William Slater's CIS 608 Blog

http://billslater.com//webstats

=====================================

--- > Was it worth the time and money to acquire your current certs?

Yes. I never earned a certifications that wasn’t worth it.

--- > Would you recommend them to others?

If people are willing to put in the time, effort and money, yes, I would recommend certifications.

--- > Which do you think has more credibility when looking at resumes, certifications or formal education or experience?

I have 71 certifications and two master’s degrees and am 17% of the way through with my third master’s degree, this time an M.S. in Cybersecurity (which is why I am here).

I believe that the solid IT professional will have certifications, formal education, and experience, and that they will also belong to and maintain membership in organizations that are related to their profession.

These are the organizations that I belong to:

PROFESSIONAL ORGANIZATIONS:

� Association for Computing Machinery

� Chicago Chapter of the Internet Society

(President and Founder)

� Data Center Professionals Network

� EC Council

� Electronic Frontier Foundation

� Federal IT Security Institute

� IEEE Computer Society

� Institute for Data Center Professionals, Charter Member and Newsletter Editor

� International Information Systems Security Certification Consortium, Inc., (ISC)

� International Society for Auditing and Control Association (ISACA) - Member

� Internet Society, Supporting Member

� Microsoft Alumni Network

� Microsoft Partner Program

� Microsoft Developer Network

� The Planetary Society

� Project Management Institute

� Triton College Advisory Board Member

� Uptime Institute

--- > If your answer depends upon the type of job, include that information.

If a person’s job demands one or more certifications, then that person certainly needs to get busy.

Final comments about certifications:

1) Thanks to a lot of respectable certifications and a good resume and education, I get about 15 to 20 job offers via education and e-mail, every Monday through Friday.

2) If you have a website or a LinkedIn.com profile, having certifications will definitely help your ranking in the search engines. To see what I mean, Search on these strings using Google :

Pmp cissp Chicago

Also check this page out and see the most popular pages at my website, BILLSLATER.com:

3) No one should pursue certifications that have additional requirements for continuing professional education (CPE) unless they are willing to put forth the time, energy, and money to actually pursue the CPEs to keep the certification(s) current. I have four current certifications that require these CPEs:

CISSP
SSCP
PMP
CISA

4) The most shocking thing to me about certifications is how much people have ridiculed me for pursuing certifications and how many jealous people will publicly and privately trash talk me for being driven to each these achievements. I really think that people should mind their own business and keep their negative opinions to themselves. I am not hurting anyone my pursuing endeavors that help my career (http://billslater.com/career ). Maybe they need to get busy and get a life, some certifications and their own website.

When I graduated from high school in May 1973, I had eight scholarships and I attended Memphis State University and earned a four year Bachelor of Science in Engineering Technology degree with a major in Computer Systems Technology in May 1977. I don’t think there is anything wrong with being achievement oriented and I think people who engage in negative behaviors toward me regarding my intelligence, certifications, and technical abilities are usually guilty of repeatedly breaking the 9th and 10th Commandments of the original Ten Commandments and that one day, in some way, they will have to answer to God for all the ways they have tried to hurt me.

But until that day, I’ll just be getting more education and certifications, and they can pursue their own path, whatever that is.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Best regards,

Bill
William Favre Slater, III, PMP
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Group 2
CIS 608 Blog: http://cis608.blogspot.com
http://billslater.com/career
Chicago, IL

Post 059 - CIS 608

2011-11-07T11:41:00.000-08:00

Prisoners from California Prisons

A Real Automation Integration Nightmare: Can Hackers Release Prisoners from California Prisons?

The articles below explains the probability of Hackers being able to break into the computer systems and networks that control the release mechanisms that lock the doors in California Prisons. This further highlights the need for strong leadership, policies, and efforts in sound Information Security Management.

Washington Times Article
Wired.com Article

Chronicle.su

===========================================

William Favre Slater, III, MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL
United States of America

Post 058 - CIS 608

2011-11-06T16:14:00.000-08:00

USA PATRIOT ACT
and Its Effect on the American People

Many of you may be unaware of the USA PATRIOT ACT that was passed in October 2001 as a quick response to the terrorist attacks of September 11, 2001. This post explains some facts that you need to know about the USA PATRIOT ACT and how it changed the freedoms that the Founding Fathers tried to provide for the citizens of this country when the first wrote and ratified the Constitution of the United States and the first 10 Ammedments, commonly known as the Bill of Rights.

USA PATRIOT ACT essentially nullified 5 of the first 10 Amendments to the U.S. Constitution.

Many citizens feel strongly that the powers now granted to the Executive branch of government and its agents are in direct conflict with the 1st, 4th, 5th, 6th and 8th Amendments in the Bill of Rights to the U.S. Constitution (see Bill of Rights, below.). In other words, we now live in such times that many of the rights to privacy that we thought we were guaranteed under the U.S. Constitution, are now preempted, at least temporarily by the PATRIOT Act. In fact, the only way that the PATRIOT Act could be successfully passed in both chambers of Congress was to include a “Sunset Clause,” which caused many of the more far-reaching provisions of the Act to expire automatically, unless they were again reviewed and approved by both chambers of Congress. Though there was a “Sunset Clause" the PATRIOT Act has now been renewed TWICE, once under President Bush and once under President Obama.

= = = = = = = = = = = = = = = = = = = = = = = = = = = =

Bill of Rights – First 10 Amendments to the U.S. Constitution

ARTICLES IN ADDITION TO, AND AMENDMENTS OF, THE Amendments to the Constitution

CONSTITUTION OF THE UNITED STATES OF AMERICA, PROPOSED BY CONGRESS, AND RATIFIED BY THE LEGISLATURES OF THE SEVERAL STATES, PURSUANT TO THE FIFTH ARTICLE OF THE ORIGINAL CONSTITUTION

Article [I.]

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Article [II.]

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

Article [III.]

No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.

Article [IV.]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Article [V.]

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Article [VI.]

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defence.

Article [VII.]

In Suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise re-examined in any Court of the United States, than according to the rules of the common law.

Article [VIII.]

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.

Article [IX.]

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.

Article [X.]

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

======================================

References:

The Constitution of the U.S. (1791). U.S. Constitution.Retrieved from the web at

http://www.billslater.com/wfs_us_constitution.htm on November 6, 2011.

The Declaration of Independence. (1776). The Declaration ofIndependence. Retrieved from the web at

http://www.billslater.com/tj1776.htm on November 6, 2011.

Doyle, C. (2002). USAPATRIOT Act: A sketch. Retrieved fromthe web at

http://www.fas.org/irp/crs/RS21203.pdf on December 24, 2011.

Doyle, C. (2010). National Security Letters in Foreign Intelligence Investigations: A Glimpseof the Legal Background and Recent Amendments - a CRS Report Dated December 27,2010. Retrieved from the web at http://www.fas.org/sgp/crs/intel/RS22406.pdf on December 24, 2011.

Electronic Privacy and Information Center Resources aboutthe USA PATRIOT Act

http://epic.org/privacy/terrorism/usapatriot/.

U.S. Government (2001). USA PATRIOT Act. Retrieved fromthe web at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf on December 24, 2011.

U.S. Department of Justice (2004). USA PATRIOT Act at Work. Retrieved from the web at

http://www.justice.gov/olp/pdf/patriot_report_from_the_field0704.pdf on December 24, 2011.

Wikipedia. (2011). USA PATRIOT Act. A Wikipedia articleretrieved from the web at

http://en.wikipedia.org/wiki/Usa_patriot_act on November 6, 2011.

= = = = = = = = = = = = = = = = = = = = = = =

William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002,ISO 20000, ITIL v3, Cloud Computing Foundation

Project Manager / Program Manager

M.S. in Cybersecurity Program at BellevueUniversity

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and PersonnelSecurity

Career

Certifications

Credentials

ISO 27001

http://www.washingtonpost.com/world/national-security/us-cyber-espionage-report-names-china-and-russia-as-main-culprits/2011/11/02/gIQAF5fRiM_story.html?wprss=

Chicago, IL

United States of America

Post 057 - CIS 608

2011-11-03T22:08:00.000-07:00

Foreign Spies Stealing US Economic Secrets in Cyberspace

Many of you may want to read this report and perhaps share it with your families, friends, and colleagues.

Foreign Spies Stealing US Economic Secrets in Cyberspace
http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

It details the threats of China and Russia and how active they are in their respective efforts to steal secrets from U.S. Companies.

More about this report in this article from the web:

In a world of cybertheft, U.S. names China, Russia as main culprits

The threats described in these reports are some of the main reasons that I signed up for this 18 month program for an M.S. in Cybersecurity at Bellevue University in Bellevue, NE.

==========================================================

William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27002, MCP #3585
Project Manager / Program Manager
Chicago, IL
slater@billslater.com
http://billslater.com/career

Post 056 - CIS 608

2011-11-03T12:21:00.000-07:00

Time to Get Naked... Naked Security - An Award-winning IT Security Blog Worth Checking Out

Today, the good folks at Naked Security helped save me and my wife from a Facebook scam related to giving away two "free" Southwest Airlines tickets. This is the linkk that saved us from that scam: http://nakedsecurity.sophos.com/2011/10/03/freesouthwest-airlines-tickets/

I found it using Google, then checked it out and this an award-winning IT Security Blog and it is definitely worth checking out.

This is the link: http://nakedsecurity.sophos.com/

Get Naked(Security) and Enjoy!

William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27002, MCP #3585

Project Manager / Program Manager

Chicago, IL
slater@billslater.com
http://billslater.com/career

Post 055 - CIS 608

2011-11-02T19:58:00.000-07:00

Week Ten Assignments- Maps to Course Objs. 2 & 7

Read/Review

: Chapter 10, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 10, located in Course Documents, Lecture Notes

Learning Objectives - Week 10

• Know and understand access controls approaches

• Identify and describe the types of intrusion detection systems and the two strategies on which they are based

• Understand the encryption process

This week will be a review of sorts for a number of topics presented in CIS606.

Assignment 10.1

This assignment is worth 50 points.

Search for information regarding personal firewall applications. Examine at least three alternatives and document a comparison of their functionality, cost, support, and platform of use. Which would you recommend to a family member or a small business? Why? Provide justification to the owner/family member as well as a cost comparison.

>> View/Complete Assignment: Assignment 10.1

Assignment 10.2 (post to the Week 10 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

1. Facial geometry

2. Fingerprint

3. Hand and palm print

4. Hand geometry

5. Iris recognition

6. Retinal recognition

7. Signature recognition

8. Voice recognition

For each of the above, locate a vendor that provides a product designed to examine that feature. Provide the name of the vendor, the name of the product, the URL, and the CER associated with the product (many vendors do not provide CERs, just report what you can find). Of those in the list, which do you believe is more acceptable to users and why? Which would be preferred by security administrators and why? Provide some guidance to the organization as to what can be done if what the security folks prefer is not acceptable to users.

In your response, comment on whether you agree with the opinions stated.

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message is your original posting, no later than Wed. At least two of the other messages must be responses to other student original postings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!

________________________________________

Group Assignment-Week 10

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week10 Post - Grade Me" to your group forum.

Assignment 10.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post 054 - CIS 608

2011-10-31T08:37:00.000-07:00

Important News Item: DHS: U.S. infrastructure faces a barrage of cyber-attacks

Summary from CompTIA News Digest on October 30, 2011:

DHS: U.S. infrastructure faces a barrage of cyber-attacks
Hackers have launched thousands of cyber-attacks against critical U.S. infrastructure such as financial and transportation assets and have nearly succeeded in crippling key systems, according to the Department of Homeland Security. DHS Secretary Janet Napolitano said officials responded to more than 100,000 cybersecurity incidents in fiscal 2011, and she urged Congress to draft stronger laws to protect the nation's most vital networks.

Source: http://www.eweek.com/c/a/Security/CyberAttackers-Already-Targeting-Critical-Infrastructure-DHS-573564/?kc=rss

========================================================

My Comments:

Looks like yet another reason to be in the Bellevue University M.S. in Cybersecurity Program:

I am resolved, more than ever, to do all the work and complete this important program.

I am also keeping my (public) course blogs up to date and they are getting TONS of hits.

http://cis608.blogspot.com - CIS 608 - Information Security Management

http://cybr515.blogspot.com - Security Architecture and Design

========================================================

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL
United States of America

Post 053 - CIS 608

2011-10-30T21:16:00.000-07:00

Designing and Implementing Enterprise Network Malware Prevention Solutions

(This was my Assignment 9-3 for my CYBR 515 - Security Architecture and Design Course. I thought many of you might like seeing it here in this blog.)

==============================================

Conclusion (from the presentation)

This Enterprise Malware Protection Solution Implementation Project will:

1. Help provide protection from a wide range of threats

2. Enable excellence in protecting our client’s information

3. Help optimize return on investments

4. Help provide future business opportunities

5. Help protect the Slater Technologies, Inc. brand and reputation

6. Help ensure business continuity

7. Help reduce the risk of financial loss

8. Help reduce risk of litigation

9. Help Slater Technologies to become famous for what we do and how we do it

==============================================

The diagrams above were part of the design and presentation I created as part of the assignment shown below.

Companies like Symantec, McAffee, Trend Micro, Kaspersky, etc. provide enterprise-level malware protection. Choose a major anti-virus company and familiarize yourself with their product line. Using what you learned from your research and this week's reading assignment, create an executive presentation of 8-12 PowerPoint slides on the product and on how you would install an enterprise malware solution on a hypothetical network with 50 Windows servers and 2000 Windows 7 computers. Provide sufficient detail about hardware devices and software and where they would be installed. Create a high-level Visio diagram to accompany your proposal that shows the layout of your software. It is not necessary to diagram your complete network, just a high level representation of it. For example, you could represent the 2000 Windows 7 computers with one Icon labeled Windows 7 Workstations (2000). However, if you include a security appliance that provides malware protection, it should be included as a separate icon. Also, indicate location of software components (clients, servers, databases, management tools, etc) on your diagram, as well.

================

Post 052 - CIS 608

2011-10-30T21:06:00.000-07:00

Newly Discovered Information: Chinese Hackers Attacked U.S. Satellites in 2007 and 2008

This is amazing. Why would our friends do something like this to American satellites?

Source: http://unionresourcecenter.com/wp/?p=9168

“Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” according to the draft. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”

More Information is in this BBC article:
http://www.bbc.co.uk/news/business-15490687

More Information is also in this Bloomburg article:
http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

==============================
William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27002, MCP #3585

Project Manager / Program Manager
Chicago, IL
slater@billslater.com
http://billslater.com/career

Post 051 - CIS 608

2011-10-29T14:31:00.000-07:00

Navajo Codetalkers - Some True World War II American Heroes of the U.S. Marine Corps

CYBR 515 - Week 9, Assignment 9_2 Trivia Question:

What is code talking and how was it used in World War 2?

During the early part of World War II, the U.S. Government allowed the United States Marine Corps to recruit Native Americans from the Navajo tribe to be able to quickly transmit messages via combat radio equipment using their native Navajo language in combat situations in the Pacific Theater while fighting the Japanese troops (Churchhouse, 2004).

Initially, this project with the Navajo codetalkers, as they were called, started with 29 Navajo Marines. The significance of the ability to use these these Navajo codetalkers was that it afforded the U.S. Marines the ability to transmit vitally important battlefield communications using their native Navajo language in a way that the Japanese could not possibly hope to crack. Reason: the Japanese had no familiarity with the Navajo language (Churchhouse, 2004).

What is remarkable is the patriotism and the heroism of these men. Depite the fact that, many native Americans still felt as if the Americans had stolen their land during the 1700s and the 1800s. These Navajo Codetalkers rose to the call to serve the U.S. cause in World War II, and placed themselves in harm’s way in battlefield situations to help further the cause of the U.S.’s tactical and strategic objectives in the Pacific Theatre.

I did some additional research and found 12 very interesting pictures of the surviving Navajo codetalkers and these pictures are attached (Facebook Navajo Codetalkers Forum, 2011).

Please check out these pictures. They will help you understand a lot about these magnificent Americans and their selfless service to the U.S.

Enjoy!

References:

Churchhouse, R. (2004). Code and Ciphers: Julius Caesar, the Enigma, and the Internet. Cambridge, U.K.: Cambridge University Press.

Facebook Navajo Codetalkers Forum. (2011). Facebook Navajo Codetalkers Forum Photo Album. Retrieved from the web at http://www.facebook.com/pages/Our-Navajo-Code-Talkers/119244804756?ref=ts&sk=wall on October 28, 2011.

Best regards,

Bill
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
CIS 608 Blog: http://cis608.blogspot.com
Chicago, IL
United States of America

Post 050 - CIS 608

2011-10-27T20:04:00.001-07:00

Internet History and Growth Presentation

Tonight, I updated my Internet History and Growth presentation.

Visit this link: Internet History and Growth presentation

I originally created this in 2002 and it was well received. Tonight I added slides about the impact of mobile technologies and Steve Jobs.

Enjoy!

William Favre Slater, III, MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ITIL v3, Cloud Computing Foundation

Project Manager / Program Manager
http://billslater.com/career

Chicago, IL

United States of America

Post 049 - CIS 608

2011-10-27T17:16:00.001-07:00

Measuring Return on IT Security Investments

The two diagrams above are part of an additional approach on measuring the return on IT security investment. These are from a white paper that was produced in December 2007 by Intel Corporation.

As I stated in Post 046 - CIS 608, I really believe that an organization must consider additional factors when trying to uncover and quantify the real return on IT security investment. As I stated earlier, those factors that should be considered are:

Business Revenues and Opportunities gained because the implementation of a solid Information Security Management Program

Business Revenues and Opportunities that a company retained because of the implementation of a solid Information Security Management Program

Awards achieved, such as Industry Recognition Awards because of the implementation of a solid Information Security Management Program

Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program

People that kept their jobs because of the implementation of a solid Information Security Management Program

PR campaigns and damage control campaigns that that were avoided because of the implementation of a solid Information Security Management Program

What is also interesting is that this week, per the directions in our 2010 text book, Whitman, M. E and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology, you see a business trend toward using this method to quantify the value of investment on controls to increase information security and reduce risk:

It is based on determining two sets of Annual Loss Expectancy (ALE).

The first ALE is before the application of information security controls.

The second ALE is after the application of information security controls.

ALE is based on this calculation:

SLE * ARO = ALE

Where:

SLE is the Single Loss Expectancy for an incident

ARO is the Annualized Rate of Occurrence (Example 1 incident per month would be an ARO of 12.)

ALE = Annual Loss Expectancy

=======================================================

I think the important lessons here are that:

1) Management is looking for ways to quantify and justify the amount of money spent on IT security management controls

2) Risk must be reduced, but only to the degree that management can cost justify it and also is willing to accept the residual risk that remains

3) Even though the 2007 model and the 2010 model for measuring the effectiveness of money spent on information security controls are similar, the models for justifying and quantifying the money spent on information security may still be in a state of flux if they can change that much between December 2007 and when our book was published in 2010.

Post 048 - CIS 608

2011-10-27T07:36:00.000-07:00

Image from Glogster.com

Assignment 9.2 - Calculating the Cost Benefit Analysis after Applying Information Security Controls

The table image above shows the exercise we did to calculate the Cost Benefit Analysis after applying Information Security.

It is based on determining two sets of Annual Loss Expectancy (ALE).

The first ALE is before the application of information security controls.

The second ALE is after the application of information security controls.

ALE is based on this calculation:

SLE * ARO = ALE

Where:

SLE is the Single Loss Expectancy for an incident

ARO is the Annualized Rate of Occurrence (Example 1 incident per month would be an ARO of 12.)

ALE = Annual Loss Expectancy

Reference:

Whitman, M. E and Mattord, H. J. (2010). Management of Information Security, third edition. Indianapolis, IN: Course Technology.

Post 047 - CIS 608

2011-10-27T06:59:00.000-07:00

Week Nine Assignments- Maps to Course Obj. 7

MesusaControls.xls (19.5 Kb)

Read/Review

: Chapter 9, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 9, located in Course Documents, Lecture Notes

Learning Objectives - Week 9

• Understand and select from risk mitigation strategy options to control risk

• Identify risk control classification categories

• Use existing conceptual frameworks to evaluate risk controls, and formulate a cost-benefit analysis

Assignment 9.1

This assignment is worth 50 points.

One year ago, the Mesusa Corporation conducted a threat evaluation and created a list of threats, the cost per incident and the projected frequency of occurrence. During the year, Mesusa decided to implement controls designed to reduce the cost per incidence and the number of threats. The attached spreadsheet (top of page - MesusaControls.xls) indicates the pre-control cost and frequency of occurrence, the cost of controls for each type of threat, and the post-control cost and frequency of occurrence. Calculate the AROs, the ALEs and the CBA for this initiative, and return the completed spreadsheet.

Assignment 9.2 (post to the Week 9 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

Once you have finished 9.1, present only your CBA totals to the forum. Describe which controls were worth the cost, which were not, and why. For those that were not, determine what alternative controls are available.

In your response, comment on whether you agree with the analysis and the recommended alternate controls.

Group Assignment-Week 9

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week9 Post - Grade Me" to your group forum.

Assignment 9.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post your link to your blog in this drop box. If the link is not posted, the assignment is not considered to be submitted and will get a grade of zero.

Post 046 - CIS 608

2011-10-24T08:12:00.000-07:00

ROSI - Return on Security Investment

This week in our CIS 608 class, we are dealing with measuring Information Security Management in terms of quantitative ideas such as ROSI, ALE, and SLE. (see diagram above)

ROSI = Return on Security Investment

ALE = Annual Loss Expectancy

SLE = Single Loss Expectancy

I believe that these are ideas that are outdated throwbacks to the Insurance Industry and calculations related to damage claims, investments, and loss payouts.

I might also add to the mix here that these are measurements for which people will be tested and measured when they take exams like the CISSP and the CRISC.

But despite their longevity as standard ways to define the effectiveness of Information Security, I believe that ROSI, ALE, and SLE are now obsolete I will would like to add my own thoughts here about measuring ROSI.

I think that here in the second decade of the 21st century, we need something better to help measure the effectiveness of Information Security Management programs. In my opinion, a better idea on measuring the effectiveness of an Information Security Management program would be to measure and quantify benefits like these:

Business Revenues and Opportunities gained because the implementation of a solid Information Security Management Program

Business Revenues and Opportunities that a company retained because of the implementation of a solid Information Security Management Program

Awards achieved, such as Industry Recognition Awards because of the implementation of a solid Information Security Management Program

Compliance penalties and/or regulatory penalties avoided because of the implementation of a solid Information Security Management Program

People that kept their jobs because of the implementation of a solid Information Security Management Program

PR campaigns and damage control campaigns that that were avoided because of the implementation of a solid Information Security Management Program

These are just a few ideas about how to create a better set of metrics with which to measure the effectiveness of your Information Security Management Program. I will be writing a lot more about this in the very near future.

Feel free to comment below or better yet, e-mail me with your ideas: slater@billslater.com

Thanks.

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
Chicago, IL
United States of America

Post 045 - CIS 608

2011-10-22T21:45:00.001-07:00

Information Asset Classification - A Key Step in Risk Management and Information Security Management

This week, we covered classification of Information Assets as a key step in risk management and Information Security Management. The diagram above was adapted from a diagram in a Data Classification white paper I downloaded from the ISACA website.

Data Classification and Information Classification and labeling is required under these areas of ISO 27001 Annex A Domains, Control Objectives and Controls:

A.7 Asset Management
A.7.2 Information Classification
A.7.2.1 Classification Guidelines
A.7.2.2 Information labeling and handling

There was quite a bit of discussion on whether we were going to have a three-tier data classification system or a four-tier data classification system.

It’s really important to get this right as early as possible. What surprised me was

1) Just how political it was

2) How difficult it was to explain to the stakeholders

3) How difficult it was to get senior management to make a decision and support it

The proposed possible three-tier classification system:

Unclassified

Marketing and promotion literature; Annual Financial Reports for Shareholders

Protected

Personally Identifiable Information

Names with Social Security Numbers, Phone numbers, addresses

Client related;

Business-related

Restricted

Company Strategy, Privileged Data Related to How the Company is Managed; etc.

The proposed possible four-tier classification system:

Unclassified	Marketing and promotion literature; Annual Financial Reports for Shareholders
Private	Business-related
Confidential	Personally Identifiable Information Names with Social Security Numbers, Phone numbers, addresses
Secret	Company Strategy, Privileged Data Related to How the Company is Managed; etc.

You may want to study this because it shows how much work, thought, time and diplomacy can be expended to arrive at a business decision regarding classification of information assets and data assets.

Which one did I favor? The four-tier classification system.

Best regards,

Bill
William Favre Slater, III, PMP
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL

Post 044 - CIS 608

2011-10-20T14:32:00.001-07:00

Week Eight Assignments- Maps to Course Obj. 1

Read/Review

: Chapter 8, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 8, located in Course Documents, Lecture Notes

: NIST Security docs

Learning Objectives - Week 8

• Define risk management and its role in the organization

• Use risk management techniques to identify and prioritize risk factors for information assets.

• Assess risk based on the likelihood of adverse events and the effects on information assets when events occur

• Document the results of risk identification

Assignment 8.1

This assignment is worth 50 points.

The Mesusa Corporation has three information assets to evaluate for risk management as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, then include percentage of current control and the uncertainty rate to come up with a final risk -rating estimate. Use the formula as described in this chapter.

From your results, determine in what order the three assets be evaluated for additional controls. Include your worksheet and interpretation of the results.

Switch L47 connects a network to the Internet. It has two vulnerabilities; (1) susceptibility to hardware failure, with the likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.

Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such and attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of vulnerability by 75%. There is an 80% certainty of the assumptions and data.

Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.

Assignment 8.2 (post to the Week 8 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

Using the data classification scheme presented in this chapter, identify and classify the categories of information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is a) confidential, b) sensitive but unclassified, or c) suitable for public release?

In your response, comment on whether you agree with the ratings, and identify any possible instances for misuse or embarrassment that the author may have missed.

________________________________________

Group Assignment-Week 8

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left... Have one person in your group post the group consensus, labeled as "Week8 Post - Grade Me" to your group forum.

Assignment 8.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post 043 - CIS 608

2011-10-19T10:47:00.000-07:00

What Does a Cyberweapon Attack Look Like?

The diagram above, from Technolytics, shows the processes and phases of a cyberweapon attack. You can use your imagination to try to understand how an entity (like the U.S.) could conceivably use such cyberweapons to punish or retaliate against an adversary to accomplish a military and/or political objective.

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 042 - CIS 608

2011-10-19T10:39:00.000-07:00

Classes and Capabilities of Cyberweapons

There are several classes of cyberweapons. The table above, from Technolytics, shows the current classes, descriptions, and capabilities of cyberweapons. You can use your imagination to try to understand how an entity (like the U.S.) could conceivably use such cyberweapons to punish or retaliate against an adversary to accomplish a military and/or political objective.

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 041 - CIS 608

2011-10-19T10:06:00.000-07:00

The Economic Justification for Cyberweapons

The diagram above from Technolytics, shows how cyberweapons are now possible and much cheaper than building a $2.2 billion stealth bomber, a cruise missile, or a stealth fighter. In addition, the possible throw-weight and the attack velocity of a cyberweapons is far greater than a bomber, missile, or fighter, because a cyberweapon can conceivably attack any "target" that is attached to the Internet. The good news is that these devices have the advantage of the Internet, but the bad news is that they are vulnerable to cyberweapons that could strike on the Internet. (Remember the Army axiom, "Tracer rounds work BOTH ways.")

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 040 - CIS 608

2011-10-19T06:50:00.000-07:00

Evolution of Cyberweapons

The diagram above shows how cyberweapons are emerging in their capabilities. This is not only because of the importance and proliferation of the Internet and everything connected to it, it is also because cyberweapons are now possible and much cheaper than building a $2.2 billion stealth bomber.

Think about the proliferation of cyberweapons and compare it to the first chart from Mary Meeker, showing how mobile Internet traffic will overtake Internet traffic from desktop and laptop computers in the year 2013.

Can you see where all this is heading? If left unchecked, the world of those who can possibly threaten a world of people who have ubiquitous access to the Internet will continue to increase.

References:

Ingram, M. (2010). Mary Meeker: Mobile Internet Will Soon Overtake Fixed Internet. A web article published at Gigaom.com. Retrieved from the web on July 19, 2010 at http://gigaom.com/2010/04/12/mary-meeker-mobile-internet-will-soon-overtake-fixed-internet/

Technolytics. (2011). Cyber Commander's eHandbook: The Weaponry and Strategies of Digital Conflict. Purchased and downloaded from Amazon.com on April 16, 2011.

Post 039 - CIS 608

2011-10-18T18:43:00.000-07:00

U.S. Weighed Use of Cyberattacks to Weaken Libya

Right now, I am on a business trip in San Diego. At the hotel this morning, I picked up a news digest from the New York Times. On the front page was an article with this headline: U.S. Weighed Use of Cyberattacks to Weaken Libya.

This article explained that it was revealed recently that members of the Obama Administration seriously considered the use of offensive cyberwarfare capabilities against Libya as the administration planned the events leading to the ouster of Quaddafi's government. The targets would have likely included computer systems related to infrastructure, radar systems, and air defense missile systems.

However, there were two key reasons that the ultimate decision was to hold back from using these offensive cyberwarfare capabilities:

1) It would set an example that could be copied by Russia and/or China.

2) It begs the question: How would they carry out such attacks without informing congressional leaders?"

My comments:

In the grand scheme of things, such considerations about the possibile intent to use such cyberwarfare weapons proves that such types weaponized software and the battle plans to launch such attacks now actually exist.

Also, there is legal language Title 10 of the U.S. Code that prohibits the offense use of "cyberweapons." Going outside Title 10 by way of Executive Order from the President of the United States is the only way this can occur with impunity.

So now there are some new things to think about as Americans brace themselves for a world in which the landscape international conflict has literally now been extended into the Internet and potentially everything connected to the Internet. When such weapons are unleashed, don't expect Symantec, McAfee, Kapersky, or anything you can buy at Amazon.com to save you. Nope. It will take much more than that.

Reference:

Schmitt, E and Shanker, T. (2011). U.S. Weighed Use of Cyberattacks to Weaken Libya. An article printed on the New York Times website. Retrieved at

http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html on October 18, 2011.

Bill
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
CIS 608 Blog: http://cis608.blogspot.com
slater@billslater.com
http://billslater.com/career
Chicago, IL
United States of America

Post 038 - CIS 608

2011-10-16T17:03:00.000-07:00

Logical Network Design Diagram by William F. Slater, III

Designing the Enterprise Wireless Network for the Forever Young Cosmetic Company

This Assignment 6_3, was for my CYBR 515 - Security Architecture and Design course in this same M.S. in Cybersecurity program. I am posting it in this blog because there are many concepts related to Information Security Management controls involved.

Put yourself in the role of a consultant. You have been hired to propose a wireless solution for a small company. The background information on the company is contained in the attachment to this assignment. Based on that information, your reading, and any other source materials at your disposal, provide a simple design for a secure wireless network. In your design, include a list of the security features that you would enable and why you would enable them.

================================

Bellevue University

CYBR515

Forever Young Cosmetics
Business and Technical Requirements Document

Purpose: Gain experience in configuring a Wireless Local Area Network consisting of multiple access points.

Instructions: Read the narrative below and produce a network drawing and list of security features that you would plan to implement.

Background: Your group has been hired as secure networking consultants by Forever Young Cosmetics. Their corporate headquarters, manufacturing plant, and distribution center are in a single 250,000 square foot structure located in St Louis, MO. They want to use IEEE 802.11n capable wireless devices to track inventory and shipment and to provide laptop access to the Internet for their employees. They want to provide total wireless coverage of their entire building with the maximum wireless security possible using commercially available devices. Your task is to provide a preliminary recommendation for a secure wireless infrastructure that would support their needs. They currently have a wired Local Area Network with approximately 250 hosts that is connected through a firewall to a single high speed Internet connection provided by Comcast.

Deliverables:

A one page Visio diagram that overviews your proposed wireless infrastructure. The diagram doesn’t have to depict all of the hardware, just the logical components that will make up the network. For example, a single laptop Icon can be used to simulate laptop users and single switch and computer icons can be used to represent their existing wired network. You are free to choose any Visio symbols you wish, as you will be graded on content, not style. For the purposes of placing wireless devices, you may consider the building as a perfect square. Please indicate the quantity of wireless devices on your drawing, and include controllers and firewalls, if necessary.

A list of security features that would be enabled in the network and an explanation of the type of protection, strengths and weaknesses that they would afford.

For more information about ISO 27001, click here.

William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America

Post 037 - CIS 608

2011-10-16T14:53:00.000-07:00

Creating an Effective Information Security Management System (ISMS) Using ISO 27001

The diagram above shows the steps required to implement an ISO 27001-based ISMS

This week, we studied discussed Information Security management frameworks. Since I worked on an ISO 27001-based ISMS implementation project between January 2011 and July 2011 I personally found it especially interesting. Despite the fact that ISO 27001 is an internationally recognized standard for Risk Management and Information Security Management, I was amazed that more classmates were unfamiliar with the ISO 27001 standard. Maybe it's just because this Information Security Management Standard is better known and understood in places like India, Japan, Korea, the U.K.

Many people often look at the list of Domains, Control Objectives, and Controls in ISO 27001 Annex A and think that these topics are the only things that need to be address. But it is essential to remember that the implementation of an ISMS is as much Risk Management driven and Information Security Policy driven as much as it is about the establishment of Information Security Controls. It is also important to measure it so the effectiveness of the policies and other controls can be determined and also so the entire ISMS can continue to be improved under the Plan - Do - Check - Act process so it be under continuous process improvement.

Remember, if you are doing one of these ISO 27001 implementation projects, don't forget to do the Risk Management effort.

For more information about ISO 27001, click here.

William Favre Slater, III

Post 036 - CIS 608

2011-10-11T09:37:00.000-07:00

Implementing E-Mail Security Solutions to Defend Against E-Mail Dangers, Scams, and SPAMS

This week in the CYBR 515 - Security Architecture and Design class, we are studying E-Mail Dangers and how to implement security against these dangers to mitigate the risks.

I received the e-mail below this morning. The header is also included for those who like to read such things The point in including this scam e-mail in this blog is to show:

1) It looks VERY authentic and legitimate. They want you to believe that they are from Microsoft Canada and that they are legitimate.

2) That even the best spam filters can't catch everything and that your ability to be secure in the use of e-mail requires constant vigilance and education about the dangers that are associated with e-mail threats.

You brain, your awareness, and your vigilance may be some of your best defenses in e-mail and other places you touch and use the Internet (especially the web via web browsers).

===============================================================

E-Mail Header:

X-MSK: CML=3.201000

Received: from zuul.matrixconsulting.net ([10.4.5.2]) by powerweb.net with MailEnable ESMTP; Tue, 11 Oct 2011 10:33:03 -0500

X-ASG-Debug-ID: 1318347175-00958a099a1049e00001-LAYJgu

Received: from sharpe (78-33-47-12.static.enta.net [78.33.47.12]) by zuul.matrixconsulting.net with ESMTP id ypTHT0fs5gSIj2Qr for ; Tue, 11 Oct 2011 11:32:55 -0400 (EDT)

X-Barracuda-Envelope-From: customers@microsoft.ca

X-Barracuda-Apparent-Source-IP: 78.33.47.12

From: "Microsoft-Canada"

Subject: Critical Update For Microsoft Firewall and Security Center 4081

To: slater@billslater.com

X-ASG-Orig-Subj: Critical Update For Microsoft Firewall and Security Center 4081

Content-Type: text/plain;

Reply-To: customers@microsoft.ca

Date: Tue, 11 Oct 2011 16:32:57 +0100

X-Priority: 1

X-Library: Indy 8.0.25

X-Barracuda-Connect: 78-33-47-12.static.enta.net[78.33.47.12]

X-Barracuda-Start-Time: 1318347175

X-Barracuda-URL: http://zuul.matrixconsulting.net:8000/cgi-mod/mark.cgi

X-Virus-Scanned: by bsmtpd at matrixconsulting.net

X-Barracuda-Spam-Score: 0.64

X-Barracuda-Spam-Status: No, SCORE=0.64 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.0 tests=BSF_SC0_SA601, MISSING_MID, NORMAL_HTTP_TO_IP

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.77031

Rule breakdown below

pts rule name description

---- ---------------------- --------------------------------------------------

0.14 MISSING_MID Missing Message-Id: header

0.00 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL

0.50 BSF_SC0_SA601 Custom Rule SA601

Message-Id: <20111011153304.70ED92067105@zuul.matrixconsulting.net>

X-ME-Bayesian: 0.000000

Return-Path:

===============================================================

E-Mail Text Body:

Tuesday, October 11, 2011,

10:33 AM

Dear Customer,

Please notice that Microsoft has recently issued a Security Update for Microsoft Windows Firewall and Security Center.

This Update is to prevent malicious users from getting access to your computer files by executing arbitary code on a new buffer overflow found in the windows firewall process.

This is an high-priority updates. In order to help protect your computer against security threats and malicious code.

Please follow these instructions:

1. Download the file from http://200.21.20.163/SecurityPatch/SECURITY_FIX_4081.exe

2. Double-click on SECURITY_FIX_4081.exe to start the update.

3. Click on *Allow Access*

This is an Automated Message produced by Microsoft Canada Co., Please Do Not Reply

Microsoft Team.

===============================================================

Stay safe online!

Dr. Martin Luther King, Jr.

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL
United States of America

Post 035 - CIS 608

2011-10-10T22:20:00.000-07:00

Week 7 Assignments- Maps to Course Obj. 1

Read/Review

: Chapters 6 & 7, Management of Information Security, 3e.

: Powerpoint Slides, Chapters 6 & 7, located in Course Documents, Lecture Notes

: NIST Security docs

: SSE-CMM

: 2010 Data Breach Investigations Report

Learning Objectives - Week 7

• Select from the dominant information security management models, including US goverment-sanctioned models, and customize them for a specific organization

• Implement the fundamental elements of key information security management practices

• Follow emerging trends in the information security models.

Assignment 7.1

This assignment is worth 50 points.

This week you'll be revisiting the Verizon report from Week 3. At the end of the 2010 report (linked above), you'll see a set of recommendations. Your task is to select one recommendation from that report and create a Performance Measures document that an organization could use to assess how well that recommendation was implemented. The NIST 800-55, rev. 1 and your textbook both provide examples of a Performance Measures document.

Assignment 7.2 (post to the Week 7 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

Examine the Systems Security Engineering - Capability Maturity Model (SSE-CMM) site link above. This model has recently been accepted as ISO/IEC 21827. Given the prevalence of security management models published by NIST, how does this fit into the picture? Additionally, given the prevalence of security models, what course of action would you recommend to an organization which seeks to adopt a security model, and upon what criteria might they base their decision? (examples: size of the organization? Industry type?)

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message is your original posting, due no later than Wed. At least two of the other messages must be responses to other student originalpostings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!

________________________________________

Group Assignment-Week 7

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of these chapters. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week7 Post - Grade Me" to your group forum.

Assignment 7.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post 034 - CIS 608

2011-10-10T22:14:00.001-07:00

Thoughts on Strong, Positive, Leadership - You CAN Lead by Inspiring People

I believe that positive Leadership that inspires people and gets the best results. I do not believe that Steve Jobs was a good, positive Leader. He was a visionary and an innovator.

These people are my role models for strong, positive Leadership:

Simon Sinek

Peter Senge

Jaime Escalante

Coach John Wooden

John C. Maxwell

President Harry S. Truman

President George Washington

I invite you to study the Leadership abilities and style of these people and you will start to understand how each, in their own special way was able to change the world and make it a better place without intimidating and humiliating people.

When you see Leaders that lead by bullying, mobbing tactics, intimidating and humiliating people, refer them to this post and just say NO!!!

Source: White paper from General Dynamics

Post 033 - CIS 608

2011-10-09T08:31:00.001-07:00

Steve Jobs shows off the new Apple iPad 2 in 2011

Can a Leadership Style Adversely Affect the State and Quality of an Organization's Information Security?

Apple's Co-founder and former CEO, Steven Paul Jobs (1955 - 2011), passed away on October 5, 2011. May he rest in peace, and may his family and friends be comforted and experience rapid healing during their time of intense loss.

Much has been said of Mr. Job's visionary contributions to the work of computing and personal communications, and how he empowered the masses by having the vision to humanize technology and make it useful. That is all noteworthy, and significant, and it has certainly made the world a more interesting place.

But this article shows the real Steve Jobs, and the way he treated the people around him, who were executing his vision to change the world. http://gawker.com/5847344/what-everyone-is-too-polite-to-say-about-steve-jobs. I was aware of these traits, but it's documented so well here that it deserves to be shared. I was also aware that Mr. Jobs' tyrannical ways worked some people so hard that it broke up marriages and almost drove some people crazy. It's a poor leadership style that in my opinion could not have continued, if he had continued to live.

And since this is a blog for a course in Information Security Management, the point of this post, however, is that I personally believe that a poor tyrannical, leadership style, based on bullying, intimidation, and humiliation, can itself constitute a threat to information security because it increases risks that an organization doesn't want. This is because when things start to go awry, many people who work on the Team of a Tyrant may become passive aggressive and enjoying watching a Tyrannical Leader fail. I believe that there is a human trait in which people like to see what goes around comes around. If a tyrant mistreats people, those people will probably be happy to see him or her get what is coming to them. If that means watching a tyrant take the heat for situations like 1) the compliance penalities associated with a data breach; or 2) failing to secure something that should have been secured during an information security-related project; or 3) a Business Continuity Plan that is missing critical components that will ultimately doom it to failure if and when it is ever executed; employees will be only too glad to see these things occur, despite the fact that it could and will adversely affect an organization. So I believe that a poor leader can create situations that in raise the information security risk factors in an organization.

What's the answer? I will share what I believe is the answer in a in a post that follows this one.

Post 032 - CIS 608

2011-10-07T16:09:00.001-07:00

Week 6 Assignments- Maps to Course Obj. 6

Read/Review

: Chapter 5, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 5, located in Course Documents, Lecture Notes

: Defense Security Service SETA Program

Learning Objectives - Week 6

• Recognize and understand the organizational approaches to information security

• Describe the functional components of the information security program

• Describe the components of a security education, training, and awareness program

Assignment 6.1

This assignment is worth 50 points.

The Mesusa Corporation has decided to increase their employees' information security awareness. Your task is to find at least three sources of information security awareness training (government or commercial), and write a memo to Bob Kranke, the Chief Information Security Officer, describing the training objectives, cost, length, and who provides the training. You should also provide a recommendation to Mr. Kranke as to which training program to adopt.

Assignment 6.2 (post to the Week 6 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

Design at least three security posters or flyers on information security. Be creative! The class will vote on the two best posters, and the winners will have their work used as an example for the next class.

________________________________________

Group Assignment-Week 6

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week6 Post - Grade Me" to your group forum.

This week, you have an additional task of revisiting your WBS. After reading through this chapter, are there additions or deletions or modifications you would make? Finalize your WBS and post it to the Group Form with subject line of "WBS- Final".

Assignment 6.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post the URL for your blog in the text box for this assignment.

Post 031 - CIS 608

2011-10-07T13:46:00.000-07:00

U.S. Air Force Predator firing a deadly Hellfire Missile

U.S. Air Force Predator Crew

Exclusive: Computer Virus Hits U.S. Drone Fleet

By Noah Shachtman October 7, 2011 | 1:11 pm | Categories: Drones

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

My comments:

This is the first public release of such information. About 14 months ago with the disclosure of the Stuxnet worm and its effect on equipment in the Iranian Nuclear facilities, one industry observer noted that this was the public beginning of specialized, weaponized computer software. With the advent of a virus that is quietly monitoring U.S. Air Force Drone Crews as they fly operational missions in Afghanistan and other forward operating locations, we may be witnessing the second chapter of specialized, weaponized computer software.

As a former U.S. Air Force Officer, I sincerely wish the men and women of the U.S. Air Force Drone Team the best as they fight this newly identified danger to their operational mission.

------------------

Source: http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Post 030 - CIS 608

2011-10-06T08:09:00.000-07:00

Electronic Health Records, the Department of Veterans Affairs, the Department of Defense and the Future

The white paper link about the VA and the DoD and the State of Health Records Initiatives and diagram above describe a big picture view of what I am doing in my career now with VA and DoD-related Health Care Records Initiatives. You may want to download and view this new white paper

http://download.1105media.com/GIG/Custom/2011PDFS/InsightsHealthIT.pdf

I am managing a program that develops the enabling software for these initiatives.

This is truly the future of Health Care Records and because it will pass Personally Identifiable Information (PII) and other related sensitive information over a complex network of MANY distributed systems and applications, it represents MANY opportunities for the application of security controls and Cybersecurity best practices to protect this information. This is one more reason I am happy that I enrolled in the M.S. in Cybersecurity program at Bellevue University on August 29, 2011.

=====================

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
http://billslater.com/career
Chicago, IL
United States of America

Post 029 - CIS 608

2011-10-05T20:31:00.000-07:00

Information Security Awareness Posters

This week, we had the fun task of developing and critiquing Information Security Awareness Posters. In this I blog post, I am sharing the posters I developed. Enjoy! I certainly enjoyed developing these.

Post 028 - CIS 608

2011-10-05T20:15:00.000-07:00

The IT Security Security Learning Continuum

Picture from NIST SP 800-50 - Developing an Information Security Education Program

Week Six Assignments- Maps to Course Obj. 6

Read/Review

: Chapter 5, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 5, located in Course Documents, Lecture Notes

: Defense Security Service SETA Program

Learning Objectives - Week 6

• Recognize and understand the organizational approaches to information security

• Describe the functional components of the information security program

• Describe the components of a security education, training, and awareness program

Assignment 6.1

This assignment is worth 50 points.

Assignment 6.2 (post to the Week 6 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation.

________________________________________

Group Assignment-Week 6

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week6 Post - Grade Me" to your group forum.

Assignment 6.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post the URL for your blog in the text box for this assignment.

Post 027 - CIS 608

2011-10-05T20:09:00.000-07:00

Week 5 Assignments- Maps to Course Obj. 6

: Chapter 4, Management of Information Security, 3e.

: Powerpoint Slides, Chapter 4, located in Course Documents, Lecture Notes

: SANS Security Policy Project

Learning Objectives - Week 5

• Define information security policy and understand its central role in a successful information security program

• Recognize the three major types of information security policy and know what goes into each type

• Develop, implement, and maintain various types of information security policies

Assignment 5.1

Write a research report to consider the two approaches described in your text to developing an information security policy (SecSDLC and ISPME). In your opinion, answer the following:

1. How are they similar? How are they different?

2. Is there another approach that might be used?

3. Which is might be suited for use by a smaller organization? Why?

4. Which is might be suited for a larger organization? Why?

5. What criteria you would consider before making a recommendation for adopting a formal approach to policy development?

Use external sources only, provide examples and evidence to support your report

Assignment 5.2 (post to the Week 5 Forum)

This assignment is worth 75points; 25 points for each of your original postings, and 25 points for participation.

This week's assignment is in two parts: (post in separate messages)

a. Consider your incident response plan you created last week for your home computer, and draft a generic sample issue-specific policy that would be useful to any home computer user. Let's use the premise that this plan would be available to the general public.Post to the forum.

b. Examine at least two policies. Form an opinion and get a second opinion on their usability. You might use a family member, or a work colleague. Include those opinions in your responses to other students.

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message is your original posting, due by Wed. At least two of the other messages must be responses to other student original postings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!

________________________________________

Group Assignment-Week 5

This assignment is worth 50 points.

As a group, determine a best response to the Case Exercises for RWW, Inc. at the end of the chapter. Use your group forum area for discussion, located under the Groups button to the left...

Have one person in your group post the group consensus, labeled as "Week5 Post - Grade Me" to your group forum.

Assignment 5.3 (Post to your Blog)

This assignment is worth 20 points.

Time to start adding to that blog! If you are not sure what to include, you might want to re-read the assignment located at the top of the Week 1 Assignments.

Post 026 - CIS 608

2011-10-03T09:34:00.001-07:00

October is now National Cybersecurity Awareness Month

As an M.S. student in Cybersecurity at Bellevue University, I am happy to inform you that October is now National Cybersecurity Awareness Month. Please share with your friends, kids, grandkids, co-workers, neighbors, Facebook Friends, etc.

http://www.staysafeonline.org/

Stay Safe Online!

William F. Slater, III, M.S., MBA, PMP, CISSP, SSCP, CISA, MCITP, MCSE, ISO 20000, ISO 27001 Auditor, ISO 27002, MCP #3585

Project Manager / Program Manager
Chicago, IL
slater@billslater.com

Post 025 - CIS 608

2011-09-30T20:54:00.000-07:00

Source: http://workflow-process.com/2011/09/21/records-management-11/

Records Management

In September 2011, as I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Records Management Toolbox." I hope it will help readers of this Blog.

Records Management References

44 U.S.C. Chapters 15, 21, 22, 23, 25, 27, 29, 31, 33 – Records Management
http://www.archives.gov/about/laws/

18 U.S.C. § 2071 - Concealment, Removal, or Mutilation of Records
http://www.archives.gov/records-mgmt/laws/

36 CFR, Chapter XII, Subchapter B - Records Management (Parts 1220 - 1239)
http://www.archives.gov/about/regulations/subchapter/b.html

OMB Circular A-130 – Management of Federal Information Resources
http://www.whitehouse.gov/omb/circulars_a130_a130trans4

OMB Circular A-123 – Management Accountability and Control
http://www.whitehouse.gov/omb/circulars_a123

DoD 5015.02-STD, Electronic Records Management Software Applications Design Criteria Standard
http://www.dtic.mil/whs/directives/corres/pdf/501502std.pdf

AFI 33-321, Authentication of Air Force Records
http://www.e-publishing.af.mil/shared/media/epubs/AFI33-321.pdf

AFI 33-322, Records Management Program
http://www.e-publishing.af.mil/shared/media/epubs/AFI33-322.pdf

AFMAN 33-363, Management of Records
http://www.e-publishing.af.mil/shared/media/epubs/AFMAN33-363.pdf

National Archives and Records Administrationhttp://www.archives.gov/records-mgmt/

Air Force Records Information Management System (AFRIMS)
https://www.my.af.mil/afrims/afrims/afrims/rims.cfm

AF Records Management Community of Practice
https://www.my.af.mil/afknprod/community/views/home.aspx?Filter=OO-SC-EI-M4

AF Regulation on RECORDS DISPOSITION—PROCEDURES AND RESPONSIBILITIES
http://www.e-publishing.af.mil/shared/media/epubs/AFI33-364.pdf

= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002,ISO 20000, ITIL v3, Cloud Computing Foundation

Project Manager / Program Manager

M.S. in Cybersecurity Program at BellevueUniversity

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and PersonnelSecurity

Career

Certifications

Credentials

ISO 27001

Chicago, IL

United States of America

Post 024 - CIS 608

2011-09-30T20:47:00.000-07:00

Source: http://www.gwu.edu/~nsarchiv/nsa/foia.html

Freedom of Information Act (FOIA) Resources

In September 2011, As I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Freedom of Information Act Toolbox." I hope it will help readers of this Blog.

FOIA Tool Box

OPEN Government Act of 2007: http://www.usdoj.gov/oip/amendment-s2488.pdf

Executive Order 12600: http://www.archives.gov/federal-register/codification/executive-order/12600.html

DoD Regulation 5400.7/AF Supplement: http://www.foia.af.mil/shared/media/document/AFD-070702-060.pdf

DoD Regulation 5400.7: http://www.dtic.mil/whs/directives/corres/pdf/540007r.pdf

AF FOIA Web Page - Public website: http://www.foia.af.mil/

AF Reading Room: http://www.foia.af.mil/reading/documents/index.asp

AF Public Access Link (PAL): https://www.efoia.af.mil/palMain.aspx – Inform requesters to submit request online

Current Value Fund Rate (CVFR): http://www.fms.treas.gov/cvfr – Interest rates are established annually by the Secretary in accordance with 31 U.S.C. 3717

AF FOIA/PA Community of Practice (CoP): https://afkm.wpafb.af.mil/community/views/home.aspx?Filter=OO-SC-AF-53 – Information for policy and guidance

Caution: you may be required to spend money to obtain the information you are requesting, so these FOIA requests can get rather expensive.

= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002,ISO 20000, ITIL v3, Cloud Computing Foundation

Project Manager / Program Manager

M.S. in Cybersecurity Program at BellevueUniversity

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and PersonnelSecurity

Career

Certifications

Credentials

ISO 27001

Source: http://www.anonymous-proxies.org/2011/02/price-of-your-privacy-and-why-its.html

Chicago, IL

United States of America

Post 023 - CIS 608

2011-09-30T20:33:00.000-07:00

Privacy Resources on the Web

As I was taking my required Information Protection training to maintain my clearance status with the U.S. Air Force, I discovered this "Privacy Toolbox." I hope it will help readers of this Blog.

Privacy Toolbox

Privacy Act of 1974 As Amended

http://www.opm.gov/feddata/usc552a.txt

AF Privacy Act Web Page:

http://www.privacy.af.mil

Defense Privacy Office webpage:

http://www.defenselink.mil/privacy/

AFI 33-332, Air Force Privacy Program

http://www.e-publishing.af.mil/shared/media/epubs/AFI33-332.pdf

DoD Publication 5400.11-R, Department of Defense Privacy Program

http://privacy.defense.gov/files/540011R.pdf

DoD Directive 5400.11, DoD Privacy Program

http://privacy.defense.gov/dod_directive_5400.11.shtml

DISA Personally Identifiable Information computer-based training (CBT)

http://iase.disa.mil/eta/pii/pii_module/pii_module/index.html

DISA CBT on Personal Electronic Devices / Removable Storage Media

http://iase.disa.mil/eta/pedrm/pedrm/index.htm

Safeguarding Against and Responding to the Breach of Personally Identifiable Information

http://www.defenselink.mil/privacy/files/PII_Memo_Safeguard.pdf

Federal Trade Commission website on protecting consumer's privacy

http://www.ftc.gov/privacy/

= = = = = = = = = = = = = = = = = = = = = = =
William Favre Slater, III

MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002,ISO 20000, ITIL v3, Cloud Computing Foundation

Project Manager / Program Manager

M.S. in Cybersecurity Program at BellevueUniversity

CIS 537 Introduction to Cyber Ethics

CIS 608 Information Security Management

CYBR 515 - Security Architecture and Design

CYBR 510 Physical, Operations, and PersonnelSecurity

Career

Certifications

Credentials

ISO 27001