Assignment 7
Background
To complete this assignment, you will need to have read chapters 14-16 of the textbook and completed the slides/lectures Security Management, Risk Assessment, Controls, Physical Security I and II.
Assignment Instructions
Reminder: All work turned in for this class must be prepared in a form that I can open with Microsoft Word 2016. Do not copy the homework text into your answers; I already know what the questions are, and putting superfluous filler into your answers just makes more work for me.
For this assignment and any others that require research you must answer in your own words and cite your references correctly. A cut-and-paste answer will earn a zero for the entire assignment and may earn a course grade of F for plagiarism.
Part 1: Acme Corporation operates a small server room. They work 9:00 AM to 5:00 PM, five days a week, and can operate for several hours without IT services. However, part of their IT application includes a database system that is sensitive to interruption; it must be shut down properly to avoid corruption. They're based in Tampa; frequent thunderstorms cause brief power "blips." Complete power failures are rare, but do happen two or three times a year and last for several hours. Describe what Acme should do with respect to electric power protection.
Part 2: MidCorp is a mid-sized corporation that sells music and movie downloads over the Internet. They're in the same building as Acme and have the same electric power conditions. MidCorp's CFO says that each hour of web server downtime costs the company $2,000 in profit from sales. Describe what MidCorp should do with respect to electric power protection. If your recommendation is different from Acme's, explain why. Explicitly state any assumptions you have made.
Part 3: Using the cost-benefit analysis method described in the lecture, estimate how much money MidCorp should spend on power protection. You will have to make several assumptions to do this. Your answer should contain an "assumptions" section in which you list them. Justify each assumption in one or two sentences.
Part 4: Bruce Schneier says one should consider the following things when considering implementing a security system:
- What assets are you trying to protect?
- What are the risks to those assets?
- How well does the proposed solution mitigate those risks?
- What other risks might the proposed solution cause?
- What are the costs and trade-offs of the proposed solution?
Assume your cousin lives with a spouse, a pre-teen daughter and a teenage son. Your cousin has asked for advice on whether to install a monitored burglar alarm in their home. What advice do you give? You do not have to find out the cost of burglar alarm systems for this assignment, but address all the rest of Schneier's considerations.
Part 5: The president of Acme Corporation has just learned that the company can be held responsible for what employees write in electronic mail. He is very worried! Acme has a long-standing, but unwritten, practice that brief personal phone calls are permitted at work, so long as they do not interfere with performance. The company president would like to treat email the same way.
In a couple of paragraphs, explain how personal phone calls and personal email messages are alike.
In a couple more paragraphs, explain how they are different.
Write a draft policy for personal use of Acme's email system. (You don't need the standards and practices for this one, just the policy. Remember, policies state what must happen, may happen, or must not happen. This can be as short as a couple of paragraphs, but a sentence or two will not do.)
Grading Rubric
This section describes how your assignment will be graded. Except in the case of plagiarism, cheating, or copying, you cannot lose more than 100 points.
This assignment is worth 100 points in the "Assignments" category of the course grading plan.
The Assignment as a Whole
Failure to follow instructions: Up to three points subtracted per part, 18 points for the entire assignment.
Grammar, spelling, and organization: Up to three points subtracted per part, 18 points for the entire assignment.
Incorrect citation or use of the works of others: Up to ten points subtracted per part, 60 points for the assignment as a whole. When you use the words or ideas of others, you need a citation in the text that ties to an entry in your "References" section. When you quote another's work, you need quotation marks. For an example, see An Example of Proper Writing in the "Required Reading" module.
Plagiarism, cheating, or copying another's work: A zero on the assignment and referral to the Student Conduct and Academic Integrity office for other penalties.
Late work: Late work will not be accepted by Desire2Learn and will be recorded as a zero.
The Assignment by Parts
| Part | Criteria | Points Available |
|---|---|---|
| 1 | The description of Acme's actions is incorrect or missing: -20; The description is correct but superficial, or omits important points: -10 | 20 |
| 2 | The description of MidCorp's actions is incorrect or missing: -20; The description is correct but superficial, or omits important points: -10 | 20 |
| 3 | The cost-benefit formula used is incorrect: -20; The computation contains arithmetic errors: -20; Assumptions are not explicitly stated: -20; Assumptions are given, but justification for each is absent or superficial: up to -10 | 20 |
| 4 | For each of the five items missing, incorrect, or superficial: -4; Note: the student was not asked to find out the cost of a burglar alarm. | 20 |
| 5 | The comparison of similarity of email to phone use is absent, incomplete, or superficial: -5; The comparison of differences between email and phone use is absent, incomplete, or superficial: -5; The email policy is absent, omits important points, or is superficial: -10 | 20 |