I. Fundamental Security Design Principles Mapping: Fill in the table in the Module Two Case Study Template by completing the following steps for each control recommendation:
A. Specify which Fundamental Security Design Principle best applies by marking all appropriate cells with an X.
B. Indicate which security objective (confidentiality, availability, or integrity) best reflects your selected control recommendation.
C. Explain your choices in one to two sentences, providing a selection-specific justification to support your decision.

II. Short Response Questions:
A. How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.
B. How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.

| Control Recommendations | Least Privilege | Layering (Defense in Depth) | Fail-Safe Defaults / Fail Secure | Modularity | Usability | Security Objective Alignment (CIA) | Explain your Choices (1-2 sentences) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Automatically lock workstation sessions after a standard period of inactivity. (Completed as an example) | | X | | | | C | I chose layering because it adds another layer of protection for the confidentiality of our data. |
| If possible, close and lock your office door when leaving your computer. | | | | | | | |
| Use technology to make sure that only authorized software executes, and unauthorized software is blocked from executing on assets. | | | | | | | |
| Use automated tools to inventory all administrative accounts to ensure that only authorized individuals have elevated privileges. | | | | | | | |
| Use system configuration management tools to automatically reapply configuration settings to systems at regularly scheduled intervals. | | | | | | | |
| Maintain an inventory of all sensitive information stored or transmitted by the organization’s technology systems, including those located on site or at a remote location. | | | | | | | |
| Use approved whole-disk encryption software to encrypt the hard drive of all mobile devices. | | | | | | | |
| If USB storage devices are required, software should be used that can configure systems to allow the use of specific devices. | | | | | | | |
| Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | | | | | | | |
| If USB storage devices are required, all data stored on such devices must be encrypted. | | | | | | | |
| Protect all information stored on systems through the use of access control lists. These access control lists enforce the principle that only authorized individuals should have access to the information based on approved business need. | | | | | | | |
| Require multifactor authentication for all user accounts, on all systems, whether managed on site or by a third-party provider. | | | | | | | |

After you have completed the table above, respond to the following short questions:
How might you work with someone like Dr. Beard to cultivate a security mind-set that is more in line with the organization’s ethical norms? Hint: Consider his attitude, his past behaviors, and his opinion about organizational policies.
How would you help the hospital better secure its patient files? Make sure to incorporate at least one data state (data-at-rest, data-in-use, or data-in-motion) and one of the control recommendations from your completed table in your response.