case study

To complete this assignment, review the prompt and grading rubric in the

Module Three Case Study Activity Guidelines and Rubric

. You will also need to access the

Module Three Case Study Template Word Document

. For reference, refer to the

CIA Triad and Fundamental Security Design Principles PDF

document.

When you have finished your work, submit the assignment here for grading and instructor feedback.

CYB 200 Module Three Case Study Activity Guidelines and Rubric

Overview

In this case study assignment, we will con�nue to inves�gate the Fundamental Security Design Principles at work in a real-world scenario. Through the lens of privacy protec�on, we will

analyze the following principles:

Isola�on

Encapsula�on

Complete Media�on

Minimize Trust Surface (Reluctance to trust)

Trust rela�onships

Case Study Scenario

The security team at your organiza�on receives an alert from your organiza�on’s cloud storage provider, DataStore. DataStore is a popular cloud-based data hos�ng service that your

organiza�on has contracted with to store public-facing informa�on such as product briefs and adver�sements in a “shared” pla�orm with many other customers. Your organiza�on has a

policy against transferring confiden�al data to the cloud and has asked DataStore to alert your security team if they detect unusual data-transfer ac�vi�es. DataStore no�ced that an ac�ve

connec�on transferred large numbers of files to their pla�orm and promptly inves�gated. Upon closer inspec�on, the DataStore employee recognized that customer names and social

security numbers were clearly displayed in the uploaded files.

The security team, with the help of DataStore, discovered that an intern was responsible for the large data transfer. The intern accidentally saved confiden�al email a�achments to a folder

on his system that synchronized with DataStore. The intern apologized and stated that he would delete the data from the cloud storage loca�on. However, the problema�c files were

available for public download for a short period of �me.

Prompt

A�er reading the scenario above, complete the Fundamental Security Design Principles mapping table in the Case Study Template and answer the short response ques�ons. You’ll no�ce that

the Fundamental Security Design Principles listed differ from those presented in previous ac�vi�es. In the cybersecurity trade, there are many different design principles and frameworks.

Successful prac��oners learn to work with many different (but conceptually similar) principles to achieve their security goals.

Specifically, you must address the cri�cal elements listed below:

I. Fundamental Security Design Principles Mapping: Fill in the table in the Module Three Case Study Template by comple�ng the following steps for each control recommenda�on:

A. Specify which Fundamental Security Design Principle applies to the control recommenda�ons by marking the appropriate cells with an X.



9/16/24, 3:18 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102835/View 1/3

https://app.readspeaker.com/cgi-bin/rsent?customerid=9568&url=https%3A%2F%2Flearn.snhu.edu%2Fcontent%2Fenforced%2F1698647-CYB-200-13406.202481-1%2FModule%2520Three%2520Case%2520Study%2520Activity%2520Guidelines%2520and%2520Rubric.html&lang=en_us&readid=d2l_read_element_1

B. Indicate which security objec�ve (confiden�ality, availability, or integrity) applies best to the control recommenda�ons.

C. Explain your choices in one to two sentences with relevant jus�fica�ons.

II. Short Response Ques�ons:

A. Is it possible to use Data Store and maintain an isolated environment? Explain your reasoning.

B. How could the organiza�on have more effec�vely applied the principle of minimizing trust surface with Data Store to protect its confiden�al data? Explain your reasoning.

C. How can the organiza�on build a more security-aware culture from the top down to prevent mistakes before they happen? Explain your reasoning.

What to Submit

Submit your completed Fundamental Security Design Principles map and short response answers in the Module Three Case Study Template. Your submission should be 1–2 pages in length

(plus a cover page and references, if used) and wri�en in APA format. Use double spacing, 12-point Times New Roman font, and one-inch margins. Use a file name that includes the course

code, the assignment number, and your name—for example, CYB_100_1-4_Neo_Anderson x.

Module Three Case Study Activity Rubric

Criteria Proficient (100%) Needs Improvement (65%) Not Evident (0%) Value

Mapping: Fundamental

Security Design Principle

Specifies which Fundamental Security

Design Principle applies to at least 8 of the

control

recommenda�ons

Specifies which Fundamental Security

Design Principle applies to fewer than 8 of

the

control recommenda�ons

Does not complete any of the

Fundamental Security Design Principle

cells

20

Mapping: Security Objec�ve

Indicates which security objec�ve (CIA)

best applies to 8 or more control

recommenda�ons

Indicates which security objec�ve (CIA)

best applies to fewer than 8 control

recommenda�ons

Does not complete any of the CIA triad 20

Mapping: Explain

Explains choices with relevant

jus�fica�ons for at least 8 of the control

recommenda�ons

Explains choices with relevant

jus�fica�ons for fewer than 8 of the

control recommenda�ons

Does not address cri�cal element, or

response is irrelevant

2

5

Short Response: Isolated

Environment

Explains if it is possible to use Data Store

and maintain an isolated environment

Addresses “Proficient” criteria, but there

are gaps in clarity, logic, or detail

Does not address cri�cal element, or

response is irrelevant

10

Short Response: Minimizing

Trust Surface

Explains how the organiza�on could have

more effec�vely applied the principle of

minimizing trust surface to protect its

confiden�al data

Addresses “Proficient” criteria, but there

are gaps in clarity, logic, or detail

Does not address cri�cal element, or

response is irrelevant

10

9/16/24, 3:18 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102835/View 2/3

Criteria Proficient (100%) Needs Improvement (65%) Not Evident (0%) Value

Short Response: Security-

Aware Culture

Explains how the organiza�on can build a

more security-aware culture from the top

down to prevent mistakes before they

happen

Addresses “Proficient” criteria, but there

are gaps in clarity, logic, or detail

Does not address cri�cal element, or

response is irrelevant

10

Ar�cula�on of Response Submission has no major errors related to

cita�ons, grammar, spelling, or

organiza�on

Submission has some errors related to

cita�ons, grammar, spelling, or

organiza�on that nega�vely impact

readability and ar�cula�on of main

ideas

Submission has cri�cal errors related to

cita�ons, grammar, spelling, or

organiza�on that prevent understanding of

ideas

5

Total: 100%

9/16/24, 3:18 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1698647/viewContent/35102835/View 3/3

CIA Triad and

Fundamental Security Design Principles

The terms listed below are essential in the field of cybersecurity and will be a topic of conversation and
application throughout the program. It is therefore important for you to familiarize yourself with these
terms and their definitions.

Note that the CIA triad is sometimes referred to as the tenets of cybersecurity. The Fundamental
Security Design Principles are sometimes called fundamental design principles, cybersecurity first
principles, the cornerstone of cybersecurity, and so on.

CIA Triad

Information that is secure satisfies three main tenets, or properties, of information. If you can ensure
these three tenets, you satisfy the requirements of secure information (Kim & Solomon, 2013).

 Confidentiality
Only authorized users can view information (Kim & Solomon, 2013).

 Integrity
Only authorized users can change information (Kim & Solomon, 2013).

 Availability
Information is accessible by authorized users whenever they request the information (Kim &
Solomon, 2013).

Fundamental Security Design Principles

These principles offer a balance between aspirational (and therefore unobtainable) “perfect security,”
and the pragmatic need to get things done. Although each of the principles can powerfully affect
security, the principles have their full effect only when used in concert and throughout an organization.
These principles are a powerful mental tool for approaching security: one that doesn’t age out of
usefulness or apply only to a few specific technologies and contexts; one that can be used for
architecture, postmortem analysis, operations, and communication. The principles are ultimately only
one piece in the security practitioner’s toolkit, but they are a flexible piece that will serve different roles
for different people (Sons, Russell, & Jackson, 2017).

 Abstraction
Removal of clutter. Only the needed information is provided for an object-oriented mentality.
This is a way to allow adversaries to see only a minimal amount of information while securing
other aspects of the model (Tjaden, 2015).

 Complete Mediation
All accesses to objects should be checked to ensure that they are allowed (Bishop, 2003).

 Encapsulation
The ability to only use a resource as it was designed to be used. This may mean that a piece of
equipment is not being used maliciously or in a way that could be detrimental to the overall
system (Tjaden, 2015).

 Fail-Safe Defaults / Fail Secure
The theory that unless a subject is given explicit access to an object, it should be denied access
to that object (Bishop, 2003).

 Information Hiding
Users having an interface to interact with the system behind the scenes. The user should not be
worried about the nuts and bolts behind the scenes, only the modes of access presented to
them. This topic is also integrated with object-oriented programming (Tjaden, 2015).

 Isolation
Individual processes or tasks running in their own space. This ensures that the processes will
have enough resources to run and will not interfere with other processes running (Tjaden,
2015).

 Layering
Having multiple forms of security. This can be from hardware or software, but it involves a series
of checks and balances to make sure the entire system is secured from multiple perspectives
(Tjaden, 2015).

 Least Astonishment (Psychological Acceptability)
Security mechanisms should not make the resource more difficult to access than when security
mechanisms were not present (Bishop, 2003).

 Least Privilege
The assurance that an entity only has the minimal amount of privileges to perform their duties.
There is no extension of privileges to senior people just because they are senior; if they don’t
need the permissions to perform their normal everyday tasks, then they don’t receive higher
privileges (Tjaden, 2015).

 Minimization of Implementation (Least Common Mechanism)
Mechanisms used to access resources should not be shared (Bishop, 2003).

 Minimize Trust Surface (Reluctance to Trust)
The ability to reduce the degree to which the user or a component depends on the reliability of
another component (Bishop, 2003).

 Modularity
The breaking down of larger tasks into smaller, more manageable tasks. This smaller task may
be reused, and therefore the process can be repurposed time and time again (Tjaden, 2015).

 Open Design
The security of a mechanism should not depend on the secrecy of its design or implementation
(Bishop, 2003).

 Separation (of Domains)
The division of power within a system. No one part of a system should have complete control
over another part. There should always be a system of checks and balances that leverage the
ability for parts of the system to work together (Tjaden, 2015).

 Simplicity (of Design)
The straightforward layout of the product. The ability to reduce the learning curve when
analyzing and understanding the hardware or software involved in the information system
(Tjaden, 2015).

 Trust Relationships
A logical connection that is established between directory domains so that the rights and
privileges of users and devices in one domain are shared with the other (PC Magazine, 2018).

 Usability
How easy hardware or software is to operate, especially for the first-time user. Considering how
difficult applications and websites can be to navigate through, one would wish that all designers
took usability into greater consideration than they do (PC Magazine, 2018).

References

Bishop, M. (2003). Computer security: Art and science. Boston, MA: Addison-Wesley Professional.
Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security (2nd ed.). Burlington,

MA: Jones & Bartlett Publishers.
PC Magazine. (2018). Encyclopedia. Retrieved from https://www.pcmag.com/encyclopedia
Sons, S., Russell, S., & Jackson, C. (2017). Security from first principles. Sebastopol, CA: O’Reilly Media,

Inc.
Tjaden, B. C. (2015). Appendix 1: Cybersecurity first principles. Retrieved from

https://users.cs.jmu.edu/tjadenbc/Bootcamp/0-GenCyber-First-Principles

CYB 200 Module Three Case Study Template

After reviewing the scenario in the Module Three Case Study Activity Guidelines and Rubric document, fill in the table below by completing the following steps:

1. Specify which Fundamental Security Design Principle applies to the control recommendations by marking the appropriate cells with an X.
2. Indicate which security objective (confidentiality, availability, or integrity) applies best to the control recommendations.
3. Explain your choices in one to two sentences with relevant justifications.

Control
Recommendations

Isolation Encapsulation Complete
Mediation

Minimize
Trust Surface

(Reluctance to
Trust)

Trust
Relationships

Security
Objective
Alignment

(CIA)

Explain Your Choices

(1–2 sentences)

Deploy an automated
tool on network
perimeters that
monitors for
unauthorized transfer of
sensitive information
and blocks such
transfers while alerting
information security
professionals.

Monitor all traffic
leaving the organization
to detect any
unauthorized use.

Use an automated tool,
such as host-based data
loss prevention, to
enforce access controls
to data even when data
is copied off a system.

Physically or logically

Control
Recommendations

Isolation Encapsulation Complete
Mediation

Minimize
Trust Surface

(Reluctance to
Trust)

Trust
Relationships

Security
Objective
Alignment

(CIA)

Explain Your Choices

(1–2 sentences)

segregated systems
should be used to
isolate higher-risk
software that is
required for business
operations.

Make sure that only the
resources necessary to
perform daily business
tasks are assigned to
the end users
performing such tasks.

Install application
firewalls on critical
servers to validate all
traffic going in and out
of the server.

Require all remote login
access and remote
workers to authenticate
to the network using
multifactor
authentication.

Restrict cloud storage
access to only the users
authorized to have
access, and include
authentication
verification through the

Control
Recommendations

Isolation Encapsulation Complete
Mediation

Minimize
Trust Surface

(Reluctance to
Trust)

Trust
Relationships

Security
Objective
Alignment

(CIA)

Explain Your Choices

(1–2 sentences)

use of multi-factor
authentication.

Make sure all data-in-
motion is encrypted.

Set alerts for the
security team when
users log into the
network after normal
business hours, or when
users access areas of
the network that are
unauthorized to them.

After you have completed the table above, respond to the following short questions:

1. Is it possible to use DataStore and maintain an isolated environment? Explain your reasoning.

2. How could the organization have more effectively applied the principle of minimizing trust surface with DataStore to protect its confidential data?
Explain your reasoning.

3. How can the organization build a more security-aware culture from the top down to prevent mistakes before they happen? Explain your reasoning.