Question:

AVOID USE OF AI, THE ASSIGNMENT WILL BE REJECTED.

Competencies

4045.1.1 : Compliance Legal Requirements

The graduate describes the legal requirements to address compliance with cybersecurity policies and procedures within an organization.

4045.1.3 : Security Awareness Training and Education (SATE)

The graduate outlines legal issues that should be included within the security awareness training and education (SATE) program of an organization.

4045.1.4 : Ethical Issues for Cybersecurity

The graduate discusses the implications of ethical issues for specific cybersecurity actions within an organization.

Introduction

Information security professionals must understand how to apply ethical security principles and processes to their organizations. These standards should define the organization's specific needs and demands to assure data confidentiality, integrity, and availability. An organization's employees must be aware of the security challenges it is facing. In this task, you will analyze ethical challenges related to information security and develop a training plan for an organization, which will raise awareness of these challenges, convey strategies, and prevent unwanted developments.

Scenario

Review the attached "TechFite Case Study" for information on the company being investigated. You should base your responses on this scenario.

SCENARIO:

TechFite Case Study

Background of Company:

TechFite is traded on NASDAQ and has approximately 1,000 employees. The company's core business involves consulting with and advising Internet organizations on promoting and monetizing their online business ventures. Most of the company operates legally and ethically with good internal financial oversight. However, its Applications Division has recently been reported in the news media for undertaking some disturbing business practices. This division consults with start-ups on launching new applications and apps online.

Assignment:

The chairperson of the board commissioned me, John Jackson, to investigate the IT and business practices of the Applications Division. I hold an MS in network security and am qualified as a Certified Information Systems Security Professional (CISSP), and I have 12 years' experience in cybersecurity. In addition, the chairperson has consented to allow Maria Harrison to assist me. She is a private investigator who holds an MS in criminal justice and has 15 years' experience in corporate investigations.

Findings:

I interviewed Noah Stevenson, the chief executive officer (CEO) of Orange Leaf Software LLC, whose company was cited in recent news articles about the Applications Division. Stevenson indicated his company had meetings with the division's representatives to possibly hire TechFite for consulting services. Prior to divulging any technical details, Applications Division head Carl Jaspers executed a nondisclosure agreement (NDA) with Orange Leaf. As a part of the preconsulting process, Orange Leaf's CEO, chief technology officer (CTO), and lead software engineer completed questionnaires that included technical information about Orange Leaf's products. Ultimately, Orange Leaf decided not to hire TechFite's Applications Division for a variety of business reasons. Months later, Noah Stevenson was disturbed to find out a competitor was launching some products very similar to those of Orange Leaf.

A similar scenario occurred in an interview with Ana Capperson, CTO for Union City Electronic Ventures. She described the same fact pattern as Orange Leaf's. That is, after this company decided not to use the Applications Division, proprietary information eventually found its way into the hands of a competitor.

Both potential clients provided copies of the questionnaires to me, and they do contain information that could be of value to a competitor. Copies of the NDAs executed by Carl Jaspers were also provided. A check of the Applications Division's customer database revealed that the two competitors identified by Stevenson and Capperson are existing clients of TechFite's Applications Division.

The Applications Division has a Business Intelligence (BI) Unit, which gathers publicly available information about companies in the Internet sector to benefit the division's marketing of its services and to aid clients. Such an operation is legal and is common in the industry. However, I was interested in what kind of oversight the unit had to prevent the abuses alleged by Stevenson and Capperson.

IT Security Analyst Nadia Johnson of TechFite's Applications Division reviewed reports for the chief information security officer (CISO) and revealed the organization had performed a credible job of protecting the division's network against external threats. Vulnerability scanning, penetration testing, and UTM (unified threat management) were all in place. Documentation on internal oversight, especially of the BI Unit, however, was lacking. There were blanket summaries that no irregularities were found in internal operations. What was missing were specific discussions of auditing users' accounts, checking for escalation of privilege, enforcing data loss prevention (DLP) on sensitive documents, and surveilling internal network traffic and activity.

Also disturbing was the lack of coverage on the critical issue of safeguarding sensitive and proprietary information belonging to existing clients, potential clients, and previous clients. No plan was evident for keeping different clients' information segregated from each other and employing a Chinese wall methodology. (No general policy at TechFite requires such a methodology.) Within the BI Unit, the principles of least privilege and separation of duties were not enforced. Every workstation and computer had full administrative rights. In the marketing/sales unit associated with the BI Unit, the same person can create customers (clients), report sales, and post sales on the system. In fact, there is no IT segmentation or separation between the two units' data or applications. Each unit has full visibility and access into the other.

Additionally, background checks into IT Security Analyst Nadia Johnson raised some questions. First, Jaspers (head of Applications Division) regularly gives Johnson's boss, the CISO, positive recommendations about Johnson during annual reviews and she gets ample raises. Johnson's social media posts have photos and text documenting her frequently attending social events hosted by Jaspers. A recent post even thanks Jaspers for a gift on Johnson's birthday. (Currently, no policy at TechFite bars social relationships between IT Security staff and those they conduct oversight on.)

We audited the client list database for the division (an action never done by Johnson). Most of the clients are well-known companies in the Internet arena. We researched online the businesses we did not immediately recognize. All but three came up as legitimate companies in the Internet field. These three organizations (Bebop Software of Alberta, FGH Research Group of Indiana, and Dazzling Comet Software of Florida) had no real Internet presence. Further investigation revealed they were all incorporated in Nevada. The registered agent for all three corporations was Yu Lee, who attended graduate school with Carl Jaspers at Stanford University.

We crosschecked with the TechFite Financial Unit and found all three companies pay for services at TechFite with checks drawn from the same bank: Freeworkers' Pennsylvania Bank, NA in Scranton, Pennsylvania. Given this pattern, these three clients may not be actual, real clients but may simply be conduits for moving money into TechFite's sales figures for the division. Since TechFite does not do business with Freeworkers and does not have accounts there, the bank may provide an off-the-books method of making payments elsewhere.

In auditing IT user accounts for the division, we found most to be created in the normal manner for TechFite. (A manager requests that an employee receives account access with the appropriate privileges.) However, two accounts were created solely upon the request of Carl Jaspers. The employees assigned to the accounts have not worked for TechFite for over a year. However, the accounts are in constant use. Emails associated with these accounts are addressed to parties who are not clients of TechFite. Some of the emails refer to intelligence-gathering activities against various companies, including references to "dumpster diving" and "trash surveillance."

All TechFite employees at the time of hire sign a release permitting company surveillance of any electronic communications using TechFite equipment. Accordingly, we remotely deployed EnCase Endpoint Investigator on BI Unit computers and digital devices. We discovered the Metasploit tool (used for system penetration) on multiple machines. In addition, evidence on the hard drives indicates recent penetration and scanning activity into IP addresses for several Internet-based companies.

Among the BI Unit employees, Sarah Miller, the senior analyst, has the most traffic in scanning other companies' networks. Analysts Megan Rogers and Jack Hudson take direction from Miller in doing similar efforts. Hudson also coordinates efforts by third parties to gather intelligence through surveilling and through mining companies' trash. Furthermore, social media research on Hudson revealed his membership in the Strategic and Competitive Intelligence Professionals (SCIP), which has a very strong code of ethics against covert and illegal BI activities.

Finally, and very disturbing, the BI Unit, through its dummy user accounts, has gained access to other groups and units within TechFite outside its own division, without proper authorization. Escalation of privilege has occurred on these accounts to permit access to the legal, human resources (HR), and finance departments. Network monitoring logs reflect regular traffic between the BI Unit and these other departments to examine financial and executive documents.

[End of report]
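As an added illustration of the account-audit and privilege-escalation findings in the report (this code is not part of the case study or the assignment), the following Python checks cross-reference a constructed directory export with HR separation dates and network-monitoring records to surface the three patterns the investigators found: accounts provisioned outside the normal manager-request path, accounts of separated employees that keep logging in, and accounts reaching departments outside their own division. The field names, account names and sample records are assumptions.

```python
from datetime import date

# Constructed directory export (assumed field names, not TechFite data).
# "requested_by" records who asked for the account; the normal path is "manager".
ACCOUNTS = [
    {"user": "analyst1", "division": "Applications", "requested_by": "manager",
     "hr_status": "active", "separated": None, "last_login": date(2024, 5, 3)},
    {"user": "tmp_bi1", "division": "Applications", "requested_by": "division_head",
     "hr_status": "terminated", "separated": date(2023, 2, 1), "last_login": date(2024, 5, 4)},
    {"user": "tmp_bi2", "division": "Applications", "requested_by": "division_head",
     "hr_status": "terminated", "separated": date(2023, 3, 15), "last_login": date(2024, 5, 2)},
    # Separated employee whose last login predates separation: normal, must not be flagged.
    {"user": "fin_clerk", "division": "Finance", "requested_by": "manager",
     "hr_status": "terminated", "separated": date(2024, 4, 1), "last_login": date(2024, 3, 30)},
]

# Constructed network-monitoring records: (account, department share it accessed).
ACCESS_LOG = [
    ("analyst1", "Applications"),
    ("tmp_bi1", "Finance"),
    ("tmp_bi1", "Legal"),
    ("tmp_bi2", "HR"),
    ("fin_clerk", "Finance"),
]


def nonstandard_provisioning(accounts):
    """Accounts that were not created through the normal manager-request path."""
    return sorted(a["user"] for a in accounts if a["requested_by"] != "manager")


def orphaned_active_accounts(accounts, as_of):
    """Accounts whose owner has separated but that still logged in afterwards.

    Returns (user, days_since_separation) so reviewers can see how long the
    account has outlived its owner; logins before separation are not flagged.
    """
    flagged = []
    for a in accounts:
        if a["hr_status"] == "terminated" and a["last_login"] > a["separated"]:
            flagged.append((a["user"], (as_of - a["separated"]).days))
    return flagged


def cross_division_access(accounts, log):
    """Access events that reach a department outside the account's home division."""
    home = {a["user"]: a["division"] for a in accounts}
    return sorted({(u, dept) for u, dept in log if home.get(u) != dept})


if __name__ == "__main__":
    print("non-standard provisioning:", nonstandard_provisioning(ACCOUNTS))
    print("orphaned but active:", orphaned_active_accounts(ACCOUNTS, date(2024, 5, 5)))
    print("cross-division access:", cross_division_access(ACCOUNTS, ACCESS_LOG))
```

In a real review the HR separation dates would come from the HR system rather than the directory, since an account record that omits them is exactly what allowed the two accounts in the report to go unnoticed.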

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course (see the rubric at the end).

A. Address ethical issues for cybersecurity by doing the following:

1. Discuss the ethical guidelines or standards relating to information security that should apply to the case study.

a. Justify your reasoning.

2. Identify the behaviors, or omission of behaviors, of the people who fostered the unethical practices.

3. Discuss what factors at TechFite led to lax ethical behavior.

B. Describe ways to mitigate problems and build security awareness by doing the following:

1. Describe two information security policies that may have prevented or reduced the criminal activity, deterred the negligent acts, and decreased the threats to intellectual property.

2. Describe the key components of a Security Awareness Training and Education (SATE) program that could be implemented at TechFite.

a. Explain how the SATE program will be communicated to TechFite employees.

b. Justify the SATE program's relevance to mitigating the undesirable behaviors at TechFite.

C. Prepare a summary directed to senior management (suggested length of 1-2 paragraphs) that states TechFite's ethical issues from Part A and the related mitigation strategies from Part B.

D. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

Some references can come from this textbook:

  • Grama, J. (2020). Legal and privacy issues in information security, Third Edition. Burlington, MA: Jones & Bartlett Learning.

E. Demonstrate professional communication in the content and presentation of your submission.

Rubric

A1: Discussion of Ethical Guidelines or Standards

Not Evident

A discussion of the ethical guidelines or standards relating to information security that should apply to the case study is not provided.

Approaching Competence

The discussion illogically addresses the ethical guidelines or standards relating to information security that should apply to the case study, or it is unclear how the ethical guidelines or standards relate to the case study.

Competent

The discussion logically addresses the ethical guidelines or standards relating to information security that should apply to the case study.

A1a: Justification of Standards or Guidelines

Not Evident

A justification of the reasoning of the ethical considerations or guidelines is not provided.

Approaching Competence

The justification illogically addresses the reasoning of the ethical considerations or guidelines.

Competent

The justification logically addresses the reasoning of the ethical considerations or guidelines.

A2: Description of Unethical Behaviors

Not Evident

The unethical behavior of individuals or groups is not identified.

Approaching Competence

The identification of unethical behavior of individuals or groups is inaccurate.

Competent

The identification of the unethical behavior of individuals or groups is accurate.

A3: Factors

Not Evident

A discussion of the factors at TechFite that led to lax ethical behavior is not provided.

Approaching Competence

The discussion of the factors at TechFite that led to lax ethical behavior is unclear or illogical.

Competent

The discussion of the factors at TechFite that led to lax ethical behavior is clear and logical.

B1: Information Security Policies

Not Evident

A description of 2 information security policies that may have minimized the criminal activity, negligent acts, and threats to intellectual property is not provided.

Approaching Competence

A description of 2 information security policies that may have minimized the criminal activity, negligent acts, and threats to intellectual property is provided, but at least 1 of the policies is not relevant or applicable to the case study.

Competent

The description addresses 2 information security policies, specific to the case study that may have minimized the criminal activity, negligent acts, and threats to intellectual property.

B2: SATE Key Components

Not Evident

A description of key components of a SATE program is not provided.

Approaching Competence

The description of key components of a SATE program that could be implemented at TechFite is not relevant or applicable to the case study.

Competent

The description of key components of a SATE program that could be implemented at TechFite is relevant and applicable to the case study.

B2a: SATE Communication

Not Evident

An explanation of how the SATE program will be communicated to TechFite employees is not provided.

Approaching Competence

The explanation of how the SATE program will be communicated to TechFite employees is illogical.

Competent

The explanation of how the SATE program will be communicated to TechFite employees is logical.

B2b: SATE Relevance

Not Evident

A justification of the SATE program's relevance to mitigating the undesirable behaviors at TechFite is not provided.

Approaching Competence

The justification of the SATE program's relevance to mitigating the undesirable behaviors at TechFite is illogical.

Competent

The justification of the SATE program's relevance to mitigating the undesirable behaviors at TechFite is logical.

C: Challenges and Strategies Summary

Not Evident

A summary directed to senior management that states TechFite's ethical issues and the related mitigation strategies is not provided.

Approaching Competence

A summary directed to senior management that states TechFite's ethical issues and the related mitigation strategies is provided, but the summary is not complete or does not align with the information provided in Parts A and B.

Competent

A complete summary directed to senior management that states TechFite's ethical issues and the related mitigation strategies is provided, and the summary aligns with the information provided in Parts A and B.

D: Sources

Not Evident

The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.

Approaching Competence

The submission includes in-text citations for sources that are quoted, paraphrased, or summarized and a reference list; however, the citations or reference list is incomplete or inaccurate.

Competent

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available. Or the candidate does not use sources.

E: Professional Communication

Not Evident

This submission includes pervasive errors in professional communication related to grammar, sentence fluency, contextual spelling, or punctuation, negatively impacting the professional quality and clarity of the writing. Specific errors have been identified by Grammarly for Education under the Correctness category.

Approaching Competence

This submission includes substantial errors in professional communication related to grammar, sentence fluency, contextual spelling, or punctuation. Specific errors have been identified by Grammarly for Education under the Correctness category.

Competent

This submission includes satisfactory use of grammar, sentence fluency, contextual spelling, and punctuation, which promote accurate interpretation and understanding.
