Week 10 CYBR 650 Blog

Action Plans 
This week I finished up creating my Action Plan for the Harry and Mae case study in my Current Trends in Cybersecurity course. This is the culmination of many weeks analyzing assets, threats, and vulnerabilities for the simulated enterprise. We delivered an action plan, detailing the steps recommended to fix some of the vulnerabilities. As I was detailing these steps I realized how incredibly complex and difficult some of these actions actually are. For academic purposes, some of this information can be handwaved as we are understanding the process, not necessarily all of the project management projection of some of these tasks we were detailing.  

  



For example, recommending that an organization move from no password policy to two-factor authentication briefs very well, but it can be incredibly complex, expensive, and time consuming. At many points during the drafting of the Action Plan I felt like the employee in the above Dilbert cartoon.

Deeper Analysis of Recommendations

An action plan has to take more into account that the “most secure” solution. Can the company afford the initial cost and time delay? Can the technically execute the upgrade, and most importantly, can they sustain operations once the system is fielded? The action plan should be robust and answer these types of questions, or at least hint that they need answering. You might have to recommend that they look at hiring additional staff, maybe even detail the specifics required. So, in essence an action plan might recommend many courses of action for each risk or way forward. Instead of the most secure solution and nothing else, maybe give the most secure, the most bang for their buck, and maybe a middle road solution - one that balances overall security with other factors for the organization you are analyzing.

https://searchnetworking.techtarget.com/photostory/4500267797/Five-essential-network-security-topics-and-trends-to-watch/3/Most-end-users-would-bypass-IT-security-policies-they-dislike

I know it’s almost sacrilegious to say this, but maybe the most secure solution isn’t always the best. Over complicating systems above the skill levels of the staff they hired may be even worse than doing nothing. Once security becomes too complicated or overwhelming users seek ways to work around it…thus negating the controls you put in place and opening up completely new unassessed risks.

Comments

Post a Comment

Popular posts from this blog

Week 5 CYBR 650 Blog

Image
Will Harry and Mae’s Diner Ever Listen to their Paid Consultants? This week in class we are working through the familiar (at least for Bellevue Cybersecurity students) Harry and Mae’s case study . This examines a franchise of diners, and depending on the class you are in, you examine it through the lens required…it could be risk management, secu re network design, or threat analysis. One item I got to thinking about this week is the individual franchises under a company like this, and how much leeway they have when deciding how to run their own infrastructure. This is especially important when the headquarters policies dictate an insecure implementation of the IT equipment, such as is the case with Harry and Mae's. In my specific experience with them, this will be the third time I have recommended basic security configurations without any visible action on their part. Point of Sale Security Certainly, a hot-topic over the last few years, point of sale devices a...
Read more

Week 7 CYBR 650 Blog

Week 7 Blog Its National Cybersecurity Awareness Month! October is designated as Cybersecurity Awareness Month , generally a time of the year for the Government to post some helpful guidelines for everyday people to read about how cyber security could impact their lives. Typically, these involve a good exposure of common threats and vulnerabilities to personnel without much direct cybersecurity knowledge. This year there are four themes for the four weeks of the month: Cybersecurity at home, careers in cybersecurity, workplace cybersecurity, and critical infrastructure cybersecurity.   More specifically, week 4, Oct. 22–26 will be about safeguarding the Nation’s Critical Infrastructure. When most read this they correctly assume this means energy, financial, and emergency systems or maybe centralized communications and transportation. Those are all considered critical infrastructure, and afforded enhanced protection resources through that designation. One item that many ma...
Read more

Finally Here!

Hello all, welcome to my blog covering the final course in the Bellevue Cybersecurity Master's program. This has been quite a journey, starting back in the Winter of 2014. I am fully aware that four years is kind of excessive to complete 12 classes, but I went through at a pace that allowed me to enjoy life and accomplish other goals at the same time. My original goal was to complete my MS degree before retiring from the Air Force. Well, I hit that retirement button yesterday, requesting a retirement date of next year. So pending the results of this course (and the concurrent Risk Management course), mission accomplished! A bit about me. I am 37 years old and currently residing in Anchorage, AK. I married my high school sweetheart 18 years ago, and we have three wonderful children. We love Alaska, and all of the amazing things that you can only do here. I have about a year left to enjoy it, before we retire and transition to civilian life in Colorado, my hometown. I love fishing,...
Read more