1. Title

IT Security Risk Assessment

2. Introduction 

You are employed by Government Security Consultants, a subsidiary of Largo Corporation. As a member of the IT security consulting team, one of your responsibilities is to ensure the security of assets and to provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy in client organizations.

A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats. 

In a series of New York Times articles, BRI was exposed as the victim of several security breaches. As a follow-up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency’s information security controls and identified numerous issues.

The head of the agency has contracted your company to conduct an IT security risk assessment on its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations. 

This learning activity focuses on IT security, an overarching concern that involves practically all facets of an organization’s activities. You will learn the key steps of preparing for and conducting a security risk assessment, and how to present the findings to leaders and convince them to take appropriate action.

Understanding security capabilities is part of the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern for every organization, and it may spell the success or failure of its mission. Effective IT professionals are expected to be up to date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (orally and in writing) with executive-level management, in jargon-free terms, in a way that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities.

3. Steps to Completion 

Your instructor will form the teams. Each member is expected to contribute to the team agreement which documents the members’ contact information and sets goals and expectations for the team. 

1) Review the Setting and Situation 

The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats. 

The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing and therefore new types of security opportunities and threats are emerging which may impact the agency. 

Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary for this environment. 

The following incidents involving BRI’s systems occurred and were reported in the New York Times and other media outlets:

  • BRI’s network had been compromised by nation-state-sponsored attackers, and the attacks are still continuing. It is believed that the attackers accessed the intelligence data used to support U.S. diplomats.
  • The chief of the bureau used his personal e-mail system both for official business and for his own individual use.
  • A software defect in BRI’s human resource system, a web application, improperly allowed users to view the personal information of all BRI employees, including social security numbers, birthdates, addresses, and bank account numbers (for direct deposit of their paychecks). After the breach, evidence was accidentally destroyed, so neither the cause of the incident nor the identity of the attackers could be determined.
  • A teleworker brought home a laptop containing classified intelligence information. It was stolen during a burglary and never recovered.
  • A disgruntled employee of a BRI contractor disclosed classified documents through the media. He provided the media with, among other things, confidential correspondence between U.S. diplomats and the President that was very revealing.
  • Malware had infected all of the computers in several foreign embassies, causing public embarrassment, security risks for personnel, and financial losses to individuals, businesses and government agencies, including foreign entities.

These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI’s information security posture. Using standards and guidance from the National Institute of Standards and Technology and other sources, GAO reported the following findings:

Identification and Authentication Controls 

  • The minimum password length for certain network infrastructure devices was set to fewer than eight characters.
  • User account passwords had no expiration dates.
  • Passwords are the sole means of authentication.

Authorization Controls 

  • BRI allowed users to have excessive privileges to the intelligence databases. Specifically, BRI did not appropriately limit the ability of users to enter commands using the user interface. As a result, users could access or change the intelligence data.
  • BRI did not appropriately configure Oracle databases running on a server that supported multiple applications. The agency configured multiple databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases, potentially exceeding his/her job duties.
  • At least twenty user accounts were active on an application’s database, although they had been requested for removal in BRI’s access request and approval system.

Data Security 

  • BRI does not use any type of encryption for data at rest, but protects data in transit using a VPN.
  • A division data manager can independently control all key aspects of the processing of confidential data collected through intelligence activities.
  • One employee was able to derive classified information by “aggregating” unclassified databases.
  • Attackers gained access to transactional data held in a single repository and corrupted it.

System Security 

  • Wireless systems use the Wired Equivalent Privacy (WEP) standard to protect transmitted data. (WEP has been deprecated since 2004; its keys can be recovered from captured traffic.)
  • The agency permits “Bring Your Own Device” (BYOD), so users can connect their personal mobile devices to the agency network freely.
  • In the event of a network failure due to hacking, the data center manager has his own recovery plan but has not shared it with anyone inside or outside the center. He was not aware of any requirement to report incidents outside the agency.
  • The security controls in the agency have never been tested.
  • Procedures for the servers have not been documented; they exist only in the minds of the system managers.
  • Patching of key databases and system components has not been a priority. Patches have been applied late or not at all. Managers explained that it takes time and effort to test patches against their applications.
  • Devices connected to the network are scanned for vulnerabilities only when they are returned to inventory for future use.
  • System developers working on financial systems are allowed both to develop code and to access production code.

Physical Security 

  • An unauthorized person was observed “tailgating,” or closely following an authorized employee, while entering a secure data center.
  • The monthly review process at a data center failed to identify a BRI employee who had separated from the agency, so her access privileges were not removed. She was still able to access restricted areas for at least three months after her separation.

End User Security 

  • Users, even in restricted areas, are allowed to use social media such as Facebook. The justification given is that this is part of the agency’s public outreach efforts.
  • Users receive a 5-minute security briefing as part of their orientation session, which typically occurs on their first day of work. Security is not mentioned again during the course of employment.
  • Users are allowed to store their data in public clouds such as Dropbox, Box, and Google Drive.
  • BRI has not performed continuing background investigations on employees who operate its intelligence applications (one investigation is conducted upon initial employment).
  • There is no policy regarding the handling of classified information.

An internal audit report indicated that the organization needs several security programs, including a security awareness and training program, a privacy protection program and a business continuity/disaster recovery program. These programs will need special attention.

2) Examine Background Resources 

This learning demonstration focuses on the National Institute of Standards and Technology's (NIST) “Guide for Conducting Risk Assessments” (Special Publication 800-30).

See p. 23 for the description of the risk management process.

Throughout this learning activity, feel free to use other references such as: 

Other NIST publications,

SANS Reading Room,

CSO Magazine,

Information Security Magazine,

Homeland Security News Wire.

Other useful references on security risk management are listed at the end of this project description.

3) Prepare the Risk Assessment Plan 

Using the NIST report as your guide, address the following items: 

  • Purpose of the assessment,
  • Scope of the assessment,
  • Assumptions and constraints, and
  • Selected risk model and analytical approach to be used.

Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim report will be consolidated to a final deliverable in a later step.) 

All interim reports should be at least 500 words long and include at least five references for each report. These reports will eventually be presented to management for their review. 

4) Conduct the Assessment 

Again, use the NIST report to address the following: 

1) Identify threat sources and events
2) Identify vulnerabilities and predisposing conditions
3) Determine likelihood of occurrence
4) Determine magnitude of impact
5) Determine risk

You are free to make assumptions but be sure to state them in your findings. 

In determining risk, include assessment tables that reflect BRI’s risk levels. Refer to Appendix I (Risk Determination) of Special Publication 800-30, which combines the likelihood and impact ratings from steps 3 and 4 into a qualitative risk level.
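Step 5 is where the outputs of steps 1 through 4 are combined into a ranked list of risks. The Python below is an added example, not part of the assignment text or of SP 800-30 itself: it encodes the qualitative likelihood-by-impact matrix of Appendix I (Table I-2 of SP 800-30 Rev. 1, transcribed from memory; verify each cell against the publication before citing it in the report) and applies it to a handful of the BRI findings listed above. The likelihood and impact ratings attached to each finding are the example author's assumptions, chosen only to exercise the table; the team's own ratings, and the reasoning behind them, belong in the Findings Report.

```python
"""Qualitative risk determination modeled on NIST SP 800-30 Rev. 1, Appendix I.

Added example: the risk matrix below is transcribed from memory of Table I-2, and
the per-finding likelihood/impact ratings are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# SP 800-30 qualitative scale, ordered from least to most severe.
LEVELS: Tuple[str, ...] = ("Very Low", "Low", "Moderate", "High", "Very High")

# Table I-2: level of risk for each likelihood (row) and impact (column) pair,
# both indexed in LEVELS order. Transcribed from memory; check against SP 800-30.
RISK_TABLE: Dict[str, Tuple[str, ...]] = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


@dataclass(frozen=True)
class Finding:
    """One row of the assessment: the outputs of Tasks 2-2 through 2-5."""
    threat_event: str   # what the adversary or accident does
    vulnerability: str  # weakness or predisposing condition that makes it possible
    likelihood: str     # overall likelihood that the event occurs and causes harm
    impact: str         # magnitude of impact if it does


def determine_risk(likelihood: str, impact: str) -> str:
    """Task 2-6: combine likelihood and impact into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}, got {likelihood!r}/{impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


def rank_findings(findings: Iterable[Finding]) -> List[Tuple[str, Finding]]:
    """Return (risk level, finding) pairs, highest risk first.

    Ties are broken by likelihood and then impact so the ordering is stable and
    the same table comes out of every run of the report.
    """
    scored = [(determine_risk(f.likelihood, f.impact), f) for f in findings]
    return sorted(
        scored,
        key=lambda p: (LEVELS.index(p[0]), LEVELS.index(p[1].likelihood), LEVELS.index(p[1].impact)),
        reverse=True,
    )


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per risk level, for the heat-map style summary in the report."""
    counts = {level: 0 for level in LEVELS}
    for risk, _ in rank_findings(findings):
        counts[risk] += 1
    return counts


# Constructed sample drawn from the BRI findings in the case study. The ratings
# are the example author's assumptions, not part of the assignment text.
BRI_FINDINGS: Tuple[Finding, ...] = (
    Finding("Nation-state actors exfiltrate intelligence data",
            "Ongoing network compromise, no detection", "Very High", "Very High"),
    Finding("Eavesdropper decrypts wireless traffic", "WEP used on wireless systems", "High", "High"),
    Finding("Known exploit used against database server", "Patching late or not performed", "High", "Moderate"),
    Finding("Stolen teleworker laptop read by thief", "No encryption of data at rest", "Moderate", "High"),
    Finding("Network device password guessed", "Minimum length below eight characters", "Moderate", "Moderate"),
    Finding("Intruder tailgates into data center", "Badge process not enforced at the door", "Low", "Moderate"),
)


def risk_register(findings: Iterable[Finding]) -> str:
    """Plain-text register suitable for pasting into the Findings Report."""
    rows = ["{:<10} {:<10} {:<10} {}".format("Risk", "Likelihood", "Impact", "Threat event / vulnerability")]
    for risk, f in rank_findings(findings):
        rows.append("{:<10} {:<10} {:<10} {} / {}".format(risk, f.likelihood, f.impact,
                                                          f.threat_event, f.vulnerability))
    return "\n".join(rows)


if __name__ == "__main__":
    print(risk_register(BRI_FINDINGS))
    print(summarize(BRI_FINDINGS))
```

Running the script prints the register with the ongoing nation-state compromise at the top and tailgating at the bottom; the point of the ranking is to show management where limited budget goes first. If the team prefers the semi-quantitative scale (0-10 or 0-100) that Appendix I also offers, only LEVELS and RISK_TABLE need to change; the ranking and summary logic stay the same.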

Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be sure to include the final risk evaluations in this report. 

5) Identify Needed Controls and Programs 

Research and specify security controls needed to close the security gaps in BRI. 

Also, be sure to include a description of the following programs for securing BRI: 

  • Security Awareness and Training Program (i.e., communications to employees regarding security)
  • Privacy Protection Program
  • Business Continuity/Disaster Recovery Program

You should justify the need for the agency to invest in your recommendations. 

Document your findings and recommendations from this step in the “Interim Security Recommendations Report.” 

6) Communicate the Overall Findings and Recommendations 

Integrate your earlier interim reports into a final management report. Be sure to address:

  • Summary of the Current Security Situation at BRI (from Step 1)
  • Risk Assessment Methodology (from Step 2)
  • Risk Assessment Plan (from Step 3)
  • Risk Assessment Findings (from Step 4)
  • Security Recommendations Report (from Step 5)
  • Conclusions

Also provide a presentation to management. The presentation should consist of 15-20 slides and include audio narration. The narration should also be captured in the slide notes.

Prepare a peer evaluation report. 

4. Deliverables 

  • Final Management report (as described in Step 6)
  • PowerPoint Presentation

Except for the presentation, combine all of the files into one Word document. Provide an abstract, introduction, table of contents and conclusion in this one document. 

Title your files using this protocol: GroupNumber_G-2_AssignmentName_Date. 

In lieu of submitting the presentation, the team leader may provide a link to the presentation file. 

NOTE: At the end of the project, each member of the team should email a completed Peer Evaluation form to your instructor. 


Ross, R. (2014). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53. Retrieved from 

Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. & Thomas, R. (2002). Contingency planning guide for information technology systems. NIST Special Publication 800-34. Retrieved from 

Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50. Retrieved from 





I-1: Enterprise Architecture Plan
I-2: Technology Management Plan
I-3: Technology Innovation Project

G-1: Infrastructure Modernization Review
G-2: IT Security Risk Assessment
G-3: Health Information Technology Architecture


Individual Projects


Individual Project I-1

1. Title

Enterprise Architecture Plan

2. Introduction

Largo Corporation is a major multinational conglomerate corporation which specializes in a wide array of products and services. These products and services include healthcare, finance, retail, government services, and many more. The annual revenue is about $750 million and it has about 1,000 employees. The parent company is headquartered in Largo, Maryland and its subsidiaries are located throughout the United States.

The mission of the corporation is to bring the best products and services to people and businesses throughout the world so they can then realize their full potential.

The corporate vision guides every aspect of their business to achieve sustainable, quality growth:

• Productivity: Be a highly effective, lean and fast-moving organization.

• People: Be a great place to work where people are inspired to achieve their maximum potential.

• Partners: Nurture a winning network of customers and suppliers; together we create mutual, enduring value.

• Responsible: Be a responsible citizen that makes a difference through ethical behavior.

• Revenue: Maximize long-term return while being mindful of our overall responsibilities.

The company’s culture is reflected in their corporate values:

• Leadership: Courage to shape a better future.

• Collaboration: Leverage collective intelligence.

• Accountability: Own up to your responsibility.

• Passion: Committed to excellence.

• Diversity: Provide new perspectives into our business.

• Quality: Make quality part of our brand.

The corporation consists of the parent company and the following subsidiaries:

• Healthcare – Suburban Independent Clinic, Inc. (medical services)

• Finance – Largo Capital (financial services)

• Retail – Rustic Americana (arts and crafts), Super-Mart (office products)

• Government Services – Government Security Consultants (information security)

• Automotive – New Breed (electric cars)

• Systems Integration – Solutions Delivery, Inc. (communications)


• Media Design – Largo Media (website and app design)

The organization is headed by CEO Tara Johnson, who completed her Master’s degree at UMUC and is eager to make worthwhile improvements to the corporation. She rose through the ranks of Largo Corporation, starting in systems integration, then retail; her last position before becoming CEO was in finance.

The corporation is in a highly competitive environment, so the CEO wants savvy employees at many levels to make wise judgments, take an aggressive approach and deliver results that improve the bottom line while maintaining corporate social responsibility.

Corporate Issues

Ms. Johnson is aware of the many enterprise-wide problems Largo Corporation and its subsidiaries are facing, which include:

• The complexity of IT is constantly increasing

• Many disparate systems do not interoperate among the parent company and the subsidiaries and among the business units

• Many duplicate systems across different business units which perform the same function

• Each part of the organization has their own unique technology standards

• It is a major challenge to integrate technology into the daily operations of the organization

Because of these problems, IT systems in the corporation often failed to meet organizational goals and objectives.

A Potential Solution

A few months ago, Ms. Johnson attended a symposium for CEOs and other senior executives and learned about enterprise architecture and how it can enable business-IT alignment and agility. Upon her return, she floated the idea with the board of directors and her direct reports, and vetted it with IT Operations head Mr. Sculley. With strong support from the board and Mr. Sculley, Ms. Johnson created an enterprise architect position reporting directly to her, with dotted-line reporting to all area heads. You have been handpicked to serve as the new Chief Enterprise Architect for Largo Corporation. Your assignment is to craft an enterprise architecture vision and explain how the vision enables business goals. Among other things, you need to justify the implementation of an enterprise architecture at Largo Corporation. According to the U.S. Government Accountability Office, “an enterprise architecture (EA) is an integral part of the IT investment management process. An EA provides a clear and comprehensive picture of the structure of an entity. This picture consists of snapshots of its current and proposed technical environments, and a roadmap for transitioning from the current to the target environment. When properly managed, an EA can help optimize the relationships among an organization's business operations and the IT infrastructure and applications supporting them.”


You will learn about the EA concept, various EA frameworks and apply one to the Largo Corporation. You will learn how to migrate the corporation to a well-defined enterprise architecture vision. As part of the migration effort you will need to identify the governance structure for the architecture. As an enterprise architect, your ability to understand and apply enterprise architecture principles and methodology enables the organization to achieve a business-IT aligned, agile and scalable IT asset. This in turn enables the organization to leverage IT as a competitive strategy to respond quickly to changing market conditions in a global economy. Additionally, you must be able to communicate effectively (oral and written) to executive level management in a non-jargon, executive level manner. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by enterprise architects.

3. Steps to Completion

1) Understand the Enterprise Architecture Concept

You need to first understand the foundational concepts of an EA, including what it is and why it is needed. Conduct research to gain an understanding of the concept and determine how it might apply to Largo Corporation.

An informative reference book is “An Introduction to Enterprise Architecture: Third Edition” by Scott A. Bernard (start at Pg. 29).



The role of an enterprise architect is captured well in this article:

Deliverable: Prepare an interim report for corporate executives explaining the enterprise architecture concept and discussing its applicability to Largo Corporation. Minimum 400 words and include at least 3 references. (An interim report will be consolidated into a final deliverable in a later step.)

2) Review EA Frameworks

Research various enterprise architecture frameworks. Examples include The Open Group Architecture Framework (TOGAF), the Federal Enterprise Architecture (FEA), and the Zachman Framework. Compare and contrast these frameworks. A good starting point is this article by Roger Sessions:


A variety of frameworks are also mentioned in this source (starting on Page 11):




Deliverable: Compare and contrast at least four different major architectural frameworks based on various attributes and report your findings in a summary table. Include brief descriptions and the sources of your information. Include at least 3 references.

3) Understand the TOGAF Framework

For this project we will use the TOGAF architectural framework, described starting at the Introduction of the online TOGAF documentation. Use the “Next>>>” link (upper right-hand corner and lower right-hand corner) to advance to the next topic, “Core Concepts.” Explore this resource.

Next read “TOGAF as an Enterprise Architecture Framework”:

4) Execute the preliminary phase of the architecture development process.

Start by reviewing the Architecture Development Method (ADM), then walk through the Preliminary Phase.


Deliverables for this step include: (a) Define the architectural framework in the form of a diagram specific to Largo. (b) Identify the architectural principles you feel are applicable to Largo Corporation. (c) Create the future vision diagram for the company. Details on each deliverable are defined below.

(a) The framework diagram needs to be organization-specific. This architecture vision should take into account the “corporate issues” identified in the Introduction of this learning activity. You are free to make assumptions and hypothetical scenarios behind your architectural vision. Examples of frameworks can be found at:


(b) Provide architecture principles for the following domains: business, data, application, and technology for Largo Corporation. Examples can be found at:

Your principles should try to address the problems identified in the Introduction section of this learning activity.

Identify at least 3 principles for each domain and explain their applicability to Largo Corporation.


To document your principles, you may use the TOGAF 9 templates (you will need to set up an account if you have not previously). Download the zip file and open: TOGAF_9_Templates > Deliverables > Architecture Principles, and open the Word document.

(c) To define the future vision, you can create a solution concept or a value chain diagram. This is an important step that articulates your perspective of the future architecture of Largo Corporation. Include an explanation for your vision including why it is appropriate for the


Templates that you may use are downloadable from the TOGAF 9 templates site (you will need to set up an account). Download the zip file and open: TOGAF_9_Templates > Artifacts > Core Diagrams > Architecture Vision, and open the two PowerPoint presentations.

5) Prepare a Migration Plan

Research migration planning resources such as:

Another way to articulate the migration plan is through an Enterprise Direction Diagram; an example is shown at:

Another example is Slide 23 in this slide presentation:

Deliverable: Outline a plan and include an Enterprise Direction Diagram or similar graphic to address migrating to the target architecture as defined in the architectural vision. In other words, this plan should address how the organization will move from the “as-is” to the “to-be” state. Minimum length is 400 words.

6) Define the Architecture Governance Process and Structure

Architecture governance is defined as the set of activities an organization uses to manage and control its enterprise architectures and other architectures. This process institutionalizes decision making and ensures accountability. More at:


Research this topic and, for the Largo Corporation enterprise architecture, define the “who”, “what” and “where” associated with this process. For example: who is responsible for governance (e.g., establish an architectural governance board?), what will be managed and controlled, and where in the organization will controls be applied.

Deliverable: Summarize your findings in an interim architectural governance document. Minimum length is 400 words.

7) Communicate the Architectural Vision.

The final deliverable is a narrated PowerPoint presentation that summarizes all of the key findings and recommendations from the previous steps. The target audience is the CEO and other executives in the organization. Be sure to address the following information:

– Introduction: Describe the issues facing the corporation, then define an enterprise architecture and explain why it is needed for Largo Corporation. Provide a short summary of the architectural frameworks and explain why TOGAF is applicable to Largo Corporation. (From Steps 1, 2)

– Architecture Vision: Describe the architectural framework, architectural principles and future vision specific to the corporation. (From Step 4)

– Migration Plan: Outline the steps needed to transition from the current state to the desired state. (From Step 5)

– Architectural governance structure: Provide highlights from the architectural governance document. (From Step 6)

The presentation should consist of 10-15 slides and include audio narration. The narration should also be captured in the slide notes.

4. Deliverables

1) Interim Report on the EA concept

2) Summary matrix on architectural frameworks

3) Architectural framework for Largo Corporation

4) Architectural principles

5) Future vision diagram

6) Migration plan

7) Architecture governance process and structure

8) Architectural vision final presentation

Except for the presentation, combine all of the files into one Word document. Provide an abstract, introduction, table of contents and conclusion in this one document.


Title your files using this protocol: LastName_FirstName_I-1_AssignmentName_Date.

In lieu of submitting the presentation, you may provide a link to your presentation file.

5. Rubrics

Criteria                                                                                              Weight

Define the enterprise architecture concept and identify key architectural frameworks used in practice

Formulate an architectural framework for a given organization and identify applicable architectural principles relevant for that organization

Design and develop an enterprise architecture vision that accommodates components of the enterprise

Create a migration strategy in transforming an enterprise architecture                                10

Evaluate the role of architectural governance in managing enterprise

Exhibit communication skills                                                                          10

Total                                                                                                 100


Individual Project I-2

1. Title

Technology Management Plan

2. Introduction

You have been selected to be the acting CIO for a subsidiary of Largo Corporation called Rustic Americana. Its primary products include arts and crafts that reflect the history, geography, folklore and cultural heritage of the United States. It specializes in direct marketing and sales through its call center. Sales are through a web store, a brick-and-mortar store, and a direct mail catalogue. All services are housed under one roof, including warehousing, order fulfillment, shipping, corporate management and operations, and the call center. The success of the company hinges on its eye-catching direct mail catalogue and its unique product line.

Unfortunately, annual sales have declined over the years, due largely to internal issues. The previous CIO was terminated, some say due to incompetence primarily related to the underperforming call center. In addition, speculation swirled around the activities of the CIO. He was often absent from the building. He secluded himself behind the closed door of his office. Associated rumors mounted, and it was believed that he was running a consulting business on company time. When the Rustic Americana CEO asked him about this during a formal review, the CIO answered that it was a weekend hobby that kept him abreast of emerging technologies. The CEO asked him if one of their competitors was a client and he vehemently denied the accusation. She was certain that the CIO was not being entirely truthful wit
