Paper Instructions:

Assignment # 1: Security and Compliance

Security and compliance are interconnected in important ways. What happens if you have a policy, but you cannot assure compliance? There is no automated enforcement mechanism. You cannot be sure if policy is followed or not.
To gain a deeper appreciation for the relationship between security and compliance, consider the following scenario:
In an organization, managers are allowed to add users to Active Directory groups, which potentially grant them access to sensitive data on file shares. There are security policies and regulations that state that this access must be reviewed quarterly to ensure that only approved people have access to certain types of sensitive data. Sometimes, when people change jobs, their access may not be removed properly, so controls need to be put in place to demonstrate that the organization is doing a good job of meeting security and regulatory requirements.
Access requirements can change frequently, and at a large organization this can become very difficult to manage. When an employee moves from one job to another within the same organization, someone must change their level of access to certain resources. A manager should approve this change, and there should be quarterly metrics that show how managers are reviewing access levels for employees and modifying access as needed.
For this Assignment # 1, in 250–400 words, address the following:
For the given scenario, recommend two policies that you would create for managers approving new access and for monitoring that access. In recommending these policies, make sure they are appropriate for the employees and are in accordance with the organizational policy for approving and monitoring access. Discuss the artifacts you would generate, as a part of these policies, to demonstrate compliance.

Assignment # 2: Developing Operational Security Metrics to Meet Business Value

Identity management is just one area of information assurance that needs to be improved in an organization. An information assurance professional needs to have a good understanding of how well all areas of security and information assurance are being managed and maintained. Metrics are very important instruments for managing security and information assurance. Examples of metrics from other areas of security that can be more quantitative and meaningful include:
• Tracking the number of security intrusion detection incidents on a monthly basis
• Breaking intrusion detection incidents down by week and by country, because this will demonstrate whether security is weak in some functional area
• Recording the business impact of each intrusion detection incident
For this Assignment # 2, write a 4- to 6-page paper in which you create 8–10 operational metrics, and explain how these metrics demonstrate the overall efficacy of the information assurance program at your organization. In the paper, respond to the following:
• How do you determine acceptable baselines for the metrics you created?
• How are these metrics efficacious to the teams involved in the operation of security controls?
Because you are using a fictitious scenario, state any assumptions you make.

Required Readings

Brotby, K. (2009). Information security governance: A practical development and implementation approach. Hoboken, NJ: Wiley.

• Chapter 13, “Security Program Development Metrics”
In this chapter you are introduced to the process of putting an information system security strategy into operational use. You will explore the decisions that must be made and metrics that will be needed to provide the information required for security program development management.

• Chapter 14, “Information Security Management Metrics”
In this chapter you are introduced to the concept of using management metrics to help executive management of an organization with decision support regarding information security. You will investigate the tactical metrics that are needed to keep the information security governance program operating at an acceptable level guided by the strategic objectives.
Jaquith, A. (2007). Security metrics: Replacing fear, uncertainty, and doubt. Upper Saddle River, NJ: Pearson.

• Chapter 3, “Diagnosing Problems and Measuring Technical Security”
In this chapter you will be introduced to a collection of common security metrics for diagnosing problems and measuring technical security activities.

• Chapter 6, “Visualization”
In this chapter you are introduced to the concept of graphically representing data and metrics as an information visualization practice. You will explore ways to display data graphically without losing the richness and texture that best facilitate deep understanding.
