
To complete this assignment, review the prompt and grading rubric in the Module Two Case Study Activity Guidelines and Rubric. You will also need to access the Module Two Case Study Template Word Document. For reference, refer to the CIA Triad and Fundamental Security Design Principles PDF document.

When you have finished your work, submit the assignment here for grading and instructor feedback.

CYB 200 Module Two Case Study Activity Guidelines and Rubric

Overview

In this case study assignment, we will continue to investigate the Fundamental Security Design Principles at work in a real-world scenario. Through the lens of data protection, we will analyze the following principles:

Least Privilege

Layering (Defense in Depth)

Fail-Safe Defaults / Fail Secure

Modularity

Usability

Note: You will be engaging with this scenario again in the Module Three discussion.

Case Study Scenario

You are a cybersecurity analyst working at a prominent regional hospital. On Monday morning, the organization’s technology help desk received a call from Dr. John Beard, a long-time resident physician. Dr. Beard called them to report that his company laptop was stolen from his car after he stopped to work out at a local gym on his way home from the office.

A representative from the help desk informed you of the theft and also mentioned that Dr. Beard stated that his laptop case contained a USB thumb drive that he purchased to “back up” important patient files he saved onto his laptop. Dr. Beard also revealed that his daily planner “might have” been in the bag and that the planner had his hospital computer user name and password written on the back cover. Prior to ending the call, Dr. Beard told the representative that he would call her back if his daily planner turned up.

As your conversation with the help desk representative wound down, she commented that Dr. Beard has many different computer “issues” that keep her team busy. She recalled talking to Dr. Beard about the hospital’s policy against accessing patient files remotely and his annoyance with her inability to help him “get work done” while away from the hospital. And just a week ago, a junior member of her team completed a service ticket to reconfigure Dr. Beard’s laptop to grant him administrative rights. The service request stuck out because it did not have a “reason” indicated (a company policy requirement) but was still approved by James Davis, the hospital’s senior system administrator and close personal friend of Dr. Beard.

Prompt

After reading the scenario above, complete the Fundamental Security Design Principles mapping table in the Case Study Template and answer the short response questions. You’ll notice that the listed Fundamental Security Design Principles differ from those presented in previous activities. In the cybersecurity trade, there are many different design principles and frameworks. Successful practitioners learn to work with many different (but conceptually similar) principles to achieve their security goals.

Specifically, you must address the critical elements listed below:



9/11/24, 10:40 AM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102834/View 1/3

I. Fundamental Security Design Principles Mapping: Fill in the table in the Module Two Case Study Template by completing the following steps for each control recommendation:

   A. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X.

   B. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation.

   C. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision.

II. Short Response Questions:

   A. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.

   B. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.

What to Submit

Submit your completed Fundamental Security Design Principles map and short response answers in the Module Two Case Study Template. Your submission should be 1–2 pages in length (plus a cover page and references, if used) and written in APA format. Use double spacing, 12-point Times New Roman font, and one-inch margins. Use a filename that includes the course code, the assignment number, and your name—for example, CYB_100_1-4_Neo_Anderson.docx.

Module Two Case Study Activity Rubric

| Criteria | Proficient (100%) | Needs Improvement (65%) | Not Evident (0%) | Value |
|---|---|---|---|---|
| Mapping: Fundamental Security Design Principle | Specifies which Fundamental Security Design Principle applies to at least 8 of the control recommendations | Specifies which Fundamental Security Design Principle applies to fewer than 8 of the control recommendations | Does not address critical element, or response is irrelevant | 20 |
| Mapping: Security Objective | Indicates which security objective (CIA) best applies to 8 or more control recommendations | Indicates which security objective (CIA) best applies to fewer than 8 control recommendations | Does not address critical element, or response is irrelevant | 20 |
| Mapping: Explain | Explains choices with relevant justifications for at least 8 of the control recommendations | Explains choices with relevant justifications for fewer than 8 of the control recommendations | Does not address critical element, or response is irrelevant | 25 |
| Short Response: Cultivating Mindset | Explains how you might work with someone like Dr. Beard to cultivate a security mindset that is more in line with the organization’s ethical norms | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 10 |
| Short Response: Better Secure | Explains how you would help the hospital better secure its patient files incorporating at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your table | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 20 |
| Articulation of Response | Submission has no major errors related to citations, grammar, spelling, or organization | Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas | Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas | 5 |

Total: 100%


CYB 200 Module Two Case Study Template

After reviewing the scenario in the Module Two Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps for each control recommendation:

1. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X.

2. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation.

3. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision.

| Control Recommendations | Least Privilege | Layering (Defense in Depth) | Fail-Safe Defaults / Fail Secure | Modularity | Usability | Security Objective Alignment (CIA) | Explain your Choices (1-2 sentences) |
|---|---|---|---|---|---|---|---|
| Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example) | | X | | | | C | I chose layering because it adds another layer of protection for the confidentiality of our data. |
| If possible, close and lock your office door when leaving your computer. | | | | | | | |
| Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets. | | | | | | | |
| Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. | | | | | | | |
| Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals. | | | | | | | |
| Maintain an inventory of all sensitive information stored or transmitted by the organization's technology systems, including those located on site or at a remote location. | | | | | | | |
| Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices. | | | | | | | |
| If USB storage devices are required, software should be used that can configure systems to allow the use of specific devices. | | | | | | | |
| Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | | | | | | | |
| If USB storage devices are required, all data stored on such devices must be encrypted. | | | | | | | |
| Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need. | | | | | | | |
| Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider. | | | | | | | |

After you have completed the table above, respond to the following short questions:

1. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.

2. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.


CIA Triad and Fundamental Security Design Principles

The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and application throughout the program. It is therefore important for you to familiarize yourself with these terms and their definitions. Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental Security Design Principles are sometimes called fundamental design principles, cybersecurity first principles, the cornerstone of cybersecurity, and so on.

CIA Triad

Information that is secure satisfies three main tenets, or properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013).

• Confidentiality: Only authorized users can view information (Kim & Solomon, 2013).

• Integrity: Only authorized users can change information (Kim & Solomon, 2013).

• Availability: Information is accessible by authorized users whenever they request the information (Kim & Solomon, 2013).

Fundamental Security Design Principles

These principles offer a balance between aspirational (and therefore unobtainable) “perfect security,” and the pragmatic need to get things done. Although each of the principles can powerfully affect security, the principles have their full effect only when used in concert and throughout an organization. These principles are a powerful mental tool for approaching security: one that doesn’t age out of usefulness or apply only to a few specific technologies and contexts; one that can be used for architecture, postmortem analysis, operations, and communication. The principles are ultimately only one piece in the security practitioner’s toolkit, but they are a flexible piece that will serve different roles for different people (Sons, Russell, & Jackson, 2017).

• Abstraction: Removal of clutter. Only the needed information is provided for an object-oriented mentality. This is a way to allow adversaries to see only a minimal amount of information while securing other aspects of the model (Tjaden, 2015).

• Complete Mediation: All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003).

• Encapsulation: The ability to only use a resource as it was designed to be used. This may mean that a piece of equipment is not being used maliciously or in a way that could be detrimental to the overall system (Tjaden, 2015).

• Fail-Safe Defaults / Fail Secure: The theory that unless a subject is given explicit access to an object, it should be denied access to that object (Bishop, 2003).

• Information Hiding: Users having an interface to interact with the system behind the scenes. The user should not be worried about the nuts and bolts behind the scenes, only the modes of access presented to them. This topic is also integrated with object-oriented programming (Tjaden, 2015).

• Isolation: Individual processes or tasks running in their own space. This ensures that the processes will have enough resources to run and will not interfere with other processes running (Tjaden, 2015).

• Layering: Having multiple forms of security. This can be from hardware or software, but it involves a series of checks and balances to make sure the entire system is secured from multiple perspectives (Tjaden, 2015).

• Least Astonishment (Psychological Acceptability): Security mechanisms should not make the resource more difficult to access than when security mechanisms were not present (Bishop, 2003).

• Least Privilege: The assurance that an entity only has the minimal amount of privileges to perform their duties. There is no extension of privileges to senior people just because they are senior; if they don’t need the permissions to perform their normal everyday tasks, then they don’t receive higher privileges (Tjaden, 2015).

• Minimization of Implementation (Least Common Mechanism): Mechanisms used to access resources should not be shared (Bishop, 2003).

• Minimize Trust Surface (Reluctance to Trust): The ability to reduce the degree to which the user or a component depends on the reliability of another component (Bishop, 2003).

• Modularity: The breaking down of larger tasks into smaller, more manageable tasks. This smaller task may be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015).

• Open Design: The security of a mechanism should not depend on the secrecy of its design or implementation (Bishop, 2003).

• Separation (of Domains): The division of power within a system. No one part of a system should have complete control over another part. There should always be a system of checks and balances that leverage the ability for parts of the system to work together (Tjaden, 2015).

• Simplicity (of Design): The straightforward layout of the product. The ability to reduce the learning curve when analyzing and understanding the hardware or software involved in the information system (Tjaden, 2015).

• Trust Relationships: A logical connection that is established between directory domains so that the rights and privileges of users and devices in one domain are shared with the other (PC Magazine, 2018).

• Usability: How easy hardware or software is to operate, especially for the first-time user. Considering how difficult applications and websites can be to navigate through, one would wish that all designers took usability into greater consideration than they do (PC Magazine, 2018).

References

Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional.

Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington, MA: Jones & Bartlett Publishers.

PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia

Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O’Reilly Media, Inc.

Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf
