INFO 644: PUBLIC POLICY ASSIGNMENT
PRESIDENTIAL INITIATIVES
Group #2:
Tamara Clark
Gustave R DeCoursey
Deepa Devadas
Megan Dougherty
Chrystal Edwards
Top five issues for the current administration
Cyber-Terrorism
Insider Threats
Risk Mitigation
Information Security/Corporate Governance
Working in the Cloud
CYBER-TERRORISM
Cyber Terrorism
Threat will increase as terrorists become more high tech and computer savvy.
“A cyber attack could have the same impact as a well-placed bomb” – Robert Mueller, III, Director of FBI
Terrorists look for and take advantage of vulnerabilities – network infrastructure security vulnerabilities
Cyber Terrorism
What is Cyber Terrorism?
“Cyber Terrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services, where the intended purpose is to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social or ideological agenda” - Keith Lourdeau, Deputy Asst Director of FBI’s Cyber Division
Cyber Terrorism
Two Types of Cyber Terrorism Attacks
Effects based - Disruptive enough to generate the same fear within individuals as traditional types of terrorism
Intent based - Create severe economic harm or intimidate the government and individuals into supporting the terrorists’ political objectives
Cyber Terrorism
What terrorists have done:
Email bombs
Publication of threatening material and content
Denial-of-service
Defaced websites
What is possible?
Massive blackouts
Destruction of:
Financial systems
Transportation systems
Defense infrastructure
National Security infrastructure
Cyber Terrorism
Evidence of acquiring computer skills to use for cyber attacks:
Al-Qaeda fighters left behind documents that contained information about Al-Qaeda operatives and their level of computer systems proficiency during an attack by the U.S.
Imam Samudra, the convicted Bali nightclub bomber, has written a book to influence Muslim youth to learn computer hacking skills in order to obtain credit card information and funds from U.S. companies.
Cyber Terrorism
Iranian Cyber Army defaced Congress’ website after President Obama’s State of the Union speech
Google’s network infrastructure in China hacked for Gmail accounts of Chinese human rights activists
U.S. Department of Defense computer network attacked and malware installed on the network
Cyber Terrorism
SWOT
Strengths – Human capital resources to upgrade network infrastructure security
Weaknesses – Vulnerability of network infrastructure and security holes
Opportunities – Awareness and knowledge to collaborate and build strong security policies
Threats – Terrorists taking advantage of network vulnerabilities
Cyber Terrorism
Secretary of State, Hillary Clinton, is pushing for internet freedom for all.
Governments should not prevent people from connecting to the internet, web sites and each other.
Current administration will work with academia, the private sector, and foreign governments to provide new tools to the people so they may exercise their freedom of speech and expression towards their governments
Internet freedom will open the door to possible cyber terrorism attacks
Insider Threats
Insider Threats
Businesses are most at risk from former and current employees
Motivated by work situations, opportunities or other personal factors
Resultant action is computer abuse, fraud and theft, falsification, planting of malicious code, or sale of personal information
Insider Threats
Real World Example: Donald Burleson, a computer programmer
Designed a virus after being scolded for storing personal letters on his company computer
Virus was designed to erase portions of the mainframe
After being fired, Burleson was able to employ an unauthorized backdoor password to execute the virus
Insider Threats
Simpler Real World Example:
Two credit union employees had access to alter credit reports based on updated information received
Intentionally misused this authorization to alter credit reports in exchange for money
Insider Threats
U.S. Secret Service National Threat Assessment Center and the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute completed an Insider Threat Study and found:
Most insider events were triggered by a negative event in the workplace
Most were motivated by financial gain
Perpetrators did not share a common profile
Insider Threats
Insider Threat Study (continued):
Most perpetrators planned their actions in advance
Only seventeen percent involved individuals with administrator access
Eighty-seven percent of the attacks used very simple user commands that didn't require any advanced knowledge
Most attacks were committed while at the workplace and during normal work hours
Insider Threats
Businesses tend to concentrate on preventing outside intrusion and neglect insider threats
62% of large businesses have dealt with a security incident by a current or former employee.
Deloitte 2007 Global Security Survey found that 91% were concerned about employees and 79% cited the human factor as the root cause of Information Security failures.
Same survey showed 22% of respondents had provided no employee security training over the past year and less than 33% said their staff was skilled enough to respond to security needs
Insider Threats
Companies need more requirements for:
Clear and concise policies
Training
Background checks
Disciplinary actions
Risk Mitigation
Risk Mitigation
The most commonly considered risk management strategy
This involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw.
“Risk mitigation involves the process of prioritizing, evaluating and implementing appropriate controls.”
Risk Mitigation - Purpose
Helps in communicating how specific risks will be dealt with and the action steps that are required to carry them out.
Provides a clear sense of the actions that the project team members are expected to take
Provides management with an understanding of what actions are being taken on their behalf to ameliorate project risk.
Risk Mitigation Issues/Threats
Care should be taken while assessing and prioritizing risks, since it could result in time being wasted in dealing with risks that are not likely to occur. When there is too much time spent in assessing and managing unlikely risks, this diverts resources that could have been used more profitably.
If the risk management process is prioritized too highly, then this could keep an organization from ever completing a project or even getting started.
Another very important consideration in risk mitigation is to avoid any conflicts of interest.
Why should Risk Mitigation be considered important?
If ignored:
Result in the failure to develop a strong organizational culture
Inefficient communication of information between levels of management
Insufficient risk assessment
Ineffective auditing and monitoring programs
Risk Mitigation – Opportunities
Provide opportunities for the project members to discuss improvements, including explicit discussion of risk mitigation strategies and approaches, as well as what the probable impact of different risk mitigation measures might be
These communications among organizational members offer opportunities to challenge assumptions, identify errors and voice issues. There are also opportunities for dispersed organizational members to grow and learn together.
Provides opportunities for clarification, for sense making, for organizational growth, and opportunities for people to discuss improvements to the organization and the impacts of different risk mitigation strategies
Information Security/Corporate Governance
Corporate Irresponsibility
WorldCom & Enron
No ownership of liabilities
Difficult to prosecute
Legislative Action:
HIPAA
Sarbanes-Oxley Act
Gramm-Leach-Bliley Act
Governance
Top down methodology for ownership of corporate processes
Information governance is a subset of corporate governance
Deals with all aspects of information:
Electronic
Written
Printed
Creation, transport and destruction
Security Governance
Security roles and responsibilities:
Provide strategic direction
Ensures objectives are met
Manages risk
Security policies:
Address roles of individual
Address standards of implementation
Continual evaluation of security program
Management’s Involvement
Understand Risks when governance is nonexistent:
Reputation damage
Loss of revenue
Litigious effects
Implementation works better with top involvement
Deliverables
Security plan design
Plan Implementation
Monitor plan for desired outcomes
Ongoing education:
Awareness of goals and initiatives
Maintain security education to highest levels
Cloud computing
Cloud Computing – Definition
Internet-based computing, which allows for shared resources, such as software and information to be provided to computers and other devices on-demand. Typical cloud computing providers deliver common business applications online which are accessed from another web service or software.
Cloud Computing – Service models
Software as a Service, through which applications are provided in the cloud;
Platform as a Service, through which a cloud provider permits users to create or run applications using languages and tools supported by the provider while the provider delivers the underlying infrastructure such as servers, operating systems, or storage; and
Infrastructure as a Service, through which a customer can deploy a computing infrastructure similar to a virtualized environment.
Clouds
Pros:
Reduced costs
Resource sharing is more efficient
Management moves to cloud provider
Consumption based cost
Faster time to roll out new services
Dynamic resource availability for crunch periods
Cons:
Compliance/regulatory laws mandate on-site ownership of data
Security and privacy
Latency & bandwidth guarantees
Absence of robust SLAs
Availability & reliability
Federal Cloud
Due to the growing popularity of cloud computing, the federal government is moving more quickly than the private sector in both its interest in and potential adoption of what has been referred to as the federal cloud
The Obama administration has made cloud computing a high priority, calling for a "fundamental re-examination of investments in the technology infrastructure."
The overall objective is to create a more agile federal enterprise, where services can be provisioned and reused on demand to meet business needs
Security issues with the cloud
Privileged user access: Sensitive data processed outside the enterprise brings a level of risk
Regulatory compliance: Customers are ultimately held responsible for the security and integrity of their own data, even when it is held by a service provider
Data location: When using a cloud, you may not have an idea of where your data is stored.
Data segregation: Data in the cloud is in a shared environment, with data from other customers
Security issues with the cloud
Recovery: Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster
Investigative Support: Investigating inappropriate or illegal activity may be impossible in cloud computing
Long-term Viability: Ideally, your cloud computing provider will never go broke or get acquired by a larger company. If this happens you must be sure your data will be available, even after such an event.
Cloud – summary
Client-plus-cloud computing offers enhanced choice, flexibility, operational efficiency, and cost savings for governments, businesses, and individual consumers.
To take full advantage of these benefits, reliable assurances regarding the privacy and security of online data must be provided.
In addition, a number of regulatory, jurisdictional, and public policy issues remain to be solved in order for online computing to thrive.