SEC360 Data Privacy Security



A+ Entire Course: You Decide Paper Week 2, 6 | Physical Security Simulation Report Week 5 | Quiz Week 1, 3, 5, 7 | Discussions Week 1-7

Sunshine Machine Works You Decide Paper Week 2 


Scenario, Your Role, Key Players

Sunshine Machine Works has expanded its infrastructure. When they started there were just three computers and ten employees. Now there are over 100 employees, and their network will have fifty computer terminals with two servers. During the expansion there has been a lot of discussion about the need for a written computer use policy.

You are the IT Services manager for Sunshine Machine Works. This company has seen rapid growth. Management is looking to you to provide a critical input for an Information Systems Use Security Policy. Although they have a format they can use for the policy, they are looking to you to provide some guidance on areas they will need to address when creating this policy.

When we first started this company there were only a few computers that we used to share our files. Now, with the growth of our company we have a situation where we need to centralize our file storage. I am concerned that if we are not careful, some proprietary information could be compromised. We need a good information systems use policy in place. Keep in mind that I am also looking at expanding our business into some oil field work and the standards we will be required to comply with dictate that we have a written policy in place.

There are a lot of spreadsheets which have our account information on them. There is restricted access so that the only ones to access those files are the CEO, the General Manager, and me. No other employees have access to most of them. When they need access to financial data, I am contacted and provide them with the feedback they request. I hope that we are able to keep this system running efficiently and any policy helps enhance the safeguarding of our financial data.

I look at the way we need to do business now, which entails a lot of online collaboration with our vendors, customers, and activities related to our potential sales outreach. I need to have our staff utilize our computing resources with maximum efficiency; however, I want to balance this with the realization our staff may need to check their personal email accounts, bank information, etc. As our file server has arrived and all file storage has been centralized, we need to look at how we secure our network while keeping productivity up.

Write a paper consisting of 500-1,000 words (double spaced) about your experience in the Week 1 You Decide exercise. Briefly explain some of the issues that a company may face as it experiences growth, and begin to address the proper use of their information systems.

Students should see Appendix C of the textbook for examples of policies that address the issues that companies may face.

Since you are responsible for IT Services and want to keep the systems and network functioning effectively, you will want to identify activities which would be permitted and which activities would be prohibited. Management will take your policy suggestions, finalize the policy and it will be provided to the employees.

Follow the instructions provided in the You Decide Exercise: Information Systems Use Security Policy.


Over the years I learned through experience that a good security policy needs to adapt, and it must be reviewed and revised as the business adapts. As the company continues to expand and many more users are added to the network environment, I advise keeping in mind that the policies…


Physical Security Simulation Report Week 5 


Compose a report on the experience of performing the Physical Security survey. Students will write a report consisting of 250-500 words (double-spaced) on experiences in the Physical Security Simulation.


The first stop in the walkthrough was the security guard shack to the Vehicle Yard. There was a sign that stated that badges must be at the ready. This showed that the company had security badges for its employees. I would recommend…


Sunshine Machine Works You Decide Paper Week 6 


Sunshine Machine Works, which recently expanded its infrastructure, now needs to ensure that any authorized employee can access the intranet. Salespeople and management staff frequently travel to remote locations and often require access to documents stored on the intranet file server.

You are the IT Services manager for Sunshine Machine Works. You are to assess the information presented and provide a response to management on how remote access may be handled for Sunshine Machine Works.

Wilma Stone – Chief Executive Officer

It’s great that we have expanded and are able to reach out to customers all over the country. With the way things are going, I see real potential for continued success as long as our field assets have the ability to access information here on our local network. I don’t have any problem with any of our people getting access to the resources they need. I just don’t want anything compromised, because I don’t want to lose any proprietary information or have any of our customers’ data leaked.

Margie Nelson – Chief Financial Officer

I am pretty paranoid when it comes to this remote access stuff. I keep hearing about people getting their networks broken into, and the next thing you know their bank accounts have been drained! However, it is apparent that this is an option whose time has come. I hope we are able to keep our data safe.

Gary Thomas – General Manager

We have workers who travel to remote locations and need to access information here on the intranet. I would rather have our people accessing information over a secure connection than sending them out to who knows where with a laptop or thumb drive full of our company information. Let’s see if we can solve the problem of remote access and maintain company proprietary information.



There are two possible options for providing the company employees with secure remote access to the company’s network. One is through the use of a VPN (Virtual Private Network), and the other is through cloud computing. A VPN is a private network that uses…


Quiz Week 1, 3, 5, 7 


Quiz Week 1 


(TCO 1) Defense-in-depth is a _____.

Security requirement

Security model

Security strategy

Security policy

Security control

(TCO 1) What are the common effects of controls?

Prevention, detection, and response

Administration, technology, and physical

Detection, accounting, and access control

Identification, audit, and access control

Confidentiality, integrity, and availability

(TCO 1) An organization’s security posture is defined and documented in _____ that must exist before any computers are installed.




Tolerance for risk

All of the above

(TCO 1) The unique security issues and considerations of every system make it crucial to understand all of the following, except _____.

Security standards

Security skills of developers

Hardware and software security configurations

Data sensitivity

The business of the organization

(TCO 2) Which of the following domains is not part of the IISSCC CBK?


Project Management



Operations Security

(TCO 2) A security event that causes damage is called _____.

A compromise

A violation

An incident

A mishap

A transgression

(TCO 2) What is the enemy of security?


Foreign nations




(TCO 2) The Cryptography domain includes all of the following topics, except _____.

Block and stream ciphers

Symmetric key algorithms

The OSI model

Public Key Infrastructure

(TCO 1) Policies and procedures are often referred to as _____.


A necessary evil



(TCO 2) The Application Development Security domain focuses on _____.

Sound and secure application development techniques

Who may access a system

Single sign-on technologies and their risks

Specific attacks and countermeasures


Quiz Week 3 


(TCO 3) According to your text, what are the four types of corporate policies?

Physical, personnel, technical, and administrative

Programme-level, programme-framework, issue specific, and system specific

Corporate, system, technology, and device

Technical, operational, procedural, and management

Laws, orders, directives, and regulations

(TCO 3) A user cannot access a file/folder to perform his/her required work activities. Who should the user contact?

Security testers

Security administrators

Access coordinators

Network engineers

Chief information security officers

(TCO 3) _____ authorize access to information.

Security administrators

Information owners

Access coordinators

Network engineers


(TCO 3) What does SDLC stand for?

Software development license cycle

Software development life cycle

System development life cycle

System definition life cycle

None of the above

(TCO 4) Various countries have different views of individual privacy. The European Union (EU) has very different privacy laws than the United States has. To allow U.S. companies better ease of operation in the European Union, the Department of Commerce negotiated the _____ with the EU.

Privacy treaty

Memorandum of Agreement regarding privacy

Privacy Reciprocity Act of 1993

International safe harbor principles

Privacy Act of 1983

(TCO 4) Which of the following statements is NOT true?

Patent law can be used to protect systems and processes

Trademark law can be used to protect a company idea

Copyright law can be used to protect source code and user interfaces

Trade secret law can be used to protect processes and source code.

Trademarks can be used to protect domain names

(TCO 5) A reference monitor should have all of the following except which attribute?

Complete in that it mediates all access between subjects and objects

Changeable by other system entities

Simple enough to be completely verified

Highly tamper resistant

Impossible to bypass

(TCO 5) Why are the Bell-LaPadula and Biba models called dual?

They are both confidentiality models

They use exactly the same rules

They are both state transition models

They are the same model with reversed rules

They are both no read up, no write down models

(TCO 4) The _____ program has created the need for companies that create protective equipment to help prevent spies from detecting stray computer signals.

Information warfare

Qualitative risk analysis

Information assurance


None of the above

(TCO 5) What does a product or system have enforced over it by one or more components of the trusted computing base (TCB)?

Tools and methodologies

Unified security policy

Kernel monitoring

Driver signing

Quiz Week 5 


(TCO 6) Which of the following is a consideration in site selection?



Both of the above

Neither of the above

(TCO 6) Which of the following are categories of intrusion detection devices?

Door sensors

Biometric detectors

Perimeter detectors

Security detectors

All of the above

(TCO 6) All effective security programmes require, among other things, _____.

A good management team

A physical security plan

A sign-in roster

A backup at an off-site location

Security guards

(TCO 7) Security operations generally does not provide controls for _____.

Personnel security

Resource protection

Backup and recovery of locally stored workstation data

Privileged entity controls

Virus scanning

(TCO 7) OPSEC is a(n) _____ discipline.

Information security


Law enforcement



(TCO 8) Disaster recovery planning includes all of the following except _____.

IT systems and applications

Application data

Data entry users


Communication lines

(TCO 8) A business impact analysis identifies _____.

Risks to the business

Quantifies risks

Risks to the business if critical services are discontinued

Priorities of restoring critical services

All of the above

(TCO 9) What is the U.S. government classification label that means that unauthorized disclosure may seriously damage national security?






(TCO 9) For purposes of access controls, identification and authentication applies to _____.





All of the above

(TCO 9) When a transaction requires only a _____, there is not any actual proof that a particular person conducted that transaction.

Written signature

Digital signature


Driver’s license

Fingerprint scan


Quiz Week 7 


(TCO 10) A digital signature provides verification of _____ and _____.

Sender reliability, message integrity

Message authenticity, message integrity

Message integrity, sender authenticity

Message authenticity, sender integrity

Message reliability, message integrity

(TCO 10) Computers are _____, and at some point a random number generator becomes _____.

Periodic, deterministic

Deterministic, periodic

Pseudorandom, deterministic

Deterministic, pseudorandom

Random, deterministic

(TCO 11) A packet filter that keeps track of the state of a connection is called a _____.

stateful inspection firewall

stateful inspection filter

stateful inspection router

stateful inspection bridge

stateful inspection gateway

(TCO 11) A Layer 2 firewall is also called a(n) _____.

Packet-filtering router

Bastion host

Packet-filtering bridge

Application-level gateway

Circuit-level gateway

(TCO 12) Modern intrusion detection systems act as sensors for hosts and network devices and work in a centrally controlled distributed fashion using _____.


Remote procedure calls

Agent technology

Common interfaces

Access to local audit records

(TCO 12) A decoy used to lure intruders into staying around is called a(n) _____.





Mug of ale

(TCO 12) What are the two major classifications of potential intruders into a network?

Foreign and domestic

Outside and inside

Domestic and international

Anonymous and contracted

None of the above

(TCO 13) Which form of malware is independent of the operating system and replicating?

Trap door




Logic bomb

(TCO 13) In which system life cycle phase should security policy be established?

Test and evaluation

Operations and maintenance

Requirements definition



(TCO 13) Which form of malware contains hidden and malicious functions disguised as a utility program that performs useful work?

Trap door



Trojan horse

Logic bomb


Discussions Week 1-7 All Students Posts 253 Pages 


Week 1 All Students Posts 47 Pages 


Security Policy – 21 Pages


Policy is central to affecting security in organizations. Using the security policy for your workplace (or other organization with which you are familiar), what are some key features that allow personnel to control security? Are there any deficiencies? What can be added that would improve security? How do you come up with a set of policies for a particular business?  How do you enforce?  How would you handle non-compliance?  Should you have a policy about Jump Drive if there was ONE incident about Jump Drive in the last 10 years?

The best way to come up with a set of policies for a particular business is to really analyze that business and see what most of its day-to-day tasks will consist of. We also want to ensure that we keep everything protected, from physical access to computers to personal data. You can really come up with a set of basic policies for any business; however, certain business models may require more attention in the IT policies field, such as a tech company, which might have different policies than an accounting company. It really just depends on the type of business and the type of information that is being shared within that business…

Security CBK – 26 Pages


The security Common Body of Knowledge (CBK) describes what security professionals collectively know about the discipline. What knowledge domains are included in the CBK? What do you think will be added to the CBK in the future? What is the logic behind the concept? How do we accommodate IoT?

The reason security is defined in terms of DOMAINS is that the term itself is broad. When I think of security, many ideas go through my head. I think of risk management, protecting networks, passwords, and more. The list can go on and on. Therefore the kinds of security need to be categorized in a manner that allows focus. For instance, we have a domain called “Security Assessment and Testing”. Here policies and methods are evaluated to have their effectiveness tested, to see if they actually deter/reduce threats. Another domain can regard adherence to current laws, regulations, and…

Week 2 All Students Posts 39 Pages 


Compliance Legislation – 21 Pages 


How can we utilize the four types of security policies to develop a HIPAA security program for organizations? What kinds of information does HIPAA protect? What kinds of organizations does HIPAA cover? What are the differences between HIPAA and HITECH?

HITECH enhanced the enforcement of HIPAA and extended provisions of HIPAA to business associates. HITECH had extended the Privacy and Security Rules of HIPAA to business associates: agents of carriers. It also imposed new requirements regarding breaches – covered entities are now obligated to report large data breaches to the government and the affected individuals…

Intellectual Property (IP) – 18 Pages 


Your organization has asked you to assist in the discussion about how to best protect its intellectual property (IP). The engineers in your organization have developed new database and ordering software to support a faster process for fulfilling customer orders. Which of the various forms of IP protection will you recommend for safeguarding the engineers’ work? Should it be protected at all? What does the organization risk by getting IP protection? Is Grandma’s recipe a trade secret? So if somebody steals the recipe, what are the remedies? How do you make something a trademark? Would a sorting program be protectable by law?

It may depend on what perspective you take, but basing it on the definition we are provided in the text book: “Usually denotes a patent in process or an unofficial and legally unprotected idea.” Using that definition, I would say the Grandma’s recipe can be considered a trade secret. It is an unofficial and legally unprotected idea. If I were to discover her secret, there is no legal action she could take against me. It is simply something she retains in order to have an “advantage.”…

Week 3 All Students Posts 38 Pages


Snack Cake Security – 18 Pages 


Your company has a special recipe for snack cakes. This snack cake is a key product in your company’s lineup, and it is responsible for a large majority of shareholder value. Using a security model described in the text, describe an approach that will allow this important recipe to be kept secure.

Think of what is most important and review your security models. How would you use them then? For example, KFC has to give the recipe to the stores? Maybe everything comes premixed? How would you control access to the recipe?

From my security model I would definitely implement a system that requires the creator of this recipe to log in every time it needs to be accessed. I would then create an asymmetric encryption key that only allows that specific user to log in and access it. The person who has access to the recipe must then get all the ingredients together and measured out so that someone else can continue the process of baking the cakes and sending them out for production. That way, if the recipe were to ever get out, there would only be one person responsible for that and then further action will be taken whether it be disciplinary or legal…

Security and the OSI Model – 20 Pages 


Security can have a cumulative effect. Consider the OSI model as a key component of the Common Body of Knowledge. What is the OSI model about, and how can we use it when we are selecting security controls? Explain the function of the 7 layers.

How about Confidentiality- where does it fit?  How about Integrity? Where do we implement?  Can you implement filtering at layer 2 (Data Link Layer)?

PHYSICAL LAYER – Physical medium attachment, accommodating various possibilities in the medium
DATA LINK LAYER – provides error-free transfer of data frames from one node to another over the physical layer
NETWORK LAYER – controls the operation of the subnet, deciding which physical path the data should take based on network conditions, priority of service, and other factors
TRANSPORT LAYER – ensures that messages are delivered error-free, in sequence, and with no losses or duplications
SESSION LAYER – The session layer allows session establishment between processes running on different stations
PRESENTATION LAYER – formats the data to be presented to the application layer
APPLICATION LAYER – serves as the window for users and application processes to access network services…

Week 4 All Students Posts 33 Pages 


Amusement Security – 17 Pages 


Your company is in the business of entertainment; they run an amusement park. There are thousands of people all over the park every day. It is very important to control who has access to what, and not just for visitors, but for employees as well. Define groups of people, and indicate how you would control physical access for them. How would you handle a shooter in the crowd? How would you handle an evacuation? How about scarves, baseball hats, and so on that can prevent identification of bad folks?

An amusement park can have a lot of facilities that need to be secured from the general public, from maintenance sheds to employee break rooms. These facilities will need to be clearly marked “Employees Only,” and, if possible, have a fence built around them. Furthermore, some locations should not be available to all employees. Take the example of the maintenance sheds. Only employees that are involved with the maintenance and upkeep of the rides should have access and/or keys to these facilities…

Security Operations Changes – 16 Pages 


Describe how to insert changes in the operational security of the organization. How do you manage those who do not want to accept the changes?

When we make changes at our work we always make sure to send out a notification at least 5 business days prior to actually implementing the change. We make sure to include which specific users and systems will be impacted, along with a training document on how to get started with the new changes. We always welcome our users to contact the support desk for any help or questions they may have regarding the changes as well. We very rarely get complaints about new security changes, and when we do get them we always remind the user that it’s better to be extra secure than to have all of our data stolen, corrupted, or exposed to any other type of malicious attack. I feel that this is probably the best way to go about change…


Week 5 All Students Posts 32 Pages 


Backup and Recovery Planning – 17 Pages 


Why are backups so often overlooked in an organization? How do we sell the benefits of spending money on backup solutions to business managers and executives? Now that systems are redundant, do we still need backup and recovery plans?…

Backups and recovery are still very important, even in this age of redundancy, in case the primary version is lost or corrupted or there is a system failure. So if any of these things were to happen you would have to restore the data and the full working environment, but none of this…
For a company it is essential to have some kind of backups, especially of their sensitive material. Backups are important because when a natural disaster or any other event happens not…

Access Control Lists – 15 Pages 


Access control lists are very valuable for administering granular control over an organization’s resources. So why do a lot of organizations opt not to use them, relying instead on more general superuser or administrator accounts? Is it a challenge to remove administrator rights from users? What strategy should be used? Do you think common users need admin rights? How would you handle software installation at the local level?

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object’s DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL…
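As an added example (not code from the post above, and not Windows or Microsoft code), the following Python simulation implements the DACL evaluation rules the post describes: an object with no DACL grants every request, an object with an empty DACL denies every request, and otherwise the ACEs are evaluated in order until every requested right has been allowed or a still-requested right is explicitly denied. The right-mask constants, the trustee names and the demo() DACLs are hypothetical; the non-canonical DACL case shows why ACE order matters when a deny ACE sits behind an allow ACE.

```python
"""Simulated Windows-style DACL access check (added example, not Windows or Microsoft code).

Models the rules described in the post:
  * object has no DACL (None)      -> every request is granted
  * object has an empty DACL ([])  -> every request is denied
  * otherwise ACEs are evaluated in order until all requested rights have been
    allowed, or any still-requested right is explicitly denied
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical right masks for the demo; not the real Windows ACCESS_MASK values.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL_RIGHTS = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class ACE:
    allow: bool    # True: access-allowed ACE, False: access-denied ACE
    trustee: str   # user or group the ACE names (stands in for a SID)
    mask: int      # rights this ACE allows or denies


def access_check(dacl: Optional[List[ACE]], token: Set[str], requested: int) -> bool:
    """Return True if a token holding the given user/group identities gets `requested`."""
    if dacl is None:
        return True            # no DACL at all: unrestricted access
    if not dacl:
        return False           # DACL present but empty: no rights granted to anyone
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue           # ACE does not apply to this token
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True    # every requested right has now been allowed
        elif ace.mask & remaining:
            return False       # a still-requested right is explicitly denied
    return False               # ran out of ACEs with rights still unmet


def demo() -> dict:
    """Hypothetical token and DACLs showing why ACE order matters."""
    token = {"alice", "Users"}
    # Canonical order: explicit deny ACEs precede allow ACEs.
    canonical = [ACE(False, "alice", WRITE), ACE(True, "Users", READ | WRITE)]
    # Same ACEs in non-canonical order: the allow ACE satisfies the request
    # before the deny ACE is ever examined, so alice can write anyway.
    non_canonical = [ACE(True, "Users", READ | WRITE), ACE(False, "alice", WRITE)]
    return {
        "no_dacl_all": access_check(None, token, ALL_RIGHTS),
        "empty_dacl_read": access_check([], token, READ),
        "canonical_read": access_check(canonical, token, READ),
        "canonical_write": access_check(canonical, token, WRITE),
        "non_canonical_write": access_check(non_canonical, token, WRITE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:22s} -> {'granted' if granted else 'denied'}")
```

The practical lesson for the discussion question is the last case: an ACL is only as good as its ordering and its coverage, which is one reason administrators who find ACLs fiddly fall back on blanket administrator rights.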

Week 6 All Students Posts 33 Pages 


Cryptography – 16 Pages 


Which algorithm is more secure: AES256 or AES128? Why? How about steganography?

This seems to be a relatively controversial topic. In some external research, I found many different opinions. Technically speaking, AES256 should be more secure because it has 2^256 combinations, compared to AES128’s 2^128 combinations; however, AES256 also performs significantly slower than AES128 and has less sophisticated key-scheduling technology.

Ultimately, I would say that AES128 is more secure. It is easy to assume that 256-bit would be more secure, because it makes sense based on the fact that there are more encryption combinations; however, the value that the extra combinations add, compared to the other ways that 128-bit outperforms 256-bit, isn’t worth the trade-offs…

The Enterprise Firewall is Dead – 17 Pages 


A popular computer network publication stated at one time that the enterprise firewall was dead. It boldly stated that the exterior firewalls of the organization should be torn down and replaced with host-based firewalls instead. Is this insane, or is it the best new practice in security management? Explain your answer. What types of firewalls do we need today? Which type will provide you better protection? Are traditional firewalls still efficient today? Are these efficient? How do they handle encrypted packets?

Each type of firewall has advantages and disadvantages, ranging from ease of implementation to high initial cost. Companies should use the firewall as part of an overall information security program that includes data integrity, application integrity and data confidentiality and authentication. Four examples of basic firewall types that can be implemented, especially for a business network are:

-Circuit-Level Gateway
-Application-Level Gateway
-Stateful Multilayer Gateways…

Week 7 All Students Posts 31 Pages


Intrusion Detection – 16 Pages 


Your organization’s business manager has read an article about how intrusion detection systems can help deter hackers. He or she wants to spearhead a campaign to deploy them around the company’s locations in three states. Since an IDS can help deter hackers, does this make it a worthwhile project, or is there some reason to be wary? Specific to this example, how do you respond to ad hoc security requests like this? In general, how can you keep requests like this in check? Are IDS systems enough to deter hackers?

No, an IDS would not be enough to deter hackers and is not enough to secure a network. IDSs themselves are not “bullet-proof.” One such weakness is known as the “base rate fallacy.”

Here is how our lesson this week describes the base rate fallacy:

“The base rate fallacy: There is a problem with intrusion detection systems that is shared with other probability-based systems. This problem is called the base rate fallacy and is dependent on the way that conditional probability works.

Let us say that the accuracy of an intrusion detector is 99%. That is, when tested in an environment where all events are intrusions, the intrusion detector detects 99% of those events as intrusions. Also, when the same intrusion detector is tested in an environment where no events are intrusions, the system identifies 99% of the events as nonintrusions.

Let us say that, somehow, we know that actual intrusions will comprise 1% of all of the events that the intrusion detector will look at. How we have come to know that 1% of the events are intrusions is not important, but we may have derived that figure by looking at a lot of historical audit trail records.

The question we want to address is: If the intrusion detector indicates that an intrusion has occurred, what is the probability that the intrusion actually did not occur? An event that is detected as an intrusion but is not actually an intrusion is called a false positive.”…
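The lesson text quoted in the post stops at the question. As an added example that is not part of the post or of the course material, the Python below carries the conditional-probability calculation through with the lesson's figures (99% detection rate, 99% correct non-intrusion rate, 1% of events being intrusions) and then for lower base rates, and converts the result into a daily alert count an analyst would actually see. The event volume of one million events per day is a constructed figure for illustration.

```python
"""Base rate fallacy for an intrusion detector (added example, not course code).

Bayes' rule: P(benign | alarm) = P(alarm | benign) * P(benign) / P(alarm),
where P(alarm) = P(alarm | intrusion) * P(intrusion) + P(alarm | benign) * P(benign).
"""


def false_alarm_probability(sensitivity: float, specificity: float, base_rate: float) -> float:
    """Probability that a raised alarm is a false positive.

    sensitivity: P(alarm | intrusion), the lesson's 99% detection rate
    specificity: P(no alarm | benign), the lesson's 99% correct non-intrusion rate
    base_rate:   P(intrusion), the fraction of all audited events that are intrusions
    """
    p_alarm_given_benign = 1.0 - specificity
    p_alarm = base_rate * sensitivity + (1.0 - base_rate) * p_alarm_given_benign
    if p_alarm == 0.0:
        return 0.0  # detector never alarms, so no alarm can be wrong
    return (1.0 - base_rate) * p_alarm_given_benign / p_alarm


def expected_alerts(events: int, sensitivity: float, specificity: float, base_rate: float):
    """Split a day's alerts into (true positives, false positives) for the analyst queue."""
    intrusions = events * base_rate
    true_positives = intrusions * sensitivity
    false_positives = (events - intrusions) * (1.0 - specificity)
    return true_positives, false_positives


if __name__ == "__main__":
    # Constructed event volume: 1,000,000 audited events per day (not from the lesson).
    for base_rate in (0.01, 0.001, 0.0001):
        p_fp = false_alarm_probability(0.99, 0.99, base_rate)
        tp_count, fp_count = expected_alerts(1_000_000, 0.99, 0.99, base_rate)
        print(f"base rate {base_rate:>8.4%}: P(alarm is false) = {p_fp:.3f}, "
              f"true alerts/day = {tp_count:,.0f}, false alerts/day = {fp_count:,.0f}")
```

With the lesson's numbers, half of all alarms are false even though the detector is "99% accurate"; at a base rate of one intrusion in ten thousand events, over 99% of alarms are false, which is why specificity, not detection rate, dominates the operational cost of an IDS.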

Secure as a Car – 15 Pages 


Engineering software is like engineering a car; if one were so inclined, there could be a completely bug- and security-free application. Do you agree with this? Why or why not?

A “security-free application” is a very lofty goal. It sounds good and it is definitely a goal to shoot for. However, any good security professional knows that there are weak links in any wall or application. Cars perform a task; they do have functionality that limits the dangers of driving a…

The complexity of software means it would take incredible planning and foresight to ensure no bugs would arise and there would be no security risks. There is also the fact that users have the potential to take what is supposed to be a normal function of software and use it in either an unprecedented or malicious way…

Final Exam Not Included
