cyber security /computer science
Project: Information Systems Security
Purpose
This project provides you an opportunity to analyze risks, threats, and vulnerabilities and apply
countermeasures in the information systems environment.
Required Source Information and Tools
Web References: Links to Web references are subject to change without prior notice.
To complete the project, you will need the following:
1. Access to the Internet to perform research for the project
o Microsoft Windows How-To, including:
Optimize Windows for Better Performance: http://windows.microsoft.com/enus/windows/optimize-windows-better-performance
– optimize-windows-betterperformance=windows-7
Monitor Attempts to Access and Change Settings On Your Computer / To Turn
On Auditing: http://windows.microsoft.com/en-us/windows7/monitor-attemptsto-access-and-change-settings-on-your-computer
What Information Appears in Event Logs? http://windows.microsoft.com/enus/windows/what-information-event-logs-event-viewer
– 1TC=windows-7
2. Course textbook
Learning Objectives and Outcomes
You will:
Explain how to assess risks, threats, and vulnerabilities
Evaluate potential outcomes of a malware attack and exposure of confidential information
Evaluate information systems security countermeasures
Explain how system hardening relates to a company’s IT security policy framework
Analyze the purposes of system hardening
Analyze security events
Evaluate information systems security activities in terms of business contributions
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 1
Project: Information Systems Security
Introduction
Contemporary organizations collect, store, and transmit a tremendous amount of highly sensitive data.
Despite the many benefits that information technology offers, these systems are not completely secure.
Proper controls must be put in place to mitigate security risks and protect vital business information.
Deliverables
The project is divided into three parts. Details for each deliverable can be found in this document. Refer to
the course Syllabus for submission dates.
Project Part 1: Risks, Threats, and Vulnerabilities
Project Part 2: System Hardening
Project Part 3: Monitoring and Reporting
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 2
Project: Information Systems Security
Project Part 1: Risks, Threats, and Vulnerabilities
Scenario
Fullsoft, Inc. is a software development company based in New York City. Fullsoft’s software product
development code is kept confidential in an effort to safeguard the company’s competitive advantage in
the marketplace. Fullsoft recently experienced a malware attack; as a result, proprietary information
seems to have been leaked. The company is now in the process of recovering from this breach.
You are a security professional who reports into Fullsoft’s infrastructure operations team. The Chief
Technology Officer asks you and your colleagues to participate in a team meeting to discuss the incident
and its potential impact on the company.
Tasks
Prepare for the meeting by deliberating on the following questions:
How would you assess the risks, threats, and/or vulnerabilities that may have allowed this
incident to occur, or could allow a similar incident to occur in the future?
What insights about risks, threats, and/or vulnerabilities can you glean from reports of similar
incidents that have occurred in other organizations?
What potential outcomes should the company anticipate as a result of the malware attack and
possible exposure of intellectual property?
Which countermeasures would you recommend the company implement to detect current
vulnerabilities, respond to the effects of this and other successful attacks, and prevent future
incidents?
Write an outline of key points (related the questions above) that the team should discuss at the meeting.
As a reminder, you may use the book for this course and the Internet to conduct research. You are
encouraged to respond creatively, but you must cite credible sources to support your work.
Project Part 1 should be submitted in the following format and style:
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Follow your school’s preferred style guide
Length: 1–2 pages
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 3
Project: Information Systems Security
Self-Assessment Checklist
I have created an outline that describes key points the team should discuss at the meeting. My
outline explains how to assess potential risks, threats, and/or vulnerabilities; describes potential
outcomes of a malware attack and exposure of confidential information; and recommends
countermeasures the company should implement.
I have conducted adequate independent research for this part of the project.
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 4
Project: Information Systems Security
Part 2: System Hardening
Scenario
After the productive team meeting, Fullsoft’s CTO engages in further analysis and establishes a plan to
mitigate risks, threats, and vulnerabilities. As part of the mitigation plan, you and your team members will
configure baseline security on all workstations. You will ensure that the antivirus software is running
properly, remove unnecessary software and services, and implement a control related to password
hacking attempts. You have been asked to train a new employee by demonstrating how to implement
system hardening on a local workstation.
Tasks
Ensure that you are logged in as an administrator. Using a computer that has Windows 7* installed:
Review the antivirus program and ensure it is up to date and running a full scan of the system.
Disable at least five unnecessary services from the default installation of Windows 7.
Configure audit logging to identify all failed password attempts into the system.
* If possible, complete these tasks using a personal computer with the default installation of Windows
7. If you do not own the necessary hardware and software, consult with your Instructor about
alternatives. After your work on this project is complete, you may need to return the settings to the
previous configuration.
Then, for the employee you are training, write a summary of what you did and explain why system
hardening is important. Include the following:
Summary
Explain how you ensured the antivirus program is updated and running a full scan of the system;
describe anything significant you observed.
Explain how you removed unnecessary services from the default installation of Windows 7, noting
the five (or more) services by name and function.
Explain how you configured audit logging to record all failed password attempts into the system.
Rationale
Share an example of an IT security policy, standard, procedure, and guideline that relates to the
system-hardening steps you have implemented.
Explain the purposes of system hardening in terms of the company’s overarching goal of
maintaining information systems security.
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 5
Project: Information Systems Security
As a reminder, you may use the book for this course and the Internet to conduct research. You are
encouraged to respond creatively, but you must cite credible sources to support your work.
Project Part 2 should be submitted in the following format and style:
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Follow your school’s preferred style guide
Length: 1–2 pages
Self-Assessment Checklist
I have summarized the system-hardening steps I implemented on a computer using Windows 7,
including:
o How I ensured the antivirus software is running properly
o How I removed at least five unnecessary services, noting the services by name and
function
o How I configured audit logging of all failed password attempts
I have provided an example to illustrate how system hardening relates to a company’s IT security
policy framework, and explained the purposes of system hardening in terms of the company’s
overarching goal of maintaining information systems security.
I have conducted adequate independent research for this part of the project.
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 6
Project: Information Systems Security
Project Part 3: Monitoring and Reporting
Scenario
Fullsoft’s CTO asks you to continue training the new employee, and highlight the importance of
continuously monitoring, testing, and improving countermeasures. You inform your new teammate that
even within the first 24 hours of configuring baseline security, you may sometimes receive alerts that
malware has been quarantined within an antivirus program, discover that a disabled service has been
turned on (likely via malware), or notice a failed attempt to log in captured by the audit log. To illustrate
this point, you decide to check and report on the security of the workstation for which you and your new
teammate configured baseline security.
In addition, the CTO requests that you write a brief statement explaining how your work on this project
relates to the larger responsibility you have for supporting the company’s success. Your statement will be
considered a part of your upcoming performance review.
Tasks
Check the Windows 7 workstation you configured (in Project Part 2) for security events. Be sure to review
the last 24 hours of the audit log in Event Viewer.
Write a brief report in which you:
Describe all the potentially problematic security events that occurred in the 24-hour period.
Explain what was done (or should be done) to correct the problems encountered.
Also write a brief statement explaining how your work on this project relates to your responsibility to help
the company achieve its goals. Describe at least additional area of concern or emerging trend related to
information systems security that you think warrants the company’s attention in the immediate future.
As a reminder, you may use the book for this course and the Internet to conduct research. You are
encouraged to respond creatively, but you must cite credible sources to support your work.
Project Part 3 should be submitted in the following format and style:
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Chicago Manual of Style
Length: 1–2 pages
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 7
Project: Information Systems Security
Self-Assessment Checklist
I have created a report that shows all potentially problematic security events that occurred within
a 24-hour period, and noted actions that were taken (or should be taken) to address them.
I have explained how my work on this project relates to my professional responsibility to help the
company achieve its goals, and I have proposed at least one area of concern or emerging trend
related to information systems security that warrants additional attention.
I have conducted adequate independent research for this part of the project.
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 8
