CMP 610 9040 University of Maryland Global Campus Foundations in Cybersecurity Management Essay

Step 6: Begin a Security Models Summary

Confidentiality, integrity, and availability (CIA triad), as well as authentication and nonrepudiation, are fundamental security concepts that must be considered when assessing and developing security options. Cybersecurity models have been developed to address some or all of these security concepts.

While these models were generally created to address a specific business case, each of the models has attributes that could be used to assemble a custom security plan. In order to draft a custom security plan for your organization, you will need to understand basic security models. You will identify key features, weaknesses, and targeted sectors and/or infrastructures.

In this step and the following step, you will develop a short summary for each of the security models listed. These reports will serve as an Appendix A to the final memo and will document the security models and their attributes in advance of the memo that you will deliver with your recommended approach.

Each summary should include a descriptive and evaluative paragraph on the following attributes:

Include the origins of the model (who developed it, when it was developed, and the context under which it was developed), main characteristics of the model (details on the business, sector, or industry for which the model was developed), and key features of the model.

Write summaries for the following common models:

  • Bell-LaPadula
  • Biba’s Strict Integrity Policy
  • Clark-Wilson
  • Chinese Wall

When you have completed these summaries, continue to the next step, where you’ll write a summary for the next four security models.

Project 1: Security Models
Step 7: Continue the Security Models Summary

Continue summarizing the various cybersecurity models, as in the previous step. Again, identify key features, weaknesses, and targeted sectors/infrastructures and develop a short summary for each of the security models listed below. These reports will be added to Appendix A for the final memo and will document the security models and their attributes in advance of the memo that you will deliver with your recommended approach.

Each summary should include a descriptive and evaluative paragraph on the following attributes:

Include the origins of the model (who developed it, when it was developed, and the context under which it was developed), main characteristics of the model (details on the business, sector, or industry for which the model was developed), and key features of the model.

Write summaries for the following models:

  • Clinical Information Systems Security
  • Noninterference Security
  • Deducibility Security
  • Graham-Denning

When you have finished both steps and the Security Models Summary, submit Appendix A for feedback.

Step 8: Analyze the Security Models

Now that you are familiar with existing common security models, analyze each of the security models that you reviewed in the last two steps and their attributes against the needs of your organization as identified in the earlier steps. The information that you gather here will contribute to your security plan.

In the next step, you will look at features that will work for the organization.

Step 9: Identify Relevant Model Features

Next, identify features from the models that apply to your assigned organization’s security needs. Also include any security attributes that you believe are important for your organization but are not included in any of the models. The information that you gather here, along with the information gathered in the previous step, will contribute to the security plan.

When you are finished, in the next step you will put together a security plan for the organization.

Step 10: Design a Custom Security Plan

Having completed an assessment of your organization’s security posture and the analysis of security models, you will now design a custom security plan for the organization. The custom security plan should meet the following criteria:

  • The security plan should coincide with the organization’s IT vision, mission, and goals.
  • Include an information security program that aligns with business strategy.
  • Incorporate all internal and external business functions within the organization’s security programs.
  • Classify risks according to relevant criteria.
  • Prioritize threats from both internal and external sources.
  • Rank the most relevant security attributes for the organization and list them in priority order. This list will serve as Appendix B to your final assignment.

Submit Appendix B for feedback.

Step 11: Develop a Business Case for Your Organization

With the new security plan written, you will need to develop a business case for it to include in the memo to the CTO. Using your knowledge of the organization’s security posture from Step 1 and your understanding of applicable security model features, make the case for changes to the organization. Include the rationale for change and any impacts to the business.

Also include an implementation plan. Describe the present situation in the organization and the associated risks assumed given the security weaknesses.

The work you do in this step will become the first of three sections of the three-page memo in the last step of the project.

In the next step, you will work on another section of the memo, security models.

Step 12: Identify Security Model Attributes

Next, detail the security model attributes that best apply to the organization. Identify the model, if any, from which the attributes are derived and why the attribute applies to the organization.

The work you do in this step will become the second section of the memo in Step 14.

In the next step, you will look at how security in the organization could be improved, based on your recommendations.

Step 13: Assess Security Improvement Potential

Finally, give your best judgment on the potential to improve the security posture of the organization when your recommendations are implemented. You will need to evaluate the pros and cons of implementation in relation to CIA. Discuss the risks and impacts to include a high-level assessment of financials. Consider how business continuity and continued alignment will be maintained.

The work you do in this step will become the third section of the memo in the final step.

Step 14: Develop and Submit a Security Plan Recommendation Memorandum

Compile the analyses completed in the last three steps into a memorandum from you to your supervisor. This memo should be three pages, excluding Appendices A and B, and should clearly articulate the business case for adopting features from the reviewed security models. It should include the following:

  • a description of the security model attributes
  • an assessment of the weaknesses in the organization that the security features will address
  • your rationale for selecting the specific security attributes and your prognosis of success, noting risks and impacts to include a high-level assessment of financials
  • the policies and procedures that will need to be in place for the security plan to work
  • the infrastructure that will need to be in place for the security program to operate and to align with each entity within the organization
  • a plan for evaluating the security plan’s effectiveness

Update the appendices according to the feedback received. Submit the memorandum along with Appendices A and B.