Cybersecurity Processes & Technologies

Case Study #2: Technology & Product Review for Identity Governance & Administration
Case Scenario:
For this case study, our focus shifts to technologies and products used to implement the Identity Governance & Administration (IGA) business process and related security controls.
IGA is used to manage and mitigate insider threat. Insiders, because of their access to information and information resources (e.g. workstations, servers, networks), potentially have the opportunity and the means by which to steal intellectual property, commit fraud, and perform other types of mischief and mayhem (ranging from pranks to deliberate sabotage).
For our focus firm, Sifers-Grayson, access control and identity management have not been a serious concern … or so their executives and managers thought. The majority of employees and managers are from the local area where there is a strong sense of community. The founders of the company belong to families who were among the original settlers for the county. They contribute heavily to local charities and youth organizations. They rely upon these connections to family and community when hiring and have a strong tradition of promoting from within.
The problem is that Sifers-Grayson’s operations and sales have taken them into the vast geographies of the Internet and cyberspace. There is an emerging awareness among the engineering staff of the potential for outsiders to attack the company through its Internet connections. The thought that an insider might cause trouble for the firm is still hard for them to accept.
The company can no longer afford to depend upon social mores (pronounced “more-rays”) and norms to protect it against the possibility of insider threats. The new contracts specifically require proper labeling of information (“data classification”) and require control over access to government furnished information (“GFI”). This means that the company needs to change its culture and change its management processes.
The primary means for protecting against insider threats is to control insider access to information, information systems, and the information infrastructure. The two most basic processes used to protect against insider threat are (a) identity management and (b) access controls. Data classification is also an important protective process since it enables the use of the value or sensitivity of information when determining how and when to grant access. Privilege management is a third protective process, which is used to protect against the misuse of permissive access to software applications and operating system functions. The principle of least privilege is an important control over this permissive access. Finally, separation of duties is a key business process, which is used to prevent insiders from abusing access to information and information resources.
Case Study #2, which you will work on this week, provides you with an opportunity to explore technology-based solutions to the problems of managing identity and managing access. For this case study you will select and then review a commercially available Identity Governance & Administration (IGA) product. Your chosen product must a technology-based solution for managing who is granted access (identity), what access rights are granted (access to resources), and how much access is allowed (privilege).
Research:
1. Review the weekly readings.(see recommended resources below)
2. Choose an Identity Governance & Administration product which was mentioned in the readings. Research your chosen product using the vendor’s website and product information brochures.
3. Find three or more additional sources which provide reviews for (a) your chosen product or (b) general information about the characteristics of Identity Governance & AdministrationProducts.
Write:
Write at least3 pages summary of your research. At a minimum, your summary must include the following:
1. An introduction or overview for the security technology category (Identity Governance & Administration).
2. A review of the features, capabilities, and deficiencies for your selected vendor and product.
3. Discussion of how the selected product could be used by your client to support its cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc.
4. A closing section in which you restate your recommendation for a product (include the three most important benefits).
As you write your review, make sure that you address security issues using standard cybersecurity terminology (e.g. protection, detection, prevention, “governance,” confidentiality, integrity, availability, nonrepudiation, assurance, etc.). See the ISACA glossary https://www.isaca.org/pages/glossary.aspx if you need a refresher on acceptable terms and definitions.
Submit For Grading
• Submit your case study in MS Word format (.docx or .doc file) using the Case Study #2:IGA Technology & Product Review assignment in your assignment folder. (Attach the file.)
• You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
• Consult the grading rubric for specific content and formatting requirements for this assignment.
• For the submission of this assignment (All Projects), you are required to submit your work through Turnitin.

Recommended Resources for Case Study #2
• 20 Best Identity Management Software in 2019- https://financesonline.com/identity-management/
• Privileged Access Management Solutions are Shifting to the Cloud-https://www.securityweek.com/privileged-access-management-solutions-are-shifting-cloud-survey
• Organizations are Failing Painfully at Securing Privileged Accounts-https://www.securityweek.com/organizations-failing-painfully-protecting-securing-privileged-accounts
• Identity Governance and Administration (Article)-https://www.csoonline.com/article/3113451/identity-governance-and-admin-beyond-basic-access-management.html

Rubric Name: Case Study: Technology & Product Review Rubric
Criteria Excellent
Provided an introduction or overview for the security technology category Provided an excellent overview of the security technology category assigned for this case study. The overview appropriately used information from 3 or more authoritative sources, i.e. journal articles, industry or trade publications, news articles, industry or government white papers and authoritative Web sites.
Identified and Reviewed a Vendor product Provided an excellent review of the features, capabilities, and deficiencies for a selected vendor product in the assigned security technology category. The review appropriately used information from 5 or more authoritative sources, i.e. journal articles, industry or trade publications, news articles, industry or government white papers and authoritative Web sites.
Reported on how the product could be used to support cybersecurity objectives (i.e. confidentiality, integrity, availability, authorization, authentication, etc.) Provided an excellent discussion of how the selected product could be used to support cybersecurity objectives by reducing risk, increasing resistance to threats/attacks, decreasing vulnerabilities, etc. Discussion provided five or more specific examples of how use of this product would positively impact cybersecurity for information, information systems, and/or networks. The discussion was supported by information drawn from authoritative sources.
Professionalism: Use of Cybersecurity Terminology Demonstrated excellence in the use of standard cybersecurity terminology to support discussion of the technology. Appropriately used 5 or more standard terms.
Professionalism: Use of Authoritative Sources / Resources Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. Reference list entries and in-text citations are consistently and correctly formatted using an appropriate citation style (APA, MLA, etc.). Five or more authoritative sources were used and cited.
Professionalism: Organization & Appearance Submitted work shows outstanding organization and the use of color, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
Professionalism: Execution No formatting, grammar, spelling, or punctuation errors.