Pandiya Rajan, profile picture
Uploaded byPandiya Rajan
PPTX, PDF84 views

CONTEXTUAL ARCHITECTURE.pptx

Understanding an organization's risk environment involves taking a holistic approach to information security risk management. This includes identifying the organization's business processes, resources, threats, vulnerabilities and risks through techniques such as business impact analysis and risk evaluation. Risk evaluation aims to identify risk scenarios and their potential business impacts by collecting relevant data, analyzing risks while considering business impacts, and maintaining an up-to-date risk profile. Understanding an organization's business processes, dependencies, resources and the risks that could disrupt them are key to developing and implementing effective security and business continuity strategies.

Embed presentation

Download to read offline
Contextual Security Architecture
Contextual security architecture: Understanding an Organization’s Risk Environment Information security means protecting information and information systems confidentiality, integrity and availability from: • Unauthorized access, use, disclosure • Modification • Disruption and destruction (Confidentiality) (Integrity) (Availability)
ISACA RiskIT NIST Risk Management Framework Holistic Approach to Information Security Risk Management ISACA RiskIT NIST Risk Management Framework
Risk Evaluation Risk evaluation is the process of identifying risk scenarios and describing their potential business impact
Risk Evaluation - Key Components Collect Data Identify relevant data to enable effective IT-related risk identification, analysis and reporting Analyze Risk Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain Risk Profile Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
Collect Data
Business Impact Analysis (BIA) Business Continuity Plan (BCP) Provides procedures for sustaining mission/business operations while recovering from a significant disruption caused by a natural or human-induced disaster The purpose of the business impact analysis (BIA) is to identify which business units/departments and processes are essential to the survival of the business. The BIA will identify how quickly essential business units and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations
Business Continuity Management • The Business Continuity Plan (BCP) is developed to help assure the organization’s ability to maintain, resume, and recover the business It is not just about recovering information technology capabilities • Planning focuses on the entire enterprise’s mission critical infrastructure 1. People 2. Processes 3. Technology • Thorough business impact analysis (BIA) and risk assessment form the foundation of an effective Business Continuity Plan
Business Continuity Management (BCM) An important and big topic: • How to maintain the continued operation of the business’ processes?
Business Continuity Management (BCM) Prerequisite: Good documented models of the business’ processes, broken down into a series of hierarchical layers of sub-processes, sub-sub processes… 1. Business processes 2. Resources needed to run processes 3. Threats, vulnerabilities and risks 4. Business Impact Analysis (BIA) 5. Develop recovery strategies 6. Plan, design and implement recovery plans 7. Testing – Maintenance (update), Awareness, Training (practice) … Repeat Including disaster recovery plan
Each process can be decomposed into a further level of detailed sub-processes • some run in parallel • some in sequence… Business Impact Analysis: Meta processes of large enterprises There may be 5 or 10 high-level information processes (“meta-processes”) essential to the business, for example: 1. Develop product offerings 2. Bring product offerings to market 3. Acquire customer orders 4. Fulfill customer orders 5. Manage and administer the business • For example has 6 sub-processes… Sherwood, J., Clark, A. and Lynas D. (2005)
Business Continuity Management Process Step 1 • Identify and map business processes • Assess the business impact of loss of each business process • Classify and rank the business processes into 3 or 4 groups 1. Critical – Loss of this process will destroy the business 2. Severe – Loss will cause persistent, severe damage to the business 3. Significant (optional) – Loss will cause significant damage 4. Other – Damage caused by loss of this process can be absorbed BIA – Business Impact Analysis Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Business Continuity Management Process Step 2 • Select each Critical and Severe process • Analyze all sub-processes • Down to single functional steps to discover all the process and functional components needed to keep this high-level process in continuous operation Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Work processes to support Service requests and utility maintenance management work orders • City’s Public Works Department • 4 Divisions (230 employees) • Operations • Transportation • Sewer • Water
Service Request / Work Order Computerized Maintenance Management System (CMMS)
Service Request Work
Business Processes A collection of Swim Lane models document the work processes of each DPW Division’ Sewer Work processes
Business Processes Water work processes
Business Proceses Transportation Work processes
Operations work processes
Business Continuity Management Process Step 3 • For each sub-process or function identified in Step 2: – What resources are needed – How much of each resource is needed • People • Information and communications technology • Data • Equipment • Raw materials • Accommodations • Communications • … Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Business Continuity Management Process Step 4 • For each information resource identified in Step 3, what is the high-level threat scenarios put that resource at risk? • Focus on effects, not cause Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
Inventory of Work Processes and Staff needed from a Single Organizational Unit
Understanding cross organizational workflows… Identifying dependencies on critical paths for completing prioritized work processes
Gaining an Understanding of Staff Needed to Support Mission Critical Work DPW work is often supported by staff of a number of DPW Divisions, other City offices, and outside agencies
Business Process Analysis Results in an Integrated Overview of how DPW Work is Coordinated
Risk Evaluation - Key Components Collect Data Identify relevant data to enable effective IT-related risk identification, analysis and reporting Analyze Risk Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain Risk Profile Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
Analyze Risk
Maintain Risk Profile
38
Overview of a risk model NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 21 and page 32
Risk assessment process NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 32 … NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 95
Key concepts Threat Potential for the occurrence of a harmful event such as an attack Vulnerability Weakness that makes targets susceptible to an attack Risk Potential of loss from an attack Risk Mitigation Strategy for dealing with risk
What is a threat? Anything that has the potential to lead to: • Unauthorized access, use, disclosure • Modification • Disruption or Destruction Physical Technical Administrative of an enterprises’ information
What is a threat… Threats to information and information systems include: 1. Purposeful attacks (“Human malicious”) 2. Human errors (“Human ignoramus”) 3. Structural Failures 4. Environmental disruptions
Taxonomy of threat sources 44 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals
Adversarial/Purposeful threat sources (i.e. attackers) Are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated Successful attacks on private and public information systems can result in serious or grave damage to businesses, organizations, nations and their economic security… The significance and growing danger or these threats make it imperative for leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks 45
Adversarial (i.e. purposeful) threat sources 46 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
Human malicious threat examples viruses identified) • Corporate espionage (spies) • Crackers/scriptkiddies (amateurs, novices; considerably less skilled than hackers) • Cybercrime/fraud • Data diddling • Denial-of-service attacks • Dumpster diving • Employees, management (greed, vices, financial pressure, extravagant lifestyle, real or imagined grievances, workplace pressure/stress) • High-energy radio frequency attacks (laser-like device aimed at buildings housing computers; high-frequency radio waves melt computer chips) • Accessing public material (80 percent unclassified and open to public) • Black-hat hackers (lightweights to heavyweights) • Bombing • Career criminals • Computer viruses (stealth, polymorphic, macro; over 6,500 different • • Impersonation/spoofing (e-mail spoofs, anonymous eMailers, use of someone’s login and password) • Intelligence agencies • Looping Internet Protocol ISP address (always-on Internet connections vulnerable) • Password crackers (such as Cracker and LoPht Crack software) Physical attacks • Remote access control software (examples include PCAnywhere, Timbuktu, NetBus, BackOrifice) • Sabotage • Social engineering (attacks against persons; using fake badges, blackmail, threat, harassment, bribery and impersonation) • Surveillance (shoulder surfing, high-powered photography) • Terrorists • Trojan horses • Unshredder software • Van Eck receptors • Vendors/suppliers/customers • Vulnerability scanning software (such as Nessus, CyberCop software) • War dialing • Web crawlers
Malicious threats Howard’s process-based taxonomy, from Hansman, S. and Hunt, R., 2004, “A taxonomy of network and computer attacks”, Computers & Security, page 3, Elsevier Ltd. Cited from Howard, JD, 1997, “An analysis of security incidents on the internet 1989-1995. PhD thesis, Carnegie Mellon University.
Anatomy of an Attack (McAfee, 2011) Threat landscape
5/20/201 5 Anatomy of an Attack (MANDIANT, 2015) 1. Attacker sends spear fishing e-mail 2. Victim opens attachment • Custom malware is installed 3. Custom malware communicates to control web site • Pulls down additional malware 4. Attacker establishes multiple backdoors 5. Attacker accesses system • Dumps account names and passwords from domain controller 6. Attacker cracks passwords • Has legitimate user accounts to continue attack undetected 7. Attacker reconnaissance • Identifies and gathers data 8. Data collected on staging server 9. Data exfiltrated 10. Attacker covers tracts • Deletes files • Can return any time Advanced threats usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent (Holcomb & Stapf, 2014) Threat landscape
51 Threat landscape
Taxonomy of threat sources 52 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals 
Accidental threat sources 53 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
The Non-Malicous insider threat 1. A current or former employee, contractor, or business partner 2. Has or had authorized access to an organization’s network, system, or data 3. Through action or inaction without malicious intent… 4. Causes harm or substantially increases the probability of future serious harm to… confidentiality, integrity, or availability of the organization’s information or information systems Major characteristic is ‘failure in human performance’ Carnegie Mellon University’s Software Engineering Institute’s (SEI) Computer Emergency Response Team (CERT) Definition (2013)
How accidental human (non-malicious insider) threats can happen… 55 • Most people feel security is not part of their job • People underestimate the value of information • Security technologies give people a false sense of protection from attack • We have a culture of trust that can be taken advantage of with dubious intent
Characterizing insiders’ mistakes • Ignorant • An unintentional accident • Negligent • Willingly ignores policy to make things easier • Well meaning • Prioritizes completing work and “getting ‘er done” takes over following policy Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
Examples of insiders’ accidents • Accidental Disclosure • Posting sensitive data on public website • Sending sensitive data to wrong email address • Malicious Code • Clicking on suspicious link in email • Using ‘found’ USB drive • Physical data release • Losing paper records • Portable equipment • Losing laptop, tablet • Losing portable storage device (USB drive, CD) Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
Example of an accident made by a well meaning employee… “Terrific employee”: • Account Manager handling Medicaid data for Utah • Employee had trouble uploading a file requested by State Health Dept. • Copied 6,000 medical records to USB drive • Lost the USB drive • CEO admits the employee probably didn’t even know she was breaking policy • this makes it accidental i.e. “well meaning…”
Human non-malicious threat examples • Computer operator errors • Data entry (input) errors • Inadequate access controls • Inadequate training • Inadequate human resource policies • Inadequate program testing/controls incorporated into computer programs • Inadequate risk analysis undertaken • Inadequate supervision • Lack of ethics • Mislaid disk files • Physical damage to disk • Poor management philosophy/attitude • Unlocked trash containers • Update of wrong file • Weak internal controls
Malicious Attacks Non-Malicious Mistakes Outsiders Insiders Employee Mistakes Intentional Rule Breaking  Hackers  Crackers  Social engineers  ...  Disgruntled employees  ...  IP theft  IT sabotage  Fraud  Espionage  Ignorance  ... The threat landscape…. Information Security Threats What is the role of humans in a breach of information security…? Humans
The threat landscape… What is the role of humans in a breach of information security…?
Taxonomy of threat sources 62 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals  
Structural threat sources 63 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
Structural Threat Examples • Air conditioning failure • Building collapse • Destruction of data, disks, documents, reports • Destruction of water mains, sewer lines • Failure of hardware • Failure of fire alarms, smoke detectors • Failure of computer programs • Freak accidents • Gas line explosions • Power outages (brownouts, blackouts, transients, spikes, sags and power surges) • Product failure • Software failure (operating system, database software)
Taxonomy of threat sources 65 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals   
Environmental threat sources 66 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
Taxonomy of threat sources 67 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66    
What is a Vulnerability? Any unaddressed susceptibility to a physical, technical or administrative information security threat Physical Technical Administrative
Vulnerabilities can be classified by asset class • Physical examples • Buildings in environmental hazard zones (e.g. low floor in flood zone) • Unlocked and unprotected doors to data center • Unreliable power sources • Technical examples • Hardware – susceptibility to humidity, dust, soiling, unprotected storage • Software – insufficient testing, lack of audit trail, poor or missing user authentication and access control • Data – unencrypted transfer or storage, lack of backup • Network – Unprotected communication lines, insecure architecture • Organizational examples • Inadequate screening and recruiting process, lack of security awareness and training • Lack of regular audits • Lack of security and IT related business continuity plans http://www.infosightinc.com/collaterals/CVA-PT_March2016.pdf
What is a Risk? • Access, use, disclosure • Modification • Disruption or destruction A measure of threat Potential loss resulting from unauthorized: Physical Technical Administrative (organizational, governance) …of an enterprises’ information Can be expresses in quantitative and qualitative terms
Information security risks • Loss of Life • Economic impact and financial loss • Replacement costs (software, hardware, other) • Backup restoration and recovery costs • Reprocessing, reconstruction costs • Bankruptcy • Business interruption • Crime (non-computer, computer) • Losses due to fraud, theft, larceny, bribery • Impact of – lost competitive edge – lost data – lost time – lost productivity – lost business • Frustration • Ill will • Injury • Impacts of inaccurate data
Examples of types of information security risk 1. Safety 2. Compliance and regulatory 3. Financial 4. Legal 5. Reputational 6. Political 7. Strategic (competitive) 8. Program/acquisition (cost, schedule, performance) 9. Project 10. Operational (mission/business) 11. Supply chain
Steps in a risk assessment methodology 1. What are your business assets ? 2. What possible threats put your business assets at risk ? 3. Which vulnerabilities and weaknesses may allow a threat to exploit your assets ? 4. For each threat, if it materialized, what would be the business impact on your assets ?
Assessing risk – quantitative method
Assessing risk – qualitative method
FIPS 199: Risk assessment based on security objectives and impact ratings
Risk categorization is based on CIA security objectives and an ordinal impact measure … Low: Limited adverse effect Moderate: Serious adverse effect High: Severe or catastrophic adverse effect
FIPS Pub 199 Standards for Security Categorization 81 Example with multiple information types: Low: Limited adverse effect Medium: Serious adverse effect High: Severe or catastrophic adverse effect = MODERATE rating = LOW rating = MODERATE rating
Qualitative to quantitative transformation of ordinal risk measures into “interval scale” risk measures 82 NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99 Requires the risk analyst to contribute additional information to move ordinal onto interval scale…
83 A single risk model cannot meet the diverse needs of the organizations in the private and public sectors. The expectation is for each organization to define a risk model appropriate to its view of risk with formulas reflecting: • Which risk factors must be considered • Which risk factors can be combined • Which factors must be further decomposed • How assessed values should be combined algorithmically
NIST SP 800-60 volumes 1 and 2
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
2 Broad types of Information and Information systems 1. Mission-based Information and Information Systems 2. Management and Support Information and Information Systems A. Services Delivery Support Functions and Information Types B. Government Resource Management Functions and Information Types
Mission-based Information and Information Systems 10. Community and Social Services 11. Transportation 12. Education 13. Workforce Management 14. Health 15. Income Security 16. Law Enforcement 17. Litigation and Judicial Activities 1. Defense and National Security 2. Homeland Security 3. Intelligence Operations 4. Disaster Management 5. International Affairs and Commerce 18. Federal Correctional Activities 6. Natural Resources 7. Energy 8. Environmental Management 9. Economic Development 19. General Sciences and Innovation 20. Knowledge Creation and Management 21. Regulatory Compliance and Enforcement 22. Public Goods Creation and Management 23. Federal Financial Assistance 24. Credit and Insurance 25. Transfers to State/Local Governments 26. Direct Services for Citizens
Services Delivery Support Functions and Information Types 1. Controls and Oversight 2. Regulatory Development 3. Planning and Budgeting 4. Internal Risk Management and Mitigation 5. Revenue Collection 6. Public Affairs 7. Legislative Relations 8. General Government
Management and Support Information and Information Systems
Government Resource Management Functions and Information Types 1. Administrative Management 2. Financial Management 3. Human Resources Management 4. Supply Chain Management 5. Information and Technology Management
Management and Support Information and Information Systems
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf Assignment: Determine the security categorization of an information system
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf 1. Each group should pick an information system to focus on
2. Identify information types in your selected information system
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf E.g. Financial management information system…
3. Select Impact Levels
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf 3. Select Impact Level for each information type in the system…
4. Assign System Security Category for the information system…
Assignment deliverable for Week 5 to be started in class 4: Select an information system to assess from either: • Mission area (bold heading in Table 4 from NIST 800-60 Volume I Revision 1) • Management support function (Table 5) or • Government resource support function (Table 6) which will include and the associated information types under the heading Draw conceptual diagram and annotate with text descriptions that answer the following: 1. What are the impact ratings of each information type in the information system you chose? 2. What is the single overall impact rating for each information type? 3. What is the system security rating for each of the CIA dimensions of the system? 4. What is the overall system security rating for the system ? You can use Visio, PowerPoint or any drawing software tool. Save your annotated diagram as a PDF file in your MIS5214 Google Drive folder, name it with the following naming convention: “yourfirstname”-”lastname”_MIS5214- Week5.pdf For example: dave-lanter_MIS5214-week5.pdf

More Related Content

PDF
Fundamental Concepts of Data Security _Business Continuity
bySibtainHaider13
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PDF
Microsoft Power Point Information Security And Risk Managementv2
byGraeme Payne
 
PPT
Cyber crime with privention
byManish Dixit Ceh
 
PPT
Intro.ppt
byRamaNingaiah
 
PPT
Introduction to Information Security CSE
byBurhanKhan774154
 
PPT
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 
PDF
Outsourcing
bykarlhennessy
 
Fundamental Concepts of Data Security _Business Continuity
bySibtainHaider13
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
Microsoft Power Point Information Security And Risk Managementv2
byGraeme Payne
 
Cyber crime with privention
byManish Dixit Ceh
 
Intro.ppt
byRamaNingaiah
 
Introduction to Information Security CSE
byBurhanKhan774154
 
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 
Outsourcing
bykarlhennessy
 

Similar to CONTEXTUAL ARCHITECTURE.pptx

PPTX
nist_small_business_fundamentals_july_2019 (2).pptx
bylblgofgwsnqoeqquvy
 
PPTX
nist_small_business_fundamentals_july_2019.pptx
byJkYt1
 
PDF
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
PDF
Information assurance /Information security
byjorgenajarro3
 
PPT
Security Considerations in Process Control and SCADA Environments
byamiable_indian
 
PDF
Cervone uof t - nist framework (1)
byStephen Abram
 
PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
byMarcoTechnologies
 
PPT
It Audit And Forensics
byJED Consulting Services LLC
 
PPT
S nandakumar
byIPPAI
 
PPTX
Security Baselines and Risk Assessments
byPriyank Hada
 
PPTX
a hypothetical company’s cybersecurity analysis
byJS
 
PPTX
Assess risks to IT security.pptx
bylochanrajdahal
 
DOCX
case studies on risk management in IT enabled organisation(vadodara)
byishan parikh production
 
PDF
Qatar Proposal
byAbsar Husain
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
PPT
S nandakumar_banglore
byIPPAI
 
PDF
Vskills Certified Network Security Professional Sample Material
byVskills
 
PPTX
Understanding the security_organization
byDan Morrill
 
PDF
Cyber Security
bybethpatrick
 
nist_small_business_fundamentals_july_2019 (2).pptx
bylblgofgwsnqoeqquvy
 
nist_small_business_fundamentals_july_2019.pptx
byJkYt1
 
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
MIS: Information Security Management
byJonathan Coleman
 
Information assurance /Information security
byjorgenajarro3
 
Security Considerations in Process Control and SCADA Environments
byamiable_indian
 
Cervone uof t - nist framework (1)
byStephen Abram
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
byMarcoTechnologies
 
It Audit And Forensics
byJED Consulting Services LLC
 
S nandakumar
byIPPAI
 
Security Baselines and Risk Assessments
byPriyank Hada
 
a hypothetical company’s cybersecurity analysis
byJS
 
Assess risks to IT security.pptx
bylochanrajdahal
 
case studies on risk management in IT enabled organisation(vadodara)
byishan parikh production
 
Qatar Proposal
byAbsar Husain
 
Today's Cyber Challenges: Methodology to Secure Your Business
byJoAnna Cheshire
 
S nandakumar_banglore
byIPPAI
 
Vskills Certified Network Security Professional Sample Material
byVskills
 
Understanding the security_organization
byDan Morrill
 
Cyber Security
bybethpatrick
 

More from Pandiya Rajan

PPTX
22IT508 - Full Stack Development with Node and React.pptx
byPandiya Rajan
 
PDF
Software defined netwoks is useful to learn NFV and virtual Lans
byPandiya Rajan
 
PPTX
UNIT-I Introduction to CICD.pptx
byPandiya Rajan
 
PPTX
UNIT-I Introduction to CICD.pptx
byPandiya Rajan
 
PPT
process syn.ppt
byPandiya Rajan
 
PPTX
selinuxbasicusage.pptx
byPandiya Rajan
 
PPT
SSH.ppt
byPandiya Rajan
 
PPTX
HTML-Advance.pptx
byPandiya Rajan
 
PPTX
css1.pptx
byPandiya Rajan
 
PPTX
HTML-Basic.pptx
byPandiya Rajan
 
PPTX
UNIT-I Introduction to Ansible.pptx
byPandiya Rajan
 
PPTX
lvm.pptx
byPandiya Rajan
 
PDF
React Lab Programs with Descriptions and explanations
byPandiya Rajan
 
PPTX
environmentalpollution-.pptx
byPandiya Rajan
 
PPTX
thermal pollution.pptx
byPandiya Rajan
 
PPT
page_fault pbm.ppt
byPandiya Rajan
 
PPTX
marinepollution.pptx
byPandiya Rajan
 
PPTX
CICD.pptx
byPandiya Rajan
 
PPTX
Selenium.pptx
byPandiya Rajan
 
PPTX
DM.pptx
byPandiya Rajan
 
22IT508 - Full Stack Development with Node and React.pptx
byPandiya Rajan
 
Software defined netwoks is useful to learn NFV and virtual Lans
byPandiya Rajan
 
UNIT-I Introduction to CICD.pptx
byPandiya Rajan
 
UNIT-I Introduction to CICD.pptx
byPandiya Rajan
 
process syn.ppt
byPandiya Rajan
 
selinuxbasicusage.pptx
byPandiya Rajan
 
SSH.ppt
byPandiya Rajan
 
HTML-Advance.pptx
byPandiya Rajan
 
css1.pptx
byPandiya Rajan
 
HTML-Basic.pptx
byPandiya Rajan
 
UNIT-I Introduction to Ansible.pptx
byPandiya Rajan
 
lvm.pptx
byPandiya Rajan
 
React Lab Programs with Descriptions and explanations
byPandiya Rajan
 
environmentalpollution-.pptx
byPandiya Rajan
 
thermal pollution.pptx
byPandiya Rajan
 
page_fault pbm.ppt
byPandiya Rajan
 
marinepollution.pptx
byPandiya Rajan
 
CICD.pptx
byPandiya Rajan
 
Selenium.pptx
byPandiya Rajan
 
DM.pptx
byPandiya Rajan
 

Recently uploaded

PPTX
Disaster_Management_Detailed_25Slides.pptx
byssuser615453
 
PPTX
ASSIGNMENT INDUSTRIAL chemistry explained
byamnmunir786
 
PPTX
Partnerships Plugged In: Regional Coalitions Advancing Energy Policy
byWorld Resources Institute (WRI)
 
PDF
Climate Finance Analysis Mongolia by GCH
bywinfredkinuthia1
 
PPTX
Urban Ecology : Cities as Living Systems - Exploring the Intersection between...
bycaugheysavannah
 
PDF
Unit 5 A New Nation Presentation for 5th
byjaninecruz24
 
PPTX
095445Green House Effect and Global Warming ppt (1).pptx
byAmmarairfan7
 
PDF
How Lake Michigan Strengthens Connections Across Wisconsin by Randall Melcher...
byDr. Randall G. Melchert OD
 
PPTX
Environmental Biohacking & Biophilic Design: Transform Your Indoor Environmen...
byFitOnear
 
PDF
Ahamadabad Heritage Meets Greener sportier.pdf
byRaghu Ram
 
PDF
Trace-elements evaluation of composted municipal solid wastes used in dry sea...
byOpen Access Research Paper
 
PPTX
Range Ecological Zones of Pakistan..pptx
byah2981861
 
PPTX
plant growth and development by Gulshan Athbhaiya.pptx
byGulshan Athbhaiya
 
PPTX
plant respiration, photosynthesis by Gulshan Athbhaiya.pptx
byGulshan Athbhaiya
 
Disaster_Management_Detailed_25Slides.pptx
byssuser615453
 
ASSIGNMENT INDUSTRIAL chemistry explained
byamnmunir786
 
Partnerships Plugged In: Regional Coalitions Advancing Energy Policy
byWorld Resources Institute (WRI)
 
Climate Finance Analysis Mongolia by GCH
bywinfredkinuthia1
 
Urban Ecology : Cities as Living Systems - Exploring the Intersection between...
bycaugheysavannah
 
Unit 5 A New Nation Presentation for 5th
byjaninecruz24
 
095445Green House Effect and Global Warming ppt (1).pptx
byAmmarairfan7
 
How Lake Michigan Strengthens Connections Across Wisconsin by Randall Melcher...
byDr. Randall G. Melchert OD
 
Environmental Biohacking & Biophilic Design: Transform Your Indoor Environmen...
byFitOnear
 
Ahamadabad Heritage Meets Greener sportier.pdf
byRaghu Ram
 
Trace-elements evaluation of composted municipal solid wastes used in dry sea...
byOpen Access Research Paper
 
Range Ecological Zones of Pakistan..pptx
byah2981861
 
plant growth and development by Gulshan Athbhaiya.pptx
byGulshan Athbhaiya
 
plant respiration, photosynthesis by Gulshan Athbhaiya.pptx
byGulshan Athbhaiya
 

CONTEXTUAL ARCHITECTURE.pptx

  • 1.
  • 2.
    Contextual security architecture: Understandingan Organization’s Risk Environment Information security means protecting information and information systems confidentiality, integrity and availability from: • Unauthorized access, use, disclosure • Modification • Disruption and destruction (Confidentiality) (Integrity) (Availability)
  • 3.
    ISACA RiskIT NIST Risk Management Framework HolisticApproach to Information Security Risk Management ISACA RiskIT NIST Risk Management Framework
  • 4.
    Risk Evaluation Riskevaluation is the process of identifying risk scenarios and describing their potential business impact
  • 5.
    Risk Evaluation -Key Components Collect Data Identify relevant data to enable effective IT-related risk identification, analysis and reporting Analyze Risk Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain Risk Profile Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
  • 6.
  • 7.
    Business Impact Analysis(BIA) Business Continuity Plan (BCP) Provides procedures for sustaining mission/business operations while recovering from a significant disruption caused by a natural or human-induced disaster The purpose of the business impact analysis (BIA) is to identify which business units/departments and processes are essential to the survival of the business. The BIA will identify how quickly essential business units and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations
  • 8.
    Business Continuity Management •The Business Continuity Plan (BCP) is developed to help assure the organization’s ability to maintain, resume, and recover the business It is not just about recovering information technology capabilities • Planning focuses on the entire enterprise’s mission critical infrastructure 1. People 2. Processes 3. Technology • Thorough business impact analysis (BIA) and risk assessment form the foundation of an effective Business Continuity Plan
  • 9.
    Business Continuity Management(BCM) An important and big topic: • How to maintain the continued operation of the business’ processes?
  • 10.
    Business Continuity Management(BCM) Prerequisite: Good documented models of the business’ processes, broken down into a series of hierarchical layers of sub-processes, sub-sub processes… 1. Business processes 2. Resources needed to run processes 3. Threats, vulnerabilities and risks 4. Business Impact Analysis (BIA) 5. Develop recovery strategies 6. Plan, design and implement recovery plans 7. Testing – Maintenance (update), Awareness, Training (practice) … Repeat Including disaster recovery plan
  • 11.
    Each process canbe decomposed into a further level of detailed sub-processes • some run in parallel • some in sequence… Business Impact Analysis: Meta processes of large enterprises There may be 5 or 10 high-level information processes (“meta-processes”) essential to the business, for example: 1. Develop product offerings 2. Bring product offerings to market 3. Acquire customer orders 4. Fulfill customer orders 5. Manage and administer the business • For example has 6 sub-processes… Sherwood, J., Clark, A. and Lynas D. (2005)
  • 12.
    Business Continuity ManagementProcess Step 1 • Identify and map business processes • Assess the business impact of loss of each business process • Classify and rank the business processes into 3 or 4 groups 1. Critical – Loss of this process will destroy the business 2. Severe – Loss will cause persistent, severe damage to the business 3. Significant (optional) – Loss will cause significant damage 4. Other – Damage caused by loss of this process can be absorbed BIA – Business Impact Analysis Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
  • 13.
    Business Continuity ManagementProcess Step 2 • Select each Critical and Severe process • Analyze all sub-processes • Down to single functional steps to discover all the process and functional components needed to keep this high-level process in continuous operation Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
  • 14.
    Work processes tosupport Service requests and utility maintenance management work orders • City’s Public Works Department • 4 Divisions (230 employees) • Operations • Transportation • Sewer • Water
  • 15.
    Service Request /Work Order Computerized Maintenance Management System (CMMS)
  • 16.
  • 21.
    Business Processes A collectionof Swim Lane models document the work processes of each DPW Division’ Sewer Work processes
  • 22.
  • 23.
  • 24.
  • 25.
    Business Continuity ManagementProcess Step 3 • For each sub-process or function identified in Step 2: – What resources are needed – How much of each resource is needed • People • Information and communications technology • Data • Equipment • Raw materials • Accommodations • Communications • … Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
  • 27.
    Business Continuity ManagementProcess Step 4 • For each information resource identified in Step 3, what is the high-level threat scenarios put that resource at risk? • Focus on effects, not cause Sherwood, J., Clark, A. and Lynas D. (2005), Enterprise Security Architecture, CRC Press
  • 28.
    Inventory of WorkProcesses and Staff needed from a Single Organizational Unit
  • 29.
    Understanding cross organizationalworkflows… Identifying dependencies on critical paths for completing prioritized work processes
  • 30.
    Gaining an Understandingof Staff Needed to Support Mission Critical Work DPW work is often supported by staff of a number of DPW Divisions, other City offices, and outside agencies
  • 31.
    Business Process AnalysisResults in an Integrated Overview of how DPW Work is Coordinated
  • 32.
    Risk Evaluation -Key Components Collect Data Identify relevant data to enable effective IT-related risk identification, analysis and reporting Analyze Risk Develop useful information to support risk decisions that take into account the business impact of risk factors Maintain Risk Profile Maintain and up-to-date and complete inventory of known risks and attributes as understood in the context of IT controls and business processes
  • 33.
  • 37.
  • 38.
  • 39.
    Overview of arisk model NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 21 and page 32
  • 40.
    Risk assessment process NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 32 … NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 95
  • 41.
    Key concepts Threat Potentialfor the occurrence of a harmful event such as an attack Vulnerability Weakness that makes targets susceptible to an attack Risk Potential of loss from an attack Risk Mitigation Strategy for dealing with risk
  • 42.
    What is athreat? Anything that has the potential to lead to: • Unauthorized access, use, disclosure • Modification • Disruption or Destruction Physical Technical Administrative of an enterprises’ information
  • 43.
    What is athreat… Threats to information and information systems include: 1. Purposeful attacks (“Human malicious”) 2. Human errors (“Human ignoramus”) 3. Structural Failures 4. Environmental disruptions
  • 44.
    Taxonomy of threat sources 44 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals
  • 45.
    Adversarial/Purposeful threat sources(i.e. attackers) Are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated Successful attacks on private and public information systems can result in serious or grave damage to businesses, organizations, nations and their economic security… The significance and growing danger or these threats make it imperative for leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks 45
  • 46.
    Adversarial (i.e. purposeful)threat sources 46 NIST SP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 47.
    Human malicious threatexamples viruses identified) • Corporate espionage (spies) • Crackers/scriptkiddies (amateurs, novices; considerably less skilled than hackers) • Cybercrime/fraud • Data diddling • Denial-of-service attacks • Dumpster diving • Employees, management (greed, vices, financial pressure, extravagant lifestyle, real or imagined grievances, workplace pressure/stress) • High-energy radio frequency attacks (laser-like device aimed at buildings housing computers; high-frequency radio waves melt computer chips) • Accessing public material (80 percent unclassified and open to public) • Black-hat hackers (lightweights to heavyweights) • Bombing • Career criminals • Computer viruses (stealth, polymorphic, macro; over 6,500 different • • Impersonation/spoofing (e-mail spoofs, anonymous eMailers, use of someone’s login and password) • Intelligence agencies • Looping Internet Protocol ISP address (always-on Internet connections vulnerable) • Password crackers (such as Cracker and LoPht Crack software) Physical attacks • Remote access control software (examples include PCAnywhere, Timbuktu, NetBus, BackOrifice) • Sabotage • Social engineering (attacks against persons; using fake badges, blackmail, threat, harassment, bribery and impersonation) • Surveillance (shoulder surfing, high-powered photography) • Terrorists • Trojan horses • Unshredder software • Van Eck receptors • Vendors/suppliers/customers • Vulnerability scanning software (such as Nessus, CyberCop software) • War dialing • Web crawlers
  • 48.
    Malicious threats Howard’s process-basedtaxonomy, from Hansman, S. and Hunt, R., 2004, “A taxonomy of network and computer attacks”, Computers & Security, page 3, Elsevier Ltd. Cited from Howard, JD, 1997, “An analysis of security incidents on the internet 1989-1995. PhD thesis, Carnegie Mellon University.
  • 49.
    Anatomy of anAttack (McAfee, 2011) Threat landscape
  • 50.
    5/20/201 5 Anatomy of anAttack (MANDIANT, 2015) 1. Attacker sends spear fishing e-mail 2. Victim opens attachment • Custom malware is installed 3. Custom malware communicates to control web site • Pulls down additional malware 4. Attacker establishes multiple backdoors 5. Attacker accesses system • Dumps account names and passwords from domain controller 6. Attacker cracks passwords • Has legitimate user accounts to continue attack undetected 7. Attacker reconnaissance • Identifies and gathers data 8. Data collected on staging server 9. Data exfiltrated 10. Attacker covers tracts • Deletes files • Can return any time Advanced threats usually maintain remote access to target environments for 6-18 months before being detected (i.e. they are persistent (Holcomb & Stapf, 2014) Threat landscape
  • 51.
  • 52.
    Taxonomy of threat sources 52 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals 
  • 53.
    Accidental threat sources 53 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 54.
    The Non-Malicous insiderthreat 1. A current or former employee, contractor, or business partner 2. Has or had authorized access to an organization’s network, system, or data 3. Through action or inaction without malicious intent… 4. Causes harm or substantially increases the probability of future serious harm to… confidentiality, integrity, or availability of the organization’s information or information systems Major characteristic is ‘failure in human performance’ Carnegie Mellon University’s Software Engineering Institute’s (SEI) Computer Emergency Response Team (CERT) Definition (2013)
  • 55.
    How accidental human(non-malicious insider) threats can happen… 55 • Most people feel security is not part of their job • People underestimate the value of information • Security technologies give people a false sense of protection from attack • We have a culture of trust that can be taken advantage of with dubious intent
  • 56.
    Characterizing insiders’ mistakes •Ignorant • An unintentional accident • Negligent • Willingly ignores policy to make things easier • Well meaning • Prioritizes completing work and “getting ‘er done” takes over following policy Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
  • 57.
    Examples of insiders’accidents • Accidental Disclosure • Posting sensitive data on public website • Sending sensitive data to wrong email address • Malicious Code • Clicking on suspicious link in email • Using ‘found’ USB drive • Physical data release • Losing paper records • Portable equipment • Losing laptop, tablet • Losing portable storage device (USB drive, CD) Willis-Ford, C.D. (2015) “Education & Awareness: Manage the Insider Threat”, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-willis-ford.pdf
  • 58.
    Example of anaccident made by a well meaning employee… “Terrific employee”: • Account Manager handling Medicaid data for Utah • Employee had trouble uploading a file requested by State Health Dept. • Copied 6,000 medical records to USB drive • Lost the USB drive • CEO admits the employee probably didn’t even know she was breaking policy • this makes it accidental i.e. “well meaning…”
  • 59.
    Human non-malicious threatexamples • Computer operator errors • Data entry (input) errors • Inadequate access controls • Inadequate training • Inadequate human resource policies • Inadequate program testing/controls incorporated into computer programs • Inadequate risk analysis undertaken • Inadequate supervision • Lack of ethics • Mislaid disk files • Physical damage to disk • Poor management philosophy/attitude • Unlocked trash containers • Update of wrong file • Weak internal controls
  • 60.
    Malicious Attacks Non-Malicious Mistakes Outsiders Insiders Employee Mistakes Intentional Rule Breaking Hackers  Crackers  Social engineers  ...  Disgruntled employees  ...  IP theft  IT sabotage  Fraud  Espionage  Ignorance  ... The threat landscape…. Information Security Threats What is the role of humans in a breach of information security…? Humans
  • 61.
    The threat landscape…What is the role of humans in a breach of information security…?
  • 62.
    Taxonomy of threat sources 62 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals  
  • 63.
    Structural threat sources 63 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 64.
    Structural Threat Examples •Air conditioning failure • Building collapse • Destruction of data, disks, documents, reports • Destruction of water mains, sewer lines • Failure of hardware • Failure of fire alarms, smoke detectors • Failure of computer programs • Freak accidents • Gas line explosions • Power outages (brownouts, blackouts, transients, spikes, sags and power surges) • Product failure • Software failure (operating system, database software)
  • 65.
    Taxonomy of threat sources 65 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66 Cybersecurity Awareness for GIS Professionals   
  • 66.
    Environmental threat sources 66 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66
  • 67.
    Taxonomy of threat sources 67 NISTSP 800-30r1 “Guide for Conducting Risk Assessments”, page 66    
  • 68.
    What is aVulnerability? Any unaddressed susceptibility to a physical, technical or administrative information security threat Physical Technical Administrative
  • 69.
    Vulnerabilities can beclassified by asset class • Physical examples • Buildings in environmental hazard zones (e.g. low floor in flood zone) • Unlocked and unprotected doors to data center • Unreliable power sources • Technical examples • Hardware – susceptibility to humidity, dust, soiling, unprotected storage • Software – insufficient testing, lack of audit trail, poor or missing user authentication and access control • Data – unencrypted transfer or storage, lack of backup • Network – Unprotected communication lines, insecure architecture • Organizational examples • Inadequate screening and recruiting process, lack of security awareness and training • Lack of regular audits • Lack of security and IT related business continuity plans http://www.infosightinc.com/collaterals/CVA-PT_March2016.pdf
  • 70.
    What is aRisk? • Access, use, disclosure • Modification • Disruption or destruction A measure of threat Potential loss resulting from unauthorized: Physical Technical Administrative (organizational, governance) …of an enterprises’ information Can be expresses in quantitative and qualitative terms
  • 71.
    Information security risks •Loss of Life • Economic impact and financial loss • Replacement costs (software, hardware, other) • Backup restoration and recovery costs • Reprocessing, reconstruction costs • Bankruptcy • Business interruption • Crime (non-computer, computer) • Losses due to fraud, theft, larceny, bribery • Impact of – lost competitive edge – lost data – lost time – lost productivity – lost business • Frustration • Ill will • Injury • Impacts of inaccurate data
  • 72.
    Examples of typesof information security risk 1. Safety 2. Compliance and regulatory 3. Financial 4. Legal 5. Reputational 6. Political 7. Strategic (competitive) 8. Program/acquisition (cost, schedule, performance) 9. Project 10. Operational (mission/business) 11. Supply chain
  • 73.
    Steps in arisk assessment methodology 1. What are your business assets ? 2. What possible threats put your business assets at risk ? 3. Which vulnerabilities and weaknesses may allow a threat to exploit your assets ? 4. For each threat, if it materialized, what would be the business impact on your assets ?
  • 74.
    Assessing risk –quantitative method
  • 75.
    Assessing risk –qualitative method
  • 76.
    FIPS 199: Riskassessment based on security objectives and impact ratings
  • 77.
    Risk categorization isbased on CIA security objectives and an ordinal impact measure … Low: Limited adverse effect Moderate: Serious adverse effect High: Severe or catastrophic adverse effect
  • 81.
    FIPS Pub 199Standards for Security Categorization 81 Example with multiple information types: Low: Limited adverse effect Medium: Serious adverse effect High: Severe or catastrophic adverse effect = MODERATE rating = LOW rating = MODERATE rating
  • 82.
    Qualitative to quantitativetransformation of ordinal risk measures into “interval scale” risk measures 82 NIST SP 800-100 “Information Security Handbook: A Guide for Managers”, page 99 Requires the risk analyst to contribute additional information to move ordinal onto interval scale…
  • 83.
    83 A single riskmodel cannot meet the diverse needs of the organizations in the private and public sectors. The expectation is for each organization to define a risk model appropriate to its view of risk with formulas reflecting: • Which risk factors must be considered • Which risk factors can be combined • Which factors must be further decomposed • How assessed values should be combined algorithmically
  • 84.
    NIST SP 800-60volumes 1 and 2
  • 85.
  • 86.
    2 Broad typesof Information and Information systems 1. Mission-based Information and Information Systems 2. Management and Support Information and Information Systems A. Services Delivery Support Functions and Information Types B. Government Resource Management Functions and Information Types
  • 87.
    Mission-based Information andInformation Systems 10. Community and Social Services 11. Transportation 12. Education 13. Workforce Management 14. Health 15. Income Security 16. Law Enforcement 17. Litigation and Judicial Activities 1. Defense and National Security 2. Homeland Security 3. Intelligence Operations 4. Disaster Management 5. International Affairs and Commerce 18. Federal Correctional Activities 6. Natural Resources 7. Energy 8. Environmental Management 9. Economic Development 19. General Sciences and Innovation 20. Knowledge Creation and Management 21. Regulatory Compliance and Enforcement 22. Public Goods Creation and Management 23. Federal Financial Assistance 24. Credit and Insurance 25. Transfers to State/Local Governments 26. Direct Services for Citizens
  • 89.
    Services Delivery SupportFunctions and Information Types 1. Controls and Oversight 2. Regulatory Development 3. Planning and Budgeting 4. Internal Risk Management and Mitigation 5. Revenue Collection 6. Public Affairs 7. Legislative Relations 8. General Government
  • 90.
    Management and SupportInformation and Information Systems
  • 91.
    Government Resource ManagementFunctions and Information Types 1. Administrative Management 2. Financial Management 3. Human Resources Management 4. Supply Chain Management 5. Information and Technology Management
  • 92.
    Management and SupportInformation and Information Systems
  • 93.
  • 94.
  • 95.
    2. Identify informationtypes in your selected information system
  • 96.
  • 97.
  • 98.
  • 99.
    4. Assign SystemSecurity Category for the information system…
  • 100.
    Assignment deliverable forWeek 5 to be started in class 4: Select an information system to assess from either: • Mission area (bold heading in Table 4 from NIST 800-60 Volume I Revision 1) • Management support function (Table 5) or • Government resource support function (Table 6) which will include and the associated information types under the heading Draw conceptual diagram and annotate with text descriptions that answer the following: 1. What are the impact ratings of each information type in the information system you chose? 2. What is the single overall impact rating for each information type? 3. What is the system security rating for each of the CIA dimensions of the system? 4. What is the overall system security rating for the system ? You can use Visio, PowerPoint or any drawing software tool. Save your annotated diagram as a PDF file in your MIS5214 Google Drive folder, name it with the following naming convention: “yourfirstname”-”lastname”_MIS5214- Week5.pdf For example: dave-lanter_MIS5214-week5.pdf