Class,
I'm providing a recent example of a critical analysis written by Dr. Valorie King. This example is based on the 1st case study for this class, CSIA 350.
I think most of you have a good idea of what's required for the case studies, but use the information as you need. I will continue to grade appropriately.
A Critical Analysis (CA) is a discussion response that has an introductory paragraph, an analysis section (around 3 paragraphs or so), and a brief summary. For Case Study #1, a really good CA would have looked something like this:
There are many reasons why a business should invest in cybersecurity products and services. In [her / his] essay, [student name] addressed ethical principles which drive such investments. While ethics are important, the business needs and requirements for IT security must also be considered. In this critical analysis response, I would like to take a deeper look at three important points which drive businesses to invest in IT security.
First, consider the question of the Business Benefits of IT Security products and services. Businesses exist to make a profit (Vitez, 2016). Making a profit requires that losses and unnecessary costs be avoided. This is where the business benefit of IT security products comes into play. An anti-virus product can prevent a malware infection (Drew, 2011). Spending some money to buy an anti-virus product to prevent malware will save money in the long run since the business will not have to pay to clean up malware infections on laptops, workstations, and servers.
Second, consider the question of Why an organization should invest in IT security technologies. This is very similar to the first question. But, in addition to the financial benefits (cost avoidance), there are also legal and regulatory reasons why an organization should invest in IT security technologies (Smedinghoff, 2005). Many laws require that companies use encryption to protect private information (HIPAA, FERPA, etc.). This is an IT security technology that a company may be legally required to purchase (invest in).
Third, consider Where an organization should focus its attention & why. Technology is only one type of investment that a company should make when it comes to IT security. Investing in people by hiring well-qualified security professionals and then providing ongoing training is another area where a company needs to spend money to protect information, information systems, and information infrastructures (ISACA, 2009). Even the best IT security products need people who understand how to configure, test, and operate those products. For this reason, an organization should also focus its attention on hiring the best security professionals that it can afford. Then, the company should keep these people at their best by investing in training.
In summary, there are many reasons why a business should invest in IT security and why those investments should include both people and products (technologies). But, the bottom line is that a business needs to make a profit to stay in business. Investing in IT security products is an important part of protecting profits and avoiding unnecessary costs.
References
Drew, J. (2011, August 30). The benefits of having anti-virus protection. TopTenReviews. Retrieved from http://anti-virus-software-review.toptenreviews.com/learning-center/the-benefits-of-having-anti-virus-protection.html
ISACA. (2009). An introduction to the business model for IT security. Retrieved from http://www.isaca.org/knowledge-center/research/documents/introduction-to-the-business-model-for-information-security_res_eng_0109.pdf
Smedinghoff, T. (2005, November). The new law of information security: What companies need to do now. The Computer and Internet Lawyer Journal, 9-25.
Vitez, O. (2016). What are the effects of profit or loss in a business organization? Houston Chronicle. Retrieved from http://smallbusiness.chron.com/effects-profit-loss-business-organization-824.html
Make sure you explain the reply further; at least 6 to 8 sentences.
Reply 1 needed
Chapter 11 discusses measuring business processes. Review the RR Case Study and requirements for part #8 of the IT Decision Paper and come up with 4 business performance measures that the senior executives might review each day on their individual desktop dashboards.
Getting your performance measurement right involves identifying the areas of your business it makes most sense to focus on and then deciding how best to measure your performance in those areas. [1] The 4 business performance measures that senior executives would review on a daily basis are:
1. Number of customer complaints
2. How long the average delivery/pickup takes
3. How long a vehicle is in maintenance
4. Number of hours the drivers are on schedule
1. Sr. executives would want to see how many complaints there are coming from the customers. This information can prove to
caught later and result in a more difficult time trying to fix those issues.
This model works well with well-defined, smaller projects, but it does not work well with complicated projects that have requirements with a decent chance of needing to be changed.
Spiral method (SDM)
The next model is the Spiral model. This model is a combination of the waterfall model and a prototyping method. It tries to combine the advantages of bottom-up and top-down concepts in one model. It essentially uses the same steps as the waterfall model but is separated by planning, risk assessment, and building of prototypes.
This model is designed for use with large, complicated projects. The estimates of the project can become more realistic as the process continues. There are earlier phases of testing which can find any issues sooner. The negatives of this model are that it can be expensive and, because a lot of the steps are customized to the specific project, it makes the process difficult to reuse.
I added an attachment with a picture of both systems that shows how the process is used.
Sami, M. (n.d.). Software Development Life Cycle Models and Methodologies. Retrieved from Melsatar: https://melsatar.wordpress.com/2012/03/15/software-development-life-cycle-models-and-methodologies/
SDLC - V-Model. (n.d.). Retrieved from TutorialsPoint: http://www.tutorialspoint.com/sdlc/sdlc_v_model.htm
SDLC - Waterfall Model. (n.d.). Retrieved from TutorialsPoint: http://www.tutorialspoint.com/sdlc/sdlc_waterfall_model.htm
Reply 3 needed
1. Chapter 11 discusses measuring business processes. Review the RR Case Study and requirements for part #8 of the IT Decision Paper and come up with 4 business performance measures that the senior executives might review each day on their individual desktop dashboards.
During this technological upgrade, several divisions within Rusty Rims (RR) Distribution Company will have their process performance measured for efficiencies and deficiencies against the previous systems. The senior management team will view the performance measurement of several company procedures and how they will effectively increase the company's revenue base and production while reducing cost over the years in comparison to its competitors.
Measure: Driver routes and pickup orders
Benefit to the Business: The upgraded "routing" system will provide the VP of Operations and Senior Management with the necessary information to measure dispatcher intake effectiveness, in addition to viewing, tracking and forecasting the efficiency of each driver's route and re-routes from origination terminal to drop off (delivery). The VP and on-site Operations Managers can monitor the reduced delivery time for customers.
Measure: Financial Reporting
Benefit to the Business: The CFO, authorized management, and staff will have the functional capabilities of ad-hoc reporting to produce required SOX financial audit and reporting requirements with increased accuracy and efficiency.
Measure: Finance System Performance
Benefit to the Business: The Accurate Financial system improves staff performance with a more accurate percentage to exceed the "estimate" 95%. Data validation will prevent inaccurate information from impacting the customer during the billing phase, which in turn will minimize client complaints and improve confidence in RR. The CFO will have the ability to monitor data accuracy against billing.
Measure: Fleet Maintenance
Benefit to the Business: Operations will have the ability to proactively monitor any preventive maintenance, repair scheduling and parts inventory for the entire RR fleet, in turn minimizing any delay in route deliveries.
Reply 4 needed
Nearly a year ago on a Monday, I was pulled by my upper Chain of Command to create a logistical tracking system. They wanted to be able to pull a database and know the status of every outstanding logistical requirement at all times. At the time, requirement statuses could be found but you had to navigate through several programs to get a clear picture of the status. Because of the immense number of offices and work centers, I expected concocting the database to take roughly a week. I expected to need the first day to design the query and test it to make sure it pulled the exact data I needed every time. I then expected it to take an hour per work center to sift through the data and color code certain items and ensure that everything being dumped into the database was current and accurate. I explained to my superiors that I would need five working days and I would present the database the following Monday morning.
At the time, I had never written a query and was familiar with old versions of the software (like, for Windows 95), but I was not well trained in the current version. I spent the first day putting the query together and watching tutorials on the software. A mentor came to help me and showed me the best way to structure the query. She also showed me how to add code that colored data automatically depending on the input. On Day 2, I did my first data dump. The query she had shown me was perfect, and the color coding occurred automatically. It also pulled all work centers and populated them automatically. I set up filters and made a few tweaks and tested it again. By the end of Day 2, the database was finished. In retrospect, I should have taken the next few days off and presented on Monday as planned.
Instead, overly excited and pleased with myself, I informed my supervisors that the database was ready. They were as pleased as I was and promptly decided I could do anything in 40% of the time expected. The consequences of this were more work than any one person could handle. Over the next month I repeatedly tried to explain that I could not meet some of the deadlines provided, and I was repeatedly ignored. It took a long time for them to understand that the one poor planning incident should not set the tone for future projects. I was chewed out constantly for missing deadlines that I had told them were unreasonable in the first place. Things have evened out now, but it was a definite learning experience for me, and I have not given a timeline on a project since then without consulting with my mentor first.
Reply 5 needed
Consider a situation you've experienced when you made an inaccurate estimation for the duration of some activity. It doesn't necessarily need to be during a project (though that would be desirable if possible).
a) What was the situation?
The situation that I was involved in, where I had given an inaccurate estimate of the time for a task to be completed, was about four years ago. I was in charge of a team that was responsible for a small part of a larger project, but we were the customer interface for all outside organizations. Our task was to work with the customers at each base and track their SharePoint migration. We functionally tested all organizational sites and worked with site administrators to recover data that didn't originally migrate over.
b) Describe how you made the estimate. Discuss your reasoning for estimating the duration of the activity the way you did.
The estimate was first made taking into account the overall content size of each base or military installation. Our back shop or server administrators had all been through a migration before and had made their estimates based on lessons previously learned. Our entire team also included contingency plans for just about any major issue encountered. The server administrators' timeframe, along with the amount of time that it had taken us to functionally test our testing environment and production sites, are all circumstances that helped to drive my estimation. I felt that my estimate was a pretty well-rounded and well-thought-out estimate, with proof of concept working in my favor, considering all other estimates were met or exceeded.
c) In what way was it inaccurate? Discuss the factors that caused your estimate to be inaccurate.
It was inaccurate because we were unable to meet my time estimate for migrating one particular base. As I mentioned before, we had contingency plans for just about any issue you could possibly think of concerning migrating an entire base. We were unable to migrate an organization's data from the old environment to the new environment. I have to say that the team of about 25 subject matter experts, to include vendor representatives, was not able to figure out exactly what the problem was. Because of this phenomenon, the majority of the scheduled migration time was used troubleshooting versus migrating.
d) What was the outcome of the situation?
The outcome of the situation was that the suspense or estimate for that base was busted. Even though the migration was only pushed back by an additional two days, there were additional financial and personnel costs. The vendor was on station longer than contracted and overtime was paid to all of the non-military employees that worked the issue around the clock and also continued with the other base migrations. I of course didn't get into any trouble nor was I held responsible for the busted suspense.
e) What were the consequences of the inaccuracy?
There were no personal consequences for the inaccuracy, because all of the migration stakeholders were very involved in the planning and, although I was responsible for making the customer notifications, the team had already agreed on the estimates and timeframes before ever informing the customers. This was a situation that, even though it had been planned for and time built into our estimates, was just a situation that we had no control over and had to work to find a resolution for.
Reply 6 needed
a) What was the situation?
I planned a going-away luncheon for my boss and missed the fact that the head count was firm, and was charged for the buffer attendees.
b) Describe how you made the estimate. Discuss your reasoning for estimating the duration of the activity the way you did.
From experience, I know that we always have stragglers. However, this was the first time I worked with a fixed menu. So, I went with my usual procedures, not paying attention to the apparent differences of a "fixed menu" versus pay per order.
c) In what way was it inaccurate? Discuss the factors that caused your estimate to be inaccurate.
Fewer people attended than estimated (i.e. no stragglers) and I did not pay close enough attention to the details.
d) What was the outcome of the situation?
I had to pay for the difference.
e) What were the consequences of the inaccuracy?
More money was paid than necessary.
Reply 7 needed
John,
Thanks for your post. With all the threats surrounding computer systems (mobile or otherwise) it is important to utilize technologies like virtualization and containers to limit the amount of exposure for the Agency. Everyone must be diligent in securing their systems and information as there will always be bad actors. You are correct that cost is also a big factor. A lot of times agencies are required to do more with less resources, so some things suffer, including security.
You also pointed out that cloud services should be utilized. As such, there must be more training for administrators and system owners to understand cloud technology because often times people believe the service provider is providing security services; however, the agency always has some security responsibility as well. FedRAMP offers only baseline security, as does Amazon and other cloud service providers.
Reply 8 needed
Dmitriy,
Your post was informative, and you are absolutely correct that developers need to do a better job with the programming of mobile applications and networks must be properly designed to support them. There also have to be better policies regarding mobile applications because they are not required to have the level of security of web-based applications.
You mentioned that the benefits of government applications are not there; however, I disagree. I agree that improvements are required, but there are many benefits to government applications. It is nice to be able to go to a government website and request services instead of having to travel to an office and speak with someone in person. One can file their taxes online, get health and benefit information online, and apply for jobs. The list is endless.
Consider that there will always be security issues as technology is continuously changing. Remember security is a journey.
Reply 9 needed
Thank you Zena. There are methods to increase mobile device security and some companies do incorporate them into their business. Methods such as encrypting devices, authentication, stronger passwords and connections to mobile device management software for configurations allow IT departments to have a strong grasp on security ("Learning guide," n.d.). I'm sure with time, more defensive practices will come and be incorporated as well for stronger security.
When I wrote about benefits of the government applications, I meant to compare it to the applications being in immature stages in the security aspect, with data that has the potential to be leaked, causing more damage, thus outweighing the benefits. Of course these applications are a big plus and I fully support them as they lead to innovations and ways to reduce cost.
Learning guide: Mobile device protection. (n.d.). Retrieved from http://searchmobilecomputing.techtarget.com/guides/Mobile-device-protection-and-security-threat-measures
SUBJECT: Mobile Application Security for Digital Government Services
Today federal agencies are required to adopt mobile technology to improve citizen service. The growing risks associated with delivering mobile enterprise services to consumers make it critical to address mobile application management and mobile device management. These mobile enterprise services require a comprehensive mobile application and mobile device life cycle management framework consistent with industry standards and trends. Successful deployment of applications also requires revamping of the identity and access management strategy to enhance security. This framework must address mobility, services, data, privacy, device sanitization, network modernization, and application deployment (NIST 2012-2015).
Three of the main considerations for CIOs are capabilities, cost, and security (CIO Council 2012). CIOs have a variety of decisions to make as most of the risks associated with the adoption of mobile applications for digital government services fall within these considerations. When users access endpoint devices, networks, networked applications or web applications that require some type of authentication, there must be a strategy in place to address what mechanism(s) will be employed for identity verification and access authorization. Mobile identity integrates identity and access management with enterprise mobility management. Mobile identity verification should answer: who are you, where are you connecting from (location), and which device is connecting to the infrastructure.
Risks associated with mobile application deployment include (CIO Council 2012, 2013):
1. Technical limitation of available products and solutions
2. Lack of policies (privacy, breach, financial, personal devices, etc.)
3. Network connectivity and availability
4. Processes or lack thereof
5. No Government-wide contract vehicle to purchase devices and data plans
6. Justification of mobile technology investment
7. Cost to support increasing number of devices and products
8. Information sensitivity must be determined
9. Limited authentication and encryption options
10. Validation process speed
11. PIV Authentication (NIST 2012-2015)
12. No standard for derived credentials (FIPS 2013).
13. Lack of consistent configuration guidance
These risk factors should be addressed during the planning phase of the mobile application life cycle. Additionally, the following recommended best practices for mobile application implementation will ensure a successful deployment. Listed below are a few recommended practices (Garcia 2012).
· Build in protection and address risk at the beginning of the life cycle
· Secure the infrastructure where mobile applications reside
· Continually assess and identify potentially exploitable flaws
· Implement policies (password, device such as lock, privacy, wireless, etc.)
· Disable functionality (Wi-Fi, camera, Global Positioning System (GPS) to access location-based services (LBS), Bluetooth, Siri, App Store, etc.)
· Utilize containers that are FIPS 140-2 compliant (isolates data from rest of the device)
· Do not permit processing of classified information
· Require authentication to the device and container
· Establish best practices, training and risk awareness
In conclusion, a successful mobile application deployment framework will (Garcia 2012):
1. Establish an agency-wide application development approach
2. Take advantage of all the benefits of mobile devices
3. Reinforce mobile security
References:
CIO Council (2012), GOVERNMENT USE OF MOBILE TECHNOLOGY: Barriers, Opportunities, and Gap Analysis, Retrieved from: https://cio.gov/wp-content/uploads/downloads/2012/12/Government_Mobile_Technology_Barriers_Opportunities_and_Gaps.pdf
CIO Council (2013), Adoption of Commercial Mobile Applications within the Federal Government: Digital Government Strategy Milestone 5.4, Retrieved from: https://cio.gov/wp-content/uploads/downloads/2013/05/Commercial-Mobile-Application-Adoption-DGS-Milestone-5.4.pdf
Garcia, Jorge (2016), Moving Beyond the Basics: Key Considerations for Successful Adoption of Mobile Platform, Retrieved from: http://www.vnsgmagazine.nl/ExecutiveDiner/7_SuccessfulAdoption.pdf
Souppaya, Murugiah and Scarfone, Karen (2012), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-124 Revision 1 (Draft), Guidelines for Managing and Securing Mobile Devices in the Enterprise (Draft), Retrieved from: http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf
Ferraiolo, Hildegard, Feldman, Larry, and Witte, Greg (2014), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-157.pdf
Quirolgico, Steve, Voas, Jeffrey, Karygiannis, Tom (2015), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-163 Revision 1 (Draft), Vetting the Security of Mobile Applications, Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163.pdf
Computer Security Division Information Technology Laboratory (2013), Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors. (Introduction of PIV-derived credential), Retrieved from: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
The government is moving forward to streamline easy access to their abundance of data in the form of digital government services to individuals and companies. This easy access comes in the form of software, downloadable to different device operating systems, called applications (apps) in app stores. Mobile devices have already surpassed personal computers (PCs) as the primary method to access the internet in recent years (Kovach, 2015). This trend continues in other countries as well, as a third of adults reach for their smart phones at the beginning of their day and two-thirds are inseparable from them (Hern, 2015). With this type of data, the government is smart to pursue mobile applications for digital government services to increase innovations and jobs.
The drawback with mobile applications has been the growing threat of vulnerabilities associated with apps and mobile devices. The risk comes with sensitive information falling into the wrong hands or the applications not being built strong enough to deter threats. Currently 75 percent of mobile applications are susceptible to breaches as many are poorly configured, with this number only to rise in coming years (Shetty, 2014). Even if the app is configured correctly to protect against security holes, losing the device or having it stolen opens up the exposure of private information, as the device can now be accessed at any time ("Architecture and design," 2012). Other weaknesses in mobile applications include unencrypted storage on the device, no or poor authentication between server and device, unsuitable sessions when connections are present, weak cryptography and poor design of the application ("Architecture and design," 2012). These weaknesses are harder to implement due to the device's ability to continuously shift between networks, causing a complex model to attend to ("Architecture and design," 2012). Other malicious software may already be installed on devices and can cause mischievous malware or code to run on these devices, compromising a secure session between users and the government's digital services (Carroll, Rose, & Sritapan, 2013).
Government definitely has the public's best interest when it comes to providing their digital services via mobile applications. The problem that arises is that presently these apps are either built with misconfigurations or sessions are vulnerable to attacks. Currently 5 million mobile devices are either lost or stolen, causing another security issue needing to be addressed (Deitrick, 2015). Even though advancement in better security and protecting them is here or coming via updates, users are still considered one of the biggest issues when it comes to security in applications if those features are never utilized. The benefits may be there, but if data is mishandled after an attack, it can cause more damage than the good it was intended for. At this point the benefits of government applications are not there, until more improvements are made to cover all of the susceptible security holes that are currently present.
Carroll, D., Rose, M., & Sritapan, V. (2013). Mobile security reference architecture. Retrieved from https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
Deitrick, C. (2015). Smartphone thefts drop as kill switch usage grows but Android users are still waiting for the technology. Retrieved from http://www.consumerreports.org/cro/news/2015/06/smartphone-thefts-on-the-decline/index.htm
Hern, A. (2015). Smartphone now most popular way to browse internet – Ofcom report. Retrieved from https://www.theguardian.com/technology/2015/aug/06/smartphones-most-popular-way-to-browse-internet-ofcom
Kovach, S. (2015). More people are using just their phones to access the internet than desktops. Retrieved from http://www.businessinsider.com/mobile-internet-users-pass-desktop-users-2015-4
Shetty, S. (2014). Gartner says more than 75 percent of mobile applications will fail basic security tests through 2015. Retrieved from http://www.gartner.com/newsroom/id/2846017
Architecture and design considerations for secure software. (2012). In Software Assurance Pocket Guide Series, 5(2). Retrieved from https://buildsecurityin.us-cert.gov/sites/default/files/ArchitectureAndDesign_PocketGuide_v2%200_05182012_PostOnline.pdf
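Two of the posts above touch the same design problem from different sides: the SUBJECT essay says mobile identity verification should answer who you are and which device is connecting, and the later post lists "no or poor authentication between server and device", "unsuitable sessions" and "weak cryptography" among the common app weaknesses. The following is an added example, not code from either post or from any of the documents they cite. It shows a server-side session token for a mobile client that is bound to the issuing device, carries an expiry, and is protected by an HMAC-SHA256 tag, placed beside the weak unsigned design it replaces; the demo shows a token minted on a second (say, stolen) device being accepted by the weak check and rejected by the hardened one. Everything here is an assumption made for the illustration: the function names (weak_issue, weak_verify, issue_token, verify_token), the SERVER_KEY value, and the sample user and device identifiers. Only the Python standard library is used.

```python
"""Device-bound, expiring session tokens for a mobile client.

Added illustration, not code from any document cited above. Names
(weak_issue, weak_verify, issue_token, verify_token, SERVER_KEY) and the
sample user/device values are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret. In production it lives in a key store,
# never in source code or in the app bundle shipped to the device.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _claims(user: str, device_id: str, exp: int) -> bytes:
    """Canonical JSON so the same claims always produce the same bytes."""
    claims = {"sub": user, "dev": device_id, "exp": exp}
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


# --- weak design: the token is just the claims, nothing binds them ---------
def weak_issue(user: str, device_id: str, exp: int) -> str:
    return _b64e(_claims(user, device_id, exp))


def weak_verify(token: str, presented_device_id: str, now: int) -> Optional[dict]:
    """Checks expiry and device, but anyone who knows the format can mint a
    token with any subject, device or expiry they like."""
    try:
        claims = json.loads(_b64d(token))
    except (ValueError, binascii.Error):
        return None
    if claims.get("exp", 0) <= now or claims.get("dev") != presented_device_id:
        return None
    return claims


# --- hardened design: HMAC-SHA256 tag over the claims -----------------------
def issue_token(user: str, device_id: str, exp: int, key: bytes = SERVER_KEY) -> str:
    body = _claims(user, device_id, exp)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(token: str, presented_device_id: str, now: int,
                 key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims only if the tag is authentic, the token is unexpired
    and it is presented from the device it was issued to; otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest runs in constant time; a plain == would leak timing
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)  # authentic bytes, safe to parse now
    if claims["exp"] <= now:
        return None
    if not hmac.compare_digest(claims["dev"].encode(), presented_device_id.encode()):
        return None
    return claims


def demo() -> dict:
    """Exercise both designs with constructed values; returns the outcomes."""
    now = 1_700_000_000
    good = issue_token("alice", "dev-A", now + 600)
    # attacker on a second device knows the format and mints a 10-year token
    forged = weak_issue("alice", "dev-B", now + 10 * 365 * 86400)
    # attacker rewrites the expiry of a real token but cannot recompute the tag
    tampered = _b64e(_claims("alice", "dev-A", now + 10 * 365 * 86400)) \
        + "." + good.split(".", 1)[1]
    return {
        "weak_accepts_forged": weak_verify(forged, "dev-B", now) is not None,
        "strong_rejects_forged": verify_token(forged, "dev-B", now) is None,
        "strong_rejects_tampered": verify_token(tampered, "dev-A", now) is None,
        "strong_rejects_other_device": verify_token(good, "dev-B", now) is None,
        "strong_rejects_expired": verify_token(good, "dev-A", now + 601) is None,
        "strong_accepts_valid": verify_token(good, "dev-A", now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The device identifier presented at verification time is whatever the enrolment step established (a derived PIV credential or an MDM-issued device certificate would fill that role in the agency setting described above); the example only shows that the token cannot be separated from it. The token still has to be stored on the device inside an encrypted container and sent only over TLS; the HMAC tag stops forgery and tampering, not disclosure.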