SUNY Fostering a Proactive Security Culture Case Study

Consider your case study from the previous week. Now, we have learned additional information by interviewing the intern. We have learned that the intern had missed the last two security awareness training sessions: The intern perceived this training as having a low priority compared to their other responsibilities, and thought that there would be no new or relevant information relative to their role in the organization.


For your initial post, select one of the following and respond to it:

What changes could be made that would help build a more security-aware culture within the security organization? Justify your response.

What tactics or strategies could you employ to help shift people’s perspectives from reactive to proactive when it comes to security? Justify your response.

Privacy Protection Case Study
Chenele Wallace
Cybersecurity Foundations
Professor Brickan
September 17th, 2023
Fundamental Security Design Principles and Security Objectives Relevant to Each Control

Table columns: Control Recommendations; design principle marked (Isolation, Encapsulation, Complete Mediation, Minimize Trust Surface (Reluctance to Trust), or Trust Relationships); Security Objective Alignment (CIA); Explain Your Choices (1–2 sentences). Each row of the table is given below.

Control 1: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
Principle: Complete Mediation
Security objective (CIA): Confidentiality
Explanation: The recommended control falls under complete mediation, which involves checking access to all objects and determining if they are allowed (Adkins et al., 2020). The security objective is confidentiality, as the measure seeks to block the breach of confidential data (Adkins et al., 2020).

Control 2: Monitor all traffic leaving the organization to detect any unauthorized use.
Principle: Encapsulation
Security objective (CIA): Integrity
Explanation: Encapsulation is the principle that applies to the control, as it aims to enforce the use of resources for their intended purposes (Adkins et al., 2020). Integrity is the measure’s security objective, as it seeks to protect data and information from unauthorized use (Adkins et al., 2020).

Control 3: Use an automated tool, such as host-based data loss prevention, to enforce access controls to data even when data is copied off a system.
Principle: Trust Relationships
Security objective (CIA): Confidentiality
Explanation: Trust relationships is the principle that applies to the control, as it seeks to enforce privileges even when data is copied off a system (Adkins et al., 2020). Confidentiality is the security objective applying to the control, as it seeks to prevent unauthorized data access.

Control 4: Physically or logically segregated systems should be used to isolate higher-risk software that is required for business operations.
Principle: Isolation
Security objective (CIA): Confidentiality
Explanation: Isolation is the principle that applies to the control, as it seeks to isolate sensitive computing operations from non-sensitive operations (Adkins et al., 2020). Confidentiality is the security objective applying to the control, as it also seeks to prevent unauthorized access to sensitive software, processes, and data.

Control 5: Make sure that only the resources necessary to perform daily business tasks are assigned to the end users performing such tasks.
Principle: Isolation
Security objective (CIA): Availability
Explanation: Isolation is the principle that applies to the control, as it seeks to ensure that tasks run in their assigned space and do not interfere with other tasks (Adkins et al., 2020). Availability is the security objective that applies to the control, as eliminating interference between tasks ensures that data relating to such tasks is available to authorized users on request (Adkins et al., 2020).

Control 6: Install application firewalls on critical servers to validate all traffic going in and out of the server.
Principle: Complete Mediation
Security objective (CIA): Confidentiality
Explanation: Complete mediation is the principle relevant in this case, as firewalls would check all attempts to access servers to ensure they are allowed. Confidentiality also applies to the control, as it aims to prevent unauthorized access to critical servers.

Control 7: Require all remote login access and remote workers to authenticate to the network using multifactor authentication.
Principle: Complete Mediation
Security objective (CIA): Confidentiality
Explanation: Complete mediation also applies to this control, as multifactor authentication checks attempts to access a system and determines if they are allowed. Confidentiality also applies to the control, as it aims to prevent unauthorized network access.

Control 8: Restrict cloud storage access to only the users authorized to have access and include authentication verification through the use of multifactor authentication.
Principle: Complete Mediation
Security objective (CIA): Confidentiality
Explanation: Complete mediation also applies to this control, as it is intended to restrict access to cloud storage and mediate control through multifactor authentication. Confidentiality is the control’s security objective, as it aims to prevent breaches of confidential data stored in the cloud.

Control 9: Make sure all data-in-motion is encrypted.
Principle: Complete Mediation
Security objective (CIA): Confidentiality
Explanation: The measure also falls under complete mediation, as it seeks to ensure all data in motion is accessed only by authorized recipients. Confidentiality is the security objective, as encryption ensures only authorized users can access that data.

Control 10: Set alerts for the security team when users log into the network after normal business hours or when users access areas of the network that are unauthorized to them.
Principle: Minimize Trust Surface (Reluctance to Trust)
Security objective (CIA): Confidentiality
Explanation: Minimizing trust surface is the principle that applies to the proposed control, as it minimizes the degree of trust for users who access a network after normal working hours or attempt to access network resources that they are not authorized to access (Adkins et al., 2020). Confidentiality is the security objective that primarily applies to the recommended control, as the alerts are aimed at ensuring that confidential data and files do not fall into the wrong hands.
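As an added illustration of two of the controls in the table (not code from the case study or its author): control 10 (alert the security team on after-hours logins and on access to network areas a user is not authorized for) and control 5 (assign users only the resources their daily tasks need). The per-user allow-list below is the least-privilege assignment from control 5, and the detector uses that same list to decide what counts as unauthorized access. The log format, user names, network areas, business-hours window and every log line are constructed assumptions for the example.

```python
"""Added example (not from the case-study paper): a minimal detector for the
alerting control in the table. It reads constructed authentication log lines,
flags logins outside business hours, and flags access to network areas the
user is not entitled to, using a per-user allow-list that also expresses the
least-privilege assignment described in control 5. Log format, names and
areas are invented for the example."""

from dataclasses import dataclass
from datetime import datetime, time

# Assumed business hours for the hypothetical organization: 08:00-18:00, Mon-Fri.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Least-privilege map (assumed): each user only gets the network areas their
# daily tasks require. Anything outside this set is unauthorized for them.
AUTHORIZED_AREAS = {
    "alice": {"fileshare-hr", "vpn"},
    "bob": {"fileshare-eng", "build-server", "vpn"},
    "intern01": {"fileshare-eng", "vpn"},
}

# Constructed sample log lines, not taken from any real system.
# Format: <ISO timestamp> <LOGIN|ACCESS> user=<name> area=<network area>
# 2023-09-18 is a Monday; 2023-09-16 is a Saturday.
SAMPLE_LOG = """\
2023-09-18T09:15:00 LOGIN user=alice area=vpn
2023-09-18T22:40:00 LOGIN user=bob area=vpn
2023-09-18T10:05:00 ACCESS user=intern01 area=fileshare-hr
2023-09-18T11:30:00 ACCESS user=bob area=build-server
2023-09-16T14:00:00 LOGIN user=alice area=vpn
2023-09-18T07:59:00 LOGIN user=alice area=vpn
this line is malformed and must be skipped
2023-09-18T12:00:00 ACCESS user=contractor9 area=vpn
"""


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    area: str
    reason: str


def parse_line(line):
    """Parse one log line into (timestamp, event, user, area); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "area" not in fields:
        return None
    return ts, parts[1], fields["user"], fields["area"]


def is_after_hours(ts):
    """Weekends count as after hours, as does any weekday time outside the window."""
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect(log_text, authorized=AUTHORIZED_AREAS):
    """Return one Alert per condition the control names, in log order."""
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # malformed lines are skipped rather than silently trusted
        ts, event, user, area = parsed
        if event == "LOGIN" and is_after_hours(ts):
            alerts.append(Alert(ts, user, area, "login outside business hours"))
        # Unknown users have no entitlements, so every area is unauthorized for them.
        if area not in authorized.get(user, set()):
            alerts.append(Alert(ts, user, area, "access to unauthorized area"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.user} {a.area}: {a.reason}")
```

On the sample input this raises five alerts: three after-hours logins (bob at 22:40, alice on the Saturday, and alice at 07:59, one minute before the window opens) and two unauthorized-area accesses (the intern reaching the HR share and an unknown account reaching the VPN). Keeping the entitlement list as the single source of truth for both provisioning and alerting is the point: when the least-privilege assignment changes, the detection rule changes with it.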
The Possibility of Maintaining an Isolated Environment
DataStore can be used to uphold an isolated environment. Synchronizing internal network folders with the DataStore platform contributed to the confidential data breach. Stopping the synchronization of internal network folders with DataStore would result in an isolated environment. In that case, the organization’s employees would have to manually upload the information they want to share with their customers to the DataStore platform. The move would improve the firm’s cybersecurity, since sensitive data accidentally saved in an internal folder synchronized with DataStore could no longer be accidentally or intentionally shared with the public on the DataStore platform.
Minimizing Trust Surface with DataStore to Protect Its Confidential Data
The minimization of trust surface principle concerns reducing the extent to which a user or component relies on the reliability of another user or component in its decision-making or processing. The DataStore platform depended on the reliability of the user, who saved sensitive data in a folder shared with the DataStore platform and thereby uploaded the sensitive data to a public forum. A step the organization could have taken to apply the principle effectively and protect its confidential data is to stop synchronizing some of its folders with DataStore. The significant trust the firm placed in DataStore led to the accidental data leak.
Building a More Security-Aware Culture from the Top Down to Prevent Mistakes Before They Happen
Rigorous and regular security training is one key measure the organization can take to build a more security-aware culture. Employees, especially those outside Information Technology (IT) divisions, know quite little about security. They are highly likely to make mistakes that can expose sensitive systems to attacks. Rigorous security training would help educate employees about the many threats to the organization’s systems and the dos and don’ts of security. Regular training would make employees more security-conscious. Employees from all levels within the organization should participate in such training. Participation by all employees, regardless of their positions, would help foster a security-aware culture from the top down, thus preventing mistakes from being made by any employee within the organization.
References
Adkins, H., Beyer, B., Blankinship, P., Lewandowski, P., Oprea, A., & Stubblefield, A. (2020). Building secure and reliable systems: Best practices for designing, implementing, and maintaining systems. O’Reilly Media.
