In: Computer Science
An enterprise security plan is a document that explains the security exposure an entity faces in a specific marketplace. A committee typically writes this document over a span of a few months. The drafts often begin with a high-level overview of strategic objectives that address how to secure the enterprise both internally and externally.
The CEO asks you to explain the core principles of enterprise security and respond to five strategic objectives as part of the overall enterprise system security plan draft. They are:
Data loss prevention
Access controls
Data management
Risk management
Cloud technology
For each of the five strategic objectives, write a response that addresses the following:
Key initiative: Why is this topic important to Auburn Regional?
Objectives: What is the desired outcome to this effort?
Description: What is the specific strategic objective? Provide a high-level explanation.
Benefits: What will be the benefits of this effort?
Outcome: What will be done to meet this objective?
Include any charts, graphics, or infographics created in previous weeks that support your findings.
Compile your response with the following:
An updated executive summary
A final recommendation
At least three new references throughout your plan overview, cited according to APA guidelines.
Incorporate feedback and use previous assignments as a resource. As a guideline, an overview of this nature is typically 3 to 4 pages long.
Popular DLP Tools
Symantec DLP
Symantec DLP gives businesses the ability to see how and where information is kept in an organization. It is a scalable software suite that can monitor mobile, cloud and multiple endpoints, and it remains effective even when employees are offline.
McAfee DLP
McAfee's DLP solution (a part of Intel Security) protects intellectual property and helps compliance efforts by protecting sensitive information. It monitors data on premises, in the cloud, or at endpoints.
Check Point DLP
Check Point DLP educates businesses and individuals so that they can act efficiently and quickly to prevent data loss. It offers a centralized management console and provides preconfigured rules for easier implementation.
Digital Guardian DLP
Digital Guardian DLP is compatible with Mac, Windows and Linux endpoints and can manage a large number of workstations. It is available as a cloud-based or on-premises system.
Basic Components of an Access Control System
Access control systems vary widely in type and complexity. However, most card access control systems consist of at least the following basic components:
Access Cards
The access card may be thought of as an electronic "key". The access card is used by persons to gain access through the doors secured by the access control system. Each access card is uniquely encoded. Most access cards are approximately the same size as a standard credit card, and can easily be carried in a wallet or purse.
Card Readers
Card readers are the devices used to electronically "read" the access card. Card readers may be of the "insertion" type (which require insertion of the card into the reader), or of the "proximity" type (which only require that the card be held within 3" to 6" of the reader). Card readers are usually mounted on the exterior (non-secured) side of the door that they control.
Access Control Keypads
Access control keypads are devices which may be used in addition to or in place of card readers. The access control keypad has numeric keys which look similar to the keys on a touch-tone telephone.
The access control keypad requires that a person desiring to gain access enter a correct numeric code. When access control keypads are used in addition to card readers, both a valid card and the correct code must be presented before entry is allowed.
Where access control keypads are used in place of card readers, only a correct code is required to gain entry.
Electric Lock Hardware
Electric lock hardware is the equipment that is used to electrically lock and unlock each door that is controlled by the access control system.
There are a wide variety of different types of electric lock hardware. These types include electric locks, electric strikes, electromagnetic locks, electric exit devices, and many others. The specific type and arrangement of hardware to be used on each door is determined based on the construction conditions at the door.
In almost all cases, the electric lock hardware is designed to control entrance into a building or secured space. To comply with building and fire codes, the electric lock hardware never restricts the ability to freely exit the building at any time.
Access Control Field Panels
Access control field panels (also known as "Intelligent Controllers") are installed in each building where access control is to be provided. Card readers, electric lock hardware, and other access control devices are all connected to the access control field panels.
The access control field panels are used to process access control activity at the building level. The number of access control field panels to be provided in each building depends on the number of doors to be controlled. Access control field panels are usually installed in telephone, electrical, or communications closets.
Access Control Server Computer
The access control server computer is the "brain" of the access control system. The access control server computer serves as the central database and file manager for the access control system; and is responsible for recording system activity, and distributing information to and from the access control field panels.
Normally, a single access control server computer can be used to control a large number of card-reader controlled doors.
The access control server computer is usually a standard computer which runs special access control system application software. In almost all cases, the computer is dedicated for full-time use with the access control system.
A Simple Access Control System
To explain the concept of a simple access control system, we will use a fictitious building, called the "Administration Building", as an example.
The management of the Administration Building has decided to install an access control system to improve security conditions at the building. Mary Simpson, the “security coordinator” for the building, has been assigned responsibility for implementing and managing the access control system.
There are two primary entrance doors to the Administration Building; one at each end of the building. Mary wants to control access through each of these doors.
There is a computer room located on the First Floor of the Administration Building. A single door leads from the main hallway into the computer room. Because of the sensitive nature of the equipment in the computer room, Mary wants to control access through this door.
Mary contacts the access control vendor to arrange for the installation of her system. The vendor, working with Mary, determines that three card readers will be required: one at the front building entrance door, one at the back building entrance door, and one at the door to the computer room. Mary decides to use insertion type card readers without keypads.
In addition to the card readers, each of the controlled doors will require the installation of electric lock hardware. A survey of the doors indicates that standard electric door strikes can be used.
To operate the three card readers at the Administration Building, one access control field panel is required. Mary decides to have this panel installed in a telephone closet that is centrally located within the building. Wiring will be installed between each of the card reader controlled doors and the access control field panel.
The vendor recommends that the Administration Building install a stand-alone access control server computer to operate the control system. Because Mary will be responsible for managing the access control system, she decides to locate the access control server computer in her office.
Mary makes arrangements with the vendor for the purchase of the system, and schedules to have the installation begin.
Access Control System Set-up and Operation
The vendor has completed the installation of the access control system at the Administration Building.
Mary, as security coordinator, will have day-to-day responsibility for managing the system. Before the system can be put into use, Mary must set-up or "define" the access control system software.
Set-up of the access control software is accomplished at the host computer. Set-up of the software involves setting various access control system parameters to meet the specific requirements of the building in which the system is installed.
Mary has already issued access cards to each of the tenants who will have access to the Administration Building. The first step in setting up the access control system is to "validate" each of the access cards. To validate the access cards, Mary must tell the access control system at what doors each of the cards can be used, and at what times.
The access control system allows a great deal of flexibility in "tailoring" the access privileges assigned to each card:
Mary sits down in front of the access control server computer and begins to validate each of the access cards. Here are several examples of the different access card privileges that Mary will assign:
Sally Strong:
Sally is a regular office worker at the Administration Building. Sally normally works Monday through Friday, 8:00 A.M. to 5:00 P.M.
Mary assigns privileges to Sally's card to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors. Sally does not require access to the computer room, so her card does not allow access through that door.
Susan Bright:
Susan is also a regular office worker at the Administration Building. Susan normally works Monday through Friday, 8:00 A.M. to 5:00 P.M. Every Wednesday afternoon, Susan substitutes for a computer operator who works in the computer room.
Mary assigns privileges to Susan's card to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors. In addition, Susan's card is also defined to allow access into the computer room door from 11:00 A.M. to 5:00 P.M. on Wednesdays only.
John Smith:
John is the manager of computer operations, and requires seven day a week, 24 hour per day access to all doors of the Administration Building, including the computer room.
Mary assigns privileges to John's card to allow 24 hours per day, 365 day per year access through all doors.
Bill Nelson:
Bill is a part-time worker that comes in to work only on Monday and Tuesday nights.
Mary assigns privileges to Bill's card that allows access Monday and Tuesday, 5:00 P.M. to 11:00 P.M., at the building entrance doors to the Administration Building. Bill does not work in the computer room, so his card will never allow access through that door.
Mike Able:
Mike is a technician for a computer company. Mike is working on a computer installation in the Administration Building computer room. The computer installation is expected to begin on June 1st, and is expected to be completed by June 15th. Mary assigns Mike's card access privileges for the computer room door, Monday through Friday, 8:00 A.M. to 5:00 P.M. Mike's access privileges will begin on June 1, and will automatically expire on June 15.
As Mary begins to validate each of the access cards, she soon realizes that many of the cards in her system will receive identical access privileges. For example, all of the regular office workers will be given the same access privileges as Sally Strong.
To save time, the access control software allows the creation of "clearance codes". Clearance codes are pre-defined sets of access privileges. Once a clearance code has been created, it can be assigned to any number of access cards. Clearance codes can be given a name. Usually this name is a short description that corresponds with the intended use of the clearance code.
For example, Mary might create a clearance code and name it "Regular Office". She would set this clearance code to allow access Monday through Friday, 7:00 A.M. to 6:00 P.M. at the building entrance doors.
When validating Sally Strong's card, Mary would simply assign it the clearance code "Regular Office". This would give Sally exactly the access privileges that she needs. All of the other office workers who required access privileges identical to Sally's would also be assigned the "Regular Office" clearance code.
Mary will create several clearance codes corresponding to the various categories of tenants that have access to the Administration Building.
Validating each of the access cards requires at least three entries: the access card number, the cardholder's name, and at least one clearance code. The use of standard clearance codes will allow Mary to validate a large number of access cards in a short period of time.
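The validation and decision logic described above, written out as an added example that is not from the original page or from any vendor's software. It models clearance codes as named sets of door privileges with weekday and time-of-day windows, cards as the three required entries plus an optional validity period (Mike Able's June 1 to June 15 access), and a default-deny decision that returns the reason the server would record in its activity log. Card numbers, door identifiers and the schedule format are assumptions made for illustration.

```python
"""Added example: a minimal model of the access control server's validation
and decision logic for the Administration Building.  Card numbers, door
identifiers and the schedule format are assumptions made for illustration;
they are not from the original page or any vendor's software."""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, Optional, Tuple

# Door identifiers (constructed): the three card-reader controlled doors.
FRONT, BACK, COMPUTER_ROOM = "front-entrance", "back-entrance", "computer-room"

WEEKDAYS = frozenset(range(5))   # Monday..Friday (datetime.weekday(): 0 = Monday)
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class Window:
    """Days of the week and an inclusive time-of-day range in which a door may be opened."""
    days: frozenset
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class ClearanceCode:
    """A named, reusable set of privileges: door -> windows in which it may be used."""
    name: str
    doors: Dict[str, Tuple[Window, ...]]


def entrances(days: frozenset, start: time, end: time) -> Dict[str, Tuple[Window, ...]]:
    """The same window at both building entrance doors."""
    window = (Window(days, start, end),)
    return {FRONT: window, BACK: window}


# Clearance codes Mary defines once and then assigns to any number of cards.
REGULAR_OFFICE = ClearanceCode("Regular Office", entrances(WEEKDAYS, time(7), time(18)))
WEDNESDAY_OPERATOR = ClearanceCode(
    "Wednesday Operator", {COMPUTER_ROOM: (Window(frozenset({2}), time(11), time(17)),)})
EVENING_PART_TIME = ClearanceCode(
    "Evening Part Time", entrances(frozenset({0, 1}), time(17), time(23)))
ALL_ACCESS = ClearanceCode("All Access", {
    **entrances(ALL_DAYS, time.min, time.max),
    COMPUTER_ROOM: (Window(ALL_DAYS, time.min, time.max),),
})
CONTRACTOR_COMPUTER_ROOM = ClearanceCode(
    "Contractor Computer Room", {COMPUTER_ROOM: (Window(WEEKDAYS, time(8), time(17)),)})


@dataclass(frozen=True)
class Card:
    """The three entries validation requires, plus an optional validity period."""
    number: str
    holder: str
    clearances: Tuple[ClearanceCode, ...]
    valid_from: Optional[date] = None   # Mike's card is only valid June 1..15
    valid_to: Optional[date] = None


# Mary's validated cards (card numbers are constructed for the example).
CARDS: Dict[str, Card] = {c.number: c for c in (
    Card("1001", "Sally Strong", (REGULAR_OFFICE,)),
    Card("1002", "Susan Bright", (REGULAR_OFFICE, WEDNESDAY_OPERATOR)),
    Card("1003", "John Smith", (ALL_ACCESS,)),
    Card("1004", "Bill Nelson", (EVENING_PART_TIME,)),
    Card("1005", "Mike Able", (CONTRACTOR_COMPUTER_ROOM,),
         valid_from=date(2024, 6, 1), valid_to=date(2024, 6, 15)),
)}


def decide(cards: Dict[str, Card], card_number: str, door: str, when: datetime) -> Tuple[bool, str]:
    """Decide one access request as the field panel would: deny by default, and
    grant only if the card is known, inside its validity period, and one of its
    clearance codes covers this door at this moment.  The reason string is what
    the server would record in its activity log."""
    card = cards.get(card_number)
    if card is None:
        return False, "unknown card"
    if card.valid_from is not None and when.date() < card.valid_from:
        return False, "card not yet valid"
    if card.valid_to is not None and when.date() > card.valid_to:
        return False, "card expired"
    for code in card.clearances:
        for window in code.doors.get(door, ()):
            if window.covers(when):
                return True, f"granted by clearance '{code.name}'"
    return False, "no clearance for this door at this time"


if __name__ == "__main__":
    wednesday_afternoon = datetime(2024, 6, 5, 13, 0)   # constructed request time
    for number in ("1001", "1002", "1003", "1005", "9999"):
        granted, why = decide(CARDS, number, COMPUTER_ROOM, wednesday_afternoon)
        print(number, COMPUTER_ROOM, "GRANT" if granted else "DENY", "-", why)
```

Because the decision falls through to a denial unless a clearance code explicitly covers the door and the time, a card that is unknown, expired, or simply not assigned a code for a door is refused without any special-case code, which is the property an access control system must preserve as Mary adds more clearance codes and cards.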
Mary finishes entering the information for all of the access cards, and the access control system at the Administration Building is now ready for use.
Mary makes arrangements to conduct orientation sessions for all tenants of the building, and establishes a date when the access control system will be placed into service.
DATA MANAGEMENT SYSTEM
Data management is the practice of collecting, keeping, and using data securely, efficiently, and cost-effectively. The goal of data management is to help people, organizations, and connected things optimize the use of data within the bounds of policy and regulation so that they can make decisions and take actions that maximize the benefit to the organization. A robust data management strategy is becoming more important than ever as organizations increasingly rely on intangible assets to create value.
Data Capital Is Business Capital
In today’s digital economy, data is a kind of capital, an economic factor of production in digital goods and services. Just as an automaker can’t manufacture a new model if it lacks the necessary financial capital, it can’t make its cars autonomous if it lacks the data to feed the onboard algorithms. This new role for data has implications for competitive strategy as well as for the future of computing.
Given this central and mission-critical role of data, strong management practices and a robust management system are essential for every organization, regardless of size or type.
Managing digital data in an organization involves a broad range of tasks, policies, procedures, and practices. The work of data management has a wide scope, covering factors such as how to
A formal data management strategy addresses the activity of users and administrators, the capabilities of data management technologies, the demands of regulatory requirements, and the needs of the organization to obtain value from its data.
Data Management Systems Today
Today’s organizations need a data management solution that provides an efficient way to manage data across a diverse but unified data tier. Data management systems are built on data management platforms and can include databases, data lakes and warehouses, big data management systems, data analytics, and more.
All these components work together as a “data utility” to deliver the data management capabilities an organization needs for its apps, and the analytics and algorithms that use the data originated by those apps. Although current tools help database administrators (DBAs) automate many of the traditional management tasks, manual intervention is still often required because of the size and complexity of most database deployments. Whenever manual intervention is required, the chance for errors increases. Reducing the need for manual data management is a key objective of a new data management technology, the autonomous database.
Data Management Challenges
Most of the challenges in data management today stem from the faster pace of business and the increasing proliferation of data. The ever-expanding variety, velocity, and volume of data available to organizations is pushing them to seek more-effective management tools to keep up. Some of the top challenges organizations face include the following:
RISK MANAGEMENT
Definition
Risk management is a process that allows individual risk events and overall risk to be understood and managed proactively, optimising success by minimising threats and maximising opportunities.
General
All projects, programmes and portfolios are inherently risky because they are unique, constrained, based on assumptions, performed by people and subject to external influences. Risks can affect the achievement of objectives either positively or negatively. Risk includes both opportunities and threats, and both should be managed through the risk management process.
Risk is defined at two levels for projects, programmes and portfolios. At the detailed level, an individual risk is defined as ‘an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more objectives’. In addition, at the higher level of the project, programme or portfolio, overall risk is defined as ‘exposure of stakeholders to the consequences of variation in outcome’ arising from an accumulation of individual risks together with other sources of uncertainty.
The high-level process, as illustrated in figure 3.12 starts with an initiation step that defines the scope and objectives of risk management. A key output from the initiation step is the risk management plan, which details how risk will be managed throughout the life cycle.
Risk management process
Risks are then identified and documented in the risk register. The relative significance of identified risks is assessed using qualitative techniques to enable them to be prioritised for further attention. Quantitative risk analysis may also be used to determine the combined effect of risks on objectives.
The process continues with risk response planning, aiming to avoid, reduce, transfer or accept threats as well as exploit, enhance, share or reject opportunities, with contingency (time, cost, resources and course of action) for risks which cannot be managed proactively. The final step is the implementation of agreed responses.
The whole process is iterative. For example, assessment or response planning can lead to the identification of further risks; planning and implementing responses can trigger a need for further analysis, and so on.
It is also important to identify and manage behavioural influences on the risk process, both individual and group, since these can have a significant impact on risk management effectiveness.
Risk management at project, programme or portfolio level must not be conducted in isolation and must interface with the organisation. Risks at project level may need escalation to programme and portfolio. Risks can also be delegated from higher levels to lower levels.
In addition, P3 risk management must contribute, as appropriate, to both business risk assessments and organisational governance requirements. The P3 manager must be aware of risks that have an effect outside their scope of responsibility, e.g. those that could affect the organisation’s reputation.
The management of general health and safety risks is usually excluded from P3 risk management, as the management of these risks is traditionally handled by a separate function within the organisation.
Project
Risk management at project level is most often focused on individual risks that, should they occur, will affect the project’s objectives. It is, however, also important for the project manager to understand the overall risk exposure of the project, so that this can be reported to the project sponsor and other stakeholders.
Risk management must be closely aligned to schedule management. Cost, time and resource estimates should always take risks into account.
The project manager is accountable for ensuring that risk management takes place. Depending on the size and complexity of the project, a specialist risk manager may be appointed to oversee and facilitate the risk management process.
Programme
The programme will establish a common framework and standards for risk management across the programme. This will enable comparison of risk, reduce the time taken to initiate management processes at project level, and help identify interdependencies between risks across the programme. The common framework will be set out in the programme risk management plan.
Programme risk management is made up of two distinct areas of focus:
Programme risk management addresses any individual risks at project level that, if realised, will have a wider impact. Project risks that cannot be effectively managed within projects and within contingency are escalated to the programme for attention and/or action. In addition, related or common risks within individual projects may combine or aggregate to have an effect at programme level, in which case they also need to be escalated.
Programme risk management also considers any risks delegated from the portfolio or strategic level, as well as risks arising directly at the level of the programme itself. Programme risks are likely to focus on prioritisation of programme components, allocation of resources, interfaces and interactions between programme components, the ability to deliver change management activities within the programme, and cumulative risks arising from the combined impact of the project risks.
Portfolio
Risks at portfolio level are often of such scale that they may have significant impact on the ability of the organisation to operate. Portfolio risk management will focus on two areas:
Project and programme risks that cannot be effectively managed at their originating level may be escalated to the portfolio for responses unavailable at project or programme level.
The portfolio will establish common frameworks and standards for risk management, which will be cascaded to projects and programmes to ensure a common approach and reporting structure. This enables effective comparison of risk, reduces the time taken in initiating risk management processes, and assists with identification of potential conflict in selected responses across the portfolio.
The consideration of risk efficiency is of particular importance to portfolio risk management. The principles of risk efficiency have been established in financial portfolios for many years. They are equally relevant to portfolios of projects and programmes. Ensuring that the portfolio does not expose an organisation to too much risk and is efficient is an important function in the ‘balance’ phase of the portfolio life cycle.
All risk management processes follow the same basic steps, although sometimes different jargon is used to describe these steps. Together these 5 risk management process steps combine to deliver a simple and effective risk management process.
Step 1: Identify the Risk. You and your team uncover, recognize and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step you start to prepare your Project Risk Register.
Step 2: Analyze the risk. Once risks are identified you determine the likelihood and consequence of each risk. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input to your Project Risk Register.
Step 3: Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. You make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register.
Step 4: Treat the Risk. This is also referred to as Risk Response Planning. During this step you assess your highest ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks as well as enhancing the opportunities? You create risk mitigation strategies, preventive plans and contingency plans in this step. And you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register.
Step 5: Monitor and Review the risk. This is the step where you take your Project Risk Register and use it to monitor, track and review risks.
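The five steps above carried through on a small register, as an added example that is not from the original page. It scores each risk on likelihood and consequence, derives magnitude as their product, ranks the register, treats only the risks above an acceptable level and records the residual scores, and re-scores at a review so that a risk that has grown is flagged for treatment. The 1 to 5 scales, the treatment threshold and the risks themselves are constructed for illustration.

```python
"""Added example: a small Project Risk Register that carries constructed
risks through the five steps (identify, analyze, evaluate, treat, monitor).
The 1..5 scales, the treatment threshold and the risks are assumptions made
for illustration, not from the original page."""
from dataclasses import dataclass, field
from typing import List, Optional

TREAT_AT = 10  # assumed: a magnitude of 10 or more is not acceptable without treatment


def _check(value: int, name: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be 1..5, got {value}")
    return value


@dataclass
class Risk:
    """One row of the register: steps 1 and 2 fill in the first four fields."""
    rid: str
    description: str
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    consequence: int                   # 1 (negligible) .. 5 (severe)
    response: Optional[str] = None     # treatment chosen in step 4
    history: List[str] = field(default_factory=list)  # step 5 audit trail

    def __post_init__(self) -> None:
        _check(self.likelihood, "likelihood")
        _check(self.consequence, "consequence")
        self.history.append(f"identified: magnitude {self.magnitude}")

    @property
    def magnitude(self) -> int:
        """Step 3: magnitude combines likelihood and consequence (product scale)."""
        return self.likelihood * self.consequence

    def needs_treatment(self, threshold: int = TREAT_AT) -> bool:
        return self.magnitude >= threshold

    def treat(self, response: str, likelihood: int, consequence: int) -> None:
        """Step 4: record the chosen response and the expected residual scores."""
        before = self.magnitude
        self.likelihood = _check(likelihood, "likelihood")
        self.consequence = _check(consequence, "consequence")
        self.response = response
        self.history.append(f"treated: {response}; magnitude {before} -> {self.magnitude}")

    def review(self, likelihood: int, consequence: int, note: str) -> bool:
        """Step 5: re-score at a review; True means the risk now needs (re)treatment."""
        before = self.magnitude
        self.likelihood = _check(likelihood, "likelihood")
        self.consequence = _check(consequence, "consequence")
        self.history.append(f"review ({note}): magnitude {before} -> {self.magnitude}")
        return self.needs_treatment()


def rank(register: List[Risk]) -> List[Risk]:
    """Step 3: highest magnitude first; ties broken by id for a stable report."""
    return sorted(register, key=lambda r: (-r.magnitude, r.rid))


def build_register() -> List[Risk]:
    """Steps 1 and 2: constructed risks with their initial scores."""
    return [
        Risk("R1", "Internet-facing server left unpatched and exploited", 4, 5),
        Risk("R2", "Key supplier misses hardware delivery date", 3, 3),
        Risk("R3", "Backup restore fails during disaster-recovery test", 2, 5),
        Risk("R4", "Staff turnover delays the rollout", 3, 2),
    ]


def run_process() -> List[Risk]:
    """Carry the register through steps 3 to 5 once and return it ranked."""
    register = build_register()
    by_id = {r.rid: r for r in register}
    # Step 4: treat only the risks ranked at or above the acceptable level.
    if by_id["R1"].needs_treatment():
        by_id["R1"].treat("reduce: 7-day patch SLA plus web application firewall", 2, 4)
    if by_id["R3"].needs_treatment():
        by_id["R3"].treat("reduce: quarterly restore drills with a documented runbook", 1, 5)
    # Step 5: a later review finds the supplier risk has grown and now needs treatment.
    by_id["R2"].review(4, 3, "month 2 review")
    return rank(register)


if __name__ == "__main__":
    for risk in run_process():
        flag = "TREAT" if risk.needs_treatment() else "accept"
        print(f"{risk.rid} magnitude={risk.magnitude:2d} {flag:6s} {risk.description}")
```

The history list is what makes the register useful in step 5: every score change is kept with the reason, so a reviewer can see why a risk moved above or below the threshold rather than only its current rank.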
Risk is about uncertainty. If you put a framework around that uncertainty, then you effectively de-risk your project. And that means you can move much more confidently to achieve your project goals. By identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be reduced and golden opportunities discovered. The risk management process also helps to resolve problems when they occur, because those problems have been envisaged, and plans to treat them have already been developed and agreed. You avoid impulsive reactions and going into “fire-fighting” mode to rectify problems that could have been anticipated. This makes for happier, less stressed project teams and stakeholders. The end result is that you minimize the impacts of project threats and capture the opportunities that occur.
CLOUD TECHNOLOGY
What is cloud computing?
Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS).
Who is using cloud computing?
Organizations of every type, size, and industry are using the cloud for a wide variety of use cases, such as data backup, disaster recovery, email, virtual desktops, software development and testing, big data analytics, and customer-facing web applications. For example, healthcare companies are using the cloud to develop more personalized treatments for patients. Financial services companies are using the cloud to power real-time fraud detection and prevention. And video game makers are using the cloud to deliver online games to millions of players around the world.
Agility
The cloud gives you easy access to a broad range of technologies so that you can innovate faster and build nearly anything that you can imagine. You can quickly spin up resources as you need them–from infrastructure services, such as compute, storage, and databases, to Internet of Things, machine learning, data lakes and analytics, and much more.
You can deploy technology services in a matter of minutes, and get from idea to implementation several orders of magnitude faster than before. This gives you the freedom to experiment, test new ideas to differentiate customer experiences, and transform your business.
Elasticity
With cloud computing, you don't have to over-provision resources up front to handle peak levels of business activity in the future. Instead, you provision the amount of resources that you actually need. You can scale these resources up or down instantly to grow and shrink capacity as your business needs change.
Cost savings
The cloud allows you to trade capital expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it. Plus, the variable expenses are much lower than what you would pay to do it yourself because of the economies of scale.
Deploy globally in minutes
With the cloud, you can expand to new geographic regions and deploy globally in minutes. For example, AWS has infrastructure all over the world, so you can deploy your application in multiple physical locations with just a few clicks. Putting applications in closer proximity to end users reduces latency and improves their experience.
Types of cloud computing
The three main types of cloud computing include Infrastructure as a Service, Platform as a Service, and Software as a Service. Each type of cloud computing provides different levels of control, flexibility, and management so that you can select the right set of services for your needs.
Infrastructure as a Service (IaaS)
IaaS contains the basic building blocks for cloud IT. It typically provides access to networking features, computers (virtual or on dedicated hardware), and data storage space. IaaS gives you the highest level of flexibility and management control over your IT resources. It is most similar to the existing IT resources with which many IT departments and developers are familiar.
Platform as a Service (PaaS)
PaaS removes the need for you to manage underlying infrastructure (usually hardware and operating systems), and allows you to focus on the deployment and management of your applications. This helps you be more efficient as you don’t need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running your application.
Software as a Service (SaaS)
SaaS provides you with a complete product that is run and managed by the service provider. In most cases, people referring to SaaS are referring to end-user applications (such as web-based email). With a SaaS offering, you don’t have to think about how the service is maintained or how the underlying infrastructure is managed. You only need to think about how you will use that particular software.