Project: Problem Identification Assignment
Overview
The objective of the final comprehensive project is to show you are competent in the Information Assurance discipline and prepared for the final capstone systems analysis and design course. You will show competence through the execution of a final information security plan. The objective of the plan is to identify a current and relevant security-related problem in computing, study related literature that pertains directly to the problem, analyze an appropriate secure, fault-tolerant solution, design that solution, and develop a continuity and disaster recovery plan for the final solution. The identified problem must be contained in a software, network, or system environment for which you have sufficient knowledge and data access to perform a thorough analysis and design.
Instructions
Proper, current APA formatting is required and must include a title page, proper margins, citations, organization, proper grammar and spelling, and an ending resources page.
At a minimum, this phase of the project must include:
I. Executive summary, introduction, and conclusion
a. Executive summary
b. Introduction
i. Statement of the problem
ii. Documentation of the organizational requirements
iii. Purpose of the plan
iv. Scope of the plan
v. Rationale of the plan
c. Conclusion
II. Review of Related Literature
a. Scholarly, peer-reviewed, original research (8 minimum sources and at least 8 double-spaced, current APA-formatted pages)
b. Comprehensive investigation of past and current security solutions relevant to the problem
c. Summary of the research outcomes
d. NOTE: required minimum length in the grading rubric excludes all systems analysis and design (SAD) diagrams and any other tables and/or graphical elements
III. Risk Analysis
a. Analyze the risk of various plausible solutions in the review of related literature
b. Value of the assets
c. Potential loss per threat
d. Threat analysis
e. Overall annual loss per threat
f. Reduce, transfer, avoid, or accept the risk
IV. Environmental Diagrams (minimum of 2 required) could include, but are not limited to:
a. System and/or network architecture diagrams
i. If you are designing a secure network or system, at least 1 complete architectural diagram must exist that details all the connections, nodes, and/or pertinent pieces of equipment (e.g. data links, servers, switches, routers, firewalls, IDSs, SANs, databases, etc.)
ii. If you are designing a secure application, detailed UML class and/or component diagrams must exist
b. Security and business requirement mappings
c. Information or data flow diagrams
d. SDL Threat Modeling diagrams
e. Risk matrix
f. Process overview (e.g. see ISO 31000:2009 Process Overview Diagram)
g. Shared resource matrix
h. Attack and/or malicious mappings (e.g. distributed denial-of-service attack mapping, encrypted message flow)
Critical to your success is a comprehensive and proper understanding of the information system and surrounding environment that the plan will address. Within the scope of the plan, you must note each domain that will be addressed. It is important to clearly define what is inside the scope and what is outside of the scope of the plan.
For example, if you choose application security, you must narrowly define the application and its counterparts within the scope. This could include mobile code, object-oriented code, database, distributed system, neural network, and a number of other components. Subsequently, the research in the review of related literature must focus on the specific types of solutions that will need to be analyzed and designed. If the specific domain is software development security, and the solution must secure against malicious code, the review of related literature, risk analysis, and diagrams must have some focus on varying types of malicious code such as logic bombs, Trojan horses, viruses, time bombs, trapdoors, worms, and rabbits. If the domain is network security, a number of network architecture diagrams must be present that identify every possible device within the selected business environment.
Choose each element wisely, ensuring that sufficient selection occurs to develop the solution based upon the research in the review of related literature. Additionally, the included components must provide sufficient depth to allow the minimum length requirements to be met for each phase of the project, but more importantly to securely design the system and/or application. Within EACH of the 2 diagrams, a minimum of 20 elements must exist that accurately detail analysis of the environment that needs securing. The details will be supported by previous designs in the review of literature. These serve as a benchmark for your designs. If your literature review is insufficient, you will be assessed on relevant literature review, given your choice of design. In other words, be very detailed. If your diagrams are not detailed, they will be unable to achieve the purpose of a secure design and will ultimately fail the customer.