Security Risks
Our initial protection measures were based on reports of cyber-attacks on European banks that stole customers’ credit card information. To combat the theft of our citizens’ financial data, we must increase the security of both data in transit and data stored in databases. Stronger encryption reduces the damage from data stolen during transmission. The second area of concern was the economic downturn caused by rising interest rates and reduced spending by small companies on cyber-security measures. Missteps in providing adequate cyber security may lead to the disclosure of customer data. It is our responsibility as the Federal Government to protect the nation’s best interests. Supporting the infrastructure of our economy relies on protecting commerce and the privacy of our citizens.
Economic Downturn
Issues associated with the economic downturn can be lessened by measures that reduce downtime, increase support for small-business cyber-security, and offer training for personnel wishing to enter the cyber-security field. To encourage businesses to maintain a minimum level of security, we can offer a tax reduction for products that aid cyber-security and impose penalties for compliance failures. A Business Continuity Plan (BCP) provides guidance on the actions a company should take when an event affects its ability to continue operations.
To enact a BCP, the company should outline the roles that identify which personnel lead specific efforts. This includes a hiring policy focused on finding experienced candidates to fill the leadership roles defined in the BCP. Another tactic to minimize economic impacts is increasing network uptime. This requires redundancy measures for network loads such as load balancing, DNS failover, and secondary operations sites; external collaboration can often help identify these sites. Cloud computing allows information to be stored off-site and remain accessible to the customer under the license agreement. Cloud storage also provides backups to recover data that may be corrupted, encrypted by an attack, or otherwise unavailable at the normal company site.
Criminal Hacking
The hacking of computer systems has been a commonplace topic for at least the last decade. Each new attack has experts looking more closely at the measures security personnel must adopt to protect networks in the future. There is no one-size-fits-all plan for cyber hacking: the technology keeps growing, and new vulnerabilities are discovered rapidly. There are, however, measures companies can take to reduce the likelihood of loss when these attacks inevitably find their way onto the network.
Policy is one key method for identifying the staples of security a company can follow to establish baseline measures. Things to consider are antivirus, authorized software, and the information that can be shared. As the Federal Government, we are limited in what policies we can enforce on private companies’ systems. We can encourage support, provide training, and supply metrics that show the value of the policies we suggest. Outdated antivirus provides less protection than updated packages; remaining current gives hackers less opportunity to find weaknesses in the cyber-security armor it provides. An authorized software list requires that approved software from trusted vendors be identified and used for operations; this may affect some users due to a lack of familiarity. Another good practice is limiting information sharing, meaning the access employees have to customer data that is not relevant to their jobs.
Other things to consider when creating cyber security policy that deters hacking:
· Remote Access
· Role-Based Access Controls
· Data Encryption Methods
Public Sentiment
If our citizens do not feel confident in our decisions, they will disregard any suggestions we make for the protection of American networks. We must work diligently with public relations to establish a positive outlook on our decisions. Americans must know that we respect the privacy of their information and are taking every precaution we can to establish safe internet communication methods: following advisories designed by the National Institute of Standards and Technology (NIST), funding research efforts, and requiring breach notifications so that any loss of their data will be reported.
As an act of good faith, we can increase funding to support private-sector cyber-security efforts. This will allow greater access to security tools and training for personnel, and encourage information sharing between private-sector professionals and government representatives.
Stakeholders
FBI
DISA
Department of Treasury
NIST
Congress
Attorney General's Office
Department of Homeland Security
Critical to every cybersecurity strategy is the identification of all stakeholders. In the event of a cyber breach, or often just a cyberattack, certain stakeholders require notification. As you review each round of activity, create a spreadsheet or table with your team that lists the stakeholders to be notified. Include this in your AAR.
Retain notes on the control decisions from each round, in addition to the CISO Debrief Report, as you move to the next step of stakeholder identification.
Round One of the simulation is complete. All five teams faced the following scenarios: Criminal Hacking and Economic Downturn.
Round | Federal Government | Avisitel | DTL Power | Mistral Bank | Hytema
Criminal Hacking | | | | |
Economic Downturn | | | | |
Here is how the teams performed after Round One:
In terms of overall Index Score, Hytema and Mistral were tied for the best performance, followed closely by the Federal Government. Downtime and Profitability are areas to watch closely for the private-sector players. The Federal Government should focus on ways to improve Popular Sentiment and Surplus (Budget) moving forward.
Prof G.
Student Name: Mitsuko Brown | Role: Cyber Security Policy Analyst
Round 1 decisions by category:
Antivirus Policy
  Quality of antivirus solution used: State-of-the-art
  Frequency of scans: Multiple times per day
  Frequency of patch updates: Always once released
Authorized Software Policy
  Type of software permitted for use by employees: Approved software
  Software evaluation frequency in months: 6
  Violation penalties: Focus on termination
Breach Notification Policy
  Degree of openness of breach notification: Only critical incidents
  Investigative agencies to call in for major security breaches: CERT
  Violation penalties: Focus on termination
Emergency Bypass Policy
  Spending on emergency bypass policy: $125,000
  Response to violations of typical separation of duties protocol: Not allowed
  Violation penalties: Focus on suspensions
General Access Policies
  Degree of freedom given to employees regarding communications over the Internet: Restricted
  Degree of freedom over browsing non-business sites: Restricted
  Degree of logging of Internet access and other system actions and accesses: All actions
  Number of permitted login attempts: 3
  Password validity in days: 45
  Password length requirements: 8
  Non-use of prior passwords: 3
  Violation penalties: Focus on warnings
Hiring and Employee Policy
  IT team size: Average
  Full-time employees as a percentage of the workforce: 0.9
  Hiring by average experience in years: 7
  Spending on background check of DSS or other vendors: $15,000
  Forced rotation of employees: Enable
  Forced vacation for employees: Enable
Information Sharing Policy
  No. of people in groups to overlook and enforce internal information sharing: 4
  Internal information sharing by role-based access control: Strictly need-to-know
  Degree of external information sharing: Strictly need-to-know
  Frequency of disclosure for Infragard communication in days: 14 days
  Violation penalties: Suspensions
Remote Access Policy
  Degree of remote access by employee grade: Middle management
  Access privileges permitted: Medium - read/write
  Violation penalties: Focus on termination
Round 1 rationale:
Strong antivirus solution is critical for protecting federal government information assets especially when cyber threat impact probability is high and the impact of a cyber breach is very high. The US Government will enforce strong password requirements with MFA. 45 day password changes are sufficient with strong password requirements. The security demands of the US Government require more monitoring than other entities less targeted by hackers.
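The General Access Policy values chosen above (3 permitted login attempts, 45-day password validity, 8-character minimum, no reuse of the last 3 passwords) enforced in code, as an added example that is not part of the simulation or of the student's submission; the Account structure, the function names and the SHA-256 stand-in for a real password hash are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

MAX_LOGIN_ATTEMPTS = 3                   # "Number of permitted login attempts: 3"
PASSWORD_VALIDITY = timedelta(days=45)   # "Password validity in days: 45"
MIN_PASSWORD_LENGTH = 8                  # "Password length requirements: 8"
PASSWORD_HISTORY = 3                     # "Non-use of prior passwords: 3"


def password_digest(password: str) -> str:
    # Assumption: plain SHA-256 stands in for a real password hash (argon2/bcrypt) so the example runs offline.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    history: list             # digests of past passwords, oldest first; the current one is history[-1]
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def set_password(acct: Account, new_password: str, now: datetime) -> str:
    """Apply the length and reuse rules; returns 'ok' or the reason the change was refused."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return "too short"
    # The new password may not match the current one or any of the 3 prior ones.
    if password_digest(new_password) in acct.history[-(PASSWORD_HISTORY + 1):]:
        return "reused"
    acct.history.append(password_digest(new_password))
    acct.password_set_at = now
    acct.failed_attempts, acct.locked = 0, False   # a fresh password clears any lockout
    return "ok"


def login(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired' (correct but older than 45 days), 'bad password' or 'locked'."""
    if acct.locked:
        return "locked"
    if password_digest(password) != acct.history[-1]:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_LOGIN_ATTEMPTS:   # the third failure uses up the 3 permitted attempts
            acct.locked = True
            return "locked"
        return "bad password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > PASSWORD_VALIDITY:
        return "expired"
    return "ok"
```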
Student Name: Esi FYNN-AIKINS | Role: Chief Information Security Officer
Round 1 decisions by category:
Business Continuity Planning
  Degree of IT data storage redundancy: Low
  Degree of IT network redundancy: High
  Levels of power backup redundancy: 2
  Number of backup sites: 1
  Number of redundant backup communication links: 3
  Policy review frequency in months: 6
Database Security
  Frequency of forcing password changes in days: 90
  Degree of separation of roles for admin and operator roles: Complete
  Control privileges: Restricted
  OS services and associated ports: Disable
  Database honeypots: Enable
External Collaboration
  Degree of collaboration with allies and Interpol: High
Federal Government Information Classification
  Strictness of cybersecurity information classification: Top secret/SCI
Information Privacy Policy
  Privacy program investment spending: $250,000
  Appoint a dedicated privacy office: Yes
  Privacy training spending for employees: $400,000
  Degree of information and record retention: All information
  Violation penalties: Focus on suspensions
Role Based Access Control
  Degree of role-based access control: High
Training and Auditing
  Focus on training area (network vulnerabilities): 35%
  Focus on training area (controls): 25%
  Focus on training area (encryption): 30%
  Focus on training area (penetration testing): 10%
  Frequency of physical audits of the equipment: Once a year
Round 1 rationale:
Increased data redundancy can eat up server storage space. Redundancy will be low and done intentionally. A high network redundancy will minimize the chances of errors, damage, or shutdowns. A medium-power backup akin to a 2N system will still keep things up and running. Having more redundant backup communication links is essential to ensure effective alternative communication. One offsite backup site is enough for storing data needed in the event of a breach. Critical functions should be reviewed and updated every 6 months to help resume operations quickly after an incident. Role separation stops an attacker using access control. A 90-day password change policy limits an attacker's stay inside a hacked account. Enabling honeypots will lure and deflect attackers and at the same time learn their techniques. OSes must be hardened in this instance. Privacy program cost includes the cost of a response management tool, estimated incidents per year, the cost of time spent on incident intake and assessment, reporting cost, and internal and outside counsel costs. Employees who violate privacy policy will be suspended pending investigation. Cost for training 115 employees in 10 regional offices at an average cost of $390. More focus should be on assessing vulnerabilities, encrypting data, and providing controls. Auditing equipment once a year will reduce the cost involved in the audit but still meet requirements for certification.
Student Name: Mfonobong Noah | Role: General counsel
Round 1 decisions by category:
Advisories
  NSA security configuration guide creation spending: $25,000
  NIST library funding: $500,000
CERT Controls
  CERT funding: $1,250,000
  Frequency of automated advisories in days: 10
  Experience of CERT responders in years: 2
  Training allocation funding: $1,250,000
  Vulnerability database maintenance funding: $500,000
ISACs
  Funding for the ISAC: $1,250,000
  Training and certification programs funding: $1,405,000