Yunze Wang

ITS 370

2/6/2020

 

CH4

 

Exercises

 

2.      Search the Web for security education and training programs in your area. Keep a list and see which category has the most examples. See if you can determine the costs associated with each example. Which do you think would be more cost-effective in terms of both time and money?

Answer:

Security education and training programs in my area (Kolkata, West Bengal):

 

AILABS (Rating – 4.8 / 5.00)

AILABS provides training on machine learning, data analytics, data science and business analytics and other areas of Artificial Intelligence (on site at a training facility).

 

Courses Available: -

Essentials of Machine learning

Introduction of Python

Introduction to R

Advance machine learning

Management development program

Data Science foundation

Introduction to business analysis

Deep Learning for computer vision

 

Duration of all Courses: -

3 months

 

Cost: -

Rs 4000 per course.

 

Indian Cyber Security Solutions (Rating – 4.9 / 5.00)

Indian Cyber Security Solutions is a unit of Green Fellow IT Security Solutions Pvt Ltd, a rising platform with a mission to provide all possible cyber security solutions to companies, from large corporate companies to new emerging ones, regardless of their sizes and kinds. Our mission is to create a digital hack-proof world (on site at a training facility).

 

Courses Available: -

All cyber security courses.

Networking courses

Programming courses

Duration of all Courses: -

1 month

 

Cost: -

Cyber security courses - Rs 4500

Networking courses – Rs 5000

Programming courses - Rs 4000

 

National Institute for Industrial Training (Rating - 4.6/5.00)

National Institute for Industrial Training, affiliated to: National IT and Cyber Security Research Association, Data Analytics Skill Association, Indian Institute of Machine Learning, Indian Computer & Technical Association, and Cyber Security Knowledge Sharing & Research Council. All organizations are fully registered under Govt. of WB. Our industrial modules are approved by: Council of Industrial Engineering & Management and Association of Industrial & Skill Training Framework (AISTF) [Regd. under Govt. of WB].

 

Courses Available: -

Python with Data Science

Information Security

Python with Blockchain (We have Combined Program using Java Script Blockchain)

Python with Machine Learning

Introduction to C Programming

Data Analytics with R & Python Programming

Java with Android

Android App Development using Kotlin

Advanced Course-AI with ML (Basic Deep Learning Covered) Hands on Python Knowledge Required

Web Development (PHP, MySQL, MongoDB, Angular, Node)

Control System with MATLAB

Python with Networking Programming

Python with IoT

AutoCAD / CATIA

Advanced Communication

Advanced Ethical Hacking

Core JAVA

 

Duration of all Courses: -

1.5-3 months

 

Cost: -

Rs 5500 onwards.

 

National Institute for Industrial Training would be the more cost-effective among all these cyber security education and training programs: it is offered at a reasonable price, and it is a government training center with an internship opportunity.

 

  1. Search the Web for examples of issue-specific security policies. What types of policies can you find? Using the format provided in this chapter, draft a simple issue-specific policy that outlines fair and responsible use of computers at your college, based on the rules and regulations of your institution. Does your school have a similar policy? Does it contain all the elements listed in the text?

Answer:

Managerial decisions on computer security issues vary greatly. To differentiate among various kinds of policy, this chapter categorizes them into three basic types:

Program policy is used to create an organization's computer security program.

Issue-specific policies address specific issues of concern to the organization.

System-specific policies focus on decisions taken by management to protect a particular system.

Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization. (See following box.)

Tools to Implement Policy: Standards, Guidelines, and Procedures

Because policy is written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. Procedures are yet more detailed steps to be followed to accomplish particular security-related tasks. Standards, guidelines, and procedures may be promulgated throughout an organization via handbooks, regulations, or manuals.

Organizational standards (not to be confused with American National Standards, FIPS, Federal Standards, or other national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization-wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems. Standards are normally compulsory within an organization.

Guidelines assist users, systems personnel, and others in effectively securing their systems. The nature of guidelines, however, immediately recognizes that systems vary considerably, and imposition of standards is not always achievable, appropriate, or cost-effective. For example, an organizational guideline may be used to help develop system-specific standard procedures. Guidelines are often used to help ensure that specific security measures are not overlooked, although they can be implemented, and correctly so, in more than one way.

Procedures normally assist in complying with applicable security policies, standards, and guidelines. They are detailed steps to be followed by users, system operations personnel, or others to accomplish a particular task (e.g., preparing new user accounts and assigning the appropriate privileges).

Some organizations issue overall computer security manuals, regulations, handbooks, or similar documents. These may mix policy, guidelines, standards, and procedures, since they are closely linked. While manuals and regulations can serve as important tools, it is often useful if they clearly distinguish between policy and its implementation. This can help in promoting flexibility and cost-effectiveness by offering alternative implementation approaches to achieving policy goals.

Familiarity with various types and components of policy will aid managers in addressing computer security issues important to the organization. Effective policies ultimately result in the development and implementation of a better computer security program and better protection of systems and information.

These types of policy are described to aid the reader's understanding. It is not important that one categorizes specific organizational policies into these three categories; it is more important to focus on the functions of each.

5.1 Program Policy

A management official, normally the head of the organization or the senior administration official, issues program policy to establish (or restructure) the organization's computer security program and its basic structure. This high-level policy defines the purpose of the program and its scope within the organization; assigns responsibilities (to the computer security organization) for direct program implementation, as well as other responsibilities to related offices (such as the Information Resources Management [IRM] organization); and addresses compliance issues.

Program policy sets organizational strategic directions for security and assigns resources for its implementation.

 

Case Exercises:

Discussion Questions

1.      What would be the first note you wrote down if you were Charlie?

Answer:

Charlie’s first note would be to make some changes to the company contingency plans.

He would also make a note to call a meeting first thing, as soon as he is in the office, to discuss his new company contingency plans.

 

2.      What else should be on Charlie’s list?

Answer:

Gladys’s

Charlie’s list is:

1.      Information security policy is best disseminated in a comprehensive security education, training and awareness program. One of the least frequently implemented but most beneficial programs is the security at the forefront of the users’ minds.

2.      Business impact analysis is an investigation and assessment of the impact that various attacks can have on the organization.

 

3.      Suppose Charlie encountered resistance to his plans to improve continuity planning. What appeals could he use to sway opinions toward improved business continuity planning?

Answer:

Charlie needs to ensure that all critical data and infrastructure are backed up and properly recorded in case a major issue does happen to the company.

He could use the concept of backing up all critical data and information being stored properly.

 

Ethical Decision Making

1.      In some cases, especially when organizations expand into foreign countries, they experience a form of culture shock when the laws of their new host country conflict with their internal policies. Suppose that SLS has expanded its operations in France. Setting aside any legal requirements that SLS make its policies conform to French law, does SLS have an ethical imperative to modify its policies to better meet the needs of its stakeholders in the new country?

 Answer:

Yes, SLS must have an ethical imperative to change its policies according to the laws and ethics of the new country, because each country will have its own ethics and laws based on its economic conditions, culture, etc. Because SLS has set up its operation center in that country, it must follow that country's rules. If not, the country will not allow the company to carry on its operations. So, it is a must to tune the ethical rules the company has according to the stakeholders’ country.

 

2.      Suppose SLS has altered its policies for all operations in France and that the changes are much more favorable to employees—such as a requirement to provide child and elder-care services at no cost to the employee. Is SLS under any ethical burden to offer the same benefit to employees in its original country?

Answer:

Yes, of course SLS will have an ethical burden if it offers the same benefit to the employees. Also, it is bare to set the ethical rules of one country in another country, because each country will have its own rules. In this situation it is more beneficial to the employees: the employees obviously benefit from this, but the company will spend an amount from its profits in this case. If less profit is generated, the company will go into financial crisis. Also, if the company sets up its operation center in some other country, the amount generated for the organization there will be different from the amount generated in our country. So, the final opinion is that it is an ethical burden to the company.