INFO5301 Information Security Management
information security to include the security of us. Ref: Miller, Lawrence C.; Gregory, Peter H.
CISSP For Dummies, 6th edition (2018), Chapter 3: Security and Risk Management
Authentication also underpins the CIA triad in IoT. Each device needs to reliably identify
itself and prove that it can communicate securely with the other devices in the system. This
can be achieved using a combination of digital certificates and a hardware-based root of trust
(a key that never leaves the device's secure hardware). Strong user authentication should also
be used to control user access.
Non-repudiation: irrefutable proof of the validity and origin of all data transmitted. Digitally
signing documents and transactions with a private key held in a hardware security device (an
HSM, TPM or smart card) provides strong non-repudiation of the date and origin of a
transaction: only the holder of that key could have produced the signature, and any change to
the signed data afterwards causes verification to fail.
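The two points above (a device proving its identity with a key bound to hardware, and a signed transaction that its originator cannot later deny) both rest on the same primitive. The following PowerShell script is an added example, not part of the course notes: it signs a transaction with an RSA private key, verifies it with the public key alone (the part that would be distributed in a digital certificate), shows that a tampered copy fails verification, and shows that the public key cannot be used to forge a signature. The key pair and the transaction string are constructed here for illustration; in production the private key would stay inside the hardware security device and only the signature would leave it.

```powershell
# Added example (not from the course notes): integrity + origin via an RSA signature.
# Works in Windows PowerShell 5.1 (.NET Framework 4.7.2+) and PowerShell 7.

# Signer: the party holding the private key (a device's hardware root of trust,
# or a user's smart card). Here the key is generated in software for illustration.
$signerKey = [System.Security.Cryptography.RSA]::Create(2048)

# Constructed sample transaction whose content and origin must later be provable.
$transaction = 'payee=ACME Ltd;amount=1250.00;date=2024-03-01'
$bytes       = [System.Text.Encoding]::UTF8.GetBytes($transaction)

$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Sign: only the private key can do this.
$signature = $signerKey.SignData($bytes, $hashAlg, $padding)

# Verifier: receives ONLY the public half (in practice inside an X.509 certificate).
$publicKey = [System.Security.Cryptography.RSA]::Create()
$publicKey.ImportParameters($signerKey.ExportParameters($false))   # $false = public part only

function Test-Signature {
    param(
        [byte[]]$Data,
        [byte[]]$Signature,
        [System.Security.Cryptography.RSA]$PublicKey
    )
    # Returns $true only if $Signature was made over exactly $Data by the matching private key.
    return $PublicKey.VerifyData($Data, $Signature, $hashAlg, $padding)
}

# 1. Genuine transaction verifies.
"Original verifies : $(Test-Signature -Data $bytes -Signature $signature -PublicKey $publicKey)"

# 2. Integrity: change a single digit of the amount and the same signature no longer verifies.
$tampered = [System.Text.Encoding]::UTF8.GetBytes($transaction.Replace('1250.00', '9250.00'))
"Tampered verifies : $(Test-Signature -Data $tampered -Signature $signature -PublicKey $publicKey)"

# 3. Non-repudiation: the verifier (or anyone else with the public key) cannot
#    produce a signature, so a valid signature can only have come from the key holder.
try {
    $null = $publicKey.SignData($bytes, $hashAlg, $padding)
    'Public key was able to sign (unexpected)'
}
catch {
    "Public key cannot sign: $($_.Exception.Message)"
}

# Signature is what travels with the transaction; Base64 for transport.
"Signature (base64): $([Convert]::ToBase64String($signature))"
```

Contrast this with a keyed hash (HMAC): an HMAC also detects tampering, but because sender and receiver share the same key either side could have produced it, so it gives integrity without non-repudiation. That distinction is why the notes tie non-repudiation to digital signatures and hardware-held private keys rather than to any checksum.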
Duration: 15 min
Exercise 7:
Company A provides cloud computing services to its customers. What practices should the
company adopt to maintain the Confidentiality, Integrity and Availability of its customers'
data?
Answer:
Confidentiality: the company must encrypt customer data both "at rest" and "in transit",
control who may access it through Identity and Access Management (IAM) with Multi-Factor
Authentication, and limit network exposure with firewalls.
Data Integrity: protect data from unauthorized modification or deletion. There must be a
system of permissions that restricts who can write, and logs that can demonstrate that no
inappropriate access to customer data has taken place. Multi-Factor Authentication on delete
operations and version control (object versioning) add a further safeguard when users try to
delete data in the cloud, so that an accidental or malicious deletion can be reversed.
Data Availability: ensure that data remains available, at the required level of performance,
in situations ranging from normal operation to disaster. Load balancing across redundant
instances is also important. For example, the strategies used on Amazon Web Services (AWS)
include Auto Scaling, deploying across multiple Availability Zones, and Route 53 with health
checks to detect a failure and trigger automatic failover (switching to a redundant or standby
server or system).
Duration: 15 min
Exercise 8:
A server called Server1 is running Windows Server 2016. On Server1, a folder called Data
is created and shared on the C drive. Within the Data folder, subfolders are created with
each user’s name within the organization. Each person’s electronic paycheck is placed in
each user’s folder. Later, you find out that John was able to go in and change some of the
electronic paycheck amounts, while also deleting some of the electronic paychecks. Explain
which one (or more) of the CIA components was not followed.
Answer: All three CIA components were not followed. John could open other users' subfolders
and read their paychecks (confidentiality); he changed paycheck amounts (integrity); and he
deleted paychecks, so their owners could no longer access them (availability). The underlying
failure is access control: the permissions on the Data share let John reach every user's
subfolder with modify and delete rights instead of limiting each user to their own folder.
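The scenario is a permissions failure on the Data share, so the practical fix is an NTFS and share permission layout in which each user can read only their own folder and nobody but payroll can change or delete a paycheck. The following PowerShell script is an added example, not part of the exercise answer: it rebuilds the Data folder with explicit, non-inherited ACLs, adds an audit rule so that writes and deletes are logged, and creates the share. The domain group Payroll, the user names, and the use of an elevated session on Server1 are assumptions for illustration; the auditpol command in the comment is the standard way to turn on file-system audit events.

```powershell
# Added example (not from the course notes): least-privilege layout for the Data share.
# Run in an elevated PowerShell on the file server (Windows Server 2016 or later).

$root   = 'C:\Data'
$domain = $env:USERDOMAIN
$users  = @('alice', 'bob', 'john')      # assumed sAMAccountNames, one subfolder each

function New-Ace {
    # Builds an Allow ACE. With $Inherit the ACE flows to child folders and files.
    param([string]$Identity, [string]$Rights, [bool]$Inherit = $true)
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $flags, 'None', 'Allow')
}

function Set-LockedDownAcl {
    # Replaces a folder's DACL with exactly $Aces (nothing inherited from C:\)
    # and adds a SACL entry so that changes and deletions are written to the
    # Security event log (4663). Needs the audit policy enabled once:
    #   auditpol /set /subcategory:"File System" /success:enable /failure:enable
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Aces)
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAccessRuleProtection($true, $false)      # isProtected, do not keep inherited ACEs
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($old)          # drop any explicit ACEs left from before
    }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'WriteData, Delete, DeleteSubdirectoriesAndFiles',
        'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
    Set-Acl -Path $Path -AclObject $acl
}

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share root: ordinary users may only list and traverse it (this folder only, no
# inheritance), so no blanket Modify right flows down into every user's subfolder.
Set-LockedDownAcl -Path $root -Aces @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'),
    (New-Ace 'BUILTIN\Administrators' 'FullControl'),
    (New-Ace "$domain\Payroll"        'Modify'),                 # payroll creates folders/files
    (New-Ace "$domain\Domain Users"   'ReadAndExecute' $false)   # list + traverse only
)

# Per-user folders: the named user can read their own paychecks and nothing more;
# only Payroll can write or delete, and no other user has any ACE here at all.
foreach ($u in $users) {
    $path = Join-Path $root $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-LockedDownAcl -Path $path -Aces @(
        (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'),
        (New-Ace 'BUILTIN\Administrators' 'FullControl'),
        (New-Ace "$domain\Payroll"        'Modify'),
        (New-Ace "$domain\$u"             'ReadAndExecute')
    )
}

# Share permissions are the outer gate; effective access is the more restrictive of
# share and NTFS, so the NTFS ACLs above are what actually separate users from each other.
if (-not (Get-SmbShare -Name 'Data' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Data' -Path $root -FullAccess 'BUILTIN\Administrators' `
        -ChangeAccess "$domain\Payroll" -ReadAccess "$domain\Domain Users" | Out-Null
}

# Check: print the domain ACEs on every folder; john must not appear on anyone else's.
foreach ($u in $users) {
    $rules = (Get-Acl -Path (Join-Path $root $u)).Access |
        Where-Object { $_.IdentityReference -like "$domain\*" }
    '{0,-8} {1}' -f $u, (($rules | ForEach-Object {
        "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; ')
}
```

With this layout John's original actions map directly onto the triad: he cannot list or open another user's folder (confidentiality), he holds no WriteData right on any paycheck, including his own (integrity), and he holds no Delete right (availability); if he tries anyway, the audit rule records the failed attempt against his account.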
Information Security Management Page 5 of 6