e-Commerce Risk Analysis
Project #1: Supply Chain Risk Analysis

Overview

For this project, you will write a research-based report on Cyber and IT supply chain risks which the client company, Sifers-Grayson, must be aware of. This report will be presented to the company’s executive leadership to help them understand the overall problem of Cyber and IT supply chain risk. This problem has been raised to the attention of the company’s executive leadership by two influential customers, the US Department of Defense and the US Department of Homeland Security. These two customers have raised concerns about the company’s preparedness to address and mitigate cybersecurity risks which could result from supply chain attacks. In their letter to Sifers-Grayson, these customers asked the company “what are you doing to prevent supply chain attacks?”

Background

Nofsinger consultants met with the government officials and learned that they were concerned about managing the risks from attacks such as the 2020 SolarWinds attack and longstanding trojan/backdoor attacks in network hardware (e.g. Huawei routers) and computer system components. The SolarWinds attack compromised the software update mechanism for a widely used set of network management tools (Korolov, 2021). Supply chain attacks which compromise hardware components purchased from non-US sources are also of concern (Lee & Moltke, 2019).

Nofsinger consultants also analyzed the internal business processes involved in the engineering supply chain for client Sifers-Grayson. They have learned that, when a Sifers-Grayson engineer needs parts to build a robot or drone, the engineer places an internal order with the company’s parts stockroom. If the stockroom does not have the part immediately available, an employee places an order with an approved vendor. These vendors are equipment resellers who purchase components from a number of manufacturers and suppliers.
The company also purchases components for some systems via e-Commerce websites and has encountered supply chain issues as a result of using these sites to purchase common components such as CPU chips, memory chips, programmable control chips, power supplies, graphics cards, network interface cards, and mass storage devices. Some may be brand-name components while other, less expensive products are made by companies which are less well known. The consultants also learned that Sifers-Grayson does not have a controlled process for testing software updates before the updates are installed on computer systems in the company’s R&D labs.

Finally, the consultants learned through interviews that, at times, there are supply chain shortages which may result in a reseller substituting generic products for brand name products. The consultants informed Sifers-Grayson that such substitutions can increase the risks associated with purchasing products from third parties whose reputations are unknown or less well established. The company responded that it has a quality assurance process which checks purchased parts for physical damage or lack of functionality. The consultants believe that this process can be improved to reduce the likelihood of an undetected supply chain attack (e.g. malware loaded onto a USB or SSD mass storage device, a programmable control chip, etc.).

Your Task

Your task is to build upon the business analysis previously conducted by the Nofsinger consultants (see the Overview section above). You must research the problems of hardware and software supply chain attacks and then write a research-based report for Sifers-Grayson executives which will provide them with information they can use to evaluate proposed solutions for addressing the identified supply chain risks. Use the authoritative sources provided below (under “Research”) to start your investigation into the issues.
Then, follow the required outline (see “Write” below) to organize and write your report. You must paraphrase information from your authoritative sources and provide appropriate citations which identify your sources so that readers can fact check your work.

Research

1. Research Cyber Supply Chain Risks affecting industry in general. Here are some suggested resources to get you started:
   • https://www.zdnet.com/article/supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them/
   • https://www.cshub.com/attacks/articles/cyber-attacks-top-list-of-risks-impacting-supply-chain
   • https://www.lmi.org/blog/securing-supply-chain-cybersecurity-and-digital-supply-chain
   • Information and Communications Technology Supply Chain Risk Management (ICT SCRM): https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Managements/documents/nist_ict-scrm_fact-sheet.pdf
   • Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (NISTIR 8276): https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf

2. Research Hardware Supply Chain Attacks including trojans/backdoors in commercial network hardware:
   • https://www.theguardian.com/technology/2019/apr/30/alleged-huawei-router-backdoor-is-standard-networking-tool-says-firm
   • https://www.trendmicro.com/en_us/research/21/k/private-5g-security-risks-in-manufacturing-part-4.html
   • https://www.techdesignforums.com/practice/guides/hardware-trojan-security-countermeasures/

3. Research Software Supply Chain Attacks including the SolarWinds Attack:
   • https://www.mitre.org/sites/default/files/publications/pr-18-0854-supply-chain-cyber-resiliency-mitigations.pdf
   • https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
   • https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
   • https://www.datacenterknowledge.com/security/what-are-supply-chain-attacks-and-how-guard-against-them

4. Research best practices and recommended strategies and
approaches for managing Cyber and IT supply chain risks:
   • Best Practices in Cyber Security Supply Chain Risk Management: https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/case_studies/USRP_NIST_Exelon_102215_05.pdf
   • Supply Chain Cybersecurity: Experts on How to Mitigate Third Party Risk: https://digitalguardian.com/blog/supply-chain-cybersecurity
   • 5 Cybersecurity Best Practices for your Supply Chain Ecosystem: https://supply-chain.cioreview.com/cxoinsight/5-cybersecurity-best-practices-for-your-supply-chain-ecosystem-nid-14195-cid-78.html

Write

1. An introduction which addresses the problem of Cyber and IT supply chain security. Your introduction should clearly explain what a supply chain is and why it is important to a manufacturing firm like Sifers-Grayson.

2. A section on Cyber and IT supply chain risks in which you identify and describe specific sources of cyber or IT supply chain risk which could impact Sifers-Grayson’s operations and its products and services. Begin this section with an overview followed by the two required sub-sections. You should have at least 3 hardware supply chain related risks and 3 software supply chain related risks (six or more total risks).
   a. Use a sub-section to address 3 or more risks of attacks which could impact hardware components used in manufacturing robots and drones (focus on components obtained from third parties and vendors via the hardware supply chain). You should also address the networks and computers used in the manufacturing facility (which are also obtained via the hardware supply chain).
   b. Use a sub-section to address 3 or more risks of attacks against the software supply chain (e.g. attacks against the software supply chain for software used to program and test control systems for the robots and drones produced by Sifers-Grayson).

3. A section on best practices for reducing risks in the Cyber and IT supply chain.
In this section you must identify and discuss 5 or more best practices for managing Cyber and IT supply chain risks in a manufacturing industry. You must also provide an evaluation of the expected benefits from implementing each of these practices.

4. A summary and conclusions section in which you present an overall picture of the supply chain risk problem in a manufacturing industry and best practices for managing Cyber and IT supply chain risks.

Submit for Grading

Submit your work in MS Word format (.docx or .doc file) using the Project 1 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Consult the grading rubric for additional content and formatting requirements for this project.

2. Your 4-5 page paper should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use section and sub-section headings in addition to page breaks to organize your paper. You are allowed to exceed the page count listed under item #2 but you should focus upon providing a clear and concise written analysis. Graphics, title page, table of contents, and reference list do not count towards the page count.

3. Your paper should use standard terms and definitions for cybersecurity concepts. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources. An APA template file (MS Word format) has also been provided for your use: CSIA_Paper_Template(TOC+TOF,2021).docx. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count. The table of contents from the template is not required for this assignment and does not count towards the page count.
However, if you leave the table in place, you must update it so that it shows correct headings and page numbers.

4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

5. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.). If you paste in graphics, you MUST provide a caption with an in-text citation that identifies the source (treat it like a quotation).

References

Korolov, M. (2021, January 12). What are supply chain attacks, and how to guard against them. Retrieved from https://www.datacenterknowledge.com/security/what-are-supply-chain-attacks-and-how-guard-against-them

Lee, M., & Moltke, H. (2019, January 24). Everybody does it: The messy truth about infiltrating computer supply chains. Retrieved from https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

Project #2: e-Commerce Risk Analysis

Overview

E-Commerce companies have become increasingly important in this era of global pandemics and resulting restrictions on businesses and individuals. Consumers are ordering products online in larger numbers than ever before due to business closures or restricted operating hours. Companies positioned in the e-Commerce industry are experiencing growth beyond previous predictions. But, at the same time, some e-Commerce companies are seeing their business decline drastically due to travel restrictions and the reluctance of businesses and individuals to travel for any but the most critical of reasons.
Added to the risk picture are the actions of cybercriminals, hackers, and nation-state actors who are taking advantage of these unsettled times, resulting in increased risks for companies whose business models depend upon the Internet for financial transactions, orders, and communications, both internal and external. For a company considering an expansion into e-Commerce there can be an increased number of risks overall, especially in the areas of information technology and online ordering.

For this project, you will prepare a Risk Analysis to be presented to the governance board (executives and senior managers) at Bay & Shore General Store. After their approval, the Risk Analysis will be sent to the company’s bankers as part of a loan application package for the planned e-Commerce expansion.

Note: before proceeding, you should review NIST SP 800-30 R1: Guide for Conducting Risk Assessments (https://doi.org/10.6028/NIST.SP.800-30r1). Pay special attention to Appendix D: “Threat Sources: Taxonomy of Threat Sources Capable of Initiating Threat Events” and Appendix H: “Impact: Effects of Threat Events on Organizations, Individuals, and the Nation.”

Review the Case Study for Information about Bay & Shore General Store

For this project, you will begin by reviewing the Case Study description of Bay and Shore General Store (found in the course case study Identifying & Managing Cybersecurity Risk > The Clients > Bay & Shore General Store). Pay particular attention to the list of Use Cases which the company has provided. These are repeated below. Using your previous learning, brainstorm the types of security risks or threats which could apply to each use case.

Table 1.
Bay & Shore General Store Use Cases for e-Commerce Activities

Actor                       | Actions
----------------------------|-----------------------------------------------------------------------------------
Customer                    | Customer browses an online catalog of products
Customer                    | Customer makes a product purchase (email or phone now, using shopping cart in future)
Employee                    | Employee fills order and ships to customer
Company (Automated Process) | Company bills customer for items and shipping costs
Customer                    | Customer initiates return of a delivered product
Customer                    | Customer cancels purchase that has not been shipped
Employee                    | Employee enters a price change for an item in inventory
Employee                    | Employee initiates reorder for low-stock
Manager                     | Manager checks sales report
Manager                     | Manager authorizes refund
Manager                     | Manager authorizes payment to vendors for stock

Review the Security Requirements for Accepting Payments via Payment Cards

Read the Payment Card Industry Data Security Standards Council’s document Maintaining payment security (https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security). Brainstorm the types of cybersecurity risks which could affect Bay and Shore General Store’s payment transactions (review the Use Cases to identify which ones involve financial transactions).

Review the Risk Statements from Three Comparable e-Commerce Companies

Review the Risk Statements prepared by three companies which operate similar e-Commerce infrastructures. These companies are shown in the table below along with links to public documents which contain their Risk Statements.

Table 2.
e-Commerce Companies Similar to Bay & Shore General Store

Company     | Website                                          | Annual Report to Investors (Form 10-K)
------------|--------------------------------------------------|---------------------------------------
1800Flowers | https://www.1800flowersinc.com/investors         | https://otp.tools.investis.com/clients/us/1-800-flowers1/SEC/sec-show.aspx?Type=html&FilingId=15219013&Cik=0001084869
Amazon      | https://ir.aboutamazon.com/overview/default.aspx | https://s2.q4cdn.com/299287126/files/doc_financials/2021/ar/Amazon-2020-Annual-Report.pdf
Etsy        | https://investors.etsy.com/home/default.aspx     | https://d18rn0p25nwr6d.cloudfront.net/CIK-0001370637/4e43d306-4e72-462c-8f1a-bcb19b770718.pdf

Research the Three Comparison Companies

Using the URLs listed in Table 2 and your own research, review each company’s website to learn about the products and services which it sells via e-Commerce. After you have reviewed each company’s website, identify 3 or more additional sources of information about each company and how it operates in cyberspace. These can be news articles, data breach reports, etc. Focus on finding information that addresses how the company is responding to the current cyberthreat and economic environment (2019 or later). Using the information obtained from your sources, identify the types of information, information systems, and business operations which drive each company’s need to purchase (or build its own) cybersecurity products and services. Make certain that you clearly identify, by company, what assets, information, and operations need to be protected.

Analyze each Comparison Company’s Form 10-K Annual Report to Investors

Using the links from Table 2, download a copy of each company’s Annual Report to Investors from its Form 10-K filing with the United States Securities and Exchange Commission. (Note: the company is the author of its Form 10-K. Do not list the SEC as the author.)

1. Review each company’s description of itself including history, current operations, etc.

2. Read and analyze the Risk Factors section in each company’s report to investors (Item 1.A).
This section is a professionally written risk analysis that has been written for a specific audience. Pay close attention to what the company includes as risk factors and how the writers chose to present this information.

3. Analyze the risk factors to determine which ones are related to e-Commerce / Internet operations or are otherwise affected by the use of information in digital form and Information Technology systems and infrastructures. Make a list that shows what information, digital assets, and/or business operations (processes) need to be protected from cyberattacks and/or cybercrime (including insider and external threats) and the type of risk or threat that could affect those assets and processes.

4. Determine which of the identified risks are likely to also apply to Bay & Shore General Store as it expands into e-Commerce operations.

Construct Your Risk Analysis

After analyzing each company’s e-Commerce operations and risk statements about those activities, you will construct and document your own cybersecurity risk analysis which focuses upon identifying risks that other e-Commerce companies face and that Bay & Shore General Store is also likely to encounter during its planned expansion into e-Commerce (including all supporting business processes). Use the provided Bay & Shore General Store Use Cases as a starting point to organize your analysis. Your risk analysis should address 8 or more of the Use Cases listed under Bay & Shore General Store.

Write

1. An introduction section which identifies the company being discussed (Bay & Shore General Store) and provides a brief introduction to the company including when it was founded and significant events in its history. You should extract this information from the course case study.

2. A section containing an introduction to the e-Commerce industry followed by a business profile (3 total) for each comparison company. Put your industry introduction (overview) at the top of this section.
Include in your overview a discussion of the Payment Card Industry’s data security standards and how these apply to payment card transactions for e-Commerce companies. Then, for each company, provide a separate sub-section in which you summarize its business activities and provide a brief business profile. The profile information should include: headquarters location, key personnel, primary types of business activities and locations, major products or services sold by the company, major competitors, recent financial performance, and additional relevant information from the annual report to investors. Describe the company’s needs or requirements for cybersecurity products and services. What information and/or business operations need to be protected? While your focus should be upon the company’s e-Commerce activities, you should also address the back-office or supporting information and business processes required to deliver those e-Commerce activities.

3. A section in which you identify and then discuss common risks, i.e. those affecting all three companies, which could also affect Bay & Shore General Store. Make sure that you consider risks associated with payment card transactions. Organize these risks using eight or more Use Cases from Table 1. For each of your selected Use Cases, explain how the identified risk could also impact Bay & Shore General Store (for example, a denial of service attack could prevent customers from placing orders).

4. A separate section which provides a detailed summary of the identified risks and potential impacts upon the company’s operations as a whole. What are the likely sources of threats or attacks for each type of information or business operation? (E.g. protect customer information from disclosure or theft during online purchase transactions.) What are the possible impacts should these risks occur?
You may present your summary in table format or using a list format (bullet points).

ID | Use Case | Description of Risk | Potential Impacts to BSGS (Harm or Loss)
---|----------|---------------------|-----------------------------------------
1  |          |                     |
2  |          |                     |
3  |          |                     |
4  |          |                     |
5  |          |                     |
6  |          |                     |
7  |          |                     |
8  |          |                     |

5. A recommendations section in which you present a recommended high-level (overview) cybersecurity strategy for Bay & Shore General Store. Answer the question: what are their business needs for cybersecurity and how can these be met? This section should present an overall risk management strategy and include how the four major risk treatments (accept, avoid, mitigate, and transfer) can be applied to the identified risks. If there are risk treatments that you do not recommend using, state that and provide an explanation as to why such risk treatments should not be used in the store’s risk management strategy.

Submit for Grading

Submit your work in MS Word format (.docx or .doc file) using the Project #2 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Consult the rubric for additional information about the requirements for this project.

2. The recommended length for this project is 8-10 pages not including the required title page and list of references (also required).

3. Your e-Commerce Risk Analysis should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources. An APA template file (MS Word format) has also been provided for your use: CSIA_Paper_Template(TOC+TOF,2021).docx. You are allowed to exceed the page count listed under item #2 but you should focus upon providing a clear and concise written analysis.

4. Your paper should use standard terms and definitions for cybersecurity. You must include a cover page with the assignment title, your name, and the due date.
Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).

7. Consult the grading rubric for specific content and formatting requirements for this assignment.

Identifying & Managing Cybersecurity Risk
Applying Business Analysis Skills to Cybersecurity Problems & Solutions

Valorie J. King, PhD, CISSP, Professor, University of Maryland Global Campus
and
Bruce deGrazia, JD, CISSP, Professor, University of Maryland Global Campus

11/30/2021

Copyright © 2021 by University of Maryland Global Campus. All Rights Reserved.

Table of Contents

Table of Figures
Abstract
Introduction to the Case Study
The Company
The Clients
    Sifers-Grayson
    Bay & Shore General Store
The Consultants
    The Role of the Principals
    The Role of the Consultants
    The Role of the Interns
The Client Engagements
The Business Need for Cybersecurity (Week 1)
    What is Cyberspace?
    Cybersecurity in a Business Setting
    Business Assets
    The Business Case for Cybersecurity
    Cybersecurity as an Industry
Business Analysis and the Structure of a Business (Week 2)
    What is Business Analysis?
    Functions of a Business
        Accounting and Finance Functions
        Commercial Functions
        General and Functional Management Functions
        Security Functions
        Technical Functions
Risk and Risk Management (Week 3)
    Risk: Terminology and Definitions
    Risk Example: Evaluating Impact
    Risk Management
    Risk Management as a Business Process
        Frame
        Assess
        Respond
        Monitor
Supply Chains and Supply Chain Risks (Week 4)
    What is a Supply Chain?
    How Can Supply Chains be Attacked?
    Identifying Supply Chain Risks
Implementing the Cybersecurity Program for an Organization (Week 5)
    Cybersecurity Management: Frameworks and Standards
        International Standards Organization
        ISACA
        Payment Card Industry Security Standards Council
        The National Institute of Standards and Technology
    Roles and Responsibilities of Key Personnel in the Cybersecurity Program
    IT Security Policies, Plans, Procedures, and Standards
Understanding the Market for Cybersecurity Products and Services (Week 6)
    The Market for Cybersecurity Products and Services
    Analyzing the Market for Cybersecurity Products and Services
    Political-Legal Factors
    Economic Factors
    Socio-Cultural Factors
    Technological Factors
Corporate Governance (Week 7)
    Governance as an Activity
    Governance Processes
    Legal and Regulatory Considerations
    Governance for External Cooperation and Collaboration
Ethics and Ethical Decision Making (Week 8)
    Principal-Agent Relationships
    Duty
    Utility Theory (Utilitarianism)
    Normative Business Ethics
        Stakeholder Theory
        Stockholder Theory
        Social Contract Theory
    Fairness and Justice: Equality, Equity, and Egality
    Negligence
References

Table of Figures

Figure 1. Nofsinger Consulting Services Organization Chart as of November 30, 2021
Figure 2. IT Infrastructure for a Business
Figure 3. Functions of a Business
Figure 4. Risk Management Process

Abstract

In this case study for CSIA 350 Cybersecurity in Business and Industry, students will encounter three different businesses operating in a variety of industries. These industries are: (a) Services (Nofsinger Consulting Services), (b) Product Development / Systems Engineering (Sifers-Grayson) and (c) Retail Sales and e-Commerce (Bay and Shore General Store). As the case study unfolds, students will learn about the cybersecurity needs of these businesses and how businesses meet the cybersecurity needs of their customers and clients in the products and services they deliver.

Introduction to the Case Study

In this case study, you will learn about how a fictional company, Nofsinger Consulting Services, LLP, uses Business Analysis to assist its clients in performing cybersecurity-focused risk analyses and risk assessments. Readings from the course textbook, Business analysis for practitioners: A practice guide (Project Management Institute, 2015), will be used to support your learning in this course and will introduce students to the knowledge, skills, and techniques which are collectively known as business analysis. This case will also introduce you to the business characteristics of companies and the types of risks they may face when doing business online (i.e.
as an e-commerce firm) or when using the Internet to support their business operations (e.g. equipment sales and support). In addition to presenting information about businesses and their operations, this case study will help students learn more about the roles that consultants and consulting firms play in the cybersecurity industry.

This case study supports the following course outcomes for CSIA 350 Cybersecurity in Business and Industry:

• categorize, evaluate, and manage risks which impact an organization’s enterprise IT operations
• develop an information security governance and management program that aligns with organizational strategies by evaluating business requirements, applicable laws, regulations, standards, and best practices
• analyze and evaluate political, legal, economic, social, cultural, and technology factors which drive cybersecurity related investments by customers, suppliers, manufacturers, and investors
• identify and evaluate opportunities to improve cybersecurity across industry sectors and internationally through cooperation, collaboration, and capacity building.

Note: the course textbook is listed as a required text in the syllabus and purchase information is available via the Course Materials link. An ebook version may be available from the UMGC library at this link: http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=e025xna&AN=1244311&site=eds-live&scope=site&profile=edsebook

The Company

Nofsinger Consulting Services, LLP is a management consulting firm with operating locations throughout the Delaware, Maryland, and Virginia region. The company is a limited liability partnership established under the laws of the State of Maryland. Nofsinger Consulting Services (NCS) is headquartered in the historic district of Maryland’s state capital, Annapolis.
The company has been in business for over fifty years and has a history of successful consulting engagements with small and medium sized companies in the region. Originally, the firm served as management and business development consultants to clients in the Annapolis, MD area. More recently, it has branched out into e-Commerce, Information Technology (IT), and Cybersecurity, with each business area (practice) being headed by a principal of the firm. The corporation’s partners (owners) are primarily family members related to Eloise M. Nofsinger, Esq., the founder and general partner of the firm (see Figure 1). Esther Nofsinger is the current Chief Executive Officer (CEO). She also serves as the firm’s ethics officer and believes that the firm’s survival depends upon every principal and every consultant having and acting from a firm grounding in business ethics.

The firm’s operations are strategy driven and its strategic intent is to improve profits and expand its influence by providing consulting services to a select group of businesses in the Delmarva region. In 2020, the firm’s partners approved a five-year strategic plan which includes expansion of its existing footholds in the e-Commerce, information technology (IT), and cybersecurity industries. They also decided to combine their diverse governance, risk, and compliance (GRC) management consulting activities into a focused practice under the leadership of Jeremy Calvert. In addition to building a client base, each principal has also built a team of consulting professionals who are experts in their field of practice and generalists with respect to consulting skills.

Esther Nofsinger (CEO)
Eloise M. Nofsinger, Esq. (Advisor to the CEO)
Kevin R. Sifers, CPA (CFO)
Adelia Nofsinger Kline, MBA (Principal), Business Development Consulting Practice
Brandon K. Nofsinger (Principal), IT & Cybersecurity Consulting Practice
Jeremy R.
Calvert, CISSP (Principal) GRC Consulting Practice Figure 1. Nofsinger Consulting Services Organization Chart as of November 30, 2021 The Clients Each client is assigned to a principal of the firm who is responsible for managing the consulting relationship with the client’s organization. You have met the first client previously in CSIA 310 – Sifers Grayson. The second client, Bay and Shore General Store is a new client for Nofsinger Consultants. For this case study, we will explore the business need for cybersecurity in the context of these two clients of the firm. Each client has asked for assistance with developing solutions for business problems arising out of their need to improve their governance and management of risk with a specific focus upon cybersecurity. Copyright © 2021 by University of Maryland Global Campus. All Rights Reserved. Sifers-Grayson Sifers-Grayson is a systems engineering firm specializing in industrial control systems, robotics, and, more recently, drones used by emergency services and first responders. This family owned business is headquartered in Pine Knob, Kentucky, USA. The president of the company is Ira John Sifers, III. He is the great-grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company. Brandon K. Nofsinger has been the principal in charge for the Sifers-Grayson engagement for more than five years. The consulting relationship between Nofsinger Consultants and Sifers-Grayson started when SG asked NCS to conduct a security posture review of their headquarters, Engineering R&D labs, and a test range. This engagement included a Red Team / Blue Team exercise with penetration testing of its buildings and networks, including the drone and robotics test range. 
This successful consulting engagement helped SG ensure that its IT security program meets contractual requirements for cybersecurity defenses of its engineering systems and the government furnished information stored therein. This year, SG has encountered a new source of cyber threats – supply chain attacks. The company’s government clients have asked for assurances that the company is proactively addressing potential supply chain attacks that could impact the hardware, software, and firmware components used in the design and construction of the drones and robotic systems that SG sells and maintains under contract to both commercial and governmental clients. The supply chain for Sifers-Grayson includes electronics and computer components (“parts”) purchased from third parties – usually resellers. These resellers in turn purchase the components from manufacturers whose factories may be located in the US but, more frequently, are located in foreign countries.

The company’s contracts with the Departments of Defense and Homeland Security impose security requirements upon the company and its R&D DevOps and SCADA labs operations. Specifically, the company is contractually required to comply with NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS), including section 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contractual requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.
Nofsinger consultants have analyzed the internal business processes involved in the engineering supply chain. They have learned that, when a Sifers-Grayson engineer needs parts to build a robot or drone, the engineer will place an internal order from the company’s parts stockroom. If the stockroom does not have the part immediately available, an employee will place an order with an approved vendor. These vendors are equipment resellers who purchase components from a number of manufacturers and suppliers. The company also makes purchases of components for some systems via e-Commerce websites and has encountered supply chain issues as a result of using these systems to purchase common components such as CPU chips, memory chips, programmable control chips, power supplies, graphics cards, network interface cards, and mass storage devices. Some may be brand-name components while other, less expensive products are made by companies who are less well known. At times, there are supply chain shortages which may result in a reseller substituting generic products for brand name products. This can increase the risks associated with purchasing products from third parties whose reputations are unknown or less well established.

The company has a quality assurance process which checks purchased parts for physical damage or lack of functionality. The consultants believe that this process can be improved to reduce the likelihood of an undetected supply chain attack (e.g. malware loaded onto a USB or SSD mass storage device, programmable control chip, etc.).

Nofsinger’s consultants developed a set of use cases for supply chain activities at Sifers-Grayson using information from the company’s purchasing agent and stock room manager. These use cases will be analyzed during the planned supply chain risk analysis. The use cases which impact the supply chain include the following.
1. Search for potential suppliers using online catalogs.
2. Select supplier for required products.
3. Order product(s) from vendor.
4. Product permanently not available.
5. Product temporarily not available.
6. Test products received for quality (meets specifications).
7. Test products received for security.
8. Product received is defective (not fit for use or non-functioning).
9. Product received is compromised (defective due to intentional malicious changes).
10. Received product entered into inventory.
11. Received product placed in stockroom.

Bay & Shore General Store

Adelia Nofsinger Kline’s newest client is Bay & Shore General Store, a sole proprietorship with three physical locations (Annapolis, MD; Bethany Bay, DE; and Ocean City, NJ). The store sells themed apparel, gifts, and home décor items, and locally made confections and candies. The Delaware and New Jersey locations also sell locally sourced produce and specialty food items. The company’s marketing focuses on its ties to local artisans, farmers, and watermen and the benefits to local communities from its sales and operations.

BSGS’s sales through physical locations have decreased substantially in the past two years due to a downturn in tourism and foot traffic past its shops. Telephone and email sales have increased, however, and the volume of these sales has the BSGS owner strongly considering setting up a formal e-Commerce storefront. A business case for the expansion has been developed and, after reviewing it, two banks have agreed to consider loaning the company the required funds. But both loan officers are insistent that BSGS provide a separate risk assessment that covers (a) the types of IT security and cybersecurity risks that similar businesses have encountered and (b) how those risks can be managed to decrease the overall financial risks to the business and to the lender.
BSGS has asked Nofsinger Consultants to assist it in developing the required IT focused risk assessment. After discussing the requirements with the owner and the most supportive of the two bankers, Nofsinger Consultants has proposed that it provide a risk assessment with example controls and mitigation strategies based upon publicly available information and NIST guidance (NIST Cybersecurity Framework). The selected data sources for risk research will be the Risk Factors sections of Annual Reports to Investors (SEC Form 10-K), which are a standard report published each year. Nofsinger will select and review the most recent annual reports from several large, publicly held e-Commerce companies. The initial list of companies includes:

Company: 1800Flowers
  Website: https://www.1800flowersinc.com/investors
  Annual Report to Investors (Form 10-K): https://otp.tools.investis.com/clients/us/1-800-flowers1/SEC/sec_show.aspx?Type=html&FilingId=15219013&Cik=0001084869

Company: Amazon
  Website: https://ir.aboutamazon.com/overview/default.aspx
  Annual Report to Investors (Form 10-K): https://s2.q4cdn.com/299287126/files/doc_financials/2021/ar/Amazon-2020-Annual-Report.pdf

Company: Etsy
  Website: https://investors.etsy.com/home/default.aspx
  Annual Report to Investors (Form 10-K): https://d18rn0p25nwr6d.cloudfront.net/CIK-0001370637/4e43d306-4e72-462c-8f1a-bcb19b770718.pdf

Bay and Shore General Store has provided Nofsinger Consultants with a list of Use Cases which its staff developed based upon their experiences with telephone and email orders and fulfillment. These are not exhaustive but do provide valuable information about how the stores currently operate and how they expect to operate in the future.
1. Customer browses an online catalog of products
2. Customer makes a product purchase (email or phone now, using shopping cart in future)
3. Employee fills order and ships to customer
4. Company (automated process) bills customer for items and shipping costs
5. Customer initiates return of a delivered product
6. Customer cancels purchase that has not been shipped
7. Employee enters a price change for an item in inventory
8. Employee initiates reorder for low stock
9. Manager checks sales report
10. Manager authorizes refund
11. Manager authorizes payment to vendors for stock

The Consultants

The Role of the Principals

The principals work together to identify potential clients through their outside speaking engagements, participation in the local and regional business communities, professional networking activities, and through pro-bono services to charities and professional organizations. Cooperation and collaboration between the three principals (A. N. Kline, B. K. Nofsinger, and J. R. Calvert) is an important part of the firm’s business model. Each principal is also a consultant and will frequently participate in consulting engagements by performing some of the required interviewing, analytical, and writing tasks.

The principals are also responsible for hiring, training, and developing consultants to support the current workload and anticipated growth in each of their business areas. Together, the principals have decided to increase the number of internships which the firm offers each year to college students and to open those internships to participants outside the local area. These participants will telework each week from their local campuses or homes. It is hoped that this new hiring strategy will enable the firm to recruit, hire, train, and develop a cohort of consultants who will become consulting team leaders in the firm as it expands and grows. The firm has determined that there are two areas in which it needs to focus – business analysis and risk management. This year’s intern cohort will receive focused training in both areas and additional training in the business areas for their assigned teams. (Note: similar to your experiences in CSIA 300 and CSIA 310, your work in CSIA 350 will revolve around a “virtual internship” with this company.)
The Role of the Consultants

In order to understand the role of a business consultant we must first understand what a business is. A business is an organization that exists in order to convert resources into profits or increased resources. Businesses use strategies and plans to organize the work to be accomplished. There are six basic activities or functions that every business uses to accomplish its work (Henri Fayol’s principles of administrative management as cited in Voxted, 2017). The activity areas are (a) accounting, (b) commercial, (c) financial, (d) management, (e) security, and (f) technical. The work of managers within each of these activity areas can be divided into five distinct areas of practice: (a) planning, (b) organization, (c) command, (d) coordination, and (e) control. Each type of business activity is supported by processes and assets.

Consultants accomplish their work by providing expert knowledge and analytical skills to help identify and solve problems that a client business or its managers have not been able to address using their own resources (Thomas, 2003). Consulting firms are businesses and some of their employees are managers, but the work of a consultant differs in many ways from the work of their clients. Whereas the client’s employees perform work that results in the creation and delivery of products or services to their customers, the consultant’s primary role is to identify and solve problems related to a client’s business operations (Thomas, 2003). Consultants can also help to close a gap in the client organization’s knowledge or skills. Or, the consultant may be asked to help close a performance gap by identifying problems with how a business process is defined or implemented. Cybersecurity professionals may be called upon to act as internal consultants to executives and managers in other operating units within a business or agency.
Such assignments usually serve to broaden an individual’s understanding of the larger organization and can be career enhancing.

In addition to subject matter expertise, consultants need to have mastery of soft skills such as interviewing, meeting facilitation, budgeting, costing, and scheduling. They also need to have strong oral and written communications skills and experience developing and producing a wide variety of written work products including reports, memoranda, briefing papers, and presentations. These same skills are required for managers in many different career fields. A strong understanding of ethical theories and the ability to explain how those theories can and should be applied to developing solutions to business problems are another important part of a consultant’s toolkit. Finally, business analysis knowledge and skills are usually required for successful consulting engagements. These skills are used to analyze the business problems, the environment in which the problems occur, the barriers to solving problems, and potential solutions for those problems.

The Role of the Interns

Each intern (student) will contribute to the consulting work of the firm. Your first assignment will be to the Bay and Shore General Store (BSGS) client team where you will help perform risk related research and then help select and document controls that will help mitigate the identified risks. The consulting team assigned to the BSGS engagement will have 4 weeks to prepare its draft risk assessment for the principal to review. Your second 4-week internship assignment will be to the Sifers-Grayson (SG) client team where you will help draft a supply chain risk report that will help SG meet its contractual obligations when selling robotic systems and drones to federal and state government agencies.
(You may remember SG from your previous internship assignment to the Blue Team from Nofsinger during the Red Team Pen Test that resulted in a stolen drone and malware infected engineering workstations.)

The Client Engagements

Now that we have a basic understanding of the context for consulting, who consultants are, and the skills required to be a successful business consultant, let’s explore a typical consulting engagement.

First, the consultant or consulting firm will enter into a consulting agreement with a client who has a problem needing a solution and who recognizes that solving the problem requires outside expertise. This agreement or contract will define an initial scope of work, a timeline for when the work will be done, where the work will take place, who will perform the work, and what services or deliverables will be provided for the agreed upon cost. Contracts for consulting work will usually include non-disclosure agreements which protect the intellectual property and trade secrets of both parties. These agreements depend upon the ethical behavior of both client and consultant.

Consultants typically use a project management approach to define and perform the work required for a consulting engagement. The three primary constraints are: cost, schedule, and quality. Each of these must be managed in order to ensure that the client receives an acceptable end product (quality) within the agreed-to price (cost) and timeline (schedule). To learn more about the standard processes involved in project management you should consult the Project Management Body of Knowledge published by The Project Management Institute (2021).

Consultants need additional skills beyond project management. They must understand how to analyze a client’s business and business needs.
The textbook for this course shows how analysis skills can be used to better understand the cybersecurity needs of our two businesses. We will also explore cybersecurity frameworks and how they can be used when conducting a business analysis. The end goal is to arrive at solutions to the clients’ problems as defined by the contract. However, consultants also need to advise clients when additional work beyond the scope of the contract should be performed in order to fully meet the client’s needs. And, at the same time, consultants need to be very careful not to gold plate deliverables by doing work that the client did not agree to in advance. From an ethical perspective, the consultant has a duty to inform and to provide the consultant’s best judgment based on his or her expertise. That duty to inform, however, requires the client’s consent, preferably in writing, before expanding the scope of a consulting engagement.

CSIA 350 Cybersecurity in Business and Industry

The Business Need for Cybersecurity (Week 1)

One of Nofsinger Consulting’s primary business areas is Cybersecurity and Information Technology (King & DeGrazia, 2021). In this area of consulting practice, Nofsinger’s consultants frequently find themselves needing to explain to clients what cybersecurity is and why their business should implement a cybersecurity program. In this reading, we will explore the information that Nofsinger’s consultants provide to clients about the business need for cybersecurity.

What is Cyberspace?

Nofsinger’s clients do business in cyberspace as well as through their physical or real space locations. They may not fully realize just how different cyberspace can be and how different the security requirements are from the types of security required for buildings and other business assets.
Before we discuss their business needs (requirements) for cybersecurity, we need to learn a bit more about what cyberspace is. The term cyberspace was first used by science-fiction author William Gibson in his short story “Burning Chrome” (1986). The word itself is a combination of cybernetics and space. In a 2010 interview, the author remarked that he had considered using the terms infospace and dataspace but found that neither conveyed his intended meaning nearly as well as the word cyberspace did. More recently, Gibson has remarked upon the evolution of cyberspace as a concept and noted that “our grandchildren will probably regard the distinction we make between what we call the real world and what they think of as simply the world as the quaintest and most incomprehensible thing about us” (Gibson as quoted in Ward, 2010, p. 1).

Cyberspace is created when people and organizations use technology as a substitute for face-to-face interactions as they live, work, and play. Some think of cyberspace as an actual place or location while others view it as a creation of the mind and imagination. The existence of cyberspace depends upon computing and communications technologies that include:
• cloud storage and application hosting (Akamai, AWS, Cloudflare)
• electronic commerce (e.g. Amazon, eBay, Etsy, etc.)
• e-mail (e.g. AOL Mail, Gmail, Outlook)
• global positioning systems (Garmin, Rand McNally, TomTom)
• Internet and Internet protocols (TCP/IP, UDP)
• Internet of Things devices (appliances, light bulbs, personal assistants, thermostats)
• personal computers (Windows, Apple iOS, Linux based devices)
• search engines (Bing, DuckDuckGo, Google, etc.)
• smartphones (Apple iPhone, Google Pixel, Motorola TracFone, Samsung Galaxy)
• social media (e.g. Facebook, Instagram, LinkedIn, Pinterest, Twitter)
• text messaging and online chat (Cisco Jabber, Microsoft Teams, Slack, Snapchat, WhatsApp)
• video conferencing services (Microsoft Teams, Webex, Zoom)
• video streaming / sharing services (e.g. Amazon Fire, Roku, TikTok, YouTube)
• wired and wireless networks (e.g., LTE, 4G, 5G, cellular, copper, fiber optic, microwave, satellite, Wi-Fi)
• World Wide Web (browsers and servers) and Web services

Businesses interact with Cyberspace through their Information Technology infrastructures (see Figure 2). These infrastructures consist of information, computer systems (e.g. information systems and operational systems), and networks and network infrastructures which are connected to external networks, usually the Internet. Business processes, procedures, and policies govern how the business’s personnel use the business’s assets and infrastructures to access external and internal resources.

Figure 2. IT Infrastructure for a Business

Cybersecurity in a Business Setting

Businesses depend upon cyberspace to conduct business transactions, share information, and interact with customers and suppliers. Any given business will need to implement cybersecurity programs and protections to ensure the confidentiality, integrity, and availability of business assets. These assets include information, information systems, and information infrastructures, e.g. networks and servers. Businesses need to ensure that appropriate management structures and resources are in place to implement and operate the cybersecurity program. The required programmatic structures include people (staffing), policies, processes, and technologies, all of which are focused upon the governance and operation of the cybersecurity program for an organization. Business insurance providers require proof of insurability, which frequently includes requirements as to the level of controls and risk mitigation efforts the business has put in place to protect its assets from cyber risks.
The required protections may include establishing a formal cybersecurity program to reduce and manage risks associated with the business’s information technology operations.

Depending upon the industry and operating locations for a business, there will also be legal and regulatory requirements at federal, state, local, and international governmental levels which can only be met by implementing a cybersecurity program within the organization. These regulatory requirements include compliance with privacy laws and restrictions on disclosure of information about a company’s finances, customers, and technologies. You will learn more about these requirements in CSIA 360 Cybersecurity in Government Organizations and CSIA 413 Cybersecurity Policy, Plans, and Programs.

Business Assets

An asset is a possession (item or object) that has value. This value must be protected against harm or loss. Information and information systems are assets. Information is an asset because the organization must spend money to obtain it so that the information can be used to produce goods and services. Examples of valuable information assets include recipes or formulas, customer and vendor lists, sales plans, and marketing strategies. An information system is an asset because each component of the system costs money to purchase or replace. Business assets are resources used by the organization to produce goods and services or to provide supporting services.
Business assets that must be protected against harm or loss include:
• buildings and facilities, equipment, and furnishings
• business processes
• computer systems
• financial instruments and cash (money)
• information (databases, documents, and files)
• inventory (completed products, parts, and supplies)
• networks and infrastructures
• personnel (skilled workforce)
• intellectual property (e.g., patents, trade secrets, plans, and strategies)
• reputation

The Business Case for Cybersecurity

A business case is a formal analysis which is used to present a justification for committing resources to a project, investment, or other endeavor to be undertaken by an organization. The business case is written for owners, executives, managers, and other key stakeholders and explains the who, what, why, and how for the activities to be funded by the company. The key question answered by the business case is: what is the value to the business to be obtained by engaging in this activity? Typically, a business case will focus on how the activity will affect the profitability of a company. For activities which do not directly create profits, the business value of the activity may be expressed in terms of cost avoidance or cost-benefit relationships.

For Sifers-Grayson, the business case for cybersecurity can be made in two ways. First, the company is contractually required to implement cybersecurity measures to protect client or customer furnished information. Failure to implement appropriate cybersecurity measures could result in lost contracts. Second, the results of penetration tests against its enterprise showed that the company could experience significant costs to recover from a successful cyberattack.
Implementing cybersecurity measures to prevent attacks can produce a net benefit to the company through cost avoidance (not incurring clean-up and recovery expenses).

For Bay and Shore General Store, cybersecurity measures are required as part of the merchant agreements which allow the company to accept customer payments made via bank cards (credit and debit cards). These agreements require compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). The PCI-DSS standards specify how payment card information and payment transactions will be protected by merchants and by payment card clearing houses which act as processing intermediaries.

In addition to describing the scope of work, business cases should have cost information and projected or notional schedules which answer the questions that decision makers need answers to before determining the levels of effort and levels of expenditures that they will authorize. A risk analysis, for both business risks and financial risks, may also be required to enable decision makers to make informed decisions about potential risks which may be encountered if the company engages in the proposed activity. The basic structure of a written business case is shown below (adapted from Adobe (2021) and Harvard Business School (2011)).
1. Executive Summary
2. Description of the Proposed Activity
3. Plan of Action and Milestones
4. Resource Requirements & Cost Estimates

A business case should be written in language that is understood by the audience, which means that technical terms and cybersecurity jargon should be limited or replaced with more business friendly terminology. For example, when talking to executives, it would be better to use phrasing such as “protect business assets from harm or loss” instead of “defend the enterprise against attacks.” That leads us to our next question: what is a business asset?
Cybersecurity as an Industry

Before we close our discussion of the business need for cybersecurity, we should consider whether or not cybersecurity is an industry. Technically, Cybersecurity is not recognized as a separate industry under the North American Industry Classification System (NAICS) (Stuart, 2016). Instead, cybersecurity is listed as a function of businesses who operate under a wide variety of industry codes including:
• Computer and Office Machine Repair and Maintenance
• Custom Computer Programming Services
• Data Processing and Hosting
• Management, Scientific, and Technical Consulting Services
• Other Computer Related Services
• Software Publishing

As you can see, the industry classification system used by the US Government for economic reporting and to qualify bidders for contracts is not very useful for identifying companies that sell cybersecurity related products and services. Industry and market analysts, however, describe the industry in terms of types of products, how the products are provided (deployment), customers (e.g. health care, defense, financial services, etc.), and locations (Mordor Intelligence, 2021).

For the purposes of this course, we will treat cybersecurity as both a functional area of a business and as a standalone industry which provides products and services that are used by other businesses to implement cybersecurity protections for their assets and operations. The Cybersecurity Industry exists to help customers manage risks arising out of their use of Cyberspace and related information technologies. It is closely related to computer security and information security. We will learn more about the identification and management of cyber-related risks later in this case study.
Business Analysis and the Structure of a Business (Week 2)

What is Business Analysis?

Business analysis is the process of determining what a business does and what it needs in order to conduct its business operations (Project Management Institute, 2015). Business analysis supports an organization’s Governance, Risk, and Compliance activities by providing executives and other decision makers with the information required to support their decision making processes. Business analysis also supports business operations by helping identify and analyze business processes that can be improved through increased effectiveness and efficiency. Business analysis processes involve the identification, documentation, and management of business functions and related requirements. The most important characteristic of Business Analysis is that it is a formal process and results in well-defined work products containing statements of problems (business needs), requirements, and solutions. Business analysis can be used to identify and manage risks to information, information systems, information infrastructures, and the business processes and operations which depend upon digital assets.

The textbook for this course provides a detailed overview of the knowledge, tools, and techniques required to perform business analysis to help identify and solve the problems of a business. In the next section and subsections, we will explore a model for understanding what a business does (organizational activities) as set forth in Henri Fayol’s six categories of general and industrial management (Voxted, 2017). This model is helpful when organizing and planning a business analysis for a client, whether internal or external.

Functions of a Business

The day-to-day business operations of organizations are typically organized into five functional areas (see Figure 3). Each functional area is supported by business processes and assets.
As businesses move some or all of their operations online, business becomes e-business and commerce becomes e-commerce. Online operations (operating in cyberspace) mean that businesses must reevaluate their security programs to ensure that the confidentiality, integrity, and availability of business processes and assets are protected against cyberthreats. The level of protection required is determined by evaluating the potential impact of a successful attack.

Accounting and Finance Functions

Accounting and Finance activities encompass the management of all financial resources controlled by the company. This organization is responsible for managing the company’s budgets, expenditures, and cash flow (including financial transactions with customers and vendors). This organization also provides financial reports to managers and executives to help them control costs and understand the profitability (or lack thereof) of the activities they are responsible for. This functional area is also responsible for maintaining records that can be audited by external auditors and for responding to the findings of such audits. Accounting and Finance activities are a cost center. These activities may prevent losses but do not normally contribute to profits. The cybersecurity needs for accounting and finance functions include:

• provision of authentication, authorization, and nonrepudiation for access to and use of information systems providing financial management
• fiscal reporting
• sales or other financial transaction processing
• accounting systems

Additional security services may be required to ensure compliance with corporate finance laws and regulations (e.g., Gramm-Leach-Bliley Act, Sarbanes-Oxley Act). For e-Commerce operations, a company must also comply with industry standards such as the Payment Card Industry (PCI) Data Security Standard (DSS), or PCI-DSS.

Commercial Functions

The commercial functions of a company encompass a wide variety of business activities related to sales, marketing, customer relationship management, etc. These functions are how a company sells products or services to customers or clients. These functions result in either an increase or decrease in resources (profits or losses). These functions are both profit centers and cost centers (sales lead to profits but customer service and marketing are costs). The cybersecurity needs for commercial functions include:

• provision of authentication, authorization, and nonrepudiation for access to and use of information systems involved in the collection, use, reporting, and storage of customer information
• protection of confidential business information (client lists, sales/marketing plans, etc.), trade secrets, and other forms of intellectual property

Additional security services may be required to comply with data security and privacy provisions of federal and state laws. For marketing and business intelligence functions, the organization may need to incorporate auditing and control functions to ensure that the information collected about competitors does not violate the Economic Espionage Act.

General and Functional Management Functions

The general and functional management activities of a company include: (a) planning and organizing, (b) coordinating, (c) directing, and (d) controlling. The information and confidential business processes used in these management activities must be protected against unauthorized access or disclosure. Such protections against cyberthreats must be balanced against management’s legitimate uses of cyberspace to communicate, coordinate, and collaborate. Project management falls under this activity category.
The types of management information requiring cybersecurity protections include:

• confidential business information (client lists, sales/marketing plans, corporate strategies, etc.)
• reports about business operations
• trade secrets
• other forms of intellectual property

Security Functions

The security functions of an organization range from protecting buildings and other physical assets to administrative security (asset protection, background checks on employees, fraud prevention, intellectual property protection) to executive protection (body guards, travel security, etc.) (Kovacich & Halibozek, 2003). The corporate security office is also responsible for implementing the organization’s classification system to protect the confidentiality of information and infrastructures. Implementing cybersecurity and IT security falls under this functional area of a business. In general, security functions will accomplish the following:

• protect against harm or loss
• detect attempts to cause harm or loss
• react to events causing harm or loss
• document incidents and responses
• prevent by planning and implementing security measures to prevent future incidents

The corporate security function is responsible for identifying the cybersecurity needs of each business activity area and then planning, organizing, and implementing the protections required to assure that appropriate levels of security are maintained. These needs will vary by the types and sensitivity levels of the processes and information required by the business activity and the degree to which each activity interacts with or relies upon cyberspace. These activities require security protections that ensure the confidentiality, integrity, and availability of information (data) and services.
Many of these activities also require auditing, monitoring, and control capabilities (security services) that provide for nonrepudiation of actions taken by both insiders and external actors.

Technical Functions

The technical functions of a business encompass the design, development, implementation, testing, deployment, and support for the company’s products and services. They can include both internal-use only and external-use items (e.g., items sold to customers). These functions span the product lifecycle and include:

• design of products or services
• product or services evaluations and testing
• production or manufacturing of products
• delivery and support for services
• logistics (operations and sustainment)
• research and development
• IT systems management and implementation (internal systems to support the business)
• systems engineering

The technical functions are where we find the major structural differences between our two client companies. Sifers-Grayson’s technical activities revolve around the systems engineering activities associated with their drones and robotic systems. For Bay and Shore General Store, the company’s technical activities revolve around establishing and maintaining the stores and the IT infrastructure required to support their commercial activities, e.g., sales to customers.

Risk and Risk Management (Week 3)

The term risk has many different uses and meanings in society. On Wall Street or in the financial markets, investors talk about calculating or taking risks in order to make a profit. In everyday speech, we use the adjective risky to describe behaviors such as not wearing a seat belt or eating junk food.
At work, we talk about managing risk to reduce on-the-job injuries or to avoid cost overruns or schedule delays. We can increase risk, decrease risk, manage risk, or avoid it. But what exactly is risk? The answer is: it depends. How we define and use the term risk is dependent upon context and perspective. For this course, we define and use the concept of risk as it is operationalized (used) within the fields of cybersecurity and information security. Organizations are our context. Cybersecurity and information security are our perspective.

Risk: Terminology and Definitions

Risk is the uncertain outcome of an event (incident) that has not yet occurred. Or, said another way, a risk is the possibility that an event may occur that carries with it the potential for an organization to either benefit or suffer a loss or harm. Within the cybersecurity industry, we tend to restrict the use of the term risk to those events which cause harm or loss. (The beneficial risk definition tends to be used in finance and investing to refer to the possibility that an investment will result in a profit or increase in value.)

An identified or specific risk is a statement of an event which could occur. For a business, an identified risk is usually associated with an asset or business process. Each specific risk has a likelihood or probability of occurrence. It may be necessary to estimate this probability using statistics from industry reports, subject matter expertise, or business judgment. A risk event is a projected event whose occurrence is uncertain (probability of occurrence is less than 100%). A consequence is a potential outcome of a specific risk should it materialize (occur), that is, the risk becomes an actual event or incident. Each consequence of an event or incident has a cost associated with it. This cost is referred to as the impact of the event.
Impacts are usually expressed in monetary terms and can require complex calculations involving multiple consequences for a single event. Impact can also be expressed in relative terms (low, medium, high). Some impacts may be difficult to express in terms of cost. Examples of these include loss of or damage to reputation or loss of good will. Data breaches are a type of cyberattack which frequently has impacts beyond clean-up or recovery. The company may suffer damage to its reputation and may also suffer from a loss of good will from society at large. Both of these impacts may have adverse effects upon a company’s profitability, but the cause-effect relationship may not be provable.

Risk Example: Evaluating Impact

For example, the loss of a thumb drive containing sensitive information is a possible future event that could be a source of risk to an organization. The thumb drive could be lost forever (loss of availability), or it could be found and returned. In the case of a returned thumb drive, the organization needs to consider whether the information was accessed before the drive was returned (loss of confidentiality) or if the contents were changed (loss of integrity). Each of these outcomes is uncertain since it is not possible to determine in advance what the end result will be. A simple risk impact metric (see below) for a lost but empty thumb drive can be calculated using the likelihood of the event and the cost (or loss) if the event occurs.

RISK_IMPACT = Likelihood × Cost_of_Event

If the USB thumb drive costs $50 and the likelihood of loss is 10% within 1 year:

RISK_IMPACT (thumb drive, one year) = 10% × $50.00 = $5.00

If, however, the USB device contained a backup copy of the command and control software for a robotic system, the RISK_IMPACT could be much higher.
If the software is valued at $100,000 per copy and the USB key would be required to reload the software to recover from a malware attack, we would need to add the cost to buy another copy of the software to the risk impact calculation. (Note: this is a very simplified calculation which ignores secondary and tertiary impacts of not having the software immediately at hand.)

RISK_IMPACT (lost thumb drive) + RISK_IMPACT (lost software) = 10% × $50.00 + 10% × $100,000 = $10,005

Risk Management

Risk management is a key function of business. Risks related to cybersecurity can drive up costs for business and liability insurance. Failure to properly address risk can also adversely impact profitability and stock prices. A properly structured enterprise risk management program is a key business activity which is used to manage risk throughout the company. Such risk management programs should include the risks and risk mitigation strategies associated with three types of business assets: information, information systems, and information infrastructures. Three additional categories of risk that must be addressed are: people, processes, and technologies. As part of the risk management program, businesses must engage in the management and mitigation of cybersecurity-related risks. A well designed risk management program will also include risk-based budgeting to ensure that investments in people, processes, and technologies will support a company’s efforts towards meeting its legal and regulatory obligations for safeguarding company assets.

Risk Management as a Business Process

Risk management should be an integral part of an organization’s management structures and related business processes.
NIST SP 800-39 defines the roles and responsibilities of risk management executives (individuals who are part of the organization’s senior leadership) and the processes by which an organization develops its risk management strategy (National Institute of Standards and Technology, 2011). Key concepts discussed in this document include the relationships between risk, risk tolerance (or “appetite”), trust, organizational culture, and governance. Chapter 3 in this document is of particular interest as it defines a process for managing information security risk. This process is defined as:

• Risk Framing (assumptions, constraints, tolerance, and priorities)
• Risk Assessment (how bad? how frequent?)
• Risk Response (what will we do to mitigate?)
• Risk Monitoring (what risks materialized? how has the risk picture changed?)

NIST Special Publication 800-39 also provides a comprehensive resource for understanding risks arising from the use of digital information, information systems, and information infrastructures. This guidance document also explains information systems risk from three perspectives:

• Organization
• Mission / Business Processes
• Information Systems

Figure 4 (below) illustrates a generic risk management process that can be used to manage risk at the organization level. This process is described in general terms in ISO Standard 31000 Risk Management and is used in NIST Special Publication 800-39 to describe the process of managing security risks associated with information and information systems (National Institute of Standards and Technology, 2011). This risk management process is focused upon identifying and managing risks to the organization as a whole. The four elements of this risk management process (frame, assess, respond, monitor) are discussed in the sections that follow.

Figure 4. Risk Management Process

Frame

Risk framing is a business process that uses organizational context (problem frame) to guide the identification and categorization of risks to assets. Risk framing categorizes risks according to the type of asset, source of the risk to that asset (threat), and the vulnerability of the asset to the threat. It is usually the first step in the risk management process. Risk sources are divided into two categories: opportunities and threats. The opportunity category is primarily used to frame risks in project management risk analyses and financial analyses (investment planning). Security risks are usually expressed in terms of threats to assets and further categorized by the type of threat. Risks may also be identified using information from published lists and databases of known threats and vulnerabilities for specific products (hardware and software). Authoritative vulnerability identification and description information can be obtained from NIST, the Department of Defense (Defense Information Systems Agency), the Department of Homeland Security (US-CERT), and the Mitre Corporation (a government contractor).

Assess

Risk assessment is a business process used to evaluate and rank the risks identified in the framing process. The output of the risk assessment process is a risk register containing entries for individual risks and their associated risk impact metrics (discussed in section I of this course module). Risk assessment may be quantitative or qualitative. Quantitative risk assessments use statistical techniques to analyze data from simulations, experiments, and threat models. Qualitative risk assessments use expert opinion and judgment. Both types of assessment may use historical information obtained from documents and reports.
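The RISK_IMPACT metric from the thumb-drive example, carried into the kind of risk register the Assess step produces: each consequence is costed separately, the products are summed, and the entries are ranked. This is an added example, not part of the course reading; the third entry, its figures, and the low/medium/high thresholds are constructed assumptions.

```python
"""Added example (not part of the course reading): a small risk register that
applies RISK_IMPACT = Likelihood x Cost_of_Event to every consequence of a risk,
sums them, and ranks the entries as the Assess step does. The thumb-drive rows
use the reading's figures; the third row, its figures and the low/medium/high
thresholds are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Consequence:
    description: str
    cost: float  # dollar cost if this consequence materializes


@dataclass
class Risk:
    name: str
    asset: str
    threat: str
    likelihood: float  # probability of occurrence in the assessment period (0..1)
    consequences: list = field(default_factory=list)

    def impact(self) -> float:
        """RISK_IMPACT = Likelihood x Cost_of_Event, summed over all consequences."""
        return sum(self.likelihood * c.cost for c in self.consequences)


def qualitative_level(impact: float) -> str:
    """Express a monetary impact on the relative low/medium/high scale.
    Thresholds are assumed; an organization derives them from its risk tolerance."""
    if impact < 1_000:
        return "low"
    if impact < 50_000:
        return "medium"
    return "high"


def build_register(risks: list) -> list:
    """Return register rows ranked by expected impact, highest first."""
    rows = [
        {
            "risk": r.name,
            "asset": r.asset,
            "threat": r.threat,
            "likelihood": r.likelihood,
            "impact": round(r.impact(), 2),
            "level": qualitative_level(r.impact()),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["impact"], reverse=True)


# The reading's worked example: a USB thumb drive with a 10% chance of loss in a year.
EMPTY_DRIVE = Risk(
    "lost empty thumb drive", "USB thumb drive", "loss", 0.10,
    [Consequence("replace the $50 drive", 50.00)],
)
SOFTWARE_DRIVE = Risk(
    "lost thumb drive holding command and control software backup",
    "USB thumb drive", "loss", 0.10,
    [Consequence("replace the $50 drive", 50.00),
     Consequence("buy another copy of the software", 100_000.00)],
)
# Constructed row for contrast; the figures are illustrative only.
LAB_UPDATE = Risk(
    "malicious vendor update installed on R&D lab systems",
    "R&D lab systems", "supply chain compromise", 0.02,
    [Consequence("incident response and rebuild", 40_000.00),
     Consequence("lost engineering time", 60_000.00)],
)

REGISTER = build_register([EMPTY_DRIVE, SOFTWARE_DRIVE, LAB_UPDATE])

if __name__ == "__main__":
    for row in REGISTER:
        print(f"{row['risk']:<62} ${row['impact']:>10,.2f}  {row['level']}")
```

Ranking by expected impact rather than by raw cost is what lets a lower-probability, higher-cost entry be compared directly with a frequent, cheap one.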
Respond

Organizations use four types of risk response strategies:

• acceptance
• avoidance
• transfer
• mitigation

When a strategy is applied to a specific risk it is referred to as a risk treatment. We will discuss each of the four types of risk response strategies below.

Acceptance has two forms. For opportunity-based risks, an organization accepts the risk in the expectation of a beneficial or profitable outcome. This form of acceptance usually involves a deliberate action (e.g., signature on a memorandum) that authorizes the acceptance of the risk. For threat-based risks, an organization accepts a risk when the costs of taking action to prevent harm exceed the expected costs of doing nothing. This form of acceptance may be either de facto (through no action) or de jure (formally approved or agreed to by an oversight group).

Avoidance occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise. For example, after reviewing an opportunity to invest in a new security technology, a venture capitalist could determine that the potential payoff is too low when compared to other uses of the money and so decides to not invest in the security technology. Not making the investment is an avoidance strategy.

Transfer is accomplished by transferring responsibility for the outcome of the risk to another organization. Two common types of transfer strategies are insurance and outsourcing. Cyber insurance is purchased to protect an organization from financial losses resulting from cyber attacks. Outsourcing transfers financial responsibility for specific risks as part of a service-level agreement or other form of contract-for-services. Under US law, ultimate responsibility for harm or loss to information and information systems remains with the owners of those assets and cannot be transferred to an outside organization.

Mitigation is the most complex of the four risk management strategies.
This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the impact of a risk. Some mitigation measures focus upon reducing vulnerabilities in assets (e.g., patching software) while others are used to lower the probability of occurrence (e.g., deploying antivirus software to detect and block malware before an infection occurs). Most security controls are intended as risk mitigation measures.

Defense-in-depth is a risk mitigation strategy that uses layers of protective measures to reduce the likelihood that a cyber attack will be successful. Commonly used protective measures include:

• antivirus software
• content-filtering software
• encryption
• firewalls and intrusion detection systems
• honeypots (decoy systems and networks)
• strong authentication (e.g., two-factor with biometrics)

Zero Trust is another risk mitigation strategy which is used to reduce the likelihood of a successful attack against authentication and authorization for resources including information systems and networks (Rose, Borchert, Mitchell, & Connelly, 2020). This approach replaces the single sign-on model, which granted access to resources after a user logged in to a known system or network. Under Zero Trust, the user must be authenticated and authorized again before being granted access to new or different resources. The Zero Trust approach uses trust principles to determine when a user must be reauthenticated. This in turn provides greater security for bring-your-own-device and cloud-based services. The basic principles of Zero Trust include:

• Resources are defined as all information, information systems, and information infrastructures including servers and networks, whether local or cloud-based.
• All communication pathways must be secured regardless of where they are located or accessed.
• User access to each resource is granted on a per-session basis, and the user must be authenticated (trust established) for access to the resource before the session is initiated. Transitive trust is not allowed (i.e., logging into a laptop does not grant access to an email account via the laptop’s desktop email client).
• Access to resources is controlled by policies which are dynamic. These policies must be risk based and should consider the what (resource), who (user), and how (what systems and software) of the access request. For example, a user may request access to an allowed resource via a web browser on a laptop which is scanned for compliance with security policies (software versions, updated and active anti-virus, VPN connection, etc.) before access is granted. (Note: the user must also present acceptable credentials which are used to authorize the access.)
• Technical means are used to monitor and ensure the integrity of resources; no resource is automatically trusted.
• Authorization and authentication are required before access to a resource is granted. These processes must be strictly enforced.
• Continuous monitoring is performed to ensure and improve the security posture of the enterprise.

Monitor

Risk monitoring is used to track the implementation and operation of security controls as part of the organization’s risk management strategy. Continuous monitoring of information system risks can be accomplished using automated tools that test security controls for networks, hardware devices, and software applications. Audits and inspections are examples of intermittent risk monitoring. Both types of monitoring, continuous and intermittent, are used to examine and assess the overall effectiveness of the organization’s risk management activities.
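The per-session, no-transitive-trust principles listed above, as an added example that is not from the course reading or from NIST SP 800-207: a toy policy decision function that evaluates the who (a credential verified for this request), the how (device posture) and the what (the resource) for every request, so that a laptop login never opens email on its own. Resource names, the posture checks, the OS baseline and the policy table are assumptions.

```python
"""Added example (not from the course reading or from NIST SP 800-207): a toy
policy decision function for the Zero Trust principles above. Each request is
decided on its own from the who (a user authenticated for this request), the how
(device posture) and the what (the resource); a session opened for one resource
never carries over to another. Resource names, posture checks and the policy
table are assumptions."""
from dataclasses import dataclass

MIN_OS_BUILD = 22000  # assumed minimum OS build required by policy


@dataclass
class DevicePosture:
    os_build: int
    antivirus_active: bool
    antivirus_updated: bool
    vpn_connected: bool


@dataclass
class AccessRequest:
    user: str
    credential_valid: bool  # credential presented and verified for THIS request
    device: DevicePosture
    resource: str


# Policy table (assumed): resource -> (users allowed, VPN required).
POLICY = {
    "laptop": ({"engineer1", "engineer2"}, False),
    "email": ({"engineer1", "engineer2"}, False),
    "lab-fileserver": ({"engineer1"}, True),
}


def posture_failures(d: DevicePosture, needs_vpn: bool) -> list[str]:
    """Return the posture checks that fail; an empty list means compliant."""
    failures = []
    if d.os_build < MIN_OS_BUILD:
        failures.append("os build below baseline")
    if not (d.antivirus_active and d.antivirus_updated):
        failures.append("antivirus not active and updated")
    if needs_vpn and not d.vpn_connected:
        failures.append("vpn connection required")
    return failures


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Per-request decision: nothing is trusted by default, every check must pass."""
    if req.resource not in POLICY:
        return False, "unknown resource"
    allowed_users, needs_vpn = POLICY[req.resource]
    if not req.credential_valid:  # no transitive trust from an earlier login
        return False, "authentication required for this resource"
    if req.user not in allowed_users:
        return False, "user not authorized for resource"
    failures = posture_failures(req.device, needs_vpn)
    if failures:
        return False, "device non-compliant: " + "; ".join(failures)
    return True, "granted for this session only"


def walkthrough() -> dict[str, bool]:
    """Constructed scenario: a laptop login must not open email by itself."""
    healthy = DevicePosture(22621, True, True, True)
    stale_av = DevicePosture(22621, True, False, True)
    sessions: set[tuple[str, str]] = set()  # grants recorded per (user, resource)

    def request(user, cred, dev, res):
        ok, _ = decide(AccessRequest(user, cred, dev, res))
        if ok:
            sessions.add((user, res))
        return ok

    laptop = request("engineer1", True, healthy, "laptop")
    # The desktop mail client tries to ride on the laptop login: no fresh credential.
    email_implicit = request("engineer1", False, healthy, "email")
    email_reauth = request("engineer1", True, healthy, "email")
    lab_stale = request("engineer1", True, stale_av, "lab-fileserver")
    lab_user2 = request("engineer2", True, healthy, "lab-fileserver")
    return {
        "laptop": laptop,
        "email_without_reauth": email_implicit,
        "email_after_reauth": email_reauth,
        "lab_fileserver_stale_av": lab_stale,
        "lab_fileserver_unauthorized_user": lab_user2,
        "email_session_recorded": ("engineer1", "email") in sessions,
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:<34} {outcome}")
```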
Supply Chains and Supply Chain Risks (Week 4)

Supply chains and supply chain risks have become a growing area of concern for businesses and governments due to the lack of visibility into the processes and decisions made during the production and transfer of products from one supply chain stage to the next (National Institute of Standards and Technology, 2021c). This lack of visibility is further complicated as products delivered to one end-user are incorporated into products which are then transferred via a new supply chain to the next end-user before finally arriving at the ultimate consumer. The US Federal Government has developed the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to bring together private sector businesses and governmental entities in public-private partnerships to develop tools, techniques, and strategies for improving the overall security of supply chains, at both the national and international levels (National Institute of Standards and Technology, 2021b).

What is a Supply Chain?

Supply chains are systems of activities, actors (people and organizations), information, and resources involved in the production and movement of a product or service from the producer (manufacturer) to the end-user (consumer, including businesses and resellers) (CFI Education, 2021). Farm-to-table is an example of a simple and relatively well understood supply chain. That supply chain can become more complex if there are intermediaries such as shipping companies and resellers (stores) involved in the transfer of goods from producers (farms) to customers.

How Can Supply Chains be Attacked?

Products within a supply chain can also be compromised through damage or intentional modification or contamination as they move from one location to the next.
For technology-based products, this damage can be invisible or hard to detect if attackers change embedded software or replace digital or electrical components with items that will grant the attacker access to or control over the product and its functionality. Shrink-wrap attacks, in which a software product or hardware component is modified at the manufacturer or producer (source) prior to shipment, are an example of an insider threat which manufacturers need to protect against. (Note: it is possible for such attacks to be accomplished by external attackers who successfully compromise the systems or software used to produce the compromised product.)

Identifying Supply Chain Risks

Supply chain risks can be discovered by using business analysis to model the processes involved in a company’s ordering of components and the subsequent fulfillment processes for those orders. Who are the suppliers? How are orders placed? Where are the suppliers located? What type of security does the supplier have in place to prevent attacks against their parts of the supply chain? These are questions that a business analyst must ask in order to assist with the identification of risks arising from a company’s supply chains.

Consider this example: a relatively simple supply chain can be interrupted by a malware attack against a laptop computer used for tracking orders and deliveries. Or, the supply chain could be interrupted through a cyberattack against a bank or against an individual which compromises the ability to transfer payments from purchaser to supplier. Complex supply chains can also be interrupted by weather events, social unrest, and cyber attacks against the systems and information required to track and control orders and deliveries. Supply chain risks can also be introduced through error or negligence on the part of a producer or service provider.
This type of risk can arise due to inadequate testing which fails to detect software or hardware vulnerabilities in a product. Digital devices are particularly prone to this type of risk, and such risks affect the security posture of the end-user organization. Operating systems, software applications, BIOS control programs, and other software products are well known sources of vulnerabilities which end users must control for and which producers must address through updates and patches (Cybersecurity and Infrastructure Security Agency, 2021).

Third-party or vendor risks and vulnerabilities can also occur through poor security practices on the part of service providers and other external organizations (Lester, 2019; Lord, 2020). These practices can result in data breaches or infrastructure compromises which affect the vendor’s customers and the customers’ customers. Data breaches caused by third parties can expose a company to risks associated with non-compliance with laws and regulations related to data privacy and data security (e.g., the data protection regulations from the United Kingdom and European Union) (Lester, 2019).

Implementing the Cybersecurity Program for an Organization (Week 5)

Once the organization has decided to implement a cybersecurity management program, it needs to develop the mission, vision, policies, standards, and procedures which define and support that program. There are many different approaches which can be taken to establish an operating unit which manages cybersecurity / information security. Usually, these functions are assigned to the same unit which manages the organization’s Information Technology resources and services. The executive or manager responsible for cybersecurity / information security usually holds the title of Chief Information Officer (CIO) or Chief Security Officer (CSO).
Or, this responsibility may be assigned to a subordinate of the CIO or CSO whose title is Chief Information Security Officer (CISO). The CISO (or equivalent) is responsible for organizing, planning, implementing, executing, and monitoring all phases and aspects of cybersecurity operations for the business. Since cybersecurity is a support function (expense), managing and controlling costs is an important function for this executive. This executive’s cybersecurity responsibilities usually include:

• Acquisition & Contract Management (purchasing of products & services)
• Investment / Portfolio Management for Cybersecurity Investments (hardware, software, infrastructure)
• Program/Project Management (cost, schedule, quality, security)
• Performance Monitoring / Information Security Metrics
• Technology Selection & Evaluation
• IT Operations & Management
• Incident Response Management
• Disaster Recovery
• Business Continuity Planning & Execution

The cybersecurity program cannot operate in isolation. It must be integrated with the rest of the business. This integration begins with coordination and collaboration for decision making via the involvement of executives and managers from each of the organization’s functional business areas: accounting and finance, commercial, general and functional management, security, and technical.

Cybersecurity Management: Frameworks and Standards

There are a number of organizations which develop and publish frameworks and standards used to implement and manage the cybersecurity program for an organization. Some frameworks focus on the structure of an information security (cybersecurity) program: what should be done, how it should be implemented, and how it should be reviewed or controlled by the organization. Other frameworks focus on the functions that define how an organization implements cybersecurity, that is, what security controls are put in place and what outcomes should result from those controls.
Security controls can be policies, managerial or administrative actions, technologies, etc., and are intended to implement safeguards or countermeasures to ensure confidentiality, integrity, and availability of information and information systems (National Institute of Standards and Technology, 2021a).

International Standards Organization

One of the most well known publishers of standards for information technology is the International Standards Organization (ISO). The ISO/IEC 27000 Information Technology family of standards publications defines the activities required to implement an Information Security Management System (ISMS). ISO/IEC 27001 Information Security Management provides a set of requirements for establishing and managing the ISMS (International Standards Organization, 2013a). ISO/IEC 27002 Information Technology – Security techniques – Code of practice for information security controls provides guidance on the selection and implementation of security controls (International Standards Organization, 2013b). This document also provides guidance about establishing policies, practices, and procedures for (a) the assessment of risks, (b) consideration of contractual, legal, and regulatory requirements for security, and (c) identification and use of business requirements for secure handling of information. ISO/IEC 27003 provides guidance for the implementation of the ISMS, including risk assessments and risk treatments. This guidance includes requirements for implementing the ISMS using the following elements:

1. A policy document which defines and establishes the organization’s ISMS.
2. A document which sets forth the roles and responsibilities for managing the ISMS.
3. A set of management processes which address:
   a. a system of policies used to govern and implement the ISMS
   b. requirements for security awareness, training, and competency
   c. planning for the ISMS
   d. implementation for the ISMS
   e. operations for the ISMS
   f. assessment of the functioning of the ISMS
   g. managerial review of the functioning of the ISMS
   h. quality improvement for the ISMS
4. A set of documentation for the management and operations of the ISMS (International Standards Organization, 2017).

ISACA

Control Objectives for Information and Related Technologies (COBIT) is a business oriented framework for governance and management of Information Technology developed and published by ISACA (IT Governance, 2021; Nussbaumer, 2020). COBIT’s focus is upon effective and efficient governance and management of IT resources, and it is used to help integrate IT governance with the organization’s overall governance structures and processes. The five basic principles of COBIT are:

• Meeting Stakeholder Needs
• Covering the Enterprise (managing IT as an asset; distributed accountability)
• Using a single integrated framework to govern IT
• Using a holistic approach (instead of piecemeal)
• Keeping governance of IT separate from “management” of IT

Requirements to implement and maintain an IT security program are embedded in the COBIT standard under the Align, Plan, and Organize domain (one of the management domains in the standard). Standard APO12 requires that organizations manage risk and standard APO13 requires that security be managed.

Payment Card Industry Security Standards Council

Another set of important standards for IT security are found in the Payment Card Industry (PCI) guidance for businesses and organizations which accept payments via debit and credit cards (PCI Security Standards Council, 2021).
The PCI standards for data security (PCI DSS), PIN Transaction Security (PCI PTS), Payment Application Data Security (PA-DSS), and Point-to-Point Encryption (P2PE) provide a standardized supporting infrastructure and set of frameworks used worldwide to secure electronic commerce transactions using payment cards. Implementing and auditing compliance with these standards is an important risk management strategy for e-Commerce companies: the standards are enforced contractually by the card brands and acquiring banks, and failure to comply with PCI DSS can result in fines and, ultimately, loss of the business's ability to accept payment cards. The requirements of the Data Security Standard fall into six groups:

• Implementation of network security (secure network and system configurations) to protect cardholder data
• Protection of cardholder data (including encryption of stored data and of data transmitted over open, public networks)
• Vulnerability management (including anti-malware protection and development of secure software applications)
• Strong access control measures (restricting access to information based upon need to know, use of unique login identifiers, one per person, and restricting physical access to information and information systems)
• Regular monitoring and testing of networks
• Maintaining an information security policy for the organization

The National Institute of Standards and Technology

The US Department of Commerce's National Institute of Standards and Technology (NIST) is another source of well known and widely used frameworks and guidance documents for information security. NIST publishes the Framework for Improving Critical Infrastructure Cybersecurity (version 1.1, 2018), commonly referred to as the Cybersecurity Framework (CSF). The CSF guides organizations in selecting and implementing risk management actions to protect critical infrastructure from cyberattacks. The framework also provides guidance similar to ISO/IEC 27001, 27002, and 27003 about the actions which should be taken to establish or improve an organization's cybersecurity management program. (Appendix A of the Framework, the Framework Core, provides informative references that map each outcome to standards and guidance documents published by NIST and by other industry sources, including the ISO/IEC 27000 series and NIST SP 800-53.) The framework also discusses issues related to Supply Chain Risk Management (SCRM).

The NIST Cybersecurity Framework (version 1.1) defines five (5) Core Functions which organizations should implement to help them manage cybersecurity risks. These functions are defined as outcomes which result when risks are appropriately managed and can be used to organize information for use in risk management decision making. The Core Functions are:

• Identify
• Protect
• Detect
• Respond
• Recover

(CSF 2.0, published by NIST in 2024, adds a sixth function, Govern, covering the organizational context, strategy, and oversight of the cybersecurity program.)

The NIST SP 800 series of Special Publications provides detailed guidance from which organizations tailor specific policies, programs, and procedures to build their cybersecurity management programs and strategies. These documents have become de facto standards for information security. Key documents in this series include:

• NIST SP 800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
• NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
• NIST SP 800-100 Information Security Handbook: A Guide for Managers
• NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
• NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Roles and Responsibilities of Key Personnel in the Cybersecurity Program

ISO/IEC 27001 requires that an organization identify, in writing, the roles and responsibilities of key personnel for the cybersecurity program. Typically, these individuals are executives and managers in the company.
The list of roles may also include key stakeholders or sponsors for the program and its activities. In some cases, the management and operation of the actual cybersecurity program may be outsourced to a firm specializing in providing these functions as a service. But there will always be an executive or senior manager in the company who is responsible and accountable for the cybersecurity program; operations can be outsourced, accountability cannot.

Typical roles for key personnel include the following:

• Chief Information Officer (CIO): the CIO is the executive or senior manager responsible for the overall management of an organization's information technology infrastructure. This individual may be directly responsible for the information security program, or a manager reporting to the CIO may be responsible for serving in that role.
• Chief Information Security Officer (CISO): the executive or senior manager responsible for the overall management of the cybersecurity program (Fruhlinger, 2021). This individual needs both program management skills and technical knowledge of cybersecurity and information technology. In some organizations, business knowledge is prioritized over technical knowledge when selecting a CISO. This can become a serious problem if the CISO is not supported by staff who are able to communicate effectively, or if the staff's professional judgement on cybersecurity matters is discounted or not accepted. The CISO should be a member of the organization's governance board or have strong support from that board. Otherwise, governance decisions may be made that weaken or otherwise impair the functioning of the cybersecurity program. Alternate titles for the CISO include: Director of Information Security, Information Security Manager, Chief Security Officer.
• IT Project Manager: a project manager is responsible for managing the implementation of IT projects, which include the implementation of changes to the security technologies used by the organization.
• Network Operations Manager: the network operations manager runs the Network Operations Center and is responsible for the overall management of the network, including monitoring for and response to cyberattacks.
• Security Operations Manager: similar to the Network Operations Manager, this role is responsible for the day-to-day security of all information technology, including operational technologies, building security, etc.
• Additional roles for cybersecurity program personnel include: policy analyst, risk analyst, help desk analyst, auditor, investigators, and strategists (Zeltser, 2021).

IT Security Policies, Plans, Procedures, and Standards

ISO/IEC 27001, 27002, and 27003 provide organizations with guidance as to the types of documentation an organization should create in order to fully implement its cybersecurity or information security program. Additional guidance for IT security documentation can be found in a variety of NIST SP 800 guidance documents, including NIST SP 800-12 (Nieles, Dempsey, & Pillitteri, 2017).

• Policies: policies are guidance documents that state requirements and include consequences for non-compliance. A policy document should be used to authorize establishment of a cybersecurity / IT security program. Such authorization includes budget authority and commitment of resources to pay for the operating expenses. A program policy should be used to establish organizational structures and assign responsibilities within the IT security/cybersecurity program. Other types of policies used for information security include (a) issue-specific policies, such as a Bring Your Own Device policy and an Acceptable Use Policy for IT resources, and (b) system-specific policies, which address operating requirements and risk mitigation measures (e.g. requirements for granting access, classifying the sensitivity of the system or its information, etc.).
• Plans: IT security plans typically focus on providing answers to the Who, What, When, Where, and How questions for management of programs and systems.
• Procedures: IT security procedures provide detailed guidance for how to perform well defined activities. These procedures can include incident detection and response as well as how to maintain equipment, including patch deployment for software updates.
• Standards: organizations usually adopt industry standards for use in their organization. A list of standards or a technical architecture document specifies which standards the organization has adopted.

Understanding the Market for Cybersecurity Products and Services (Week 6)

Organizations need to protect information, information systems, and information infrastructures. To accomplish this, they need to purchase hardware and software products which can be used to implement security controls within their enterprises. In your previous coursework, you have been exposed to a number of hardware and software products which can be used to meet requirements to protect information and related technologies from losses of confidentiality, integrity, and availability. Such products include integrated hardware/software solutions such as firewalls, intrusion detection and prevention systems, data loss prevention systems, access control and alarm systems for physical buildings, and more.
When properly installed, these products help to prevent or protect against threats, detect attacks in progress (or indicators and warning signs of attacks), respond to attacks, and remediate or correct vulnerabilities which could be exploited by attackers. In addition to integrated hardware/software products, customers may also want to buy or contract for cybersecurity-related services. Such services can include:

• Managed Security Services
• Disaster Recovery & Business Continuity Planning Services
• Cybersecurity Consulting Services (Risk Management, Governance, etc.)
• Cybersecurity Threat Research (Cyber Threat Intelligence)
• Cybersecurity Training and Awareness
• Cybersecurity Certifications & Talent Management (for cybersecurity personnel)

The Market for Cybersecurity Products and Services

Cybersecurity and IT security products and services exist because businesses (customers) need and want these products AND because a manufacturer (vendor) was interested in developing, manufacturing, marketing, and supporting them. Businesses conduct internal analyses (business analyses and security analyses) to identify the types of products or services they need to put in place in order to address their identified requirements for cybersecurity solutions, including implementation of security controls. If those products or services already exist in the marketplace, the business takes its requirements and designs a technology-based solution, preferably from off-the-shelf or commercially available products, since this will usually be the most cost-effective solution. Companies who create, design, build, sell, and maintain cybersecurity products and services (producers or suppliers) do not usually do so in a vacuum or without information about the potential market for a planned or imagined product or service. They collect information from current and potential customers as to what those businesses plan to purchase in the near future.
These producers / suppliers also develop business intelligence and other information-based strategies that allow them to obtain information about the types of products or services that are needed by the marketplace. This business intelligence allows them to concentrate their efforts on building things that businesses want to buy. Their business intelligence and information gathering efforts (market research) focus on finding answers to questions such as these:

• Who are the potential customers?
• Why do those customers want to buy cybersecurity-related products? Services?
• What business needs for cybersecurity do those potential customers have?
• What are the factors which drive a business to purchase and implement cybersecurity solutions, i.e. products or services?
• What information about their business needs are potential customers willing to share with solutions developers?

Analyzing the Market for Cybersecurity Products and Services

Sometimes, a company needs to expand the scope of its market research and business intelligence efforts. Instead of focusing on known customers, the company may need to conduct a scan of an entire region or locale. The PEST framework can be used to conduct such a scan. This framework is used by business and market analysts to understand existing and future markets for products and services. The PEST tool (sometimes referred to as STEP or, in extended forms, STEEPLE) is used to explore how the macro environment influences the market. (A macro-environment is the larger ecosystem which encompasses geographic regions, nations, and international areas of operation.) Using a PEST analysis, it is possible to uncover the factors which influence the types of products and services that customers in a particular geographic locale wish to purchase.
The PEST tool's framework has four factors (categories):

• Political-Legal
• Economic
• Socio-Cultural
• Technological

Political-Legal Factors

The political-legal factors are defined and driven by laws, regulations, national policies, and the general legal climate within the geographic area under study. For example, a domestic market for encryption-related products exists because numerous US laws (e.g. HIPAA, Sarbanes-Oxley, and the Gramm-Leach-Bliley Act) require that companies protect certain types of information from unauthorized disclosure. This is an example of a "political-legal" factor which influences the market to provide a product. A global market for encryption products, to protect privacy and security, exists in part due to the fines and penalties imposed for violations of the European Union's General Data Protection Regulation (GDPR).

Economic Factors

Salvatore Stolfo, writing in the ISACA Journal, presents statistics as to the economic costs of data breaches (2019). He cites a 2018 IBM/Ponemon Institute study as stating that the average cost of a data breach in the US in 2018 was over $3.8 million. The costs include remediation, notification to and compensation for affected parties, and fines imposed by governmental entities for failure to prevent the breach from occurring. The author also noted that the faster a breach was detected, the lower the costs to the organization. Cost avoidance is a strong business driver when the economic impacts of a successful cyberattack are so high.

Socio-Cultural Factors

The influence of social media upon society is, perhaps, one of the best known socio-cultural factors influencing society today.
Government officials, educators, and even social media companies warn individuals and businesses about the dangers of disclosing personal or private information via social media postings and accounts (National Cybersecurity Alliance, 2020). Such disclosures, they warn, can enable identity theft and loss of control over financial accounts, social media accounts, and so forth. Attackers are known to participate in social media platforms for the purpose of collecting information from and about potential victims. Services such as Norton LifeLock, Identity Guard, and Experian IdentityWorks exist because of a market-driven need for services to help subscribers protect themselves against identity theft (Kinney & Hampshire, 2021).

Technological Factors

The introduction of 5G networks for voice, video, and data transmission is an example of a technology factor which influences the marketplace for cybersecurity products and services. According to Vinod Kumar, writing for Forbes, "5G's dynamic software-based systems" will increase the number of access points, thus greatly increasing the attack surface which can be exploited by attackers (2021, p. 1). Other characteristics of 5G will make networks more complex and harder to segment or partition. Kumar also remarked that risk factors caused by poor Internet of Things security will affect and influence security in 5G networks used by Internet of Things devices. The same will be true for operational technologies used to control critical infrastructures.

Corporate Governance (Week 7)

One of the key functions of corporate governance is to address the problem of shared risk. Or, to put this another way: risk accepted by one is imposed on all.
Governance as an Activity

Governance is the means by which businesses organize, integrate, and control internal operations (International Bureau of Education, 2021). Governance processes ensure accountability, transparency, responsiveness, and operation in accordance with the rule of law, and are fundamental to the inclusion and empowerment of the leadership of an organization. Governance is the primary means by which the senior-most executives (the C-suite) collaborate and come to agreement about financial matters and the overall direction of the organization. For a small business, governance may be an unstructured process involving the partners or owners, who decide among themselves how they will make decisions about the business and its operations. For large businesses, governance is a combination of rules, processes, and relationships. This type of governance is established by an agreed-upon set of highly structured, formally documented policies and processes. Depending upon the size and nature of the business, governance may be divided into specific areas of responsibility, each of which is headed by a C-suite executive. These governance areas are subordinate to the overall corporate governance structure.

Effective governance processes internal to the business have external effects as well. Good governance can result in more favorable terms for borrowing needed capital (money) for expansion. It also results in greater trust in the business community and in society at large. The Organisation for Economic Co-operation and Development (OECD) studies governance processes for corporations worldwide and provides a factbook (OECD, 2021) which explains the various forms and structures used in 50 jurisdictions (countries and regions).

Governance Processes

Governance processes are used by executives and senior managers to cooperatively control the operations of a business (International Bureau of Education, 2021).
Typically, there is a governance board whose members are drawn from the C-suite or senior-most executives of the organization. Governance processes may involve individuals (experts) from all areas of the organization, but these processes operate at a higher level than management and focus on decision making and the resulting interactions between organizational units, with particular focus upon how executive-level decisions guide or control the actions of operating units and thereby affect or support the operations of other divisions or departments.

Legal and Regulatory Considerations

Businesses must take into consideration the requirements of local and national laws and regulations for each country or jurisdiction in which the firm operates. Criminal laws differ widely between countries. These differences impact how a company writes and implements policies designed to protect against insider threats to information and information resources. Privacy laws differ as well. In the European Union, for example, there are privacy and data protection laws, including the General Data Protection Regulation (GDPR), which is a regulation and therefore applies directly in every member state with the force of law. Under these laws, customers and employees can exercise specific rights which impact how a company gathers, stores, and disseminates information. These laws can also restrict a company's ability to implement cybersecurity-related protections, e.g. real-time monitoring of internal networks and of the content of traffic transmitted over those networks, which must be justified, limited to what is necessary, and disclosed to the employees affected. Businesses must also be aware of export controls and bans on the transfer of technology between countries. These restrictions can prevent a company from using some cybersecurity products across a global IT enterprise.
In the United States, the US Department of Commerce's Bureau of Industry and Security publishes the Export Administration Regulations which implement export controls on commercial technology, including many encryption products.

Governance for External Cooperation and Collaboration

Globally, many businesses cooperate to accomplish mutual objectives. Such cooperation is usually under the oversight of the corporate governance board or a sponsor appointed by the board. Today's Internet and the globally interconnected networks used for business and commerce are examples of such cooperation and collaboration. These activities promote an open yet secure Internet which provides the infrastructure that enables both corporate operations and e-commerce. Businesses must also interact with governments and treaty organizations which implement protections for commerce, trade, and the Internet. These organizations exist to protect intellectual property rights (WIPO), impose rules and structures which govern trade (WTO), combat cybercrime and cyber terrorism (Interpol), and promote free and open access to information and communications technologies (ITU).

Ethics and Ethical Decision Making (Week 8)

The information in this section applies to a broad spectrum of career fields and professions. Our focus, however, is the application of the principles of ethics when working as a consultant or as a cybersecurity professional. We address ethics and ethical decision making in this case study because businesses have ethical obligations to protect information from unauthorized disclosures such as data breaches, theft, espionage, etc. (Steen, 2013). That is, the business has ethical obligations as to how it collects, processes, stores, uses, and transmits the information it gathers about customers, employees, vendors, competitors, and society in general.
The managers and employees also have ethical obligations with respect to the use of business assets and responsibilities to protect those assets from harm or loss.

Principal-Agent Relationships

There are several ethical principles which consultants must be aware of and which they should practice as they perform their work. The first of these is the obligation to put forth one's best efforts in a principal-agent relationship (Principal and Agent, 2018). In the context of a consulting engagement, the principal is the client and the consultant is the agent. The contract between the client and the consulting firm defines the specifics of the relationship between these two parties. In general, the agent performs actions on behalf of the principal, and those actions are governed by (a) the contract, (b) the ethical standards of the profession (ISC2, 2021), and (c) the ethical standards of society at large (Reynolds, 2018). (Note: within the consulting firm, the term principal is used to refer to the senior manager in charge of consulting engagements. The individual members of the consulting team are not usually referred to as agents, since they are not parties to the consulting contract. The relationship between the consulting principal and the team members is one of employment and not agency. Agents have greater latitude than employees in determining their actions on behalf of the principal.)

Duty

The concept of duty or obligation arises from Kantian ethics (Misselbrook, 2013) and is our second set of ethical principles. Kant's approach to ethics was one of reason and reasoned thought, and it focuses on the individual's actions in response to duty as the determinant of rightness or wrongness. Ethicists describe this type of ethics as deontological. The universal principle embedded in Kant's theory of ethics is that the highest duty is the duty to respect others' humanity. It is from this duty that we derive the duty of care in the performance of a consultant's work.
Duty of care can be extended to include the duty to inform, which is an obligation to provide information that allows an individual, in this case a client, to make decisions based on adequate information. Within the cybersecurity profession, the duty to inform includes the duty to tell clients that certain actions, or the failure to perform certain actions, may increase risk and could result in significant harm to the client's organization (ISC2, 2021).

Utility Theory (Utilitarianism)

A third set of ethical principles that consultants must be aware of is utilitarianism (utility theory) and its sub-branches, act-utilitarianism and rule-utilitarianism (Quinn, 2009). Utilitarianism is the branch of ethics that focuses upon the outcomes of a person's actions as the determinant of rightness or wrongness. Under utilitarianism, the right decision is the one that results in the greatest good for the greatest number of people. Act-utilitarianism judges rightness by looking at the net effect of the outcome of a decision. Jeremy Bentham framed this as "the greatest good for the greatest number of people." In contrast, rule-utilitarianism holds that the way to achieve the greatest good is by adopting good rules and then following those rules when making decisions. In cybersecurity, the profession tends to rely more upon a rule-utilitarian approach to achieve beneficial outcomes: we adopt and implement standards and guidelines which define actions that will result in greater, more robust security that protects assets and infrastructures. The profession also uses the act-utilitarian approach. For example, a decision to allocate budget to purchase network defense hardware may require that the organization delay or defer upgrading workstations for some employees.
Defending the network would be judged as benefitting the organization as a whole, as compared to upgraded workstations, which would benefit a smaller number of employees. A consultant may need to apply both approaches to justify recommended solutions to a client. Neither approach is inherently right or wrong. What is important is that decision makers understand how their ethical perspectives influence their choices.

Normative Business Ethics

Our fourth set of ethical principles, normative business ethics, works hand-in-hand with duty and utility (Smith & Hasnas, 1999). These normative principles set standards for ethical behavior that are specific to businesses and similar organizations. These principles focus our decision making on "who" when calculating benefits or harm (for example, when performing a cost-benefit analysis for various options or choices). These approaches to decision making are ones that you may already be very familiar with: stakeholder theory, stockholder theory, and social contract theory. We also need to consider the principles of equality, equity, and egality as they apply to the impact of decisions upon individuals and groups. Let's take a deeper look at each of these and how they can be applied to decision making for cybersecurity.

Stakeholder Theory

Stakeholders are a collection of individuals and groups who have a stake or vested interest in the outcomes of a decision. Stakeholders are those who will be impacted, for better or for worse, by that decision (Donaldson & Preston, 1995; Smith & Hasnas, 1999). In the context of a company or business, stakeholders may include owners, executives and managers, and employees of the business or organization. Insurance companies, banks (lenders), and other financial institutions may also be stakeholders, depending upon the type of decision under consideration. Stakeholder groups may also include customers, contractors, and vendors who do business with the company or organization. In making determinations of benefit and harm, the decision makers may need to consider how much of a stake each group of stakeholders has and how much importance their wants and needs should be given when calculating a cost-benefit analysis or otherwise determining which choices should be selected prior to making a decision.

Stockholder Theory

Stockholders are those who have an ownership interest in the company (Smith & Hasnas, 1999). In a sole proprietorship, there is a single owner. In a partnership, there are multiple owners, with the partnership agreement defining the percentage of the company that is owned by each individual partner. In a stock corporation, whether publicly or privately held, each unit of stock represents ownership of a portion of the corporation. Under stockholder theory, the rightness of a decision is measured by the potential benefit or harm that could occur and would impact the stockholders' financial interests in the company. For example, a failure to comply with a law or regulation could result in a fine which must be paid by the company. Ultimately, the owners of the company will receive lower returns on their invested capital (money) because of this avoidable cost. Under stockholder theory, the correct or right choice would be to avoid the unnecessary expense (the fine) by complying with the law or regulation.

Social Contract Theory

Social contract theory has two main parts: the government and the governed (society) (Smith & Hasnas, 1999). The contract is between members of society as to the standards for acceptable behavior (actions) and is implemented through governmental actions such as policies, laws, and regulations. The rightness of an individual's action is determined by compliance with societal norms, including those norms which require that all members of society follow the rule of law.
For a business, the social contract establishes expectations and requirements for how the business will interact with society, and it applies to all actions which impact the society in which the business operates. How it treats customers, how it treats employees, how it treats the land and other resources which are shared with the residents of the surrounding area – these are some of the types of decisions and behaviors that social contract theory guides.

Fairness and Justice: Equality, Equity, and Egality

The concepts of equality, equity, and egality can be used in a policy-making context to evaluate policy-based solutions to business problems. However, the three can be difficult to distinguish from one another. (Oppenheim (1970) provides a comprehensive examination of these principles and their interrelationships.) Equality is focused more on the opportunity to benefit than on the actual outcome or benefit received: everyone receives the same opportunity to benefit, but the outcomes depend upon how that opportunity is used or acted upon. Equity is needs based: everyone receives an opportunity to benefit based upon their needs or starting point, with the goal of maximizing the sameness of outcomes. Egality is when everyone receives exactly the same benefits or outcomes. When making decisions, especially when allocating resources, questions of fairness can arise (Oppenheim, 1970; Quinn, 2009). How do we determine what is fair? Is equal the same as fair? Whose definitions of fairness should be accepted and used? We find some answers to this in John Rawls's principles of justice, which Rawls proposed be used to extend society's social contract (Quinn, 2009). These principles require that all members of society have a fair and equal opportunity to benefit.
But, in some circumstances, an egalitarian solution, where everyone gets the same, is the better or more ethical solution. And sometimes fairness is more appropriately defined by considerations of equity, that is, a needs-based solution. Here is an example in which three alternative solutions for deploying firewalls throughout an enterprise have been proposed. Technical considerations notwithstanding, which solution would you consider to be the most ethical? Why?

Proposed Alternative Solutions for the Network Defense Problem (and the principle each reflects)

1. Every network segment gets a firewall (benefit) that costs the same (equality of opportunity) but may have differing features or capacities (differing outcomes). Principle: Equality.
2. Every network segment gets a firewall (benefit) capable of handling its projected peak load (need). Cost is not a primary consideration. Principle: Equity.
3. Every network segment gets the exact same model of firewall (benefit). Equal inputs give equal benefits. Principle: Egality.

Which solution would you have chosen before reading this section on equality, equity, and egality? Would your decision be blind to the "who"? Would you choose solution #3 and buy the most affordable firewall that meets the minimum or "average" performance requirements? What if one network segment was for the business office of a hospital (which needs to transmit claims to insurance companies) and another network segment was for the radiology department (which needs high bandwidth to send images to offsite doctors for analysis)? Does this additional knowledge change your decision? Does it change the ethics or goodness of your choice? Consider this: if the person making the technology recommendations was not aware of the differing needs of these two departments, the outcome of the firewall selection process might significantly and adversely impact patient care. One final thing to be aware of: when ethics labels are attached, those labels may affect and possibly change the decision maker's choices.
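The firewall example above can be made concrete with a small capacity-planning model. The Python below is an added example and is not part of the original UMGC course text: it takes a constructed set of network segments with projected peak loads and a constructed three-model firewall catalogue (segment names, Mbps figures, model names and prices are all hypothetical) and computes what each of the three principles buys, what it costs in total, and which segments are left under-provisioned. The function names are assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    name: str
    peak_mbps: int  # projected peak throughput the segment must carry


@dataclass(frozen=True)
class Firewall:
    model: str
    capacity_mbps: int  # rated inspection throughput
    cost: int           # unit price; constructed figure


# Constructed catalogue and segments: hypothetical models, loads and prices.
CATALOGUE: List[Firewall] = [
    Firewall("FW-100", 500, 1_000),
    Firewall("FW-300", 2_000, 3_000),
    Firewall("FW-900", 10_000, 9_000),
]
SEGMENTS: List[Segment] = [
    Segment("business-office", 300),  # claims traffic to insurers
    Segment("radiology", 4_000),      # imaging sent to offsite radiologists
    Segment("admin-lan", 800),
]

Plan = Dict[str, Firewall]


def cheapest_meeting(need_mbps: float, catalogue: List[Firewall]) -> Optional[Firewall]:
    """Smallest model whose rated capacity covers the need, or None if none does."""
    for fw in sorted(catalogue, key=lambda f: f.capacity_mbps):
        if fw.capacity_mbps >= need_mbps:
            return fw
    return None


def largest_affordable(budget: int, catalogue: List[Firewall]) -> Firewall:
    """Highest-capacity model whose price fits the budget."""
    affordable = [fw for fw in catalogue if fw.cost <= budget]
    if not affordable:
        raise ValueError(f"no model costs {budget} or less")
    return max(affordable, key=lambda f: f.capacity_mbps)


def allocate_equality(segments: List[Segment], catalogue: List[Firewall],
                      budget_per_segment: int) -> Plan:
    """Equality: every segment gets the same spending opportunity.
    A segment buys the model that fits its need if its share affords it;
    otherwise it takes the biggest model its share allows (differing outcomes)."""
    plan: Plan = {}
    for seg in segments:
        fit = cheapest_meeting(seg.peak_mbps, catalogue)
        if fit is not None and fit.cost <= budget_per_segment:
            plan[seg.name] = fit
        else:
            plan[seg.name] = largest_affordable(budget_per_segment, catalogue)
    return plan


def allocate_equity(segments: List[Segment], catalogue: List[Firewall]) -> Plan:
    """Equity: each segment is sized to its own projected peak; cost is secondary."""
    plan: Plan = {}
    for seg in segments:
        fit = cheapest_meeting(seg.peak_mbps, catalogue)
        if fit is None:
            raise ValueError(f"no model covers {seg.name} at {seg.peak_mbps} Mbps")
        plan[seg.name] = fit
    return plan


def allocate_egality(segments: List[Segment], catalogue: List[Firewall]) -> Plan:
    """Egality: one identical model everywhere, chosen to meet the average peak."""
    avg = mean(s.peak_mbps for s in segments)
    fit = cheapest_meeting(avg, catalogue)
    if fit is None:
        raise ValueError("no single model covers the average load")
    return {seg.name: fit for seg in segments}


def evaluate(plan: Plan, segments: List[Segment]) -> dict:
    """Total spend plus, per segment, how far capacity falls short of projected peak."""
    total = sum(plan[s.name].cost for s in segments)
    shortfalls = {
        s.name: s.peak_mbps - plan[s.name].capacity_mbps
        for s in segments
        if plan[s.name].capacity_mbps < s.peak_mbps
    }
    return {"total_cost": total, "shortfalls": shortfalls}


if __name__ == "__main__":
    plans = {
        "equality (same budget each)": allocate_equality(SEGMENTS, CATALOGUE, 3_000),
        "equity (sized to need)": allocate_equity(SEGMENTS, CATALOGUE),
        "egality (one model for all)": allocate_egality(SEGMENTS, CATALOGUE),
    }
    for label, plan in plans.items():
        picks = ", ".join(f"{name}={fw.model}" for name, fw in plan.items())
        print(f"{label}: {picks} -> {evaluate(plan, SEGMENTS)}")
```

With these constructed figures, equity is the only plan with no shortfall, but it is also the most expensive; both the equal-budget plan and the one-model-for-all plan leave the radiology segment 2,000 Mbps short, which is exactly the patient-care risk the text warns about when the decision maker does not know the "who".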
If you are going to make arguments based upon your judgment as to whether or not a choice would have ethical or unethical outcomes, it is important to provide appropriate and well researched business cases. The person making recommendations must understand the rationale behind the recommendations (which set of requirements was used) and ensure that rational decision-making processes are applied, including performing a cost-benefit analysis to support financial decisions. As cybersecurity professionals, we must act in ethical ways and apply the principles of ethics in our decision-making, but we also need to be aware that the language of ethics can be off-putting in a discussion of business matters. How we communicate information is as important as what we mean to say or the reasons why we hold certain opinions or make certain choices. Using terms such as cost-benefit analysis and fairness may be better received than using the underlying theoretical terms, e.g. utilitarianism and equality, equity, or egality.

Negligence

Before we end our discussion of ethics and decision making, we need to address the problem of negligence: the failure to apply prudence or adequate care when performing work for a client or employer (Quinn, 2009; Reynolds, 2018). The concept of negligence is an outgrowth of duty ethics. A determination of negligence requires examination of the outcomes of actions. Intention may be considered as a mitigating factor, but intent to do good does not excuse harmful results. Negligence arises when an individual's actions do not meet professional standards of performance or otherwise fail the reasonable person test. In the context of the consulting engagement, we must consider the possible outcomes or results of an action in the performance of one's duties.
The consultant must ensure that his or her actions will not result in an accusation of negligence, since such matters are actionable under civil law and could result in a lawsuit with damages awarded to the harmed party (e.g. the client). Terms related to negligence include:

• Malfeasance – intentional or deliberate actions which are wrong or against the law
• Misfeasance – doing a "right" action but in a manner that results in harm
• Nonfeasance – intentionally not taking an action required by law, which results in harm

References

Adobe. (2021). Business case. Retrieved from https://www.workfront.com/project-management/life-cycle/initiation/business-case

CFI Education. (2021). Supply chain. Retrieved from https://corporatefinanceinstitute.com/resources/knowledge/strategy/supply-chain/

Cybersecurity and Infrastructure Security Agency. (2021, April). Defending against software supply chain attacks. Retrieved from https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

Donaldson, T. & Preston, L. E. (1995). The stakeholder theory of the corporation: Concepts, evidence, and implications. The Academy of Management Review, 20(1), 65-91.

Fruhlinger, J. (2021, April 1). How the CISO role is evolving. CSO. Retrieved from https://www.csoonline.com/article/3332026/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html

Harvard Business School. (2011). Developing a business case (Pocket Mentor series). Boston: Harvard Business Review Press.

International Bureau of Education. (2021). Concept of governance. Retrieved from http://www.ibe.unesco.org/en/geqaf/technical-notes/concept-governance

International Standards Organization. (2013a). ISO/IEC 27001:2013(en) Information technology – Security techniques – Information security management systems – Requirements. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en

International Standards Organization. (2013b). ISO/IEC 27002:2013(en) Information technology – Security techniques – Code of practice for information security controls. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en

International Standards Organization. (2017). ISO/IEC 27003:2017(en) Information technology – Security techniques – Information security management systems – Guidance. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27003:ed-2:v1:en

International Standards Organization. (2018). ISO/IEC 27000:2018 Information technology – Security techniques – Information security management systems – Overview and vocabulary. Retrieved from https://www.iso.org/obp/ui/#iso:std:73906:en

ISC2. (2021). Code of ethics. Retrieved from https://www.isc2.org/ethics

IT Governance. (2021). What is COBIT? Retrieved from https://www.itgovernance.co.uk/cobit

King, V. & deGrazia, B. (2021). Identifying and managing cybersecurity risk: Applying business analysis skills to cybersecurity problems and solutions. Adelphi, MD: University of Maryland Global Campus.

Kinney, J. & Hampshire, K. (2021, November 23). Best identity theft protection services of 2021. U.S. News & World Report. Retrieved from https://www.usnews.com/360-reviews/identity-theft-protection

Kovacich, G. L. & Halibozek, E. P. (2003). The manager's handbook for corporate security: Establishing and managing a successful assets protection program. Oxford, UK: Butterworth-Heinemann.

Kumar, V. (2021, October 29). Why 5G networks are disrupting the cybersecurity industry. Forbes. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2021/10/29/why-5g-networks-are-disrupting-the-cybersecurity-industry/

Lester, B. (2019, February 21). GDPR compliance and the supply chain: What organizations should know. Retrieved from https://www.remedi.com/blog/gdpr-compliance-and-the-supply-chain-what-organizations-should-know

Lord, N. (2020, September 25). Supply chain cybersecurity: Experts on how to mitigate third party risk. Retrieved from https://digitalguardian.com/blog/supply-chain-cybersecurity

Misselbrook, D. (2013). Duty, Kant, and deontology. British Journal of General Practice, 63(609). Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3609464/

Mordor Intelligence. (2021). Cybersecurity market: Growth, trends, COVID-19 impact, and forecasts (2021-2026). Retrieved from https://www.mordorintelligence.com/industry-reports/cyber-security-market

National Cybersecurity Alliance. (2020). Social media cybersecurity. Retrieved from https://www.cisa.gov/sites/default/files/publications/NCSAM_SocialMediaCybersecurity_2020.pdf

National Institute of Standards and Technology. (2011). Managing information security risk: Organization, mission, and information system view (NIST SP 800-39). https://doi.org/10.6028/NIST.SP.800-39

National Institute of Standards and Technology. (2021a). Glossary: Security control. Retrieved from https://csrc.nist.gov/glossary/term/security_control

National Institute of Standards and Technology. (2021b, November 16). Improving cybersecurity in supply chains: NIST's public-private partnership. Retrieved from https://www.nist.gov/cybersecurity/improving-cybersecurity-supply-chains-nists-public-private-partnership

National Institute of Standards and Technology. (2021c, May 25). NIST cyber SCRM fact sheet. Retrieved from https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/C-SCRM_Fact_Sheet_Draft_May_25.pdf

Nieles, M., Dempsey, K., & Pillitteri, V. (2017). An introduction to information security (NIST SP 800-12 rev 1). https://doi.org/10.6028/NIST.SP.800-12r1

Nussbaumer, G. (2020). COBIT 5 – Understand the framework. Retrieved from https://graser.co.at/cobit-5-understand-the-framework-2/

OECD. (2021). OECD corporate governance factbook – 2021. Retrieved from https://www.oecd.org/corporate/corporate-governance-factbook.htm

Oppenheim, F. E. (1970). Egalitarianism as a descriptive concept. American Philosophical Quarterly, 7(2), 143-152. Retrieved from http://ezproxy.umgc.edu/login?url=https://www.jstor.org/stable/20009343

PCI Security Standards Council. (2021). Maintaining payment security. Retrieved from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Principal and Agent. (2018). Funk & Wagnalls New World Encyclopedia, 1. Retrieved from http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=funk&AN=pr134600&site=eds-live&scope=site&profile=edsebook

Project Management Institute. (2015). Business analysis for practitioners: A practice guide. Newtown Square, PA: Author. Retrieved from http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=e025xna&AN=1244311&site=eds-live&scope=site&profile=edsebook

Project Management Institute. (2021). A guide to the Project Management Body of Knowledge (PMBOK® Guide) – Seventh edition. Newtown Square, PA: Author. Retrieved from http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=nlebk&AN=2942429&site=eds-live&scope=site&profile=edsebook

Quinn, M. (2009). Ethics for the information age (3rd ed.). Boston: Pearson Education.

Reynolds, G. W. (2018). Ethics in information technology (6th ed.). Boston: Cengage Learning.

Rose, S., Borchert, O., Mitchell, S. & Connelly, S. (2020). Zero trust architecture (NIST SP 800-207). Gaithersburg, MD: National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207

Smith, H. J., & Hasnas, J. (1999). Ethics and information systems: The corporate domain. MIS Quarterly, 23(1), 109-127. https://doi-org.ezproxy.umgc.edu/10.2307/249412

Steen, M. (2013, February 1). Cyber security and the obligations of companies. Retrieved from https://www.scu.edu/ethics/focus-areas/business-ethics/resources/cyber-security-and-the-obligations-of-companies/

Stolfo, S. (2019). Cost of a data breach: Time to detection saves real money. ISACA Journal, 1, 1-4. Retrieved from https://cdn2.hubspot.net/hubfs/4039079/Current%20Collateral/013019_Cost%20of%20a%20Data%20Breach.pdf

Stuart, M. (2016, April 6). Cybersecurity and NAICS codes. Retrieved from https://defensecraft.net/cybersecurity-and-naics-codes/

Thomas, M. (2003). High-performance consulting skills: The internal consultant's guide to value-added performance. London: Thoroughgood Publishing. Retrieved from http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=e025xna&AN=132019&site=eds-live&scope=site&profile=edsebook

Voxted, S. (2017). 100 years of Henri Fayol. Management Revue, 28(2), 256-274. Retrieved from http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=125163767&site=eds-live&scope=site

Ward, M. (2010, October 12). William Gibson says the future is right here, right now. BBC News. Retrieved from http://www.bbc.co.uk/news/technology-11502715

Zeltser, L. (2021). Which information security job titles are least and most common? Retrieved from https://zeltser.com/information-security-job-titles-popularity/