is much greater than the risk of deploying low quality software.  Only the project owner can make this decision.

Often a drop in project quality results from overworked team members or excessive schedule pressure.  Quality can also be specifically associated with the scope as scope defines the quality of the project (finished product).  Scope creep can affect both cost and schedule constraints.  Maintaining project quality when there is scope creep typically requires increases in cost and/or schedule (Management-and-the-Triple-Constraints/, 2014).  A PM must clearly define the expectations of the program sponsor or client.  Quality is affected by all three constraints and is therefore, a central theme. 

A project manager must accurately assess the user’s or client’s expectations and determine what is wanted and then deliver it (Millman, 2000).  Deciding between fast and right depends on the project’s and the client’s requirements.  Often most PMs will first reduce costs, then maintain or accelerate the schedule, and finally balance resources but not at the expense of quality. 

Successful PMs will use one constraint as a gauge for the condition of the other two constraints.  Project managers must become good facilitators and help business executives understand the risks of cutting corners.  Often scope changes can result in schedule improvement as adding resources will not improve the schedule.  A lot of distrust exists between those receiving the product and the actual team doing the work.  Sometimes the better question for management is “how much money are you willing to game for this amount of scope?”, instead of “when will this be done?”.

References

Hoffman, T. (2004, February 16). Balancing act. Retrieved July 4, 2016, from Computerworld: http://www.computerworld.com/article/2574985/it-management/balancing--act.html

How do you balance between "do it right" and do it ASAP: in our daily work? (2012, December 5). Retrieved July 4, 2016, from Programmers Stack Exchange: http://programmers.stackexchange.com/questions/178352/how-do-you-balance-between-do-it-right-and-do-it-asap-in-your-daily-work

Management-and-the-Triple-Constraints/. (2014, October 14). Retrieved July 4, 2016, from Ten Six: https://tensix.com/2014/10/management-and-the-triple-constraints/

Millman, H. (2000, Setember 18). Choosing Fast vs. Right. Retrieved July 4, 2016, from InfoWorld: https://books.google.com/books?id=Ez8EAAAAMBAJ&pg=PT46&lpg=PT46&dq=balancing+speed,+cost,+and+money+%2B+project+manager&source=bl&ots=51hODfNCKA&sig=aicqZLAha7_Fwv4IBc_26ri53AQ&hl=en&sa=X&ved=0ahUKEwie9Jfwj9rNAhVHyT4KHWjvAg0Q6AEIUjAI#v=onepage&q=balancing

Nan, N., Harter, D. E., & Thomas, T. (2005, May 3). Impact of Schedule and Budget Pressure on Software Development Performance. Retrieved July 4, 2016, from Tulane University: http://info.freeman.tulane.edu/iom/seminarpapers/pressure_05_03_05.pdf

Reply needed 8

In project management there is something called the triple constraint, or project management triangle.  Key attributes of this triangle are; time, cost and quality.  Basically no matter how hard you try, whatever you do to one side WILL affect the other.  Most of the time, the key stakeholders are the reasons why one side gets affected.  It is imperative that the project manager explain this system to the stakeholders so that they understand when the budget or time is cut, it will affect the quality of the project.  More often than not, this will cause the stakeholders to reconsider their actions or adjust something (Tomtsongas, 2011). (Tomtsongas, 2011)

As for how a rushed project would affect team members both short and long term, it will certainly make their lives more stressful and could even damage their career if the project fails.  However, this will be a perfect opportunity for managers and staff to make the most of what they’ve been given.  “Creative solutions in a crisis are where professionals can stand out” (Crowe, 2016). 

Short term effects on the organization would be that if the project was a failure due to budget/schedule/staff cuts, they would be hesitant to start another project any time soon.  The organization might also be hurting financially.  In the long term, hopefully the organization will have learned from their mistakes and not make the same ones for future projects. 

References:

Crowe, A. (2016, March 23). Your project budget just got slashed, now what? How to do more with less. Retrieved from https://www.liquidplanner.com/blog/less-project-gets-slashed/

Tomtsongas. (2011, May 2). Scope, time and cost – Managing the triple constraint. Retrieved from https://programsuccess.wordpress.com/2011/05/02/scope-time-and-cost-managing-the-triple-constraint/

Reply needed 9

a)    If faced with increasing pressure to get a project done ahead of time, what steps should a project manager take if he feels this will jeopardize project quality?

The very first thing that has to done is notify the executives of the consequences of getting the project done ahead of time, at this point. Those consequences should include the level of technical expertise that will possibly not be available, due to change in the time line and detail how this change may be small to them, but would drastically affect the quality of the entire project. Explain how cutting the time cuts the quality and therefore will cause additional cost in re-accomplishing the entire or major parts of the project sooner than they may be planning to perform upgrades or additions.

b)    Suppose that rather than time, the pressure is to do more with less, that is to accomplish the same scope with staff cuts and budget cuts.  Does that change your answer?  That is, what steps should a PM take if he feels this will jeopardize project quality?

Yes, it does change part of my answer. Working with less money is different than cutting corners for time sake. I would sit down with the executive and show them based on their initial requirements and new budget, what we could accomplish without sacrificing quality. It may be a situation where we will have to do their overall project in stages or phases in order to work within their budget. I would not sacrifice my name or business by just saying yes and know that I wouldn’t be able to do the job in the allotted time and not deliver quality product or services.

c)    In addition to the effects that a rushed project might have on project quality, what kind of short-term and long-term effects might it have on project team members?

If your project team pool is limited, it is very important to make sure that you aren’t overworking or over extending your personnel or resources. If they are in overdrive for too long, that in itself can cause their quality of work to drop or be negatively affected. If you always have your team rushing while working projects, that a sign that you as PM are not managing your team effectively or managing customer expectations. I feel that short periods of time of working longer hours are okay as long as that is not the standard. Sometimes unexplained circumstances or situations arise that drive or push up a project’s time line. Proper planning helps to minimize these types of issues.

d)    What kind of short-term and long-term effects might it have on the organization or corporation itself?

I think that when you are talking about the effects on an organization from rushing time-lines, you are talking about a corporation’s bottom line. If you are talking about how you are affected, both long and short term as the PM/contractor, you are putting your reputation on the line. Word of mouth is the best way of advertising whether it’s done at a cookout, little league game or on the golf course at a corporate event. Negative feedback or advertising from someone you know or who may be in your circle via an extension, can severely impact a business and ultimately cost money. Isolated incidents are a little easier to overcome than repeated history of overworked employees and broken suspense and timelines. People spend money with people they are comfortable with, who they feel that they can trust with their business and resources. I would rather be known as honest and dependable, verse meek and inconsistent.

 

Darnall, R., & Preston, J. (2010). Project Management from Simple to Complex.

Reply needed 10

Explain this statement: “While it is possible to develop a perfectly secure IS, it is highly unlikely and usually not cost effective to do so”. Provide some examples.

While it is possible to develop a perfectly secure Information Security, it is highly unlikely and usually not cost effective to do so. It is no small risk to have unsecured IS. In the textbook there was a survey by the Ponemon Institute from 2009 that reported “data breaches cost enterprise organizations an average of $6.6 million per year with an average of $202 per record compromised in a breach” (Lane, 2011). Breaches like this definitely highlight the cost of risk, but there is also a substantial cost for mitigating risk. Due to security’s profile of never being discussed until something is wrong, a lot of enterprises will cut IS’s budget. This business attitude makes it highly unlikely that IS will be perfectly secure. Another factor into why risk mitigation is more effective than pure risk elimination is the correlating restrictions it puts on business tasks. For example, a previous company of mine had a very good spam filter. However, sometimes a malicious email would reach the inbox of a user. At one time, there was one very convincing whaling email that got through. Whaling is a phishing email that involves a hacker pretending to be an executive. This “executive” asks an employee to pay company money or confirm company information. Whaling is a socially engineered attack that preys on those who will react immediately at an email from an executive (Boulton, 2016). At my old company, a hacker had spoofed the CEO in an email, and asked an accounting manager to go to a banking site and confirm payment information. Due to a security awareness program at that company, the accounting manager was suspicious of this spoofed email. Training the employees to be aware of red flags in emails is mitigating risk. How would one eliminate risk in this situation? It would be highly unlikely that a company would forego email communications just to ensure no further whaling emails were received. Removing email from a company would also be extremely damaging to business communications, and therefore not cost-effective. One other example of a never-perfect Information Security is the internet. Many businesses require internet usage to communicate with vendors, research information on websites, and maintain financials through SaaS. There are many threats to using the internet: bots, keyloggers, Trojans, even toolbars can all be downloaded without the user realizing it. To give some more information about potential threats, keyloggers can steal information right off the user’s computer and sell it (Brandt, 2006). This is extremely damaging to a company. Would a company be willing to remove all internet use to create a perfectly secure IS? No, because that would be extremely damaging to the company as well. Instead of implementing a 100% secure IS, risk mitigation is a much more realistic strategy. Mitigating risk is the balance between allowing business to work as intended, and protecting company information and infrastructure. Mitigation will allow most high-threat risks to be blocked, but also allow business to work as intended.

References Boulton, l. (2016, April 21). Whaling emerges as major cybersecurity threat. Retrieved from CIO:

http://www.cio.com/article/3059621/security/whaling-emerges-as-major-cybersecurity-threat.html

Brandt, A. (2006, June 22). The 10 Biggest Security Risks You Don't Know About. Retrieved from

PCWorld: http://www.pcworld.com/article/126083/article.html

Lane, D. (2011). The Chief Information Officer's Body of Knowledge: People, Process, and Technology.

Hoboken, New Jersey: John Wiley & Sons.

Reply needed 11

“While it is possible to develop a perfectly secure IS, it is highly unlikely and usually not cost effective to do so”.  Provide some examples.

I like the statement above because some non-IT bosses do not understand the relationship between perfect security and user access. For those not familiar with the DOD networks, we have 3 main ones (there are more, but no need to get into the weeds) which are Non-classified Internet Protocol (NIPR), Secret Internet Protocol (SIPR), and Joint Worldwide Intelligence Communications System (JWICS). The NIPR contains the For Official Use Only data and has the majority of DOD users, SIPR requires a need to know and will be required for those in key positions (Operations Officer, Company Commanders, and so forth). JWICS is typically associated with Top Secret information and requires a need to know and has the smallest amount of users. With NIPR and SIPR you'll be granted network access and provided an email address, but with JWCIS just because you have access to specific information doesn't mean you have an email account.

All three systems are independent of each other and, in general (there are exceptions) one network is not accessible to any of the others. In 2008 the DOD was seeing a lot of virus on SIPR due to users not following protocol and connecting usb flash drives between networks. I remember having to format all drivers and reinstall the operating system on all our equipment. The issue we ran into was there is a need for us to use the usb port. For example we conduct reconnaissance and need to transfer the pictures from the digital camera to our tactical laptops, then transmit those pictures over a tactical radio signal, but due to the current restrictions our capability became reduced.

Prior to 2008 many small unit leaders were willing to accept the risk of connecting a tactical radio network into their enterprise network. After 2008, the ability of small unit leaders to assess and accept or decline risks to the network was taken away. Some understood and others questioned the usb connectivity order. This made my task of enforcing the rule and finding alternate methods very time consuming.

I think this was a good time to see how a perfectly secure network actually is and how difficult it becomes to accomplish daily tasks are. Operations depended on the photos we took in the field as it helped formulate a cohesive plan. When usb devices were banned from the network, we had to revert to using words in describing what a single picture could do. For this situation we used a personal laptop to transfer pictures, then use a government issued tactical laptop with an internal webcam to take a picture of the personal laptop screen with the image. This was our method for getting the pictures to the think shed while not breaking any rules.

About a year later we were able to connect certain devices to the usb port and I feel that many understood that a perfectly secure network is not a very user friendly one.

https://www.wired.com/2008/11/army-bans-usb-d/