CMGT 400 Grading Rubric Learning Team – CMGT 400 Week 4 Learning Team Grading Rubric – Disaster Recovery and Business Continuity Plan

Rubric columns: Meets criteria? | PTs | Grade | Comments

Content (77.0 points)
Using the financial services scenario from the Week 2 and Week 3 Learning Team assignments, “Financial Service Security Engagement,” create an 8- to 10-page Disaster Recovery and Business Continuity Plan with the following:
· Determine the recovery model for your backup and recovery strategy (16 pts.)
· Design the backup strategy and include a diagram to document your backup strategy (16 pts.)
· Include recovery steps in your diagram (16 pts.)
· Recommend a schedule for backups (13 pts.)
· Explain how you will test your backup and recovery strategy (16 pts.)
· Recovery sites
  · Hot site
  · Warm site
  · Cold site
· Order of restoration
· Backup types
  · Differential
  · Incremental
  · Snapshot
  · Full
· Geographic considerations
  · Off-site backups
  · Distance
  · Location selection
  · Legal implications
  · Data sovereignty
· Continuity of operation
  · Exercises
  · After-action reports
  · Failover
  · Alternate processing sites
  · Alternate business practices
Submit the assignment.
PTs: 77 | Grade: X out of 77

Research
Assignment has research depth including at least two outside relevant peer-reviewed references from course material and/or the library.
PTs: 7

Organization
Assignment is organized appropriately, covering all required topics in a logical sequence. Title, introduction, body, conclusion and references are included in the required sequence.
PTs: 3

Mechanics, Quality and APA
Assignment projects a professional, quality image and meets academic integrity requirements. Meets APA format. Include title page and reference section. References in APA format. No spelling errors: the paper has obviously been proofread. Title and reference pages do not count toward the length requirement.
PTs: 3

TOTAL POINTS FOR RESEARCH, ORGANIZATION, QUALITY, AND APA REQUIREMENTS: X out of 13
TOTAL POINTS: X out of 90 possible points (04-29-19 rpg)
Financial Service Security Engagement
John Fulcher, Latoya Davis, Renita Garland, William Crabb, Logan Hampton
Comment by Ellen Gaston: Include the names of all participating team members
CMGT 400
October 1, 2019
Financial Service Security Engagement
Customers are a critical stakeholder for every business organization across the globe. As the learning team for a financial service company specializing in the sale and management of investment portfolios for high net-worth individuals, the team has a responsibility to ensure safety. As a measure to improve the confidentiality, integrity, and availability of information, the company migrated to a cloud-based customer relationship management (CRM) system. However, the chief information security officer (CISO) is concerned about the security of the new system. This paper aims to address the concerns about the new cloud-based CRM by formulating a plan for the use of mobile devices, recommending physical and environmental controls for the data center, proposing an audit assessment process, developing identity and access management policies, and recommending cryptography and public key infrastructure.
Comment by Ellen Gaston: Applied CIA triad
Mobile Device Security Plan
The progress and growth of a business rely on the business developing a healthy relationship with customers to foster success. After migrating to cloud-based customer relationship management (CRM), the company expects the cybersecurity engineering team to guarantee the security of customer information. The management objectives of migrating to a cloud-based CRM integrated with the on-site software application are to manage the investment portfolio and customer accounts. As a result, the organization hopes to improve customer service, reduce the cost of sales, and thus generate more leads, increase sales, and improve revenues.
The account managers' enthusiasm for the new system, because of its ability to support mobile devices, is growing exponentially. The use of mobile devices enables managers to operate seamlessly from anywhere at any given time (Sammons & Cross, 2017). Mobile devices are vulnerable to security breaches. However, through planning, IT organizations can account for threats relating to intrusive applications and stolen devices. Securing corporate- and privately-owned mobile devices such as tablet computers, laptops, universal serial bus (USB) memory sticks, and smartphones is a major challenge for the IT department. A best-practice mobile device security plan contains guidelines and safeguards that protect the use of mobile devices in the company. The policy plan for the secure use of mobile devices by both internal and external employees includes technical and user requirements.
Comment by Ellen Gaston: Effective use of research and insight into mobile device security risks. Remember BYOD.
Comment by Ellen Gaston: Applied formal plan and policy.
Technical requirements
A mobile device security plan is a document that highlights measures to protect mobile devices against vulnerabilities and business risks. The use of mobile devices in a financial company ensures managers remain reachable when away from the office or home. Adhering to the company acceptable use policy is the best practice for ensuring internal and external employees remain cautious about the issues emanating from the use of mobile devices. The following are technical requirements for securing mobile devices.
Comment by Ellen Gaston: Excellent formal definition of the requirements applying SDLC concepts and key security technologies such as encryption.
· All devices must store all user-saved passwords in an encrypted password store.
· Devices must use one of the following operating systems: Android version 5.1.1 or later, or iOS 4.x or later.
· All devices must have antivirus software.
· The CRM application is accessible from the app stores.
· The devices must comply with the company password policy.
· Devices must comply with company password management rules on security features.
User Requirements
The concerns of the chief information security officer remain valid, as mobile devices are a source of security incidents. The issues range from device loss and external breaches to malware infection. Given that the integration of the cloud-based CRM with the on-site application has an immense benefit to business operations, the use of mobile devices will continue to increase (Vacca, 2013). The usage of mobile devices warrants proper risk management. User requirements for the security plan are as follows:
Comment by Ellen Gaston: Correct! A formal risk assessment should be conducted. Apply mobile data management (MDM).
· Users must report stolen or lost devices promptly.
· Users must regularly update their devices' OS with security patches.
Comment by Ellen Gaston: Considered currency.
· Users may only download and store corporate data relating to their task at hand.
· All devices must be disconnected from Wi-Fi when not in use.
· Avoid jailbreaks.
· Keep the device in close possession at all times.
Physical Security and Environmental Controls for Data Center
Comment by Ellen Gaston: Section meets requirements.
The data center is the epicenter of the financial services company. Data centers host the on-site application that plays a vital role in the daily operation of the company. The physical security and environmental control of the data center are fundamental to the corporation for remote storage and processing of data. Organization data centers require security measures and controls against loss of connectivity caused by fire, theft, intentional destruction, flood, equipment failures, unintentional damage, and power failure.
The cloud service providers should provide detailed physical and operational security to secure the network and server infrastructure. Erecting physical security helps to deal with foreseeable threats. The building and the room that house the information technology system must be secured from unauthorized access to avoid damage to systems and information. Perimeter security is the first line of defense to deter trivial attackers. Data centers should have physical elements such as fences, gates, berms, bollards, and lighting to deter unauthorized access. The data center should be fitted with hardware locks to protect against equipment theft. All entry points should have mantraps to detect illegal access to the facility. Detection systems such as video surveillance, motion detectors, alarms, closed-circuit TV, and security guards should be visible to enhance physical security.
In addition to physical security, environmental aspects relating to data centers should be managed properly because, if they are not, they can cause interruption of services. Data centers should be separate from the other operations buildings to maintain optimum heating and cooling. The data center should have a fully functioning heating, ventilating, and air conditioning (HVAC) system to keep the environment at a constant temperature. Separating the data room from the rest of the building helps to manage overheating effects so that they do not affect the rest of the building.
Water should not be nearby when working in areas with computer and power systems. However, the organization should maintain a small fire suppression system that relies on water. The data room should be fitted with smoke, heat, and fire detection systems to enhance suppression. Chemicals that are environmentally friendly should be used to suppress fire rather than water. Electromagnetic interference (EMI) shielding should be put in place to protect users of computers and mobile devices. Another environmental control for data centers is hot and cold aisles. The design of a data center is essential to ensure cold and hot air circulation to improve server optimization. Environmental monitoring should be done regularly to ensure data centers are fully functional.
Audit Assessment for Cloud-Based CRM Software Provider
The financial service company will benefit immensely by investing in a cloud-based CRM. Auditing is an essential part of the company's overall security plan to ensure that the cloud service provider has established proper physical security and environmental controls. The audit assessment proposal highlights the minimum requirements to ensure the CRM software application is in line with company goals. The results of the audit assessment can help the company to put forth elaborate measures to ensure the information system is secure from threats.
Comment by Ellen Gaston: Applied audit considering alignment with organization goals.
Running a significant portion of the business in the cloud warrants an assessment to ensure the service provided helps the company serve the interests of its customers. Vetting a cloud-based service provider is not an easy task, as there are no clear guidelines; nevertheless, companies should not shy away from auditing their service providers (Chen, Wu, Chu, Lin, & Chuang, 2018). The following is a proposed audit checklist for the hosting data center.
Scope of the Audit
Comment by Ellen Gaston: Applied project management concepts clarifying scope
· The scope of the cloud-based CRM audit will include the procedures specific to hosting the data center.
· Additionally, the audit will include physical security and environmental controls relating to data center protection.
Site location
· On-site visits to ensure the geographical location is safe from natural disasters (such as flooding and earthquakes) and man-made threats such as civil disobedience, burglary, explosion, and fires.
Facility design
· Perimeter fence, locked doors and windows, guards, hardware locks, and mantraps
· The design of the room should resist damage emanating from natural disasters.
· Detection systems: motion detectors, CCTV, alarms, etc.
· Availability of a suppression system: smoke, heat, and fire detectors
· The data center should have an HVAC system
· The data center has environmental controls
Identity and Access Management Policies
Comment by Ellen Gaston: Demonstrated understanding of IAM.
Technology resources serve as the most valuable resource for any company. As a company dealing with investment management for high net-worth individuals, the financial service company should give identity management the attention it deserves. According to information technology consultant John Vacca (2013), “identity and access management (IAM) refer to a set of information and technology for managing the use of digital identities” (p. 167). Identity and access management policies help to ensure that identities have the right access to resources within the context of their job responsibilities and roles. IAM involves requesting, approving, creating, deleting, granting access, revoking access, authentication, authorization, and deprovisioning for any identity on the system. The following are access and management policies for the on-site systems and the cloud-based CRM.
The IAM policies can be categorized into two levels: the individual level and the information system level. At the individual level, the policies strictly provide guidelines to account holders on ways to ensure proper use of their authorizations. Therefore, all account holders must:
· Create a password with a minimum of eight characters to conform with financial services company best practices.
· Not disclose or share a password related to the system with any other person.
· Not use a password related to the financial service system for non-business accounts.
· Use the privileged account for the intended purpose only.
· Use screen locking technologies for unattended devices.
Cloud IAM identity services come at no additional cost to the company. The service provides a central location for managing the identities of cloud administrators for the organization. The administrators are responsible for developing policies that configure and maintain devices and applications for the company. The policies include:
User accounts policy. The policy entails the requirements for requesting and maintaining an account on the cloud-based CRM. The company has three distinct account types, namely user accounts, shared accounts, and service accounts, based on the nature of the operation.
Authentication policy. The cloud-based CRM should use federated authentication over local accounts and passwords. The company password should be complex, with a minimum of 8 characters containing numbers, special characters, lowercase, and uppercase letters. For restricted use, only users with multifactor authentication should have access to the system.
Authorization policy. Access to the system or application shall use role-based authorization. Authorization should have the necessary approvals based on the principle of least privilege and separation of duties.
Deprovisioning policy. Individuals who cease to be employees of the financial service company should not have an account.
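The individual-level rules and the account, authentication, authorization and deprovisioning policies above, encoded as access-decision checks. This is an added example, not code from the paper or from any IAM product; the role names, resource names and the conflicting-role pairs are assumptions made up for illustration.

```python
"""Access-decision checks for the IAM policies in this section.

Added example; not code from the paper or from any IAM product. The
account types, role names, resource names and conflicting-role pairs
are assumptions made up for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Authentication policy: at least 8 characters with numbers, special
# characters, lowercase and uppercase letters (this also satisfies the
# eight-character rule placed on individual account holders).
PASSWORD_RULES = [
    (re.compile(r".{8,}"), "at least 8 characters"),
    (re.compile(r"[0-9]"), "a digit"),
    (re.compile(r"[^A-Za-z0-9]"), "a special character"),
    (re.compile(r"[a-z]"), "a lowercase letter"),
    (re.compile(r"[A-Z]"), "an uppercase letter"),
]

# Separation of duties: role pairs one identity may never hold together
# (assumed pairs for an investment-management company).
CONFLICTING_ROLES = {
    frozenset({"trade-entry", "trade-approval"}),
    frozenset({"payment-initiator", "payment-approver"}),
}

@dataclass
class Account:
    name: str
    kind: str                     # user accounts policy: "user", "shared" or "service"
    roles: Set[str] = field(default_factory=set)
    mfa_enrolled: bool = False
    employed: bool = True         # False once the person leaves the company

@dataclass
class Resource:
    name: str
    allowed_roles: Set[str]       # role-based authorization
    restricted: bool = False      # restricted use: multifactor required

def password_violations(password: str) -> List[str]:
    """Rules the password fails; an empty list means it is compliant."""
    return [desc for rx, desc in PASSWORD_RULES if not rx.search(password)]

def sod_conflicts(account: Account) -> List[frozenset]:
    """Every conflicting role pair the account currently holds."""
    return [pair for pair in CONFLICTING_ROLES if pair <= account.roles]

def authorize(account: Account, resource: Resource) -> Tuple[bool, str]:
    """Grant or deny per the policies above; the string gives the reason."""
    # Deprovisioning policy: a former employee keeps no usable account.
    if not account.employed:
        return False, "account belongs to a former employee and must be removed"
    # Separation of duties is enforced before any grant.
    if sod_conflicts(account):
        return False, "account holds conflicting roles (separation of duties)"
    # Least privilege: only a role explicitly allowed on the resource grants access.
    if not (account.roles & resource.allowed_roles):
        return False, "no role grants access to this resource"
    # Restricted use: only multifactor-enrolled identities get in.
    if resource.restricted and not account.mfa_enrolled:
        return False, "restricted resource requires multifactor authentication"
    return True, "granted"
```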
Cryptography and PKI Recommendation
The security of the on-site system and the cloud-based CRM is vital to the future of the financial service company. Secure communication is at the heart of every company investing in information technology. The purpose of cryptography is to enhance the confidentiality of the transmitted message (Zhu, Jiang, & Zhou, 2018). Data protection from unauthorized access entails encryption and decryption of the message.
Comment by Ellen Gaston: Correct.
The financial service company must deploy the use of encryption and ciphers to enhance the security of the system. The three key traits for information security are confidentiality, integrity, and authentication. The cipher transforms the bits of the plaintext into ciphertext using key bits. The organization can use a symmetric cipher to encrypt and decrypt messages within the organization. An asymmetric cipher deploys the same key for encrypting and decrypting messages.
Another recommendation by which a financial service company can improve security is the use of an asymmetric cipher (public-key cryptography). Public key infrastructure (PKI) allows the use of a private and public key to achieve security services. PKI ensures that the trust of the public key is maintained. Common PKI uses for improving information security include HTTPS and SSL, which validate the identity of the web server. I recommend that the organization obtain a digital certificate for the cloud-based software application to prove its identity in the electronic world. The organization should also deploy the use of a cryptographic hash function to improve data integrity.
In conclusion, information privacy is an essential element that every organization must pay close attention to at all times. To improve the optimization of services, the financial service company migrated to cloud-based customer relationship management. To address the concerns raised by the CISO, it is paramount to secure mobile devices by developing usage policies. Cloud-based services require the use of data centers that must be protected against threats using physical security measures and environmental controls. Data protection is a fundamental aspect of the organization. Developing identity and access management regulates who, where, how, and when an identity has access to information. To secure and improve the security of information, it is essential to deploy public-key cryptography.
Comment by Ellen Gaston: Considered key organization role.
References
Chen, Y.-S., Wu, C., Chu, H.-H., Lin, C.-K., & Chuang, H.-M. (2018, March). Analysis of performance measures in cloud-based ubiquitous SaaS CRM project systems. The Journal of Supercomputing: An International Journal of High-Performance Computer Design, Analysis, and Use, 74(3), 1132-1156.
Halpert, B. (2013). Auditing cloud computing: A security and privacy guide. Hoboken, NJ: John Wiley & Sons.
Sammons, J., & Cross, M. (2017). The basics of cyber safety: Computer and mobile device safety made easy. Cambridge, MA: Syngress, an imprint of Elsevier.
Santos, O. (2018). Developing cybersecurity programs and policies (3rd ed.). London: Pearson Education.
Vacca, J. R. (2013). Computer and information security handbook. Amsterdam: Morgan Kaufmann, an imprint of Elsevier.
Zhu, S., Jiang, L., & Zhou, Z. (2018). Research on key techniques of cryptographic access control and properties optimisation in cloud storage. International Journal of Information Technology and Management, 17(4), 257-274.
CMGT 400 Grading Rubric Learning Team – Week 2 Financial Service Security Engagement

Rubric columns: Meets criteria? | PTs | Grade | Comments

Content (75.0 points)
Your Learning Team is a cybersecurity engineering team for a financial services company that sells investments to, and manages investment portfolios for, high net-worth individuals. Your organization just completed the migration of the account managers to a cloud-based, customer relationship management (CRM) software application. Your organization has integrated the cloud-based CRM with on-site investing and account management systems to improve the sales of investment products to customers and potential customers and for managing customer accounts and investment portfolios. The Chief Information Security Officer (CISO) of your organization is concerned about the security of this new system and its integration with existing systems and has requested that your team complete the following 6- to 8-page security analysis:
· Create a plan that addresses the secure use of mobile devices by internal employees and external employees as they use mobile devices to access these applications. (15 pt)
· Recommend physical security and environmental controls to protect the data center which runs the on-site applications. (15 pt)
· Propose audit assessment and processes that will be used to ensure that the cloud-based CRM software provider uses appropriate physical security and environmental controls to protect their data centers which run your cloud-based CRM software. (15 pt)
· Develop identity and access management policies for both the on-site systems and the cloud-based CRM. (15 pt)
· Recommend cryptography and public key infrastructure (PKI) uses which could be used to increase security for these systems. (15 pt)
PTs: 75.0 | Grade: 75 out of 75.0
Comments: Learning team assignment met requirements. The team developed a comprehensive plan to address the secure use of mobile devices by internal employees and external employees. Applied risk management and SDLC concepts when developing security plans. The team made valid recommendations for physical security and environmental controls. Applied cloud-based CRM application audit assessment processes, defined scope, and appropriate controls for data center security. Consider BYOD risk and apply MDM. Remember formal standards such as ISO 27001. The team demonstrated understanding of identity and access management policies for on-site and cloud-based systems. Cryptography and PKI were included. The team included appropriate rationale to justify recommendations.

Research
Assignment has research depth including at least two outside relevant peer-reviewed references from course material and/or the library.
PTs: 7 | Grade: 7
Comments: The assignment content demonstrated your team did research. Included at least two references to meet the research depth requirement.

Organization
Assignment is organized appropriately, covering all required topics in a logical sequence. Title, introduction, body, conclusion and references are included in the required sequence.
PTs: 4 | Grade: 4
Comments: Assignment is organized, flowed logically, covering all required topics. Assignment is structured to meet most APA requirements.

Mechanics, Quality and APA
Assignment projects a professional, quality image and meets academic integrity requirements. Meets APA format. Include title page and reference section. References in APA format. No spelling errors: the paper has obviously been proofread. Title and reference pages do not count toward the length requirement.
PTs: 4 | Grade: 4
Comments: Met most APA. Included a reference section. Assignment has in-text references to support APA and academic integrity requirements.

TOTAL POINTS FOR RESEARCH, ORGANIZATION, QUALITY, AND APA REQUIREMENTS: 15 out of 15
TOTAL POINTS: 90 out of 90 possible points (04-29-19 rpg)