Essay Instructions: Project Title
Risk Management and Analysis - Process and Policy before Technology
According to studies released by the FBI and the Computer Security Institute (CSI), over 70% of all attacks on sensitive data and resources reported by organizations occurred from within the organization itself. Implementing an internal security policy appears to be just as important as an external strategy. The objective of this report is to highlight the necessity of internal processes and policy alongside technology when managing and mitigating risk. The author narrates the problems of security from the unseen forces in an individual that influence thought, behaviour and personality. Computers do not yet have the intelligence to question human reasoning, understand the human psyche and then take action based upon logical deduction. The subject matter for this dissertation is based on the author's own personal working experiences, modules taught in the Master of Software Engineering and course materials used.
Background (maybe part of opening Chapter 1)
Many of the firms in question that I worked for invest significant sums of money per annum into technology, with the newfound belief that software creates the competitive advantage and brings business value to the market place. These assets, some of which are tangible, require many forms of security to protect them from vandals, hackers, thieves and yes, even competitors. It is the traditional technique of using hardware and software to manage this risk that the author believes to be the underlying problem of safe keeping their information commodities.
There is not yet a computer with the artificial intelligence to understand that one person accessing a system with another person's credentials may be grounds for suspicion. It cannot discuss this with another peer computer or explain the extra-sensory feelings it has to its human superior. It does not have the ability to correlate the company's compliance rule regarding computer access against the activity a person is performing on a machine it knows does not belong to that person.
Just as computers need rules and boundaries to operate within, so do people; as a society we remain sure of this. We cannot, however, assume that the person knows the consequences of their actions and understands that what they are doing may be wrong based upon the rules which have been put in place by the company. We have to educate and teach first, discipline and enforce last.
The report should demonstrate the use of software engineering subject matter taught in –
1. Practical Software Engineering
2. People and Security
3. Security Risk Analysis and Management
4. Security Principles
5. Software Development Management
- An Oxford layout
- At the start of each (proper) chapter I'd expect to see a paragraph along the lines of "In this chapter we're going to do X. We're going to start by thinking about Y and then we'll move on to tackle Z."
- The theory of nature versus nurture in software engineering should be the central point of this project. I am trying to theorise that a person's genetic makeup and social upbringing (both parental and cultural) has a definitive role to play in software engineering. Is it not logical that our traits and imperfections are carried over to become part of the things we create? If so, how do we analyse this and what do we do to mitigate and manage the risk involved?
Questions to think about
- Why does a person hack computer systems? What makes them do this? Is there a median hacker age? What stats can prove this? If there is an age pattern, would that be part of a process companies would implement to help prevent internal hacking based on age, gender, chemical makeup? What are the moral implications of such a thing?
Examples would be to analyse some of the major software engineering failures, such as the following, and ask if better process could have been implemented to prevent this from happening -
The AT&T network collapse (1990)
In 1990, 75 million phone calls across the US went unanswered after a single switch at one of AT&T's 114 switching centers suffered a minor mechanical problem, which shut down the centre. When the centre came back up soon afterwards, it sent a message to other centres, which in turn caused them to trip and shut down and reset.
The culprit turned out to be an error in a single line of code -- not hackers, as some claimed at the time -- that had been added during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.
Mars Climate Orbiter metric problem (1998)
Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space program that, in 1998, was supposed to study the Martian weather, climate, and water and carbon dioxide content of the atmosphere. But a problem occurred when a navigation error caused the lander to fly too low in the atmosphere and it was destroyed.
What caused the error? A sub-contractor on the Nasa programme had used imperial units (as used in the US), rather than the Nasa-specified metric units (as used in Europe).
Mariner I space probe
A bug in the flight software for the Mariner 1 causes the rocket to divert from its intended path on launch. Mission control destroys the rocket over the Atlantic Ocean. The investigation into the accident discovers that a formula written on paper in pencil was improperly transcribed into computer code, causing the computer to miscalculate the rocket's trajectory.
Article that reflects my thoughts for this dissertation
However, I’ve seen this particular assertion — “all programming languages are the same because they’re all Turing complete” — used repeatedly as long as I’ve been a programmer. It drives me nuts.
Sure, it’s true on a technical level. Any computer language we write gets interpreted and compiled down to machine code, so at a practical level a C program with a for(;;) loop and a Python list comprehension might end up with the same values flowing over my registers and the same instructions dropping into the CPU. But this reductionist view of programming completely ignores the incredibly important role that language plays in thought.
The traditional view of languages — human or computer — is that they’re a tool we use to express thought. But modern literary and linguistic theory holds that it’s a two way street: our thought drives our language, but the language we use leaves an indelible imprint on our thought processes. I’m not a linguist, but from what I can tell the Sapir-Whorf hypothesis is the main designator for this idea of language influencing thought.
The hypothesis postulates that a particular language's nature influences the habitual thought of its speakers: That is, different language patterns yield different patterns of thought. This idea challenges the possibility of perfectly representing the world with language, because it implies that the mechanisms of any language condition the thoughts of its speaker community.
There’s no question in my mind that this applies full-force to software development: different languages make it easier or harder to conceive of certain types and classes of algorithms. So-called “syntactic sugar” can make a big difference in efficiency: one language might naturally lend itself to writing something close to the theoretically optimal case, while another might lead you towards a different, less efficient, solution.
Most importantly, though, is the way that computer languages intersect with our own thoughts. You’ll often hear a developer talk about how his favorite language “fits my brain” or “matches the way I think.” As a group of analytical types, we often dismiss these types of assertions in favor of more quantitative measurements of performance or memory consumption. But that’s a huge mistake: we’ll always be more productive in a language that promotes a type of thought with which we’re already familiar.
According to the theory of neuroplasticity, thinking, learning, and acting actually change both the brain's physical structure, or anatomy, and functional organization, or physiology from top to bottom.
In other words, what you think changes what you *will* think.
At least 50 or more; here are some that I have been researching already:
[ja1] John Soat, 2008, Tomorrow’s CIO: Process Before Technology, http://www.informationweek.com/blog/main/archives/2008/06/tomorrows_cio_p.html
[ja2] Matt Blaze, 2004, Safecracking for the computer scientist, http://www.crypto.com/papers/safelocks.pdf
[b1] Bruce Schneier, 2000, Secrets and Lies: Digital Security in a Networked World, ISBN 1, John Wiley
[b2] Drew Miller, Michael Bednarczyk, 2005, Black Hat Physical Device Security: Exploiting Hardware and Software, ISBN X, Syngress
[b3] Harold F. Tipton, Micki Krause, 2007, Information Security Management Handbook, ISBN 2, CRC Press
[b4] Pierpaolo Degano, 2007, Programming Languages and Systems: 12th European Symposium on Programming, ESOP 2003, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2003, Warsaw, Poland, April 7-11, 2003 : Proceedings, ISBN 1, Springer
[b5] James S. Tiller, Tiller S. Tiller, 2005, The Ethical Hack: A Framework for Business Value Penetration Testing, ISBN X, CRC Press
[b6] Albert-László Barabási, 2003, Linked: The New Science of Networks, ISBN 9, Basic Books
[b7] Watts S. Humphrey, 1997, Introduction to the Personal Software Process, ISBN 7, Addison-Wesley
[b8] Thomas A. Birkland, 2005, An Introduction to the Policy Process: Theories, Concepts, and Models of Public Policy Making, ISBN 8, M.E. Sharpe
[b9] G. David Garson, 1995, Computer Technology and Social Issues, ISBN 4, Idea Group Inc (IGI)
[b10] Louis A. Poulin, 2005, Reducing Risk with Software Process Improvement, ISBN X, CRC Press
[b11] Bruce Schneier, 2003, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, ISBN X, Springer
[b12] Kevin David Mitnick, 2002, The Art of Deception: Controlling the Human Element of Security, ISBN 4, John Wiley and Sons
[b13] Eric Gander, 2003, On Our Minds: How Evolutionary Psychology is Reshaping the Nature-versus-nurture Debate, ISBN 8, JHU Press
[b14] Lorrie Faith Cranor, Simson Garfinkel, 2005, Security and Usability: Designing Secure Systems that People Can Use, ISBN 9, O'Reilly
[b15] Ross Anderson, 2001, Security Engineering: A Guide to Building Dependable Distributed Systems, ISBN 3, John Wiley and Sons
World Wide Web
[www1] Wikipedia, (2008), Wile E. Coyote and Road Runner, http://en.wikipedia.org/wiki/Wile_E._Coyote_and_Road_Runner
[www2] Wikipedia, (2008), Cash is King, http://en.wikipedia.org/wiki/Cash_is_king
[www3] Wikipedia, (2008), Disk Cloning, http://en.wikipedia.org/wiki/Disk_cloning
[www4] Wikipedia, (2008), Firewall, http://en.wikipedia.org/wiki/Firewall
[www5] Wikipedia, (2008), Intrusion detection system, http://en.wikipedia.org/wiki/Intrusion-detection_system
[www6] Wikipedia, (2008), Virtual private network, http://en.wikipedia.org/wiki/Vpn
[www7] Wikipedia, (2008), Smart Card, http://en.wikipedia.org/wiki/Smart_card
[www8] Wikipedia, (2008), Anti-virus, http://en.wikipedia.org/wiki/Antivirus
[www9] Wikipedia, (2008), Encryption, http://en.wikipedia.org/wiki/Encryption
[www10] Wikipedia, (2008), Nature versus nurture, http://en.wikipedia.org/wiki/Nature_versus_nurture
[www11] Kimberly Powell, (2008), Nature vs. Nurture - Are We Really Born That Way?, http://genealogy.about.com/cs/geneticgenealogy/a/nature_nurture.htm
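The Background section above argues that a computer cannot correlate a company's rule about who may use which machine against the account actually logging on. As an added illustration (this is not code from the dissertation or its author), the following Python encodes exactly that rule as data and runs it over logon records. The hostnames, account names, the asset-register mapping, the shared support account and the key=value log format are all constructed for the example; a real deployment would read the register from the asset database and the events from the directory service's audit log.

```python
import re
from dataclasses import dataclass

# Constructed asset register: which person each workstation is assigned to.
# In practice this comes from the organisation's asset database.
HOST_OWNER = {
    "WS-117": "jsmith",
    "WS-118": "akhan",
    "WS-204": "mlee",
}

# Constructed list of accounts permitted to log on to any workstation
# (for example a help-desk account used for approved support work).
SHARED_SUPPORT_ACCOUNTS = {"svc_helpdesk"}

# Constructed logon records in a simple key=value format.  This is not the
# format of any real product; it stands in for a directory-service audit log.
SAMPLE_LOG = """\
2008-06-12T09:14:03 host=WS-117 user=jsmith result=success
2008-06-12T09:20:41 host=WS-118 user=akhan result=success
2008-06-12T12:02:17 host=WS-118 user=jsmith result=success
2008-06-12T12:05:59 host=WS-204 user=svc_helpdesk result=success
2008-06-12T17:45:10 host=WS-204 user=jsmith result=failure
2008-06-12T17:46:02 host=WS-204 user=jsmith result=success
2008-06-12T18:01:00 host=WS-999 user=bob result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    owner: str      # empty when the host is unknown to the register
    reason: str


def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def check_ownership(events, host_owner=HOST_OWNER, shared=SHARED_SUPPORT_ACCOUNTS):
    """Apply the policy 'a machine is used only by its assigned owner or an
    approved shared account'.  Returns one Finding per violating logon."""
    findings = []
    for e in events:
        if e["result"] != "success":
            # A failed attempt does not establish access; counting failures
            # (e.g. several failures before a success) belongs in a separate rule.
            continue
        owner = host_owner.get(e["host"])
        if owner is None:
            findings.append(Finding(e["ts"], e["host"], e["user"], "",
                                    "host not in asset register"))
        elif e["user"] != owner and e["user"] not in shared:
            findings.append(Finding(e["ts"], e["host"], e["user"], owner,
                                    "logon by non-owner account"))
    return findings


def summarize(findings):
    """Count violations per account, so a repeat offender stands out."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_ownership(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} {f.host} user={f.user} owner={f.owner or '?'}: {f.reason}")
    print(summarize(check_ownership(parse_events(SAMPLE_LOG))))
```

The rule only works because the policy was first written down as data (the asset register and the list of approved shared accounts); the code itself is a few comparisons. The unknown-host case is reported separately because a machine that is not in the register is a process failure in its own right, not a user failure.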
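The Mars Climate Orbiter failure listed above came from one party reporting a quantity in imperial units while the consumer assumed metric, and the mismatch surviving because the interface carried bare numbers. As an added example (not from the dissertation or from NASA), the following Python shows the defect alongside a tagged-quantity type that refuses to combine values whose units differ unless the caller converts explicitly. The sample values are constructed; the conversion factors are the standard ones.

```python
import math
from dataclasses import dataclass

# Each unit maps to (base unit, factor to convert into that base).  The base
# unit records the dimension, so impulse and mass can never be mixed.
# Factors are the standard definitions; the unit names are this example's own.
TO_BASE = {
    "N*s":   ("N*s", 1.0),
    "lbf*s": ("N*s", 4.4482216152605),   # one pound-force second in newton seconds
    "kg":    ("kg", 1.0),
    "lbm":   ("kg", 0.45359237),
}


class UnitMismatch(Exception):
    """Raised when two quantities of different units or dimensions are combined."""


@dataclass(frozen=True)
class Quantity:
    value: float
    unit: str

    def to(self, unit):
        """Convert explicitly; refuses a conversion across dimensions."""
        base_self, f_self = TO_BASE[self.unit]
        base_target, f_target = TO_BASE[unit]
        if base_self != base_target:
            raise UnitMismatch(f"cannot convert {self.unit} to {unit}")
        return Quantity(self.value * f_self / f_target, unit)

    def __add__(self, other):
        if not isinstance(other, Quantity):
            raise TypeError("add Quantity to Quantity, not to a bare number")
        if other.unit != self.unit:
            raise UnitMismatch(
                f"cannot add {other.unit} to {self.unit}; convert with .to() first")
        return Quantity(self.value + other.value, self.unit)


def naive_total(values):
    """The failure mode: bare floats whose units live only in someone's head.
    A contractor reporting lbf*s and a consumer assuming N*s both get 15.0."""
    return sum(values)


def total_impulse(quantities, unit="N*s"):
    """Sum tagged quantities into a declared target unit.  Every input is
    converted explicitly, so a value reported in lbf*s is scaled, not trusted."""
    total = Quantity(0.0, unit)
    for q in quantities:
        total = total + q.to(unit)
    return total


def contractor_report():
    """Constructed stand-in for the sub-contractor's output: imperial units."""
    return [Quantity(10.0, "lbf*s"), Quantity(5.0, "N*s")]


if __name__ == "__main__":
    print("naive sum:", naive_total([q.value for q in contractor_report()]))
    print("tagged sum:", total_impulse(contractor_report()))
    try:
        Quantity(10.0, "lbf*s") + Quantity(5.0, "N*s")
    except UnitMismatch as e:
        print("rejected:", e)
```

The tagged sum comes out at roughly 49.48 N*s rather than 15, and an attempt to add the two raw quantities raises immediately instead of producing a plausible-looking wrong number. The same discipline applies to any interface between teams: the unit is part of the data, and a process that reviews interface specifications for units is what puts it there.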
Essay Instructions: Please write 2 (two) pages research for the following three discussion questions:
1. Describe security principles and objectives and how they relate to the different components of the system-of-systems described in the readings.
2. Discuss how the security objectives of confidentiality, integrity, and availability are prioritized in a Smart Grid environment.
3. Discuss the "Internet of Things" and its likely consequences for developing an enforceable information assurance (IA) policy and implementing a robust security architecture.
Please cite sources using APA style and formatting; a title page and abstract are not required. Use the following resources if you can.
Chapters 1, 14, Appendix B. Ciampa, M. (2010). Security+ Guide to Network Security Fundamentals, 4th edition
ISBN-10: 1-111-64012-2 | ISBN-13: 978-1-111-64012-5
Nelson, B., Phillips, A., Steuart, C. (2010). Guide to Computer Forensics and Investigations, Fourth Edition.
ISBN-10:6 | ISBN-13:9789
Chapter 3. Thomson, L. (Ed.). (2011). Data breach and encryption handbook. Chicago, IL: American Bar Association. ISBN: 978-1-60442-989-3
Falco, J., Scarfone, K., & Stouffer, K. (June 2011). Guide to industrial control systems (ICS) security. Recommendations of the National Institute of Standards and Technology. Special Publication, 800-82.
Guidelines for Smart Grid cyber security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements (NISTIR 7628 Vol. 1).
Total Pages: 2 Words: 790 Works Cited: 2 Citation Style: APA Document Type: Essay
Essay Instructions: Request a 2 page essay on Employee Prescreening and Termination Processes for my CIS305 course in Information Security Principles and Practices. The following need to be addressed.
1. Develop a list of recommended steps to include in a pre-employment hiring process.
2. Develop a list of recommended steps to include in an employee termination process.
3. Which areas within the organization need to be included?
4. Suggest some ways for the security department to communicate with these other departments to assure that nothing falls through the cracks.
5. How would you help to assure that outside departments follow these recommendations?
Total Pages: 4 Words: 1292 Bibliography: 4 Citation Style: MLA Document Type: Research Paper
Essay Instructions: Class: Information Technology
In order for an organization to develop an effective business continuity plan or disaster recovery plan, it must know what information assets it has, their impact on business operations, and the criticality and priorities associated with the information systems and assets. The primary objective of a business impact analysis (BIA) is to identify the assets that are required for continued business operations in the event of an incident or disaster. Thus, a critical step in the development of an effective BIA includes establishing component priorities and determining component reliance and dependencies. Additionally, organizational personnel must know their responsibilities during recovery efforts.
Write a four page paper in which you:
1. Describe the methods for establishing component priorities, including:
a. Business functions and processes
b. BIA scenarios and components
c. Financial and service impact of components not being available
d. Recovery time frameworks
2. Describe the methods for determining component reliance and dependencies, including:
a. Component dependencies
b. Resources required to recover component in the event of failure
c. Human assets needed to recover components
3. Provide recommendations for the development of the BIA, management and other personnel responsibilities, and educating company personnel that would be involved in the recovery efforts.
4. Use the following resources in this assignment:
2. Security policies and Implementations issues(see attachment)
3. Information Security principles and practices(see attachment)
4. Choose one more
Please follow these formatting requirements:
- Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA format.