Question 1 & 2 on Workplace Security - Introduction to security: Operations and management

profileMzjc
unitivsg.pdf

BCJ 4385, Workplace Security 1

UNIT IV STUDY GUIDE

Information, Communications, and Computer Security

Course Learning Outcomes for Unit IV Upon completion of this unit, students should be able to:

1. Examine the function of information security management and how it plays a role in assessing vulnerabilities to critical information.

2. Analyze various information protection strategies and how these can play a role in the prevention of cybercrimes.

3. Outline strategies for safeguarding information including the protection strategies of physical security, administrative controls, and logical controls.

Unit Lesson General Overview Information is an asset for organizations that exists in various forms (critical, propriety, intellectual, and digitized). Thus, securing the various forms of information are priorities for organizations. Laws such as the Fair Credit Reporting Act were created to help protect information from improper use, but such measures are insufficient in providing the level of protection needed to secure organizational information. Organizations use various tools and strategies to ensure information security (INFOSEC) which is the protection of “information assets and systems against any internal or external threat that might endanger them” (Ortmeier, 2013, p.135). INFOSEC risk assessments and analyses are conducted to identify the threats against organizational information that may exist and information protection strategies are implemented to protect against and respond to the identified threats. Protection strategies range from control strategies (discretionary access control, mandatory access control: hierarchical and non-hierarchical, operations security) to personnel security (information protection-related agreements) which includes information security legislation (e.g., National Security Decision Directive 298), classification systems for business information (e.g., sensitive compartmented information protocols), information security policies, and copyrights, patents, and trademarks. Communication security (COMSEC) is important for any information transmitted regardless of the medium (e.g., voice, electronic, impulses, microwave, etc.). Computer security is concerned with information accessible through computers. Maintaining computer security is a complicated task because information can be accessed locally and remotely through numerous means. The term cybercrime was coined to identify the crimes that are associated with using the internet to illegally gain access to information that is used in crimes (e.g., hacking, email wiretappings, phishing, and vishing). Thus one can image that one of the greatest challenges related to computer security is securing computer databases from internal and external threats. Government agencies have added issues of protection threats against their agencies and their personnel. To aid all organizations in maintaining computer

Reading Assignment Chapter 6: Information, Communications, and Computer Security

Learning Activities (Non-Graded) See information below.

Key Terms Refer to the key terms within the textbook.

BCJ 4385, Workplace Security 2

security various computer protection strategies are utilized (physical security, administrative controls, and logical controls: passwords, firewalls, malware). Research has suggested strategies for safeguarding sensitive computer information (e.g., Carroll’s 10 strategies) and the federal government has enacted legislation to research and develop cyber security measures (e.g., the Cyber Security Research and Development Act of 2002). Existing strategies and the continued development of future strategies are necessary to ensure that information, communication, and computer security is maintained in organizations.

References: Ortmeier, P.J. (2013). Introduction to security: Operations and management

(4th ed.). Upper Saddle River, NJ: Pearson. Questions to Consider

1. What types of information assets are used by organizations? 2. What types of information security tools and strategies do

organizations use to secure their information assets? 3. What types of legislation has been enacted in the United States to

assist with information security and what policies have resulted? 4. What is communication security? What is computer security? How are

communication and computer security related? 5. What are the various types of cybercrime that exist? 6. What are the challenges associated with maintaining computer

security? 7. What computer protection strategies and policies have been suggested

and enacted? 8. What additional research and development is needed in the area of

cyber security?

Learning Activities (Non-Graded)

1. Think about the various organizations in your community that process a lot of information. Pick one organization and conduct an INFOSEC risk assessment and analysis. You can search the internet for ideas about what specific criteria are assessed, instructions about how the assessments and analyses are conducted, and examples of the finished product. Were there any identified risks that surprised you? Were there risks that you expected to find that you did not?

2. As a continuation of activity #1, brainstorm about the information protection strategies that you would utilize to protect the organization’s information assets. What control strategies would you use? What information security legislation is relevant and what related policies would you implement? How would you ensure personnel security associated with the organization’s information assets?

3. As a continuation of activity #2, select one of the current hacking examples and explore the computer protection strategies that were implemented, should have been implemented, and will need to be implemented in the future. Are any of Carroll’s 10 strategies applicable? What type of security research is needed and what types of strategies, policies and/or programs should be developed?

Non-graded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.