College of Information Systems & Technology
CMGT/430
Enterprise Security
Copyright © 2010, 2009, 2008, 2006, by University of Phoenix. All rights reserved.
Course Description
This course covers the managerial and technical considerations related to access controls, authentication, external attacks, and other risk areas facing the enterprise. This course will also survey the techniques to prevent unauthorized computer and facility access as well as the concepts for protecting the hardware and software assets of the enterprise.
Policies
Faculty and students/learners will be held responsible for understanding and adhering to all policies contained within the following two documents:
University policies: You must be logged into the student website to view this document.
Instructor policies: This document is posted in the Course Materials forum.
University policies are subject to change. Be sure to read the policies at the beginning of each class. Policies may be slightly different depending on the modality in which you attend class. If you have recently changed modalities, read the policies governing your current class modality.
Course Materials
Beekman, G., & Beekman, B. (2010). Tomorrow’s technology and you (9th ed.). Prentice Hall.
Dunn, C. L., Cherrington, J. O., & Hollander, A. S. (2004). Enterprise information systems: A pattern-based approach (3rd ed.). New York, NY: McGraw-Hill.
McCarthy, M. P., Flynn, T. P., & Brownstein, R. (2004). Risk from the CEO and board perspective. New York, NY: McGraw-Hill.
McNurlin, B. C., Sprague, R. H., & Bui, T. (2009). Information systems management in practice (8th ed.). Upper Saddle River, NJ: Pearson Education.
O’Brien, J. A., & Marakas, G. (2009). Management information systems (9th ed.). New York, NY: McGraw-Hill.
Article References:
Shaw, R. (2009). Intrusion prevention systems market trends. Faulkner Information Services.
Barr, J. G. (2009). RFID technology. Faulkner Information Services.
Barr, J. G. (2007). The standard of good practice for information security. Faulkner Information Services.
Ferraiolo, D. F., Chandramouli, R., Ahn, G., & Gavrila, S. I. (2003). The role control center: Features and case studies. Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, 12-20.
Drumheller, R. (2008). Biometrics: Fingerprint technology. Faulkner Information Services.
Greiner, L. (2007). Iris scan technology. Faulkner Information Services.
Drumheller, R. (2007). Conducting a business impact analysis. Faulkner Information Services.
Ulasien, P. (2008). IT security audits best practices. Faulkner Information Services.
All electronic materials are available on the student website.
Week One: Enterprise System Architecture—Overview
Details
Due
Points
Objectives
1.1 Understand the unique design, operation, and management conditions associated with an Enterprise System Architecture (ESA).
1.2 Identify core operational priorities associated with the development and management of cross-functional enterprise systems.
1.3 Recognize the major elements of Enterprise Application Architecture (EAA).
1.4 Examine major security issues associated with Enterprise Application Integration (EAI) and Enterprise Collaboration Systems (ECS).
Readings
Read Ch. 1, “Our Digital Planet”, in Tomorrow’s Technology and You.
Read Ch. 2, “Hardware Basics: Inside the Box”, in Tomorrow’s Technology and You.
Read Ch. 3, “Hardware Basics: Peripherals”, in Tomorrow’s Technology and You.
Read Ch. 4, “Software Basics: The Ghost in the Machine”, in Tomorrow’s Technology and You.
Read Ch. 7, “E-Business Systems”, in Management Information Systems.
Read the Week One Read Me First.
Read this week’s Electronic Reserve Readings.
Participation
Participate in class discussion.
07/13
2
In Class Quiz
Reading Quiz on readings.
07/13
2
Learning Team Instructions
Learning Team Charter
Complete the Learning Team Charter.
07/13
2
Learning Team Instructions
The study of enterprise security is not complete without an exercise attempting to build a credible assessment of various risks as they affect enterprise security.
This Learning Team Project requires students to develop a semi-quantitative, weighted analysis that generates a comprehensive threat/vulnerability analysis of enterprise security, along with appropriate security measures and recommendations. Additionally, the readings provide background information supporting various techniques, as well as how to do assessments, how to create rankings, and so forth. These readings should be previewed as early as possible, rather than waiting for the specific week. The Enterprise Security Plan is due in Week Five.
Select one of the companies in the Virtual Organization Portal.
As a Learning Team, brainstorm the risks that an Enterprise IT organization faces. Provide examples of risks, in no particular order, to be considered:
An employee downloads and uses unauthorized software—for example, instant messaging tools—accesses personal e-mail via web mail, or uses USB drives to transfer information to and from work.
The company’s outward-facing customer-access website has to reach internal database systems to display products available for ordering and to process customer orders.
The company makes internal e-mail systems available through the web to traveling executives.
Week Two: Enterprise System Risks, Controls, and Access
Details
Due
Points
Objectives
2
2.1 Identify components of internal control systems.
2.2 Apply enterprise-level risk assessment methodologies.
2.3 Recognize a universal framework for Enterprise Security Architecture (ESA) development.
2.4 Distinguish the technical and operational differences between Authentication and Access principles.
2.5 Identify various access control concepts: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC).
Readings
Read Ch. 5, “Productivity Applications”, in Tomorrow’s Technology and You.
Read Ch. 6, “Graphics, Digital Media, and Multimedia”, in Tomorrow’s Technology and You.
Read Ch. 7, “Database Applications and Privacy Implications”, in Tomorrow’s Technology and You.
Read Ch. 14, “Enterprise System Risks and Controls”, in Enterprise Information Systems: A Pattern-Based Approach.
Read the Week Two Read Me First.
Read this week’s Electronic Reserve Readings.
Participation
Participate in class discussion.
07/20
2
In Class Quiz
Reading Quiz on readings.
07/20
2
Learning Team Reflection Summary
Collaborate with your learning team to discuss the previous week’s objectives.
Discuss what you learned, what could be applicable to your workplace or personal life, and how your knowledge has increased as a result of what you experienced through the learning activities in the previous week.
Submit your team summary of the discussion in a 1- to 2-page Microsoft® Word document.
07/20
2
Learning Team Instructions
Discuss the enterprise system, logical, and physical vulnerabilities associated with your Learning Team’s Enterprise Security Plan.
Consider the following vulnerabilities:
Physical (DoS)
System (e-mail servers)
Logical (software; for example, a SQL injection attack exploits a software vulnerability)
Individual Assignment
When specifying security policies for an enterprise, setting security on an individual-by-individual basis provides the tightest and most personalized security. The tradeoff, however, is the increased amount of administration effort in setting up the security and maintaining it on an ongoing basis. You have been brought in as a consultant from Smith Systems Consulting to advise Riordan Manufacturing on what it will take to establish adequate enterprise security policies. You will need to prepare a 3-5 page paper that highlights why they should establish separation of duties via role assignment and how this will provide safeguards for protecting the data in their information systems.
07/20
15
Week Three: Distributed Systems: Architecture, Threats, Control, and Roles
Details
Due
Points
Objectives
3
3.1 Recognize security issues and considerations associated with Distributed Computing Environments (DCEs).
3.2 Identify seven types of distributed systems.
3.3 Understand enterprise role life-cycle concepts as related to security management.
3.4 Apply role-based security principles through case study analysis.
Readings
Read Ch. 8, “Networking and Digital Communication”, in Tomorrow’s Technology and You.
Read Ch. 9, “The Evolving Internet”, in Tomorrow’s Technology and You.
Read Ch. 5, “Designing Corporate IT Architecture”, in Information Systems Management in Practice.
Read the Week Three Read Me First.
Read this week’s Electronic Reserve Readings.
Participation
Participate in class discussion.
07/27
2
In Class Quiz
Reading Quiz on readings.
07/27
2
Learning Team Reflection Summary
Collaborate with your learning team to discuss the previous week’s objectives.
Discuss what you learned, what could be applicable to your workplace or personal life, and how your knowledge has increased as a result of what you experienced through the learning activities in the previous week.
Submit your team summary of the discussion in a 1- to 2-page Microsoft® Word document.
07/27
2
Learning Team Instructions
Create a quantitatively forced ranking of the risks versus vulnerabilities by using a matrix.
Forced ranking can use H, M, or L—or numeric rankings 1, 2, or 3.
Aspects of the forced ranking will consist of the following:
Impact of the risk against the vulnerable asset.
Probability of the risk actually occurring for that asset.
Using this matrix, risks are categorized according to the following:
High probability/high impact
High probability/medium impact
High probability/low impact
Medium probability/high impact
Medium probability/medium impact
Medium probability/low impact
Low probability/high impact
Low probability/medium impact
Low probability/low impact
Against these categories, technologies and policies are to be proposed to mitigate risks against the more vulnerable of the IT resources and to provide contingencies in the event that one happens.
As an example, IT staff could decide that access to web e-mail poses a high risk to a company’s assets. The solution could simply be to eliminate employee access to the Internet; however, that is not an employee-friendly solution.
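A worked version of the forced-ranking matrix described above, added here as an example and not part of the syllabus: each risk gets an impact rating and a probability rating (H/M/L or 1/2/3, as the instructions allow), is placed into one of the nine matrix cells, and the list is sorted so the team can see which cells the mitigation and contingency proposals should address first. The sample risks are constructed from the brainstorm items earlier in the syllabus, and their ratings are illustrative assumptions, not an assessment of any real company.

```python
"""Forced ranking of enterprise risks on an impact x probability matrix.

Added example; not part of the CMGT/430 syllabus. Sample risks are constructed
from the brainstorm items in the syllabus, with made-up ratings.
"""
from collections import OrderedDict
from dataclasses import dataclass

# The syllabus allows H/M/L labels or numeric 1/2/3 rankings; both map to the
# same three levels, where 3 is the most severe or most likely.
LEVELS = {"H": 3, "M": 2, "L": 1, "3": 3, "2": 2, "1": 1}
LEVEL_NAME = {3: "High", 2: "Medium", 1: "Low"}


def to_level(rating):
    """Normalise an H/M/L or 1/2/3 rating (str or int) to an integer 1..3."""
    key = str(rating).strip().upper()
    if key not in LEVELS:
        raise ValueError(f"rating must be H/M/L or 1/2/3, got {rating!r}")
    return LEVELS[key]


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: int       # 1..3: consequence if the threat is realised against the asset
    probability: int  # 1..3: likelihood that it actually occurs for that asset

    @classmethod
    def from_ratings(cls, asset, threat, impact, probability):
        return cls(asset, threat, to_level(impact), to_level(probability))

    @property
    def category(self):
        """Matrix cell name in the syllabus wording, e.g. 'High probability/low impact'."""
        return f"{LEVEL_NAME[self.probability]} probability/{LEVEL_NAME[self.impact].lower()} impact"

    @property
    def score(self):
        # The product places the risk in one of nine cells; the second term breaks
        # ties in favour of impact, so a rare catastrophe outranks a frequent nuisance.
        return (self.impact * self.probability, self.impact)


def matrix_cells():
    """The nine categories in the order the syllabus lists them."""
    return [f"{LEVEL_NAME[p]} probability/{LEVEL_NAME[i].lower()} impact"
            for p in (3, 2, 1) for i in (3, 2, 1)]


def forced_ranking(risks):
    """Sort risks from most to least urgent; ties fall back to the asset name."""
    return sorted(risks, key=lambda r: (-r.score[0], -r.score[1], r.asset))


def categorize(risks):
    """Group risks by matrix cell, keeping every cell (possibly empty) in order."""
    cells = OrderedDict((cell, []) for cell in matrix_cells())
    for r in forced_ranking(risks):
        cells[r.category].append(r)
    return cells


# Constructed sample based on the syllabus brainstorm list; ratings are illustrative.
SAMPLE_RISKS = [
    Risk.from_ratings("Internal e-mail", "Web mail access by traveling executives", "H", "H"),
    Risk.from_ratings("Customer database", "Outward-facing site reaches internal DB", "H", "M"),
    Risk.from_ratings("Workstations", "Unauthorized instant messaging software", 2, 3),
    Risk.from_ratings("E-mail server", "Denial of service", "H", "L"),
    Risk.from_ratings("USB drives", "Data carried to and from home on USB", "L", "H"),
]

if __name__ == "__main__":
    for cell, items in categorize(SAMPLE_RISKS).items():
        if items:
            print(cell + ":")
            for r in items:
                print(f"  {r.asset}: {r.threat}")
```

The tie-break in `score` is a design choice worth stating in the paper: two risks with the same product (for example a high-impact/low-probability denial of service and a low-impact/high-probability USB transfer) are deliberately ordered by impact, which is where contingency planning matters most; the "grey areas" the Week Five deliverable asks about are exactly these ties.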
Individual Assignment
Refer to the Ferraiolo et al. article (2003), and examine the concepts of role graphs. Develop a similar role graph for the human resource information systems (HRIS) used by Riordan Manufacturing. Refer to Figure 7 of the article as a point of reference. Consider that there are four primary roles: HR clerk, HR supervisor, HR manager, and IT support staff. Write a 3-5 page paper discussing the roles in terms of required access, restrictions, and policies of all types that would need to be implemented. Attach your role graph to the paper.
07/27
15
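An added example (not from the syllabus and not from the Ferraiolo et al. paper) that models the role graph for the HRIS assignment above and also enforces the separation of duties via role assignment that the Week Two individual paper asks for. The four roles are the ones named in the assignment; the inheritance edges, the permission names and the mutual-exclusion rule are assumptions chosen for illustration, so a role graph for Riordan Manufacturing's HRIS would have to be derived from its own access requirements rather than copied from here.

```python
"""Role graph with permission inheritance and separation-of-duties checks.

Added example; not part of the syllabus or the Ferraiolo et al. article. The four
roles come from the assignment text; the edges, permissions and SoD rule are
assumptions made for illustration.
"""

# Role graph: each senior role lists the junior roles whose permissions it inherits.
# Assumed hierarchy: HR manager > HR supervisor > HR clerk; IT support is separate.
ROLE_GRAPH = {
    "HR manager": {"HR supervisor"},
    "HR supervisor": {"HR clerk"},
    "HR clerk": set(),
    "IT support staff": set(),
}

# Permissions granted directly to a role (assumed); inherited ones are derived below.
DIRECT_PERMISSIONS = {
    "HR clerk": {"view_employee_record", "enter_timesheet"},
    "HR supervisor": {"approve_timesheet"},
    "HR manager": {"change_salary", "approve_payroll"},
    "IT support staff": {"reset_hris_password", "administer_hris_server"},
}

# Static separation of duties: no single person may hold both roles of a pair.
# Assumed rule: whoever administers the HRIS server must not also approve payroll.
STATIC_SOD = [frozenset({"HR manager", "IT support staff"})]


def validate_graph(graph):
    """Reject unknown roles and cycles; a cycle would make every role inherit every other."""
    for role, juniors in graph.items():
        for j in juniors:
            if j not in graph:
                raise ValueError(f"{role!r} inherits unknown role {j!r}")
    visiting, done = set(), set()

    def visit(role):
        if role in done:
            return
        if role in visiting:
            raise ValueError(f"cycle in role graph at {role!r}")
        visiting.add(role)
        for j in graph[role]:
            visit(j)
        visiting.discard(role)
        done.add(role)

    for role in graph:
        visit(role)


def effective_roles(role, graph=ROLE_GRAPH):
    """The role plus every junior role reachable from it (transitive closure)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(graph[r])
    return seen


def effective_permissions(role, graph=ROLE_GRAPH, perms=DIRECT_PERMISSIONS):
    """Direct permissions of the role plus everything inherited down the graph."""
    out = set()
    for r in effective_roles(role, graph):
        out |= perms.get(r, set())
    return out


def assign_role(assignments, user, role, sod=STATIC_SOD, graph=ROLE_GRAPH):
    """Add a role to a user unless doing so violates a static SoD constraint.

    The check runs over effective roles, so inheriting a restricted role
    through the hierarchy counts the same as holding it directly.
    """
    held = assignments.get(user, set()) | {role}
    effective = set().union(*(effective_roles(r, graph) for r in held))
    for pair in sod:
        if pair <= effective:
            raise PermissionError(f"{user}: roles {sorted(pair)} are mutually exclusive")
    assignments.setdefault(user, set()).add(role)  # only reached if no rule fired
    return assignments


def authorized(assignments, user, permission):
    """True if any role the user holds grants the permission, directly or by inheritance."""
    return any(permission in effective_permissions(r) for r in assignments.get(user, ()))


validate_graph(ROLE_GRAPH)

if __name__ == "__main__":
    users = {}
    assign_role(users, "alice", "HR manager")
    assign_role(users, "bob", "IT support staff")
    print(sorted(effective_permissions("HR manager")))
    print(authorized(users, "alice", "enter_timesheet"), authorized(users, "bob", "approve_payroll"))
```

Two points the paper can draw from this: inheritance means the HR manager needs no direct grant of clerk-level permissions, which keeps the permission table small and reviewable, and the SoD rule is enforced at assignment time rather than at access time, so a violation is rejected before it can ever be exercised.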
Week Four: Securing Distributed Computing Environments
Details
Due
Points
Objectives
4
4.1 Consider security issues associated with different enterprise network storage and processing architectures.
4.2 Understand and apply strategies for securing eBusiness networks and enterprise website assets.
4.3 Understand distributed trust management systems.
4.4 Understand virtual private network (VPN) vulnerabilities.
4.5 Examine security issues associated with enterprise network storage and processing architectures, especially in the context of fee-for-service arrangements, where network storage is outsourced.
Readings
Read Ch. 10, “Computer Security and Risks”, in Tomorrow’s Technology and You.
Read Ch. 11, “Computers at Work, School, and Home”, in Tomorrow’s Technology and You.
Read the Week Four Read Me First.
Read this week’s Electronic Reserve Readings.
Participation
Participate in class discussion.
08/03
2
In Class Quiz
Reading Quiz on readings.
08/03
2
Learning Team Reflection Summary
Collaborate with your learning team to discuss the previous week’s objectives.
Discuss what you learned, what could be applicable to your workplace or personal life, and how your knowledge has increased as a result of what you experienced through the learning activities in the previous week.
Submit your team summary of the discussion in a 1- to 2-page Microsoft® Word document.
08/03
2
Learning Team Instructions
Continue working on the Enterprise Security Plan due in Week Five.
Discuss the recommendations for technologies and policies that mitigate risks and contingencies for those high-impact risks deemed most likely to occur. In particular, were there multiple solutions or justifications of how one was picked over another?
Individual Assignment
A major concern within enterprise environments is trust management. This concern crosses multiple domains: business to business (B2B), such as eBay and PayPal; business to consumer (B2C), such as online banking; and intra-enterprise applications (HR, finance, manufacturing, purchasing, and accounting). Pick one of these domains and write a 3-5 page paper describing the enabling role and challenges of distributed-trust-based management.
08/03
20
Week Five: Enterprise Security
Details
Due
Points
Objectives
5
5.1 Comprehend core principles associated with enterprise security.
5.2 Comprehend Enterprise Security Architecture (ESA) risk analysis, management, and control.
5.3 Understand and apply high-level access control design methodologies.
5.4 Recognize enterprise vulnerabilities associated with eBusiness networks and other web-based technologies.
Readings
Read Ch. 12, “Information Systems in Business”, in Tomorrow’s Technology and You.
Read Ch. 13, “Electronic Commerce and E-Business: The Evolving Internet Economy”, in Tomorrow’s Technology and You.
Read Ch. 11, “Holistic, Integrated Approaches to Risk Management”, in Risk from the CEO and Board Perspective.
Read Ch. 12, “The End of the Beginning”, in Risk from the CEO and Board Perspective.
Read the Week Five Read Me First.
Read this week’s Electronic Reserve Readings.
Participation
Participate in class discussion.
08/10
2
In Class Quiz
Reading Quiz on readings.
08/10
2
Learning Team Reflection Summary
Collaborate with your learning team to discuss the previous week’s objectives.
Discuss what you learned, what could be applicable to your workplace or personal life, and how your knowledge has increased as a result of what you experienced through the learning activities in the previous week.
Submit your team summary of the discussion in a 1- to 2-page Microsoft® Word document.
08/10
2
Learning Team
Enterprise Security Plan Project
The final paper and presentation should represent practical ESP.
The ESP format is to be determined by the Learning Team, using concepts from ESA design in conjunction with standard ERM guidelines. The final paper and presentation should consist of the methodology the Learning Team went through in completing this exercise, the results, and the recommendations.
Write a final paper. At a minimum, include the following:
The risk and vulnerability exercises and the initial lists that were created, including the items considered but not actually included. Make sure the rationale for decisions is discussed.
The forced-ranking exercise, justifications for the decisions made, and any final adjustments that were made (of particular interest are the grey areas).
The recommendations for technologies and policies that mitigate risks and contingencies for those high-impact risks deemed most likely to occur. In particular, were there multiple solutions or justifications of how one was picked over another?
08/10
10
Learning Team
Enterprise Security Presentation
Prepare a Microsoft PowerPoint® presentation summarizing the Enterprise Security Plan Paper.
08/10
10
Copyright
University of Phoenix® is a registered trademark of Apollo Group, Inc. in the United States and/or other countries.
Microsoft®, Windows®, and Windows NT® are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other company and product names are trademarks or registered trademarks of their respective companies. Use of these marks is not intended to imply endorsement, sponsorship, or affiliation.
Edited in accordance with University of Phoenix® editorial standards and practices.