Financial Service Security Engagement
Learning Team
CCMGT/400
April 8th, 2019
Ellen Gaston
Financial Service Security Engagement
· Create a plan that addresses the secure use of mobile devices by internal employees and external employees as they use mobile devices to access these applications.
· Recommend physical security and environmental controls to protect the data center which runs the on-site applications.
Introduction
Integrating a cloud-based customer relationship management (CRM) software application with the on-site applications that manage customer accounts and investment portfolios can help a firm create more leads, increase revenue, minimize the cost of sales, and improve customer service. However, this integration carries security risks and requires the organization to create a plan that addresses its secure use.
Mobile Device Security / Bring Your Own Device (BYOD) Plan
This involves creating a device usage policy before issuing devices to workers. The policy sets limits on how the devices may be used and the probable actions taken when it is violated (Michener, 2015). Employees are also trained on how to mitigate the security risks of mobile phones. If workers are allowed to use their personal devices, a BYOD security policy is created; it includes installing a remote-wipe application on every device that stores data accessed from the organization (Michener, 2015). The organization should install current antivirus software on all devices to prevent hacking and loss of data. Content stored on the mobile devices should be backed up to the organization’s computers on a regular basis so that the data remains safe if a device is stolen or lost.
Selecting Passwords
Passwords for the devices should be strong and never shared with any third party. This protects privacy by preventing data leakage to unwanted individuals. Separately, carrying out regular mobile security audits and penetration testing is one of the physical security and environmental control measures. Here, the firm hires a recognized security testing company to audit its device security and carry out penetration testing (Michener, 2015). This protects the data because any identified channel of data leakage drives the firm to upgrade its systems.
· Propose audit assessment and processes that will be used to ensure that the cloud-based CRM software provider uses appropriate physical security and environmental controls to protect their data centers which run your cloud-based CRM software.
· Develop identity and access management policies for both the on-site systems and the cloud-based CRM.
Customers should be aware that unique data security issues arise in a cloud computing environment. For example, in an ASP environment, a single physical server may be dedicated to the customer for hosting the application and storing the customer’s data. However, in a cloud computing environment, technologies and approaches used to facilitate scalability, such as virtualization and multi-tenancy, may result in customer data being stored on a physical server that also stores data of the provider’s other customers, which may increase the risk of unauthorized disclosure. We are recognizing the unique security and privacy risks related to a cloud computing service delivery model and calling on the government for legislation to enhance and strengthen security and privacy protections. (Foley & Lardner, 2013)
To address data security issues, customers should conduct due diligence regarding the security practices of a provider and include specific contractual protections relating to information security. Part of a customer’s due diligence should include identifying the location of the data center where the data will be physically stored and who may have access to the data. If the data center is in a foreign country, then the customer should be concerned, as it may not have an opportunity to inspect the foreign location to ensure it complies with the customer’s information security requirements. Even if the data center is in the United States, help desk personnel accessing the data could be in a foreign country with limited or different security and privacy laws. (Foley & Lardner, 2013)
In addition, the location of the data and the ability of data to be widely distributed across different jurisdictions present complex issues of which law is applicable in a given transaction. Currently, there is very little guidance from courts on these conflict of law issues. For example, if personally identifiable information is in Europe, then European law may govern that information regardless of what is provided for in the contract. Also, a vendor may have multiple data centers, each located in a different state in the United States, with each state having its own law regarding data privacy and security. Therefore, to minimize potential issues, the customer should consider adding a restriction against offshore work and data flow to foreign countries, including a requirement that the data center (including the hosted software, infrastructure, and data) be located and the services be performed in the United States, and that no data be made available to those located outside the United States. (Foley & Lardner, 2013)
In addition, the customer should identify who will be operating the data center. If the provider is not operating the data center itself (e.g., the provider is the owner of the software and will be providing support, but is using a third-party data center to host the software), then the provider should be required to ensure that the third-party host complies with the terms of the agreement (including the data security requirements), accept responsibility for all acts of the third-party host, and be jointly and severally liable with the third-party host for any breach by the third-party host of the agreement. Also, the customer should consider entering into a separate confidentiality and nondisclosure agreement with the third-party host for the protection of the customer’s data. If the provider ever desires to change the host, the provider should be required to provide the customer with advance notice, and the customer should be given time to conduct due diligence about the security of the proposed host and the right to reject any proposed host. (Foley & Lardner, 2013)
· Recommend cryptography and public key infrastructure (PKI) uses which could be used to increase security for these systems.
Due to the sensitive nature of the accounts that we handle, and the need to uphold a reputation of trust, encryption should be implemented. A public key infrastructure, using digital certificates that are company-generated, outsourced, or public, fills this need. Digital certificates are key to this infrastructure. A certificate can be issued to a user, computer, device, server, or web page, and it must come from a source that is trusted. Each certificate contains who issued it, who it is issued to, its expiration date, the public key, and a digital signature. The digital signature is computed over a hash value, and that hash value is used in concert with the public and private keys in the encryption methods. Once a public key infrastructure is in place, the business gains opportunities to use it simply because it is there. These opportunities include SSL, digital signatures, encryption, smart card login, software code signing, secure e-mail, encrypted file systems, VPN, and 802.1x port-based authentication. These benefit the company by giving employees an extra layer of security. They also benefit customers of any application or web-based service, where encryption such as AES protects them from a man-in-the-middle attack. The company’s reputation is an asset that gets overlooked until it is too late; by using methods that ensure the security of our employees and our customers, we make a stand that we take our services and our clients seriously. This will hopefully generate more revenue in the future as our clientele grows along with our business scalability, built on a good security infrastructure.
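As an added illustration (not part of the original paper), the following Python models a certificate with exactly the fields listed above and shows what the digital signature is: a SHA-256 hash of the to-be-signed fields, signed with the issuer's private key and checked with the issuer's public key, then accepted only if the issuer is trusted and the certificate is unexpired. It uses textbook RSA built from the standard library, assumed here for illustration only, with constructed names such as "Example Root CA" and "crm.example.internal".

```python
import hashlib
import math
import random

RNG = random.Random(2019)  # fixed seed: constructed, reproducible example keys

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test for large odd n."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: composite
    return True

def generate_keypair(bits=256):
    """Textbook RSA key pair (illustration only): returns ((n, e), (n, d))."""
    def prime():
        while True:
            c = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def tbs_digest(cert):
    """SHA-256 over the to-be-signed fields; this hash is what the issuer actually signs."""
    tbs = "|".join([cert["issuer"], cert["subject"], str(cert["not_after"]), str(cert["public_key"])])
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")  # 256 bits, below the modulus

def issue_certificate(issuer, issuer_private, subject, subject_public, not_after):
    """Issuer: who issued it, who it is issued to, expiry, public key, then the signature."""
    cert = {"issuer": issuer, "subject": subject, "not_after": not_after, "public_key": subject_public}
    n, d = issuer_private
    cert["signature"] = pow(tbs_digest(cert), d, n)  # hash signed with the private key
    return cert

def verify_certificate(cert, trusted_roots, now):
    """Relying party: trusted issuer, signature verifies under its public key, and unexpired."""
    issuer_public = trusted_roots.get(cert["issuer"])
    if issuer_public is None:
        return False  # certificate did not come from a place that is trusted
    n, e = issuer_public
    if pow(cert["signature"], e, n) != tbs_digest(cert):
        return False  # any edited field changes the hash, so the signature no longer matches
    return now <= cert["not_after"]
```

Generate one key pair for the CA and one for the CRM server, call `issue_certificate` with the CA's private key, and `verify_certificate` returns False once `now` passes `not_after` or any field is altered.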
References
Adams, C., & Lloyd, S. (2007). Understanding PKI: Concepts, standards, and deployment considerations. Boston: Addison-Wesley. Retrieved from https://books.google.com/books?hl=en&lr=&id=ERSfUmmthMYC&oi=fnd&pg=PP23&dq=pki&ots=nsynQXqjLp&sig=8aYQMuZvUxvfMVeSX5tULHD5jhI#v=onepage&q=pki&f=false
Michener, W. K. (2015). Ten simple rules for creating a good data management plan. PLoS Computational Biology, 11(10), e1004525.
Gartner, Inc. (2009, June 23). Gartner highlights five attributes of cloud computing. Retrieved from http://www.gartner.com/it/page.jsp?id=1035013
Part 4
Step-by-Step Guide to Assignment 8.4
Problem 4. Kaplan-Meier Survival Analysis (With Strata)
a. Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (be sure to define the event). Add Interval as the Strata variable.
Step 1. Analyze > Survival > Kaplan-Meier.
Step 2. Remove the Treatment Status [tx] variable from the Factor box. Select The order of the time interval [interval] and place it in the Strata box.
Step 3. Click Options. In Statistics, select Survival table(s) and Mean and median survival. Select Survival in Plots. Click Continue. Click OK.
SPSS Output:
b. Produce a plot of the survival function for each stratum.
c. Why would you want to produce Kaplan-Meier Survival Curves after stratifying for a variable?
Stratification allows you to compare survival by different levels of a variable, adding yet another layer of adjustment (control) in a model. In this example, total time on study was subdivided into 5 time intervals. Because the probability of survival changes over time, stratification enabled survival patterns to be compared at various stages or observation times. It may be that, despite treatment, the length of time lived beyond diagnosis has an effect on survival. Stratification controls for this effect.
Part 3
Step-by-Step Guide to Assignment 8.3
Problem 3. Kaplan-Meier Survival Analysis (With Factor)
a. Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (be sure to define the event). Add Tx as the factor.
Step 1. Open the SPSS dataset. Go to Analyze > Survival > Kaplan-Meier. The information from 8.2 should be saved. Select Treatment Status [tx] and place it in the Factor box.
(Note: Time to event/censor [time] should be in the Time box and event (“0” “1”) should be in the Status box from Problem 8.2; if not, you need to repeat the steps to place them there and define Event again.)
b. Test the difference between Tx groups (Compare Factor) using Log-Rank, Breslow, and Tarone-Ware.
Step 2. Click on the Compare Factor button.
Step 3. In the open window, check Log-Rank, Breslow, and Tarone-Ware. Click Continue.
Step 4. Click the Options button. (Make sure Survival table(s) and Mean and median survival are checked in Statistics and that Survival is checked in Plots.) Click Continue.
Step 5. Click OK in the Kaplan-Meier window.
SPSS output:
c. Produce a plot of the survival function
d. Describe what the Overall Comparisons mean in terms of treatment groups and survival times.
Overall Comparisons
Test                             Chi-Square   df   Sig.
Log Rank (Mantel-Cox)            4.308        1    .038
Breslow (Generalized Wilcoxon)   .926         1    .336
Tarone-Ware                      2.074        1    .150
Test of equality of survival distributions for the different levels of Treatment Status.
Means and Medians for Survival Time, by Treatment Status
Columns: Mean(a) Estimate, Std. Error, 95% Confidence Interval; Median Estimate, Std. Error, 95% Confidence Interval (per-group values not reproduced here apart from a final upper bound of 11.151)
a. Estimation is limited to the largest survival time if it is censored.
Notes:
Recall that the log-rank test is based on a 2 x 2 table looking at the number of deaths and the expected number of deaths for each group. The log-rank chi-square statistic is 4.31. For 1 df, the chi-square statistic must be greater than 3.84 (table p. 466 in the text) to reject the null hypothesis of no difference between the two treatment groups (placebo and Thiotepa) at the 95% probability level. Since 4.31 > 3.84, we can reject the null. Additionally, since the significance value of the Log Rank test is less than 0.05 and the Breslow and Tarone-Ware values are greater than 0.05, there is a difference in survival times between the two groups. This is confirmed by the log-rank p-value = 0.038, which is p < 0.05.
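The computation SPSS performs above, as an added Python example that is not part of the original guide: a Kaplan-Meier (product-limit) estimator and the Mantel-Cox log-rank chi-square, applied to a constructed placebo/Thiotepa sample (with one censored case) and judged against the 3.84 critical value the notes quote.

```python
from collections import Counter

# Constructed sample, coded like the guide's variables: (Time, Event) with Event 1 = tumor
# observed and 0 = censored; one list per Treatment Status group.
PLACEBO = [(1, 1), (2, 1), (3, 1), (4, 1)]
THIOTEPA = [(2.5, 0), (5, 1), (6, 1), (7, 1), (8, 1)]
CHI2_CRIT_1DF = 3.84  # critical value the notes quote for 1 df at the 95% level

def kaplan_meier(data):
    """Product-limit estimate: [(t, S(t))] with S(t) = product over event times of (1 - d/n)."""
    deaths = Counter(t for t, event in data if event == 1)
    curve, s = [], 1.0
    for t in sorted(deaths):
        at_risk = sum(1 for ti, _ in data if ti >= t)  # censored cases stay at risk until they leave
        s *= 1 - deaths[t] / at_risk
        curve.append((t, s))
    return curve

def median_survival(data):
    """First time the curve reaches 0.5 or below (the 'Median' estimate); None if never reached."""
    return next((t for t, s in kaplan_meier(data) if s <= 0.5), None)

def log_rank(group1, group2):
    """Mantel-Cox log-rank chi-square (1 df): (O1 - E1)^2 / Var, summed over distinct event times."""
    pooled = [(t, e, 1) for t, e in group1] + [(t, e, 2) for t, e in group2]
    observed = expected = variance = 0.0
    for t in sorted({t for t, e, _ in pooled if e == 1}):
        n1 = sum(1 for ti, _, g in pooled if ti >= t and g == 1)
        n2 = sum(1 for ti, _, g in pooled if ti >= t and g == 2)
        d1 = sum(1 for ti, e, g in pooled if ti == t and e == 1 and g == 1)
        d = d1 + sum(1 for ti, e, g in pooled if ti == t and e == 1 and g == 2)
        n = n1 + n2
        observed += d1
        expected += n1 * d / n  # expected deaths in group 1 under "no difference"
        if n > 1:
            variance += n1 * n2 * d * (n - d) / (n * n * (n - 1))
    return (observed - expected) ** 2 / variance

def groups_differ(group1, group2):
    """The notes' decision rule: reject 'no difference' when the chi-square exceeds 3.84."""
    return log_rank(group1, group2) > CHI2_CRIT_1DF

if __name__ == "__main__":
    for name, grp in (("placebo", PLACEBO), ("Thiotepa", THIOTEPA)):
        print(name, kaplan_meier(grp), "median =", median_survival(grp))
    print("log-rank chi-square = %.3f, differ = %s"
          % (log_rank(PLACEBO, THIOTEPA), groups_differ(PLACEBO, THIOTEPA)))
```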
Part 2
Step-by-Step Guide to Assignment 8.2
Problem 2. Kaplan-Meier Survival Analysis (Without Factor or Strata)
Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (be sure to define the event). Do not add a factor or strata at this time.
Step 1. In the Practice_Week08_dataset with the added Time variable, Analyze > Survival > Kaplan-Meier.
Step 2. In the Kaplan-Meier window, select the Time to event/censor [Time] variable and place it in the Time box.
Step 3. Select the Tumor [event] variable and place it in the Status box.
Step 4. Click on the Define Event button.
Step 5. In this window, select the List of values radio button, type 0 in the List of values box, then click Add.
Step 6. Type 1 in the List of values box. Click Add, then click Continue.
Step 7. In the Kaplan-Meier window, click on Options.
Step 8. In the Options window, check Survival table(s) and Mean/median survival in the Statistics area; check Survival in the Plots area. Click Continue. Click OK when you are returned to the Kaplan-Meier window.
SPSS output:
a. Produce a Survival Table (you do not need to submit this)
Your Output window should contain a small Case Processing Summary table with a VERY long Survival Table below it. This is the table you are asked to produce, but not turn in, in Problem 2b.
SPSS output:
b. Produce a plot of the survival function
c. What is the mean survival time (include confidence intervals)? What is the median survival time (include confidence intervals)? Why do you think they are so different from each other?
Means and Medians for Survival Time
          Estimate   Std. Error   95% CI Lower Bound   95% CI Upper Bound
Mean(a)   14.017     1.026        12.007               16.027
Median    9.000      1.097        6.849                11.151
a. Estimation is limited to the largest survival time if it is censored.
Recall that means are affected by extreme values, whereas the median is not. Consider the frequency distribution for the Time variable that you ran in Problem 1.
Part 1
Step-by-Step Guide to Assignment 8.1
Problem 1. Data
a. Create a variable for Time-to-event by subtracting the start time (variable = start) from the stop time (variable = stop). Label the new variable “Time”.
Step 1. Open Practice_Week08_dataset.sav. Under Transform, select Compute Variable.
Step 2. Type “Time” in the Target Variable box. Select the Time of event or censor [stop] variable and move it to the Numeric Expression box.
Step 3. Stop will appear in the Numeric Expression box. Click on the minus sign on the keypad, then click on the Start time for each interval [start] variable and transfer it to the Numeric Expression box. The numeric expression should read “stop – start”. Click OK.
Step 4. Bring up the Data Editor screen in Variable View. Note that the new Time variable has 2 decimals. Change this to 0 using the down arrows in the Decimals cell for Time.
Step 5. Select Define Variable Properties under Data.
Step 6. In the Define Variable Properties window, select Time in the Variables box and move it to the Variables to Scan box. Click Continue.
Step 7. In the new Define Variable Properties window, type “Time to event/censor” in the Label box. Click OK.
Step 8. Switch to Variable View in the Data Editor window. The Time variable label should appear as below.
Step 9. Switch to Data View and review the data in Time. Each value should equal the stop value minus the start value.
b. Produce the appropriate descriptive statistics, numerical and graphical, for the following variables:
Step 1. Review each variable to determine whether it is categorical or continuous.
Step 2. Analyze > Descriptive Statistics > Frequencies.
Step 3. Select one variable in the Frequencies window and place it in the Variables box.
For each categorical variable, run frequencies and bar graphs for frequencies:
Step 4. Click on Charts and select Bar Charts and Frequencies. Click Continue. Click OK.
For each continuous variable, run descriptive statistics (mean, standard deviation, minimum, and maximum) and produce histograms:
Step 5. Click on Statistics. Select Mean, Median, and Mode in the Central Tendency area. Select Std deviation, Variance, Range, Minimum, Maximum, and SE mean in the Dispersion area. Select Skewness and Kurtosis in the Distribution area. Click Continue.
Step 6. Click on Charts and select Histogram and Show normal curve on histogram. Click Continue. Click OK.
· Event (categorical)
Tumor
                  Frequency   Percent   Valid Percent   Cumulative Percent
Valid   No Tumor