Project #61974 - Information System Security Discussion Questions



Answer each of the 8 questions in a 200-word minimum.


#1 Answer DQ1 in 200 word minimum.


 Review the "Policy and Update Management" lab (link attached). What did you learn? What did you think was most valuable?


#2 Respond to Troy's answer to DQ1


This virtual lab exercise works with using ConfigMgr to create and deploy Forefront End Protection (FEP) policy to computers managed by ConfigMgr. There are also exercises on using the server-role policy templates and FEP Group Policy tool to populate Group Policy Objects with FEP settings for computers that are not yet managed by ConfigMgr.

In the first exercise I followed the steps to examine the default client and server policies and their advertisements, followed by creating and editing a new FEP policy. After creating the policy I assigned the policy to all Windows Workstations. In the next exercise I installed the FEP 2010 Group Policy templates on the computer so that the settings become visible in the Group Policy Editor. This process also includes adding Domain Controller and DNS policies to the GPO.


After finishing all steps of the virtual lab I gained a better understanding of managing FEP policies using Configuration Manager and by using Group Policy. FEP is Microsoft's offering for antivirus; try to think of it as the corporate version of Security Essentials. Just about everything on the net for managing it seems to be geared to managing it with System Center Configuration Manager (SCCM), which is fine if you have SCCM, but what if you don't? Thankfully you can manage it with Group Policy as well.


#3 Answer DQ2 in 200 words minimum.  


What access control system is most valuable for protecting enterprise systems? Why? What are two specific strengths and two specific drawbacks for your chosen access control system?


#4 Answer DQ3 in 200 words minimum.  


What are some situations that illustrate the difference between authorization and authentication?




#5 Respond to Peter's answer to DQ3 in 200 words minimum


Code security protects the normal, day-to-day operations of an app, tool, or daemon. But what happens when your code is under siege? It is often essential to know not only what the user is doing but also who the user is and whether the user is allowed to do that. This is where authentication and authorization come into play.




"If you know yourself but not your enemy, for every victory gained you will also suffer a defeat."

Sun Tzu, The Art of War

When securing software, the first thing you must do is find a way to distinguish friend from foe. This process is called authentication.

In computer security, authentication verifies the identity of a user or service. Authentication usually serves one of two purposes:

▪ As a precursor to authorization, identifying the requesting entity to determine whether that entity should have permission to perform an operation

▪ For producing an audit trail by logging who performed an operation so that blame can be cast when something breaks

Three types of authentication are most common:

▪ Local user authentication. Verifying a user's identity is usually performed by the operating system as the first step in authorization. If your code is running as a normal user, the operating system limits what your code can do based on that user's permissions. Your code can also ask the operating system for the identity of the user for auditing purposes.

▪ Network host authentication. Verifying the authenticity of a remote server is often necessary, for example, to determine whether it is safe to send credit card information to a specific website. Digital certificates, described in the next chapter, are a common way to achieve this.

▪ Remote user authentication. Users are often authenticated by remote servers when performing certain tasks. Authenticating a user remotely requires that your code send credentials in some form, such as a password, a cookie, or a digital certificate.



Authorization is the process by which an entity such as a user or a server gets permission to perform a restricted operation. The term is also often used to refer to the right itself, as in "The soldier has authorization to enter the command bunker."


The difference between authentication and authorization is somewhat subtle. Often, the mere fact that a user has an account means that the user is authorized to do something, in which case authentication and authorization are the same thing. However, in more complex systems, the difference becomes more obvious.

Consider a computer with two users. Each user is known to the system. Therefore, both users can each log in to the computer, and it authenticates them. However, neither user is authorized to modify the other's files, and as a result, neither user can do so.


The details of authorization depend on whether you are using iOS or OS X.

In iOS, the user can set a passcode which by default is a four-digit personal identification number to prevent unauthorized use of the device. After entering this passcode, the user of the device is presumed to be authorized to use the device. In addition, each app is digitally signed and can therefore be authenticated by the operating system. Therefore, there are no user authentication or authorization APIs in iOS.

In OS X, there are several layers of authorization:

▪ If FileVault 2 full-disk encryption is enabled, the computer requires a password to decrypt the boot volume.

▪ If automatic login is disabled, OS X displays a login screen after booting.

▪ OS X also displays a login screen when the user logs out.

▪ If the appropriate checkbox in the Security system preferences pane is checked, OS X displays a login screen when waking from sleep or when leaving a screen saver.

▪ When an app or tool requests access to a locked keychain, a password is required.

▪ If an app or tool needs elevated privileges, an administrator password is required. Some apps may restrict access to parts of their functionality through the Authorization Services API.

In addition, on both OS X and iOS, some apps may require you to log in to a remote server, which in turn performs authentication and authorization.
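
The two-user scenario from the answer above, as an added example that is not part of the original post: both users authenticate successfully, but authorization is a separate check against file ownership, and every decision is written to an audit trail. The user names, passwords, file paths and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Salted, slow password hash; credentials are never stored in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample data: two known users and the owner of each file.
USERS = {"alice": make_user("alice-pass"), "bob": make_user("bob-pass")}
FILES = {"/home/alice/notes.txt": "alice", "/home/bob/todo.txt": "bob"}
AUDIT = []  # audit trail of (who, path, outcome)

def authenticate(username, password):
    """Authentication: verify identity. Returns the identity or None."""
    record = USERS.get(username)
    if record is None:
        return None
    candidate = _hash(password, record["salt"])
    # Constant-time comparison of the stored and candidate hashes.
    return username if hmac.compare_digest(record["hash"], candidate) else None

def authorize(identity, path):
    """Authorization: may this verified identity modify this file?"""
    return FILES.get(path) == identity

def modify_file(username, password, path):
    identity = authenticate(username, password)
    if identity is None:
        AUDIT.append((username, path, "denied: authentication failed"))
        return "authentication failed"
    if not authorize(identity, path):
        # The user is who they claim to be, but lacks permission.
        AUDIT.append((identity, path, "denied: not authorized"))
        return "not authorized"
    AUDIT.append((identity, path, "allowed"))
    return "ok"

if __name__ == "__main__":
    print(modify_file("alice", "alice-pass", "/home/alice/notes.txt"))
    print(modify_file("alice", "alice-pass", "/home/bob/todo.txt"))
    print(modify_file("alice", "wrong-pass", "/home/alice/notes.txt"))
    print(AUDIT)
```
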


#6 Answer DQ4 in 200 words minimum.  


What are three specific threat mitigation controls you consider most useful? Why? What are the potential risks of your chosen controls?


#7 Answer DQ5 in 200 words minimum 


Do you feel distributed trust management is important to organizations? Why or why not? Could future technology change your stance?


#8 Respond to Peter’s answer to DQ5 in 200 words minimum.  


Yes, because almost all organizations today are already practicing some kind of distributed work management. In most cases, however, there is either no formal policy, or it's being done ad hoc and in a highly inconsistent manner. Typically, some employees in some departments are working out of the office once in a while because it's more convenient for them, or an emergency at home has made it temporarily necessary, or they just needed a quiet place to get a special report completed. We've come to call this kind of informal/implicit program "Don't ask, don't tell," because it's unofficial, is often not known about in other parts of the company, or is tolerated for certain individuals primarily because they're highly competent and have threatened to leave the company if they can't work flexibly. However, these kinds of ad hoc efforts often get out of control. Either they grow too large without any thought to their consequences, or other employees get jealous and even resentful at being unable to take advantage of what they see as a highly desirable "perk."

Some organizations that have moved beyond DADT and ad hoc distributed work have done so for these reasons:


▪ Liability Mitigation

Informal programs and ad hoc arrangements leave companies open to legal liability for workmen's compensation, and for potential violations of the Fair Labor Standards Act.

Employees who are denied the opportunity to work remotely might become resentful of the perceived inequity and file a claim under the provisions of the FLSA.


▪ Employee Attraction/Retention

Companies in urban areas with long, difficult commutes have found that offering part-time work from home can tip the scales in their favor, particularly in a competitive hiring environment. According to Phil Montero of the Anywhere Office, 72% of U.S. employees say that flexible work arrangements would cause them to choose one job over another.


▪ Geographic Diversification and Globalization

It's not a new phenomenon, but as an organization opens new facilities in remote locations, it has a de-facto distributed workforce even if everyone is in a corporate facility every day. Historically, a distributed business coped by increasing its travel budget and by burning up the long-distance telephone lines. Today, however, with the proliferation of low-cost conference calling and Internet Web conferencing, it's not just about staying in touch with remote individuals; distributed project teams have become far more common.


▪ Cost Reduction

Many organizations, especially in the current economic climate, are actively seeking ways to reduce operating costs. Distributed work programs are one of the most effective ways of achieving badly-needed operational savings. Enabling employees to work remotely makes it possible to reduce the corporate real estate portfolio by as much as 40% - 50% by offering employees an opportunity to work from home full- or part-time in return for giving up an assigned private workspace in the corporate facility.


▪ Continuity Planning

In recent years most large organizations have beefed up their business continuity plans in light of external risks such as natural disasters: hurricanes, tornadoes, blizzards, earthquakes, terrorist attacks, or pandemics like swine flu. A formal distributed work program dramatically lowers the risk of operational disruption.


▪ Environmental Impact

Flexible work programs can also have a powerful and very positive effect on an organization's carbon output as well as its economic, environmental, and social contributions to its local communities. When employees are not traveling to a central office they are not burning gasoline, and they're not clogging the highways or taking up space on the local commuter train.


Could future technology change your stance? No, many organizations have invested heavily in capital-intensive expenditures such as new equipment and technology such as ERP packages like SAP and Oracle in the hope that these will reduce cost and increase productivity. Academic research has shown that it is not the "hard" technology acquisitions by themselves that guide organizational success, but the integration of these assets into organizational change management processes that elevate the importance of the human system. It is the integration that really makes the difference.



Subject Computer
Due By (Pacific Time) 03/14/2015 02:00 pm