To complete this assignment, review the prompt and grading rubric in the Project Two Guidelines and Rubric. When you have finished your work, submit the assignment here for grading and instructor feedback. For reference, refer to the CIA Triad and Fundamental Security Design Principles PDF document.
CYB 200 Project Two Guidelines and Rubric
Overview
This project is to create an incident analysis brief for your manager. Cybersecurity incidents will occur regardless of the level of protec�on and preven�on an organiza�on has in place. The
response to the incident is what may make or break an organiza�on. As you progress through your degree, you will build your skills to address all stages of incident response: prepara�on,
detec�on and analysis, containment, eradica�on and recovery, and post-incident ac�vity.
A cri�cal aspect of incident response is using the informa�on gained from an incident to improve the organiza�on’s security. The insight helps security professionals develop solu�ons that
reduce the likelihood of similar incidents in the future. It also helps balance the poten�al nega�ve impacts on the people, processes, and technologies the solu�ons ul�mately affect. In this
project, you will examine a past incident and use the Fundamental Security Design Principles to develop recommenda�ons that will protect the organiza�on in the future.
In this assignment, you will demonstrate your mastery of the following course competency:
Describe fundamental principles of cybersecurity
Scenario
In a course announcement, your instructor will provide you with a scenario to base your work on. In the scenario, you are a security analyst crea�ng an incident analysis brief that explains to
the security or IT director explaining how to apply the Fundamental Security Design Principles to strengthen the organiza�on’s security posture following the incident described in the case.
The scenario will provide all the specific technical informa�on you need for your brief. You should address each cri�cal element in the Project Two prompt, speaking broadly to your analysis
and recommenda�ons based on your research from the course materials in previous modules.
Prompt
Using evidence from the scenario, prepare an incident analysis brief for your manager. Limit your analysis to one security objec�ve and two Fundamental Security Design Principles from the
lists below.
Security Objec�ve (Choose One):
Confiden�ality
Integrity
Availability
Fundamental Security Design Principles (Choose Two):
Separa�on (of domains and du�es)
10/7/24, 3:33 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102839/View 1/4
Isola�on
Encapsula�on
Modularity
Simplicity of design (economy of mechanism)
Minimiza�on of implementa�on (least common mechanism)
Open design
Complete media�on
Layering (defense in depth)
Least privilege
Fail-safe defaults and fail secure
Least astonishment (psychological acceptability)
Minimiza�on of trust surface (reluctance to trust)
Usability
Trust rela�onships
Specifically, you must address the cri�cal elements listed below:
I. Scenario Analysis: Using your work in the case study analyses (Modules Two through Four) and other course resources as reference, select the security objec�ve you think is most
relevant to the organiza�on in the case.
A. Describe why the loss of your selected security objec�ve (confiden�ality, integrity, or availability) reflects the greatest overall nega�ve impact on the organiza�on. Use evidence
from the scenario and your coursework to support your selec�on.
B. Summarize the nega�ve impacts on people, processes, and technologies associated with the loss of your selected security objec�ve.
II. Recommenda�ons: Select two Fundamental Security Design Principles as criteria, and recommend solu�ons to remedy the loss of the selected security objec�ve based on your
assessment of the incident.
A. Explain how your solu�on implements the selected Fundamental Security Design Principles. Provide evidence from the scenario and your coursework to support your selec�ons.
B. Describe how your solu�on balances impacts on people, processes, and technologies.
C. Explain which aspect of your solu�on you would recommend to your manager as the most important to the organiza�on. Support your response with evidence from the
coursework or scenario
10/7/24, 3:33 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102839/View 2/4
What to Submit
Your submission should be 3 to 5 pages in length (plus a cover page and references) and should be wri�en in APA format. Use double spacing, 12-point Times New Roman font, and one-inch
margins. Include at least three references, which should be cited according to APA style. Use a file name that includes the course code, the assignment �tle, and your name—for example,
CYB_200_Project_Two_Neo_Anderson.docx.
Project Two Rubric
Criteria Exemplary (100%) Proficient (85%) Needs Improvement (55%) Not Evident (0%) Value
Scenario Analysis: Greatest
Overall Nega�ve Impact
Meets “Proficient” criteria and
addresses cri�cal element in an
excep�onally clear, insigh�ul,
sophis�cated, or crea�ve
manner
Describes why the loss of the
selected security objec�ve
reflects the greatest overall
nega�ve impact on the
organiza�on with evidence
from the scenario and
coursework to support the
selec�on
Addresses “Proficient” criteria,
but there are gaps in clarity,
logic, or detail
Does not address cri�cal
element, or response is
irrelevant
19
Scenario Analysis: Nega�ve
Impacts
Meets “Proficient” criteria and
addresses cri�cal element in an
excep�onally clear, insigh�ul,
sophis�cated, or crea�ve
manner
Summarizes the nega�ve
impacts on people, processes,
and technologies associated
with the loss of the selected
security objec�ve
Addresses “Proficient” criteria,
but there are gaps in clarity,
logic, or detail
Does not address cri�cal
element, or response is
irrelevant
19
Recommenda�ons:
Implementa�on of
Fundamental Security
Design Principles
Meets “Proficient” criteria and
addresses cri�cal element in an
excep�onally clear, insigh�ul,
sophis�cated, or crea�ve
manner
Explains how the solu�on
implements the selected
Fundamental Security Design
Principles with evidence to
support the selec�ons
Addresses “Proficient” criteria,
but there are gaps in clarity,
logic, or detail
Does not address cri�cal
element, or response is
irrelevant
19
Recommenda�ons:
Balancing Impacts
Meets “Proficient” criteria and
addresses cri�cal element in an
excep�onally clear, insigh�ul,
sophis�cated, or crea�ve
manner
Describes how the solu�on
balances impacts on people,
processes, and technologies
Addresses “Proficient” criteria,
but there are gaps in clarity,
logic, or detail
Does not address cri�cal
element, or response is
irrelevant
19
10/7/24, 3:33 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102839/View 3/4
Criteria Exemplary (100%) Proficient (85%) Needs Improvement (55%) Not Evident (0%) Value
Recommenda�ons:
Importance to Organiza�on
Meets “Proficient” criteria and
addresses cri�cal element in an
excep�onally clear, insigh�ul,
sophis�cated, or crea�ve
manner
Explains which aspect of the
solu�on is most important to
the organiza�on with evidence
to support the explana�on
Addresses “Proficient” criteria,
but there are gaps in clarity,
logic, or detail
Does not address cri�cal
element, or response is
irrelevant
19
Ar�cula�on of Response Submission is free of errors
related to cita�ons, grammar,
spelling, and organiza�on and
is presented in a professional
and easy-to-read format
Submission has no major errors
related to cita�ons, grammar,
spelling, or organiza�on
Submission has some errors
related to cita�ons, grammar,
spelling, or organiza�on that
nega�vely impact readability
and ar�cula�on of main ideas
Submission has cri�cal errors
related to cita�ons, grammar,
spelling, or organiza�on that
prevent understanding of ideas
5
Total: 100%
10/7/24, 3:33 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102839/View 4/4
,
CIA Triad and Fundamental Security Design Principles
The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and application throughout the program. It is therefore important for you to familiarize yourself with these terms and their definitions. Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental Security Design Principles are sometimes called fundamental design principles, cybersecurity first principles, the cornerstone of cybersecurity, and so on.
CIA Triad
Information that is secure satisfies three main tenets, or properties, of information. If you can ensure these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013).
Confidentiality Only authorized users can view information (Kim & Solomon, 2013).
Integrity Only authorized users can change information (Kim & Solomon, 2013).
Availability Information is accessible by authorized users whenever they request the information (Kim & Solomon, 2013).
Fundamental Security Design Principles
These principles offer a balance between aspirational (and therefore unobtainable) “perfect security,” and the pragmatic need to get things done. Although each of the principles can powerfully affect security, the principles have their full effect only when used in concert and throughout an organization. These principles are a powerful mental tool for approaching security: one that doesn’t age out of usefulness or apply only to a few specific technologies and contexts; one that can be used for architecture, postmortem analysis, operations, and communication. The principles are ultimately only one piece in the security practitioner’s toolkit, but they are a flexible piece that will serve different roles for different people (Sons, Russell, & Jackson, 2017).
Abstraction Removal of clutter. Only the needed information is provided for an object-oriented mentality. This is a way to allow adversaries to see only a minimal amount of information while securing other aspects of the model (Tjaden, 2015).
Complete Mediation All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003).
Encapsulation The ability to only use a resource as it was designed to be used. This may mean that a piece of equipment is not being used maliciously or in a way that could be detrimental to the overall system (Tjaden, 2015).
Fail-Safe Defaults / Fail Secure The theory that unless a subject is given explicit access to an object, it should be denied access to that object (Bishop, 2003).
Information Hiding Users having an interface to interact with the system behind the scenes. The user should not be worried about the nuts and bolts behind the scenes, only the modes of access presented to them. This topic is also integrated with object-oriented programming (Tjaden, 2015).
Isolation Individual processes or tasks running in their own space. This ensures that the processes will have enough resources to run and will not interfere with other processes running (Tjaden, 2015).
Layering Having multiple forms of security. This can be from hardware or software, but it involves a series of checks and balances to make sure the entire system is secured from multiple perspectives (Tjaden, 2015).
Least Astonishment (Psychological Acceptability) Security mechanisms should not make the resource more difficult to access than when security mechanisms were not present (Bishop, 2003).
Least Privilege The assurance that an entity only has the minimal amount of privileges to perform their duties. There is no extension of privileges to senior people just because they are senior; if they don’t need the permissions to perform their normal everyday tasks, then they don’t receive higher privileges (Tjaden, 2015).
Minimization of Implementation (Least Common Mechanism) Mechanisms used to access resources should not be shared (Bishop, 2003).
Minimize Trust Surface (Reluctance to Trust) The ability to reduce the degree to which the user or a component depends on the reliability of another component (Bishop, 2003).
Modularity The breaking down of larger tasks into smaller, more manageable tasks. This smaller task may be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015).
Open Design The security of a mechanism should not depend on the secrecy of its design or implementation (Bishop, 2003).
Separation (of Domains) The division of power within a system. No one part of a system should have complete control over another part. There should always be a system of checks and balances that leverage the ability for parts of the system to work together (Tjaden, 2015).
Simplicity (of Design) The straightforward layout of the product. The ability to reduce the learning curve when analyzing and understanding the hardware or software involved in the information system (Tjaden, 2015).
Trust Relationships A logical connection that is established between directory domains so that the rights and privileges of users and devices in one domain are shared with the other (PC Magazine, 2018).
Usability How easy hardware or software is to operate, especially for the first-time user. Considering how difficult applications and websites can be to navigate through, one would wish that all designers took usability into greater consideration than they do (PC Magazine, 2018).
References
Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional. Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington,
MA: Jones & Bartlett Publishers. PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O’Reilly Media,
Inc. Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from
https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles.pdf
