Cloud IPP & Security Issues and Risk Management Matrix

Please see the attached document.


https://www.himss.org/resources/sample-risk-assessment-cloud-computing-healthcare


Risk Table columns: Risk ID, ID, Date, Cause(s), Risk Name, Consequence, Risk Details, Risk Owner (Responsible Person or Group), Probability, Impact, Risk Score, Response Action Type, Response Actions

Values (drop-down options)

LIKELIHOOD: Unlikely, Likely, Very Likely
IMPACT: Minor, Moderate, Major
RISK: Acceptable Risk: Low; Acceptable Risk: Medium; Unacceptable Risk: High; Unacceptable Risk: Extremely High
RESPONSE: Accept, Avoid, Transfer, Mitigate

PLEASE READ CAREFULLY

– Please cite your work in your responses

– Please use APA (7th edition) formatting 

– All questions and each part of the question should be answered in detail (Go into depth)

– Responses to questions must demonstrate understanding and application of concepts covered in class.

– Use in-text citations and at LEAST 2 resources per discussion from the school materials that I provided to support all answers. 

– No grammatical errors; Complete sentences are used. Proper formatting is used. Citations are used according to APA

The use of course materials to support ideas is HIGHLY RECOMMENDED

– Lastly, Responses MUST be organized (Should be logical and easy to follow)

STEP 1: Identify Potential Privacy Issues and Mitigation Measures

Now that you have identified the guidelines most applicable to your organization, it is time to discuss privacy protections that may apply.

BallotOnline is now a global organization and may need to contend with several sets of privacy laws since these laws vary from country to country.

Sophia has recommended that you focus on European Union (EU) privacy requirements for now, including the General Data Protection Regulation (GDPR), since those are considered to be the most challenging for compliance. Many companies opt to host data for their European customers entirely within facilities in the European Union, and the companies implement restrictions to prevent data for EU citizens from crossing borders into non-EU zones. This is the approach that you have been asked to take and where you should focus your efforts. Note that some cloud providers, such as Amazon, have received special approval from EU authorities to permit data transfer outside of the EU.

Research EU privacy requirements, identify the requirements that apply to your project and why they apply, and compile your recommendations for complying with these requirements.

STEP 2: Create Risk Management Matrix

Now that you have identified and described the types of risks that may apply to your organization, create a risk management matrix to assess/analyze that risk and make recommendations for risk mitigation measures.

This Sample Risk Assessment for Cloud Computing will give you an example of a completed risk matrix.

Use the risk management matrix template to identify risks and write a brief summary explaining how to understand the data. Submit it for feedback using the steps described below.

STEP 3: Describe Cloud Security Issues

Now that you have completed the risk analysis, you can start to identify cloud and network security issues that may apply in BallotOnline’s operating environment, including data in transit vulnerabilities and multifactor authentication.

Consider cloud computing risks, network security design, information security, data classifications, and identity management issues.

Besides the risk management matrix in step 2, your research and recommendations to your colleagues must cover the following.

· What network security issues could you encounter?

· What (if any) data classification issues are there to consider?

· What identity management issues need to be considered?

· How would you share responsibilities for securing your project with the Service Provider?

· How does Cloud security compare to on-prem security?

· Are there any other potential cloud security issues that you should identify?

Your answer in the Word document should be logical and easy to follow. Your goal should be to convey this critical information to your colleagues in a concise, yet thorough manner.

2/9/22, 11:22 PM Cloud and Network Security Issues

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/cloud-and-network-security-issues.html?ou=622270 1/3

Learning Topic

Cloud and Network Security Issues
Both cloud customers and providers consider security as one of the main issues and risks of the cloud. Off-premises cloud deployments are accessed over a network and located in remote data centers along with the resources of many other clients, so they could be prone to security breaches. On the other hand, cloud providers can often ensure better security protections than many on-premises installations. Often, a cloud provider has dedicated security staff identifying and mitigating threats.

Securing the cloud involves taking steps in these areas:

Physical data center security: securing access and resilience of facilities

Network security: secure network access; preventing sniffing, spoofing, eavesdropping, and denial of service; intrusion detection

Account access security: authentication and authorization for both human and programmatic access, preventing account hijacking, single sign-on, identity and access management

Infrastructure and application security: hardening system software and machine images, providing virus and malware protection, preventing virtualization attacks

Data security: making sure that client data is inaccessible to intruders, both in transit and at rest: encryption, digital signatures, digital certificates

Because a big part of cloud functionality is implemented in software, many cloud security measures apart from physical data center security are also software-based.


Resources

Seven Security Measures to Protect Your Servers
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/7SecurityMeasurestoProtectYourServers_checked.pdf?ou=622270)

Cyber Attacks Explained: Packet Spoofing
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/CyberAttacksExplained_PacketSpoofing_checked.pdf?ou=622270)

NIST Cloud Computing Security Reference Architecture
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/NISTCloudComputingReferenceModel_checked ?ou=622270)

Security and Privacy Issues in Public Cloud Computing
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/security-and-privacy-issues-in-public-cloud-computing.html?ou=622270)

Security Analysis in the Migration to Cloud Environments
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/security-analysis-in-the-migration-to-cloud-environments.html?ou=622270)

An Analysis of Security Issues for Cloud Computing
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/AnAnalysisofSecurityIssuesForCloudComputing_checked ?ou=622270)

Cloud Computing: Security and Reliability Issues
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/cloud-computing–security-and-reliability-issues.html?ou=622270)


© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.

2/9/22, 11:23 PM Data in Transit Vulnerabilities

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/data-in-transit-vulnerabilities.html?ou=622270 1/5

Learning Topic

Data in Transit Vulnerabilities
Data in transit can be exposed to a wide range of vulnerabilities. The following is a discussion of some of these types of vulnerabilities.

Endpoint Access Vulnerabilities

The world today is a vast technological landscape with an increasing number of portable and personal devices. These endpoints include mobile devices and wireless devices such as laptops, phones, and tablets. Such devices can have complex vulnerabilities for security threats.

Endpoint vulnerabilities can be caused by three primary gaps in protection and knowledge.

Gap / Vulnerability

User Gaps: A large number of endpoint security vulnerabilities arise from gaps in the user’s knowledge. Attackers target users through social engineering, malicious links in emails and web pages, or installing software on endpoint devices.

Operational Gaps: Many corporations rely on intrusion detection technologies to protect their endpoints. Endpoint threats take advantage of detection-only security deployments to compromise vulnerabilities before corporations become aware of incidents.

Technical Gaps: Signature-based intrusion detection solutions cannot keep up with the constantly increasing attack surface of threats, for which there might not be available signatures.


External Storage Vulnerabilities

Users enjoy flexibility when they have convenient access to personal and business data through the use of portable external storage devices. However, as the use of portable devices to store and transfer data increases, the risk an organization faces also increases. Organizations can face challenges in protecting against data loss or unauthorized transmission. They can face obstacles that prevent the installation of drivers for devices. Organizations can also fail to prevent the installation of malware capable of using external storage devices to traverse a network.

External storage devices are an easy way for attackers to spread malware throughout an organizational network. In some cases, external storage devices possess “smart” capabilities such as wireless or Bluetooth. Attackers can use sniffing tools on public networks to take advantage of wireless capabilities to infect storage devices. In many cases, personal and external storage devices are able to bypass the security protections attached to organizationally owned equipment.

The following are best practices to assist with external storage vulnerabilities:

compile a list of authorized and unauthorized external storage devices
compile a list of authorized and unauthorized drivers
install host-based antivirus systems that scan external storage devices for malware
encrypt all data transmitted through external hard drives

Media Access Control and Ethernet Vulnerabilities

Media access control is a sublayer of the OSI model that describes how devices are connected together at the hardware level. Ethernet is a media access protocol that is traditionally used in local area networks (LANs). An Ethernet port, also known as a LAN port, is the port that connects the computer to the network. The physical connector used for this access is RJ45; it looks like a wide version of the RJ12, the connector commonly used for landline telephones. This connector plugs into a network interface card (NIC), which is also called an Ethernet card, to transmit on an Ethernet network. Each Ethernet card has a unique media access control (MAC) address.

A common issue with Ethernet is that it broadcasts frames, and any computer connected to the Ethernet wiring can potentially read the other frames being broadcast on the network. Akin to eavesdropping, this process of collecting and reading network transmissions is called network sniffing. Network switches can help in reducing packet sniffing.

Network cables must be protected from damage and tampering; this can be done with special cable protectors. Networks are also vulnerable to attacks that attempt to pull data from frames, cause buffer overflow, or cause denial of service. These vulnerabilities are normally patched by vendors when discovered; however, finding these vulnerabilities can be challenging. A denial-of-service attack is more readily identifiable than a hacker sniffing and pulling data from frames.

Virtual Private Network Vulnerabilities

Virtual private networks (VPNs) provide an encrypted connection over a less secure network (Burke, 2016). This allows users to securely connect to an intranet from a computer that is not on the network or connect two internal sites using a gateway device. VPNs typically mask the true IP address of the machines using the VPN. However, there are vulnerabilities that can unmask the true IP address due to port forwarding services. These vulnerabilities are exploited by attackers that have access to multiple VPN services and lure the victims to connect to another VPN service that forces the user to provide the real IP address (Vijayan, 2015).

In addition, because VPNs are dependent upon less secure connections like the internet, they can suffer from service issues from the internet service provider. If the internet is down, there is no way to connect to the VPN unless the user connects to another network with internet access. Furthermore, there are VPNs that have been exposed to vulnerabilities while switching access points inadvertently. Hackers could attack when this occurs because it could disrupt the end-to-end encryption, which normally accompanies VPNs.

References

Burke, J. (2015). Virtual private network. http://searchenterprisewan.techtarget.com/definition/virtual-private-network

Vijayan, J. (2015, December 1). Port fail vulnerability exposes real IP addresses of VPN users. https://securityintelligence.com/news/port-fail-vulnerability-exposes-real-ip-addresses-of-vpn-users/


Resources

Operating Systems Security: Protection Measures Analysis
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/OperatingSystemsSecurity_ProtectionMeasuresAnalysis_checked ?ou=622270)

Performance Management in Network Management System
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/PerformanceManagementinNetworkManagementSystem_checked.pdf?ou=622270)

Guide to IPsec VPNs
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/Guide_to_IPsecVPN_checked ?ou=622270)

Measures of VPN Technology
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/MeasuresofVPNTechnology_checked ?ou=622270)

Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/Keysunderdoormatsmandatinginsecuritybyrequiringgovernmentaccesstoalldataandcommunications_checked ?ou=622270)

About the PIA Client Security and VPN Security in General
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/AboutthePIAClientSecurityandVPNSecurityinGeneral_checked ?ou=622270)

A Review on Media Access Control Spoofing
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/AReviewonMediaAccessControlSpoofing_checked.pdf?ou=622270)

Yes, You Can Still Trust VPN Technology, but Defend in Depth
(https://leocontent.umgc.edu/content/dam/course-content/tgs/cca/cca-610/document/YesYouCanStillTrustVPNTechnologyButDefendinDepth_checked ?ou=622270)

2/9/22, 11:16 PM General Data Protection Regulation (GDPR)

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/general-data-protection-regulation–gdpr-.html?ou=622270 1/3

Learning Topic

General Data Protection Regulation (GDPR)


General Data Protection Regulation (GDPR) is the European Union’s (EU) new data privacy law, implemented May 25, 2018. These regulations protect personal data (defined as any information relating to an identified or identifiable person) and ensure individuals’ right to privacy through new data protection, security, and compliance requirements (AWS, 2018).

The central idea behind this law is to require “privacy by default” with regard to the collection and handling of all personal data.

The GDPR has six general data protection principles (European Commission, 2018):

1. fairness and lawfulness;
2. purpose limitation;
3. data minimisation;
4. accuracy;
5. storage limitation; and
6. integrity and confidentiality.

Scope

Any organization that holds or uses data on citizens inside the EU is subject to these regulations, regardless of the physical location of the company itself (Kottasová, 2018).

Cost of Compliance and Sanctions

The International Association of Privacy Professionals (IAPP) estimates that Fortune’s Global 500 companies will spend about $7.8 billion on new technology, lawyers, and compliance consultants in order to ensure they are compliant with the rules, in addition to costs associated with updating their products and services to make them GDPR-compliant (IAPP, 2017).

Companies out of compliance could face fines up to 4 percent of annual global turnover or about $23 million (Kottasová, 2018).

For more information on GDPR, review the references below.

References

Amazon Web Services (AWS). (2018). General Data Protection Regulation (GDPR) center. Retrieved from https://aws.amazon.com/compliance/gdpr-center/?sc_medium=AW_AWNS_FMM_GDPR_nb_041018&trk=70150000000mkld&s_kwcid=AL!4422!3!265937371174!e!!g!!gdpr&ef_id=WvTFNQAAALLzX2jc:20180731134307:s

European Commission. (2018). 2018 reform of EU data protection rules. Retrieved from https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703–705. doi:10.2501/IJMR-2017-050. Retrieved from http://ezproxy.umgc.edu/login?url=http://search.ebscohost.com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=126375540&site=eds-live&scope=site

International Association of Privacy Professionals (IAPP). (2017). Global 500 companies to spend $7.8B on GDPR compliance. Retrieved from https://iapp.org/news/a/survey-fortune-500-companies-to-spend-7-8b-on-gdpr-compliance/#

Kottasová, I. (2018, May 21). What is GDPR? Everything you need to know about Europe’s new data law. Retrieved from https://money.cnn.com/2018/05/21/technology/gdpr-explained-europe-privacy/index.html?iid=EL

Resources

Ensuring GDPR Compliance
(https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/ensuring-gdpr-compliance.html?ou=622270)

2/9/22, 11:19 PM Risk Management Matrix

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-management-matrix.html?ou=622270 1/1

Learning Topic

Risk Management Matrix
When conducting a risk assessment for cloud computing in the elections industry, you will categorize risks based on the likelihood of an incident occurring, and the seriousness of the impact.

The image below shows an example of how to categorize risks with a risk matrix.

Risk Matrix
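The scoring the matrix performs can be carried out mechanically. The following Python is an added example, not the course template's or UMGC's own code, that scores a constructed BallotOnline risk register using the likelihood, impact, risk and response labels from the template's Values sheet; it serves both Step 2 of the assignment and this topic. The mapping of the 3x3 likelihood-by-impact grid onto the four risk bands and the default response per band are assumptions, since the page does not reproduce the matrix image.

```python
"""Score a risk register with a likelihood x impact matrix.

Added example, not the course template's own code. The likelihood, impact,
risk and response labels come from the template's Values sheet; the mapping
of the 3x3 grid onto the four risk bands and the default response per band
are ASSUMPTIONS, because the page does not reproduce the matrix image.
"""

# Ordinal scales from the template's Values sheet.
LIKELIHOOD = {"Unlikely": 1, "Likely": 2, "Very Likely": 3}
IMPACT = {"Minor": 1, "Moderate": 2, "Major": 3}

# Assumed banding of the product score (1..9) onto the template's RISK values.
BANDS = (
    (2, "Acceptable Risk: Low"),
    (4, "Acceptable Risk: Medium"),
    (6, "Unacceptable Risk: High"),
    (9, "Unacceptable Risk: Extremely High"),
)

# Assumed default response type per band; the risk owner may override it.
DEFAULT_RESPONSE = {
    "Acceptable Risk: Low": "Accept",
    "Acceptable Risk: Medium": "Mitigate",
    "Unacceptable Risk: High": "Mitigate",
    "Unacceptable Risk: Extremely High": "Avoid",
}
RESPONSE_TYPES = {"Accept", "Avoid", "Transfer", "Mitigate"}


def risk_score(probability: str, impact: str) -> int:
    """Likelihood rank times impact rank; rejects labels not on the scales."""
    if probability not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood label: {probability!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact label: {impact!r}")
    return LIKELIHOOD[probability] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Map a 1..9 score onto the template's four RISK values."""
    for upper, band in BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score {score} is outside the 1..9 grid")


def score_risk(risk_id, name, cause, consequence, owner, probability, impact,
               response_type=None, actions=""):
    """Build one register row using the template's column names."""
    score = risk_score(probability, impact)
    band = risk_band(score)
    response = response_type or DEFAULT_RESPONSE[band]
    if response not in RESPONSE_TYPES:
        raise ValueError(f"unknown response type: {response!r}")
    return {
        "Risk ID": risk_id, "Risk Name": name, "Cause(s)": cause,
        "Consequence": consequence, "Risk Owner": owner,
        "Probability": probability, "Impact": impact,
        "Risk Score": score, "Risk Level": band,
        "Response Action Type": response, "Response Actions": actions,
    }


def build_register(risks):
    """Score every risk and order the register with the worst first."""
    rows = [score_risk(**r) for r in risks]
    rows.sort(key=lambda r: r["Risk Score"], reverse=True)
    return rows


def unacceptable(register):
    """IDs in the two 'Unacceptable' bands, which cannot simply be accepted."""
    return [r["Risk ID"] for r in register
            if r["Risk Level"].startswith("Unacceptable")]


# Constructed sample risks for the BallotOnline scenario (illustrative only).
SAMPLE_RISKS = [
    dict(risk_id="R-01", name="EU voter data replicated outside the EU",
         cause="Cross-region replication enabled on EU tenant storage",
         consequence="GDPR breach, fines, loss of EU customers",
         owner="Cloud Platform Team", probability="Likely", impact="Major",
         actions="Pin EU tenants to EU regions; deny cross-region replication"),
    dict(risk_id="R-02", name="Sniffing of unencrypted data in transit",
         cause="Legacy service still accepts plaintext connections",
         consequence="Ballot data disclosed to an eavesdropper",
         owner="Network Security", probability="Unlikely", impact="Major",
         actions="Enforce TLS everywhere; disable plaintext listeners"),
    dict(risk_id="R-03", name="Short provider outage in one availability zone",
         cause="Provider maintenance", consequence="Brief service degradation",
         owner="Operations", probability="Unlikely", impact="Minor"),
    dict(risk_id="R-04", name="Admin account hijacking without MFA",
         cause="Password-only sign-in on privileged accounts",
         consequence="Attacker controls the election tenant",
         owner="Identity & Access Team", probability="Very Likely",
         impact="Major", response_type="Mitigate",
         actions="Require MFA and SSO for all privileged access"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row["Risk ID"], row["Risk Score"], row["Risk Level"],
              row["Response Action Type"])
```

The rows use the template's column names, so the output can be pasted into the matrix; the owner's override on R-04 shows that the default response is a starting point, not a rule.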


2/9/22, 11:15 PM Privacy Laws

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/privacy-laws.html?ou=622270 1/2

Learning Topic

Privacy Laws
Privacy protections often govern activities such as information processing, data protections, and how data may flow between systems.

Because governments worldwide are so diverse, there has never been any global consensus on the major tenets of privacy—what it is, how it should be protected, and how much it should be respected by law enforcement personnel. These laws vary from country to country, and depending on where your organization operates, you may need to determine how to comply with vastly different and often conflicting requirements. These privacy laws are also fluid and are subject to rapid changes.

Examples of privacy laws for various areas of the world include privacy directives in the European Union and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

European Approach to Privacy Laws

The government and the law play a major role in how many European countries handle privacy issues. In Europe, the government is expected to defend its citizens’ right to privacy. Historically, the EU has tried to regulate privacy and streamline the approach to privacy.

In the workplace, European privacy laws and court rulings generally skew toward protecting personal information. Members of the European Union (EU) look to the 1995 Data Protection Directive (Directive 95/46/EC) as a guide in establishing workplace regulations. In 2001, the Article 29 Working Party (WP29), a group of EU data protection authorities, convened to issue more specific guidance. According to an article in the Privacy & Security Law Report (2011):

The WP29 generally recommends that monitoring should be avoided unless there is a specific and important business need. It suggests that before implementing monitoring policies, employers should consider whether monitoring is necessary and proportionate, and whether the same results could be obtained through traditional methods of supervision. In addition, the WP29 insists that monitoring must be transparent and that the processing of personal data be fair. Therefore, prior notice informing employees about monitoring is essential (Retzer & Lopatowska, 2011).

Privacy Laws in the United States

In the United States, privacy laws are generally promulgated at the state level. For example, California includes privacy protections in its state constitution and statutes: SB 1386 – Personal Information Protection and CA Civil Code 1798.83 – Personal Information Protection.

In Maryland, the 2007 Maryland Personal Information Protection Act (MPIPA) protects the privacy and personal information of state residents with requirements to protect personal information during the disposal of records, adopt reasonable security procedures and practices to prevent unauthorized access to personal information, and to provide individual notification when a business has experienced a breach of security that may result in the release and misuse of personal information.

References

European Commission. (2007, June 28). The SWIFT case and the American Terrorist Finance Tracking Program [Press release]. Retrieved from http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/07/266

Retzer, K., & Lopatowska, J. (2011). Analysis: How to monitor workplace e-mail and Internet use in Europe: The Polish perspective. Privacy & Security Law Report. Retrieved from https://media2.mofo.com/documents/110718-privacy-and-security-law-report


2/9/22, 11:25 PM Information Security

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/information-security.html?ou=622270 1/5

Learning Topic

Information Security
Security safeguards in the enterprise protect telecommunications channels, minimize successful hacker attacks, and create infrastructures to enhance enterprise-level security. More specifically, the safeguards protect information during transit, storage, or processing (traditional IT) by keeping the information private, unaltered, and accessible for authorized users.

The information security services of confidentiality (privacy), integrity (lack of alteration), and availability (accessibility) ensure that information is secure at the customer’s level of expectation for telecommunications, information systems, or supporting infrastructure.

Information Security Triad

Communications Security

Any business should ensure that sensitive and proprietary data remain private. From evaluating the results of a risk assessment to applying the risk management framework, specific communications security controls are identified and implemented to reduce the network risk to a reasonable and acceptable level.

Communications security protects wired (cable) and wireless (radio) channels across a variety of telecommunications environments, information types, and data formats. Much of the information traversing the telecommunications landscape is carried by the packet-based Internet Protocol (IP) data network, but other data formats and transport mechanisms exist. Mobile cellular networks, wireless local area networks, and traditional landline networks are separate telecommunications infrastructures that use various standards and formats at the lower layers of the OSI reference model to group, organize, and transport IP data to end-user devices. Formats and standards at the upper layers of the OSI model ensure that data is prepared for network applications and the end user. The common use of the IP packet at the network layer allows standard techniques (for example, IPsec at the network layer and TLS above it) for securing sensitive, private information across multiple platforms, systems, and infrastructures.

The confidentiality of IP communications is usually provided by encryption, which renders the data unreadable to anyone who does not hold the key. This scrambling of data occurs in wireless LAN transmissions, secure internet connections, e-commerce, some private e-mail transmissions, and other areas where privacy is extremely important. If you want to keep data from snooping eyes, you encrypt it. Note that encryption by itself provides confidentiality only: an interceptor who cannot read the data may still be able to modify it undetected, so protecting integrity in transit requires a message authentication code or an authenticated-encryption mode as well, which is why transport protocols such as TLS and IPsec apply both.

For example, in a telecommunications and networking environment, a company's personnel file or payroll data could be transported through multiple networks (e.g., from the payroll processor's network through the internet to Company B's network), so the information is virtually and physically out of the originator's control. An attacker positioned at any of several points of transit could capture the data and read its contents without the sender or receiver knowing of the interception. To make this more difficult, network encryption scrambles the data so that only the sender and the intended recipients can easily read the information.
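The payroll example above shows why encryption is needed; the following added example (not code from the original reading) shows why encryption alone is not enough. It builds a stdlib-only stream cipher from HMAC-SHA256 in counter mode (a construction chosen for the demo, not what real networks deploy; TLS and IPsec use vetted modes such as AES-GCM) and contrasts it with the same cipher wrapped in encrypt-then-MAC. The interceptor, knowing only the record layout, rewrites the amount in the encryption-only case and the receiver decrypts the forged value; with a tag over the ciphertext the same change is detected. The shared key and the payroll record are constructed samples.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes: HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. XOR is its own inverse, so this both encrypts and decrypts."""
    ks = _keystream(enc_key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


NONCE_LEN, TAG_LEN = 16, 32


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, message: bytes) -> Optional[bytes]:
    """Check the tag (constant-time) before touching the ciphertext; None means tampered."""
    enc_key, mac_key = derive_keys(master)
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(enc_key, nonce, ct)


def bit_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an interceptor can do without the key: turn known plaintext `old` into `new`."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Constructed payroll record crossing the internet; returns what the receiver sees in each case."""
    master = b"shared secret agreed out of band (demo only)"
    record = b"employee=1042;amount=0100.00"
    enc_key, _ = derive_keys(master)
    off = record.index(b"0100.00")

    # Case 1: encryption only. The interceptor cannot read the amount, but knowing
    # the record layout is enough to rewrite it, and the receiver decrypts the
    # forged value without complaint.
    nonce = bytes(NONCE_LEN)  # fixed nonce so this half of the demo is deterministic
    ct = xor_stream(enc_key, nonce, record)
    forged = xor_stream(enc_key, nonce, bit_flip(ct, off, b"0100.00", b"9100.00"))

    # Case 2: encrypt-then-MAC. The same flip breaks the tag and the message is rejected.
    sealed = seal(master, record)
    rejected = open_sealed(master, bit_flip(sealed, NONCE_LEN + off, b"0100.00", b"9100.00"))
    return forged, rejected


if __name__ == "__main__":
    forged, rejected = demo()
    print("encryption only, receiver decrypts :", forged)
    print("encrypt-then-MAC, receiver accepts :", rejected)
```

The tag is verified before any decryption and with a constant-time comparison, which is the order that avoids padding-oracle and timing leaks; a receiver that decrypts first and checks later has already handed the attacker a signal.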

Systems Security

While communications security protects data in transit, there are equally important features and security controls for servers and end-user computing devices. Since these devices are the access points to the network, they are also important to the security of the network.

Information systems in a networked environment require a variety of security features to ensure that an authorized user has appropriate access to the set of protected data required to perform a task, and no more. These security controls are growing in importance as more consumers access the internet from a growing array of devices such as smartphones, tablets, gaming platforms, and nontraditional devices (e.g., kitchen appliances). As with communications security, encryption is also important for stored, sensitive data, especially as laptops and other mobile devices hold a growing amount of personal, privileged information and business secrets that criminals may acquire and pass to others in support of a broader attack. Limiting access to servers and end-user devices through authentication services (e.g., username/password) helps preserve overall system security and complements communications security.

Compromised end-user devices are also a resource for attackers: botnets are groups of compromised systems that an attacker can use not only to commit crimes, but also to limit the availability of target systems via distributed denial of service (DDoS) attacks. System authentication can be provided by multiple mechanisms, such as passwords or biometrics, and is strongest when it combines factors of more than one of these types:

something the user uniquely knows

something the user uniquely has

something the user inherently and uniquely is
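The "something the user knows" factor is only as strong as the server's handling of it. The added example below (not code from the original reading) shows the practice behind a username/password authentication service: the password itself is never stored, only a random per-user salt and a deliberately slow salted hash (PBKDF2-HMAC-SHA256 from the standard library), and the check is done with a constant-time comparison. The record format, the iteration count, and the sample user are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000          # work factor; raise it as hardware gets faster
_DUMMY_SALT = os.urandom(16)  # used to burn equal time for unknown usernames


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:          # malformed record: treat as a failed login, never as a crash
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


class UserStore:
    """Minimal user directory: username -> password record. The password is never kept."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def add_user(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work for a nonexistent user so response time
            # does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DUMMY_SALT, ITERATIONS)
            return False
        return verify_password(record, password)


def demo() -> Dict[str, bool]:
    """Constructed sample: one account, three login attempts."""
    store = UserStore()
    store.add_user("payroll_admin", "correct horse battery staple")
    return {
        "right password": store.authenticate("payroll_admin", "correct horse battery staple"),
        "wrong password": store.authenticate("payroll_admin", "Correct horse battery staple"),
        "unknown user": store.authenticate("nobody", "anything"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s}: {'accepted' if ok else 'rejected'}")
```

Because the iteration count travels with each record, the work factor can be raised for new passwords (and old records rehashed on the user's next successful login) without a flag-day migration.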

Ensuring high information system availability raises distinct security concerns that are difficult to address when system security and communications security are handled independently. The integration of communications security, information systems, and the underlying infrastructure is critical to the success or failure of cybersecurity initiatives. The importance of business needs, risk assessment, and security controls culminates in the integration of infrastructure services.

Infrastructure Security

Infrastructure is often taken for granted; we don't think about it until it's not working. A clogged pipe or a frayed electrical wire in your home may not be seen, but you will find out about it when water backs up in the sink or a lamp doesn't work.

For consumers, infrastructure just works, but there is a lot of activity behind the scenes that keeps that infrastructure working safely and securely. The telecommunications security infrastructure for a business can comprise corporate firewalls, intrusion prevention systems (IPS), public key infrastructures (PKI), antivirus software, and so on. Most of these items are designed to identify and negate malicious network traffic; PKI instead establishes which parties and systems can be trusted. Through the use of common infrastructure services, a large business can define a stronger and more centralized security posture. From this perspective, potential risks and threats can be categorized more easily, current status can be monitored more easily, and security incidents can receive a holistic response instead of a fragmented one.

As a provider (or consumer) of infrastructure services, the following questions are worth consideration:

Which information systems compose the enterprise infrastructure? Have protections been applied to all information systems and to the network infrastructure?

What level of compliance, audit, or regulatory concern applies to the business, operating environment, or location?

What are the roles and responsibilities of people accessing restricted data (e.g., payroll, human resources, trade secrets)?

How are the systems, network, and infrastructure monitored and managed?

Are there defined rules for configuration and change management of all network-enabled devices?

Internal IT Infrastructure

A company's internal IT infrastructure requires significant resources for development, implementation, operation, management, and maintenance throughout its life cycle. Many large companies have their own staff, equipment, networks, backup facilities, etc., to support business operations via highly reliable and secure network infrastructure services. However, some companies are choosing cloud services as another solution to the business problem of infrastructure services. (Note: Companies still need to perform a risk assessment and possess a risk management plan for services outside their immediate control.)

Cloud services can be described as one of several ways to subscribe to an IT service and pay only for what is required. For instance, people regularly subscribe to specific content via really simple syndication (RSS) feeds or through a publisher's range of magazines; it is the consumer's choice, not the publisher's, what the customer receives. Similarly, the flexibility and low cost of cloud services are very appealing to a wide range of companies. Categories of cloud services such as software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) are clearly poised to provide economic benefits, quality of service, and security features to companies of various sizes.

Companies with sensitive data still face a difficult choice between maintaining their current internal infrastructures and using some cloud services. There are still regulatory and compliance concerns for international data, especially where there are restrictions on physical storage locations. There are also internal security concerns associated with the accidental mixing of data with other tenants or the potential leakage of corporate secrets. There could be legal liability issues, too, if the leakage of data causes harm to consumers, as in the case of credit card numbers being exposed. A thorough analysis of business needs and requirements should be conducted prior to using the public cloud, and multiple elements must be accounted for in the final analysis and choice.


© 2022 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.

2/9/22, 11:24 PM

Multifactor Authentication

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-resource-list/multifactor-authentication.html?ou=622270 1/5

Multifactor Authentication

It is often a good idea to use two-factor or multifactor authentication, instead of single-factor authentication, for network security. For example, an organization can require all employees to present a hardware token or smart card in addition to their password to log in. (Requiring a PIN together with a password is only a second step, not a second factor: both are things the user knows, so a single phishing e-mail or keylogger captures both.)

A multifactor authentication system authenticates users via a combination of factors: something they know (for example, a password), something they have (for example, a smart card or token), and something they are (for example, as proven with a biometric characteristic such as a fingerprint).

Multifactor Authentication Scenarios

After a security breach in which an intruder gained access to the network using an employee's password, Programmers, Inc., has decided to move to a multifactor-based authentication system. Programmers, Inc., installs a smart card reader at the entrance to the office. This reader acts as the first authentication mechanism. The employees' usernames and passwords act as the second mechanism. The IT security team installs biometric systems at the entrances to the office, the data center, and the server rooms, and those systems act as the third authentication factor.

The multifactor authentication system is easy to use and tough to break. However, it is expensive to implement and maintain.

With single-factor authentication, most banks provide their customers with a unique username and password combination so that they can access their accounts online. However, usernames and passwords are easy to obtain, making this a less than ideal solution (Imprivata, 2009). A multifactor authentication system is considerably more secure. Such a system would authenticate users based on a combination of factors: something they know (the password that goes with the username; the username itself only identifies the account and authenticates nothing) and something they have (for example, a USB token or a certificate that the bank provides to its customers, or the registered mobile phone to which the bank sends a one-time SMS code that the user enters to access the site or carry out a transaction). Of these, the SMS code is the weakest second factor, because a phone number can be taken over through SIM-swap fraud.

Multifactor Authentication Overview

Often passwords alone do not provide adequate protection. One way of strengthening security is to deploy more than one authentication method before users are allowed to access a system. The process of using more than one means of authentication for added security is known as multifactor or strong authentication.

The most commonly used form of multifactor authentication is two-factor authentication, in which a combination of two separate security elements, drawn from different factor types, is used in tandem before access is granted.

In general, authentication is based on three factor types:

Type 1: Something you know

Type 2: Something you have

Type 3: Something you are

For organizations that need to guard mission-critical data, additional signals should be evaluated. An emerging approach to authentication is called adaptive (or risk-based) authentication. This approach evaluates the behavior of the user before and after authentication, considering a number of risk-based factors such as the device, location, and time of the attempt, and raises the authentication requirement when the risk is high. Machine learning based on heuristics and user profile characteristics might be employed with this approach.
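As an added illustration of adaptive authentication (example code, not from the original reading or any vendor's product), the following scores a login attempt against the user's recent history with three simple heuristics: an unrecognized device, impossible travel since the previous login, and an attempt outside the user's usual hours. The score then selects a policy outcome: allow on the first factor, step up to a second factor, or deny. The weights, thresholds, speed limit, and the sample user history are this example's own assumptions; a real deployment would tune them from its own data.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    username: str
    ts: int              # unix seconds
    device_id: str
    lat: float           # geolocation of the source address
    lon: float
    hour_local: int      # 0-23 in the user's home time zone


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None
    usual_hours: Tuple[int, int] = (7, 20)   # [start, end) local hours seen as normal


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance, used for the impossible-travel check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 900.0   # assumption: nothing faster than an airliner is legitimate travel


def score_login(event: LoginEvent, history: UserHistory) -> Tuple[int, List[str]]:
    """Sum weighted risk signals; the weights are this example's assumptions."""
    score, reasons = 0, []
    if event.device_id not in history.known_devices:
        score += 40
        reasons.append("unrecognized device")
    prev = history.last_login
    if prev is not None and event.ts > prev.ts:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.ts - prev.ts) / 3600.0
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    start, end = history.usual_hours
    if not (start <= event.hour_local < end):
        score += 15
        reasons.append("outside usual hours")
    return score, reasons


def decide(score: int) -> str:
    """Policy: low risk passes on the first factor; medium forces a second factor; high is refused."""
    if score < 30:
        return "allow"
    if score < 80:
        return "step-up"
    return "deny"


def evaluate(event: LoginEvent, history: UserHistory) -> Tuple[str, int, List[str]]:
    score, reasons = score_login(event, history)
    return decide(score), score, reasons


def demo() -> Dict[str, Tuple[str, int, List[str]]]:
    """Constructed history for one user and four candidate logins."""
    t0 = 1_700_000_000
    ny = (40.71, -74.01)
    london = (51.51, -0.13)
    hist = UserHistory(
        known_devices={"laptop-1"},
        last_login=LoginEvent("alice", t0, "laptop-1", *ny, hour_local=10),
    )
    cases = {
        "same device, same city, next day": LoginEvent("alice", t0 + 86400, "laptop-1", *ny, 10),
        "same device, London two hours later": LoginEvent("alice", t0 + 7200, "laptop-1", *london, 14),
        "new device, home city, 3 a.m.": LoginEvent("alice", t0 + 172800, "phone-9", *ny, 3),
        "new device, London, two hours later, 3 a.m.": LoginEvent("alice", t0 + 7200, "phone-9", *london, 3),
    }
    return {name: evaluate(ev, hist) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{decision:8s} score={score:3d}  {name}  {reasons}")
```

The point of the step-up tier is that the second factor is demanded only when the signals warrant it, which keeps the friction of multifactor authentication off the routine login while still applying it to the attempts an attacker is most likely to make.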

Two-Factor Authentication

Two-factor authentication combines two security elements before allowing access to an asset. Security elements may include a password, authentication tokens or digital certificates, and physical characteristics such as fingerprints. Two-factor authentication is useful in safeguarding extremely sensitive information such as confidential customer data.

An extra layer of authentication can prevent unauthorized access to data when one factor, typically the password, has already been compromised.

Three-Factor Authentication

Three-factor authentication combines three security elements, one of each factor type, before allowing access to an asset. Security elements may include a password, authentication tokens or digital certificates, and physical characteristics such as fingerprints. Three-factor authentication is useful in safeguarding extremely sensitive information such as confidential customer data.

The use of three factors can sharply reduce incidents involving phishing, Trojan attacks, and identity theft. One caveat applies to any factor the user types in: a one-time code can still be captured and relayed by a real-time phishing site, and a Trojan on the endpoint can hijack the session after all factors have been presented. Only authenticators that cryptographically bind the response to the legitimate site (for example, FIDO2/WebAuthn security keys) resist the relay attack.

Security Tokens

Security tokens are a commonly used multifactor authentication mechanism. A token is a piece of hardware or a physical device (or, today, an app on a phone) that generates one-time passwords, typically six- to eight-digit codes that are synchronized with the server. The codes are not truly random: each is derived from a secret seed shared between the token and the server together with a moving factor, either an event counter or the current time step. Time-based tokens typically change the code every 30 to 60 seconds, so if the code is not entered within that window, a new one is generated. The security of this method depends on the seed being generated randomly and kept confidential on both the token and the server, and on the server never accepting the same code twice.

Smart Cards

Many organizations use smart cards to provide multifactor authentication mechanisms. A smart card differs from a memory card or a magnetic-stripe card in that it contains a microprocessor that can read, store, and process data, so a private key can be kept on the card and used to sign an authentication challenge without ever leaving it. Cards are issued with a contact or contactless chip interface (sometimes with a magnetic stripe as well for older readers) so that the user can insert, tap, or swipe the card for access (Smart Card Alliance, 2004).

Biometrics

Identity theft and data fraud are huge security challenges for organizations around the world. With the increase in online financial transactions, identity theft is also on the rise. Even as organizations step up efforts to mitigate security threats, criminals find new ways of breaching security.

Because identity theft is so prevalent and breaches are occurring at a higher frequency, organizations are gravitating toward increased use of multifactor authentication mechanisms. Biometrics are an attractive option because they offer a way of identifying individuals based on physical and behavioral traits that are stable over time. Biometric devices are designed to provide authentication by verifying a unique physiological or behavioral characteristic that belongs to the user. That stability is also the main caveat: a biometric is not secret and cannot be replaced once a copy has leaked, so biometric templates must be stored and matched under strong protection, and a biometric works best as one factor alongside something the user has.


Selecting Strong Authentication Methods

In addition to considering an organization's unique security requirements, it is important to weigh the benefits and costs of various strong authentication choices.

Cost

When considering total cost of ownership, there are two primary considerations: the initial cost and the operating cost. It is also important to consider the incremental cost of adding users and of extending the authentication model to other parts of the organization's enterprise.

Usability

Authentication methods should be as transparent as possible and should not negatively affect the way users carry out their jobs.

Manageability

The application of authentication, along with the management of user accounts and the monitoring of their use, plays an important part in the overall security of information resources. The authentication method should provide centralized management along with advanced capabilities, including event tracking, auditing, and reporting.

Flexibility

Where there are differing requirements, an organization may deploy alternative authentication methods. The authentication method should be capable of addressing multiple functional requirements while also matching the risk profile of each user group.

Integration

The authentication mechanism should be capable of integrating with existing enterprise applications and protocols such as single sign-on (SSO), virtual private network (VPN), Internet Protocol Security (IPsec) and public key infrastructure (PKI) authentication, and Remote Authentication Dial-In User Service (RADIUS).

References

Imprivata. (2009). A more secure front door: SSO and strong authentication. https://www.imprivata.com/sites/default/files/resource-files/a_more_secure_front_door

Smart Card Alliance. (2004). Logical access security: The role of smart cards in strong authentication. http://www.library.ca.gov/crb/rfidap/docs/SCA Smart_Cards_and_Logical_Access_Report

© 2022 University of Maryland Global Campus

