**CASE STUDY ATTACHED**This assignment requires that you adapt the analysis done for P1/P2/P3/P4 to a new environment. Use your prior work, i.e. the recommendation memo and network diagram, to develop a high-level plan for implementing the required controls, changes, etc. to mitigate vulnerabilities and convergence issues in the new environment. You may need to do additional analysis to address issues specific to the second case study’s environment. Your high-level plan should include all the system development life cycle (SDLC) gates/decision points and all relevant tasks. Describe and relate the implementation solution to CIA and incorporate, people, processes and technology to this plan.This is a combination of a paper and a detailed list of steps and resources that you would follow to implement and complete this project. Think about all of the actions, resources, and tasks that you would need in order to effect a successful implementation. These should also be included as part of the plan. The instructor may provide a template to use with this assignment. The minimum structure for this assignment is below:INTRODUCTIONPurpose of PlanGOALS AND OBJECTIVESBusiness Goals and ObjectivesProject Goals and ObjectivesSCOPEScope DefinitionItems Beyond ScopePROJECTED EXPENSESSystem Development Life Cycle/ScheduleMilestonesASSUMPTIONSProject AssumptionsCONSTRAINTSProject ConstraintsCritical Project BarriersThe Plan will be a minimum 5 page, double-spaced paper using Times New Roman 12 font and APA style formatting for citations and references. It will also include a minimum of 5 references. The Title/Cover page, illustrations (tables/charts/graphs), network diagram, and references are not part of the page count but are required for the assignment. The grading rubric provides additional details as to what should be included in the paper. Your instructor may provide an APA style template to use for this paper.*** Make sure that you include in detail the steps you would take to secure the project.GRADING RUBRIC:Purpose / Goals and Objectives 10 pointsExpertly defines goals and objectivesScope of Security Issues 10 pointsClearly describes and relates information security and other technology issues. Synthesizes and applies material and document relationships.Costs Related to Security Effort/Solution 5 pointsClearly identifies and articulates the cost of overall security solution.SDLC Schedule 10 pointsSynthesizes and applies logical SDLC processes and schedule to overall solution deployment.Use of Network diagram and illustrations 10 pointsNetwork diagram and accompanying illustration are strongly linked to proposed solution and contentMilestones 5 pointsEach defined milestone is directly related to overall strategy/solution and clearly mitigates the risk or issue.Assumptions 10 pointsClearly identifies security solutions and assumptions that consist of people, processes and technologies that relate to the risks. Covers all three requirements.Constraints 5 pointsClearly describes the linkage and constraints associated with solutionSDLC Tasks 5 pointsClear and detailed SDLC tasks that logically leads to the proposed solutionsPrioritize Tasks 5 pointsMajor tasks are clearly prioritized according their importance to mitigating the risks and issues found.Define Resources 5 pointsClearly defined people resources (by type) that support each task in the timeline.Use of Authoritative Sources5 pointsUsed at least 5 authoritative or scholarly sources in paper. No APA style errors in sourcesCitation of Sources 5 pointsAll sources cited. No errors in citing material in paper.Formatting 5 pointsPrepared MS Word document, used consistent formatting, section subheadings, submitted one file, used instructor provided template, correct coversheet and separate reference page and meets minimum page count of 5 pages.5 pointsNo grammar errors, use of first/second person, spelling or punctuation errors.
20161001004833project_5___detailed_assignment_description_v4.docx
20161001004833project_case_study.pdf
Unformatted Attachment Preview
Project #5 Detailed Assignment Description
This assignment requires that you adapt the analysis done for P1/P2/P3/P4 to a new environment.
Use your prior work, i.e. the recommendation memo and network diagram, to develop a highlevel plan for implementing the required controls, changes, etc. to mitigate vulnerabilities and
convergence issues in the new environment. You may need to do additional analysis to address
issues specific to the second case study’s environment. Your high-level plan should include all
the system development life cycle (SDLC) gates/decision points and all relevant tasks. Describe
and relate the implementation solution to CIA and incorporate, people, processes and technology
to this plan.
This is a combination of a paper and a detailed list of steps and resources that you would follow
to implement and complete this project. Think about all of the actions, resources, and tasks that
you would need in order to effect a successful implementation. These should also be included as
part of the plan. The instructor may provide a template to use with this assignment. The
minimum structure for this assignment is below:
INTRODUCTION
o Purpose of Plan
GOALS AND OBJECTIVES
o Business Goals and Objectives
o Project Goals and Objectives
SCOPE
o Scope Definition
o Items Beyond Scope
PROJECTED EXPENSES
o System Development Life Cycle/Schedule
o Milestones
ASSUMPTIONS
o Project Assumptions
CONSTRAINTS
o Project Constraints
o Critical Project Barriers
The Plan will be a minimum 5 page, double-spaced paper using Times New Roman 12 font and
APA style formatting for citations and references. It will also include a minimum of 5 references.
The Title/Cover page, illustrations (tables/charts/graphs), network diagram, and references are
not part of the page count but are required for the assignment. The grading rubric provides
additional details as to what should be included in the paper. Your instructor may provide an
APA style template to use for this paper.
*** Make sure that you include in detail the steps you would take to secure the project.
GRADING RUBRIC:
Purpose / Goals and Objectives
10 points
Expertly defines goals and objectives
Scope of Security Issues
10 points
Clearly describes and relates information security and other technology issues. Synthesizes and
applies material and document relationships.
Costs Related to Security Effort/Solution
5 points
Clearly identifies and articulates the cost of overall security solution.
SDLC Schedule
10 points
Synthesizes and applies logical SDLC processes and schedule to overall solution deployment.
Use of Network diagram and illustrations 10 points
Network diagram and accompanying illustration are strongly linked to proposed solution and
content
Milestones
5 points
Each defined milestone is directly related to overall strategy/solution and clearly mitigates the
risk or issue.
Assumptions 10 points
Clearly identifies security solutions and assumptions that consist of people, processes and
technologies that relate to the risks. Covers all three requirements.
Constraints 5 points
Clearly describes the linkage and constraints associated with solution
SDLC Tasks 5 points
Clear and detailed SDLC tasks that logically leads to the proposed solutions
Prioritize Tasks
5 points
Major tasks are clearly prioritized according their importance to mitigating the risks and issues
found.
Define Resources
5 points
Clearly defined people resources (by type) that support each task in the timeline.
Use of Authoritative Sources 5 points
Used at least 5 authoritative or scholarly sources in paper. No APA style errors in sources
Citation of Sources 5 points
All sources cited. No errors in citing material in paper.
Formatting
5 points
Prepared MS Word document, used consistent formatting, section subheadings, submitted one
file, used instructor provided template, correct coversheet and separate reference page and meets
minimum page count of 5 pages.
5 points
No grammar errors, use of first/second person, spelling or punctuation errors.
Journal of Information Technology Education:
Innovations in Practice
Volume 11, 2012
Disaster at a University:
A Case Study in Information Security
Ramakrishna Ayyagari and Jonathan Tyks
University of Massachusetts-Boston, Boston, MA, USA
r.ayyagari@umb.edu; downtime6@gmail.co
Executive Summary
Security and disaster training is identified as a top Information Technology (IT) required skill that
needs to be taught in Information Systems (IS) curriculums. Accordingly, information security
and privacy have become core concepts in information system education. Providing IT security
on a shoestring budget is always difficult and many small universities are challenged with balancing cost and effectiveness. Many colleges and universities have additional security challenges,
such as relaxed working environments, less formalized policies and procedures, and employees
that “wear many hats.” Therefore, it is not surprising to note that majority of data breaches since
2005 occur in educational settings. So, it is imperative that this segment (i.e., educational settings) be represented in classroom discussions to prepare future employees.
To this end, we present a case that addresses a data breach at a university caused by lax security
policies and includes an element of social engineering. The data breach at the university resulted
in a number of students’ losing personally identifiable information. The resulting aftermath
placed a significant financial burden on the university as it was not prepared to handle an information security disaster. This case can be used as a pedagogical tool as it uniquely captured a data
breach in a university setting. Readers of the case will identify that at the management level the
case raised a number of issues regarding the security culture at the university and management of
security function. The case also highlights the issues of lack of training and access control.
Keywords: Information Security, Disaster Recovery, Data Breach.
Introduction
Security and disaster training is identified as the top IT required skill that needs to be taught in IS
curriculums (Kim, Hsu, & Stern, 2006). Accordingly, information security and privacy have become core concepts in information system education (Hentea, Dhillon, & Dhillon, 2006; Kroenke, 2012; Laudon & Laudon, 2010). Instructors have several approaches to teach security and
privacy concepts. One can take a more traditional lecture based approach or a more hands-on approach that utilizes labs, case studies, etc. (Gregg, 2008). It is important to note that advances in
pedagogical research place emphasis on
Material published as part of this publication, either on-line or
hands-on or active learning. Imparting
in print, is copyrighted by the Informing Science Institute.
knowledge based solely on lectures is
Permission to make digital or paper copy of part or all of these
criticized as there is less opportunity for
works for personal or classroom use is granted without fee
students to be actively engaged (Bok,
provided that the copies are not made or distributed for profit
or commercial advantage AND that copies 1) bear this notice
1986).
in full and 2) give the full citation on the first page. It is permissible to abstract these works so long as credit is given. To
copy in all other cases or to republish or to post on a server or
to redistribute to lists requires specific permission and payment
of a fee. Contact Publisher@InformingScience.org to request
redistribution permission.
Accordingly, active learning has gained
prominence among educators and researchers (Meyers & Jones, 1993). Students are eager and seek opportunities to
Editor: Uolevi Nikula
Information Security Disaster
apply their knowledge to simulate realistic situations (Auster & Wylie, 2006). Research shows
that students find learning achieved through active participation to be more meaningful and valuable (Mitchell, 2004; Pariseau & Kezim, 2007; Wingfield & Black, 2005). One of the ways in
which students can be engaged is through case studies (Bradford & Peck, 1997; Shapiro, 1984;
Pariseau & Kezim, 2007). Case studies provide the students a unique opportunity to assume the
roles of participants in the cases (Richards, Gorman, Scherer, & Landel, 1995). This provides an
opportunity for students to reflect on their learning and apply it to crystallize their thoughts and
arguments. Students are put into situations that can be ambiguous and force students to make decisions dealing with uncertainties (Richards et al., 1995). In fact, a recent study about learning
preferences indicates that students place high value for case studies (Goorha & Mohan, 2009).
Raising awareness regarding security issues faced by educational institutions is important because
the majority of reported breaches occur in educational settings. An analysis of all the data breaches from 2005 indicates that 21% of breaches occur in academic settings resulting in more than 8
million individual records being compromised (Privacy Rights Clearinghouse, 2011). It should be
noted that the ‘education’ industry has the most number of breaches compared to any other industry category including medical, businesses, and government agencies (Privacy Rights Clearinghouse, 2011). Further, fundamental differences exist between academic and business settings. It is
common practice in businesses to protect trade secrets, intellectual property, etc. However, educational settings are based on values of information sharing. As Qayoumi and Woody (2005, page
8) point out, “…the concept of information security runs counter to the open culture of information sharing – a deeply held value in academe.” Therefore, it is important to raise awareness about
the severity of security issues facing university settings. However, a brief review of published
cases in prominent outlets reveals that typical cases are geared towards business settings as presented below.
Literature Review of Security Case Studies
Most of the prominent security case studies focus on how businesses deal with data breaches or
privacy issues. For example, McNulty (2007) discusses the impact of a data breach on customers
in a retail electronics setting. The case deals with issues of the best way to communicate the
breach with customers and, overall, forces the participants to consider disaster response strategy
before a disaster occurs. Similarly, Haggerty and Chandrasekhar (2008) highlight the events leading to and the fallout due to a data breach at TJX. These cases highlight the issues of enormous
amount of data that retailers generate and the onus on firms to protect the sensitive information.
Eisenmann’s (2009) case addresses the severity of growing dependence on technology in the
medical industry. The case setting is a hospital (medical industry) where the access to medical
records is denied, putting numerous lives at risk. As the hackers try to extort money, the case
raises ethical and legal questions and forces participants to make tough decisions.
Coutu (2007) raises ethical questions about the growing issue of lack of privacy in the networked
world. The case addresses whether the information found on Internet about a person can become
a burden in advancing the person’s careers. Ethical and privacy questions related to confidentiality of data and data reuse in business settings are also raised (Davenport & Harris, 2007; Fusaro,
2004; Schenberger & Mark, 2001). Davenport and Harris (2007) present a case that deals with the
issue of data reuse. It is a common practice for businesses to share customer data with the businesses’ affiliates. The case in question asks at what stage is the sharing of information detrimental
to customers? In a similar vein, Fusaro’s (2004) case asks at what stage do the data collected for
customization cross the boundary and become invasion of privacy? DoubleClick’s profiling issues and breach of privacy are also well known (Schenberger & Mark, 2001). Complaints filed
with the Federal Trade Commission had a severe impact on the shares of DoubleClick and led to
the development of privacy policies (Schenberger & Mark, 2001).
86
Ayyagari & Tyks
As this review points out, security case studies generally focus on business settings even though
educational institutions experience a fair share of security incidents. We address this gap by first
presenting a case study of a security breach at a university. We conclude by providing discussion
points and the lessons learned from this case study.
Disaster at a University – A Case Study
Turn Key University (TKU) is a medium sized public university located in Idaho. The institution
is situated on a beautiful 25 acre campus, just north of a major city. The University consists of
over 6,000 students mostly from the surrounding region. The institution is a liberal arts college
that offers over 30 undergraduate majors and a dozen graduate degrees. The school has a reputation for producing quality graduates for the surrounding community. The University is a major
employer in the area, providing jobs for over 900 employees.
Organization Hierarchy
The institution was organized as a typical university bureaucracy, with the President’s office
overseeing the Academic Affairs, Administrative Support Services, Human Resources, Finance,
and Information Technology divisions as shown in Figure 1. The IT, Finance, and Administrative
Support divisions are the primary focus of this case.
President’s
Office
Academic
Affairs
Administrative
Support services
Finance
Human Resources
Information
Technology
Figure 1: TKU’s Organizational Hierarchy
As shown in Figure 2, the Information Technology division consisted of six departments — Institutional Projects, Media Services, Teaching Support, Computing Systems, Web Services, and
Network & Telecom. Each of these departments was managed by a Director who reported to the
Chief Information Officer (CIO). The Information Technology Division managed all aspects of
computing on the University campus. The IT division employed over 70 permanent members and
several temporary/student employees. The IT division required a large server farm to manage a
transaction management system and other systems. TKU centralized all server functions in the
Computing Systems department.
87
Information Security Disaster
CIO
Director
Institutional
Projects
Director
Computing
Systems
Director
Media
Services
Director
Web Services
Director
Teaching
Support
Director
Network &
Telecom.
Figure 2: IT Division Hierarchy
Administrative Support Services supported the ancillary services offered by the college. Among
other things, this division managed relationships between the on-campus and off-campus vendors.
On-campus vendors include the post office, GoodFood (the student meal plan provider), CollegeBooks (the bookstore operator), and FastSnack (the snack machine provider). The snack machines were an important part of students’ life as many students relied on late night RedBull®
runs to make it through a last minute cram session. Off-campus vendors include restaurants, tanning parlors, and gas stations. Compared to the IT division, Administrative Support Services was
relatively small, with approximately one-fifth the numbers of personnel in the IT division.
The Finance Division was responsible for managing and reporting the financial state of the University. The division was made up of five departments: Financial Affairs, the Budget Office, Accounts Receivable, Accounts Payable, and Student Services. All financial information reporting
was overseen by the Financial Affairs department. Overall, the Finance division employed 30
permanent employees and several part-time members on a need basis.
System Description
Since 2000, TKU used a transaction management system for student meal plans. There were three
different meal plan tiers: a lower volume plan that was aimed towards commuters, a middle volume plan that was targeted for full time students who leave on the weekends, and a high volume
plan that was designed for students who eat all meals on campus. Out of the three plans, the middle volume plan was the most popular among students and responsible for the majority share of
the transactions.
In addition to the meal plans, the transaction management system handled virtual dollars. Virtual
dollars can be thought of as a prepaid credit card. At the beginning of the semester students were
given a balance based on their meal plan, and students drew down the balance by purchasing
items from vendors. Students and parents were also able to add additional funds on the card
through an online portal. Students paid for items using virtual dollars at a variety of vendors –
they spent it on books from the bookstore, stamps from the post office, drinks from the snack ma-
88
Ayyagari & Tyks
chines, and on food from neighborhood restaurants. Virtual dollars were a hit with students as
they enjoyed having the freedom and convenience to pick what they wanted, when they wanted.
The transaction management system was more than a way for students to purchase food; it was
also a profit center for the college. From a fiscal perspective, the system was able to generate annual profits of $600,000 for TKU. Most of the revenues were from commissions on sales to vendors. Due to corporate cultural issues (as discussed below), the control of the system spanned
across the IT, Administrative Support Services, and Finance divisions, although none of the divisions received commissions. All the money generated from the system went into a central fund
managed by the President’s Office.
History of the System: Reflection of Corporate Culture
The Transaction Management System (TMS) had been in place for over ten years at the writing
of this case and within that time frame it had changed hands multiple times. Initially the system
was handled by the Computing Systems department in the Information Technology Division. The
typical system administrator learned about the system on-the-job in an informal fashion, and there
was a lack of process or steps that could be reproduced when system administrators changed. Further, when the system was implemented, security was an afterthought and security responsibilities
played a minor role in system administrators’ job duties. As a result, the current state of the system was that (1) there was a lack of formal process in managing the system and (2) the system
was never secured. At the time of writing, the system was managed by two administrators – Gary
and Tom from the Computing Systems department. They had been in their roles for a little over a
year.
Although the TMS system depended on multiple divisions (IT, Finance, etc.,) for effective operation, the incentives in place were conducive to reinforcing the functional boundaries among various divisions (see Figure 1), thus resulting in friction among divisions. As the TMS grew in stature, the logical solution to reduce the political tensions among divisions was to split the system
responsibilities among the divisions. In this arrangement, IT continued to manage the servers with
Gary as the primary administrator and Tom as the backup. The Finance division took over the
administration and user access portion of the system. The responsibilities for system administrator fell on Don who had some technical background and was seen as a ‘tech geek’ in the Finance
division. At the time of this case study, Don had been in the system administrator role for three
months. When Don inherited the system, he received no formal system administration or security
training and found that there were no formal policies or business rules in place. As he learned the
system, he realized it housed a large amount of personally identifiable information (PII). There
were student social security numbers (which acted as a student …
Purchase answer to see full
attachment
Recent Comments