On your computer monitor, you read the meeting topic: “HR Data Access.” You think, “This might be a tricky one.”
You remember a discussion with John, the CTO, about conflict caused by the sharing of information between two departments. Grabbing your laptop, you head to the meeting.
In the conference room, John is already waiting. He says, “We will be joined by the VP of HR and the managers of the Payroll and Training departments. Our focus will be on access to data that is housed in the HR database.”
The door opens and the other three attendees walk in.
Amy Jones, the vice president of HR, begins: “The database that we use contains all employee data, ranging from payroll and benefits information to training and performance results. The issue that we are facing, and that I hope you can help us alleviate, is that all departments within Human Resources have full access to all of the data within the database.
“Recently, it was brought to my attention that the training department has access to payroll data.”
The two managers glance at one another.
John says, “I believe we can come up with a solution. As a matter of fact, this could be an opportunity to also evaluate the risk level that the HR database has from outside threats.”
John turns to you: “I would like you to prepare a presentation for HR management.
“In this presentation, you will suggest how we might limit access to specific types of data and protect vulnerable data from outside threats. Since we will be presenting to non-technical managers, you will need to explain the difference between authentication, authorization, and access control in plain language. The presentation will be scheduled in three weeks.”
After the meeting, you realize that while you might understand the problems of data access, other employees may not be aware of the issues involving information access in an organization. Your presentation will have to be understood by employees who do not have an information technology background.
Organizations have two concerns surrounding access to data: They must limit access to data from outside the organization as well as control which people have access to what data within the organization. In this project, you will explain to management the difference between authentication, authorization, and access control, and suggest how to keep outsiders from getting in and keep insiders from getting data they shouldn’t.
This is the second of four sequential projects. During this project, you will research the models for authentication, authorization, and access control. You will also communicate the recommended solution to a nontechnical audience.
There are 13 steps in this project. Begin by reviewing the project scenario and then proceed to Step 1.
Your work will be evaluated using the competencies listed below.
Step 1: Explore the Basics of Authentication
In order to build a presentation with the most current information available, you will gather information by reaching out to a group of your peers working in various industries. In the next three steps, you will prepare background information for this discussion.
In the next step, you will continue with your exploration of data access models with a look at authorization.
Step 2: Explore the Basics of Authorization
Another topic you’ll need to be prepared to discuss is authorization. Define authorization and differentiate it from authentication (similarities and differences). You will use the notes compiled in this step in your upcoming peer discussion. Complete each of the items listed below.
In the next step, you’ll complete your exploration of data access models with a look at access control.
Step 3: Explore the Basics of Access Control
One last topic to prepare for the upcoming discussion is access control: Define access control and then differentiate between access control, authentication, and authorization. You will use the notes compiled in this step in your upcoming peer discussion. You should describe the different access control models and how they are used, including, but not limited to, the list below.
After completing this step, you are ready for the next step, in which you will compile a report on the psychological aspects of cybersecurity.
Step 4: Write a Social Psychology Report
In the previous steps, you explored the basics of authentication, authorization, and access control and common models of implementing them. Your next task in preparing for the discussion with your peers is to consider the impact that human factors, such as ethics, legal issues, and psychology have on cybersecurity.
To synthesize your research on these factors, you will write a report on the psychological aspects of cybersecurity. This report will be used to formulate recommendations later in the project and be included as an appendix to the final presentation in the last step of this project.
In this report, do the following:
Submit the report for feedback.
Following the report on the impact of social psychology on cybersecurity, you will compose a report on privacy awareness and the implications on cybersecurity policy to further prepare for the discussion with your peers. This report will be used to formulate recommendations later in the project and be included as an appendix to the final presentation in the last step of this project.
In this report, complete the following:
Submit the report for feedback.
To go along with the reports on the impact of social psychology on cybersecurity and the impact of privacy awareness on cybersecurity policy, you will now report on the implication anonymity has on cybersecurity by giving a brief one-paragraph summary on each of the items within the bulleted list below.
Submit this report for feedback.
You have explored and reported on the human aspects of cybersecurity. Chief information security officers frequently make security decisions in high-pressure environments and deal with individuals whose actions may violate certain standards of behavior and ethics. In this step, you will review several scholarly sources that discuss issues and concerns that a CIO and CIO staff may be faced with in the normal course of duties.
After you have reviewed these materials, create a concept map of important issues, concerns, and best practices or model solutions to common problems. Your goal in creating this map is to develop a visual aid which can help decision makers identify important aspects of a cybersecurity issue revolving around human behavior as they seek to resolve the issues in a manner that is in keeping with an organization’s ethical standards and practices.
Review the following scholarly sources:
1. Dunn Cavelty, M. (2014). Breaking the cyber-security dilemma: Aligning security needs and removing vulnerabilities. Science & Engineering Ethics, 20(3), 701–715. http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=asn&AN=97178206&site=eds-live&scope=site
2. Evans, M., Maglaras, L. A., He, Y., &Janicke, H. (2016). Human behaviour as an aspect of cyber security assurance. https://arxiv.org/ftp/arxiv/papers/1601/1601.03921.pdf
3. Draper, C. & Raymond, A. H. (2020). Building a risk model for data incidents: A guide to assist business in making ethical data decisions. Business Horizons (2020) 63, 9-16. https://doi-org.ezproxy.umgc.edu/10.1016/j.bushor.2019.04.005
You can use MS Word or PowerPoint to create your map using boxes, ovals, and connecting lines. Below are simple concept maps made using MS Word’s Smart Art. Your concept map should have between 15 to 20 concepts total.
Note: if you are not familiar with how to build a concept map and would like more information, see the following https://www.lucidchart.com/blog/how-to-make-a-concept-map
Now that you have explored authentication, authorization, and access control, you will direct attention to the specific issues of your assigned organization.
Identify particular issues that the organization has had, currently has, or could potentially have in terms of authentication, authorization, and access control. Next, assess the potential effectiveness of the access control models from Step 3 for the organization and scenario.
Document your assessment, as you will refer to this information throughout this project.
In many twenty-first century professions, expertise in your own field is not always enough. Sure, you are well on your way to becoming an expert in cybersecurity management. But the cybersecurity field exists so that professionals in other field can be confident that their computing platforms are safe. Knowledge of the types of information, processes, teams, and real-life activities that other professionals engage in is what will enable you to make the best decisions about how to ensure CIA on widely disparate platforms in different environments.
In the next step, you will look across your industry to determine best security practices.
Step 9: Research Industry Best Practices
In the first three steps, you gathered information regarding authentication, authorization, and access control and had an opportunity to apply these concepts through training. You have thought about how to apply this knowledge to your organization, and you wrote reports on how psychology, anonymity, and privacy awareness affect cybersecurity. You are finally ready to meet with your peers in the industry to get a sense of current practices.
The peer discussion can take various shapes. Research online articles and/or interview colleagues, friends, and acquaintances in different fields to gather the most current information of what various industries are doing to face their cybersecurity needs. The information and ideas that you obtain here will help you to formulate a recommendation and develop a job aid for the human resources (HR) managers that John requested. You will need to at least cover the items in the list below.
Use the information gathered here to assist in formulating your recommendations in the next step.
Step 10: Formulate Recommendations
From the information that you have gathered throughout this project, formulate a recommendation for authentication, authorization, and access control. If you determine that your organization needs no changes in these areas, explain your position and what leadership (and you, as CISO) will continue to monitor to ensure that security standards are commensurate with expectations.
Make sure to consider the needs of restricting data from department to department as appropriate, protecting the organization’s HR data from outside and inside threats in general and allowing for employees to access the data they need while offsite. Also consider the human aspects of cybersecurity from the previous steps. Include a recommendation for an ongoing risk management strategy. You will include your recommendations in your Implementation Guidance Presentation in the last step.
The recommendation must meet the following criteria:
In the next step, you will take your recommendations and use them to create a job aid for HR managers regarding authentication, authorization, and access control so they can spread the information to the various departments.
Now that you have formulated your recommendation for authentication, authorization, and access control, you will develop a job aid that the HR managers can take to their departments after the presentation.
This job aid will empower the HR managers to educate their staff on the topics of authentication, authorization, and access control in a simple and effective way to improve the security of their systems. The job aid will be distributed after the presentation.
Develop a short (two- to three-page) job aid that explains the differences between authentication, authorization, and access control using common-sense examples to help the reader understand the differences and the importance of each in protecting the organization’s information. The job aid should address all the items listed below.
Submit the job aid for feedback.
Project 2: Authentication, Authorization, and Access Control
Step 12: Develop the Implementation Guidance Presentation
In response to the request from the CTO and VP of HR, you will develop a presentation for HR management which discusses how to limit access to specific types of data and protect vulnerable data from outside threats. You will explain the lineage of data, data ownership, and data-access related authentication, authorization, and access control. You will also take this opportunity to educate on the basic principles of data/network access control and to advocate for stronger access controls.
You will develop an 18- to 20-slide presentation that clearly explains the principles of authentication, authorization, and access control, examines various models, and recommends a strategy for the organization. You will use the information that you have gathered in the initial steps of this project. Make sure to include the following:
Submit the presentation in the last step.
Your presentation should include the following as appendices:
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.