Identify at least two vulnerabilities on your home computer and share them with your peers. Explain how you have/will mitigate those vulnerabilities.
SEC 4301, IS Disaster Recovery 1
Course Learning Outcomes for Unit I
Upon completion of this unit, students should be able to:
2. Develop an asset ranking report.
2.1 Categorize the seven domains of a typical information technology (IT) infrastructure.
2.2 Classify the different U.S. laws and regulations for IT industries.
2.3 Research the confidentiality, integrity, availability (CIA) triad on how these elements protect
information.
3. Analyze an impact assessment for organization threat analysis.
3.1 Differentiate between risks and mitigation in reference to the information technology (IT)
infrastructure.
3.2 Generalize the risks and mitigations of IT components and entities.
Chapter 1: Risk Management Fundamentals
Chapter 3: Understanding and Maintaining Compliance
What Is Risk?
Risk has been a challenge since the beginning of humankind. Early cave dwellers, for example, had to decide when to hunt for food. This sounds like a simple task; however, time of day (daytime or nighttime), the number of hunters in the party, weather conditions, and how much food the group needed all had to be taken into consideration. Let's look at some of these risks. Hunting during the day depended on the weather and on visibility: the hunters could see the animals, but the animals could also see the hunters. At night, visibility was poor and worse in bad weather; the hunters could not see the animals, while some animals can see in the dark. Torches could be used to find animals at night, but their light could be seen by the animals as well. The number and size of the animals needed depended on how much food the group required and how it would be rationed, and the size of the animal determined the number of hunters needed, while at the same time some people had to stay home to protect the caves from intruders. This example shows that there are many risk variables to consider, along with possible solutions, or mitigations, that reduce each risk. Consequently, one does not simply go out to hunt; one must consider the risks and mitigations of every element involved in the act of hunting. So what are risk and mitigation? In simple terms, risk is exposure to the possibility of harm or loss, and mitigation is the act of reducing that harm or its likelihood.
Similarly, there are many risks that individuals in information technology (IT) need to be aware of and prepare for. In this course, we will learn how to plan for risks and to take preventive measures that lessen the impact of a disaster.
Anatomy of the Seven IT Domains
According to Gibson (2015), risk is the likelihood that some sort of loss will occur, and mitigation is the reduction of the effect or likelihood of that loss. Let's examine the risks and mitigations within the seven domains of a typical IT infrastructure. The seven domains are shown below in Figure 1.1.
UNIT I STUDY GUIDE: Overview of Risk Fundamentals and Managing Compliance Laws
Figure 1.1: The Seven Domains
(Gibson, 2015, p. 7)
The User Domain covers every individual who uses the organization's systems, whether inside or outside the organization. Human error will always be humankind's nemesis; consequently, the major risks in this domain are poor password practices, social engineering, and lack of security policy awareness (Gibson, 2015). These are the threats and vulnerabilities that affect the User Domain. A password is easy to remember if it is simple, and that is exactly the problem: passwords need to be long and complex so that they resist guessing and cracking attacks. Writing passwords down and leaving them where they can be found is like an Easter egg hunt; they will be found. Chatting with friends or co-workers and accidentally mentioning how you created your password can happen within earshot of others. Handing over your password because someone told you to, for whatever reason, is a bad practice and a classic social engineering attack. Most importantly, ignoring the organizational security policies that everyone in the organization must follow can be detrimental.
The Workstation Domain comprises the computers and internal devices that users are authorized to use. Notice the words users are authorized: some users are authorized to use certain workstations within the domain and others are not. This is the principle of need-to-know, which is emphasized in the security management policy. All workstations should run anti-virus software, as this helps detect and remove malicious software (malware) that can damage the Workstation Domain's applications or operating system (Gibson, 2015). Applying patches and fixes to the operating system and applications is one of the most neglected mitigation steps for protecting the workstation. Patches and fixes should be applied as soon as they are available in order to close the vulnerabilities that attackers exploit (Gibson, 2015).
The local area network (LAN) Domain covers the devices and services that make up the local, trusted network. Devices such as hubs, switches, routers, and internal firewalls sit on the LAN, behind the perimeter firewall (Gibson, 2015). Data traffic traverses the LAN between these devices, which allow only certain traffic to pass. A vulnerability exists when an attacker can physically plug into a device, such as a switch, to gain information. A protocol analyzer (packet sniffer) lets the perpetrator capture data by sniffing the LAN; on a hub, every frame is repeated to every port, which is one reason hubs have been replaced by switches. Most importantly, these devices need to be secured in a restricted area accessible to authorized personnel only.
The LAN-to-WAN (wide area network) Domain has a dual function: it connects the LAN to the WAN and permits remote access into the LAN. This domain contains the routers that pass authorized traffic from the LAN to the WAN and vice versa. The firewall protects the LAN from intruders who try to attack it from the WAN and prevents unwanted traffic from leaving the LAN for the WAN. The LAN-to-WAN Domain is the boundary between the trusted LAN and the untrusted WAN; therefore, the demilitarized zone (DMZ) is located in this domain. The DMZ is a separate network segment, typically placed between an outer and an inner firewall, that hosts the servers the outside world must reach, so that traffic from the WAN never enters the LAN directly; only traffic permitted by the router and firewall rules passes in or out. Ongoing system administration and auditing are very important and must be performed on a regular basis.
The WAN Domain is the wide area network outside the organization; for most organizations today, that is the internet. WAN connectivity is provided by internet service providers (ISPs), so the organization depends on, and cannot control, the security of the ISP's network. Therefore, organizations need to use virtual private networks (VPNs), which encrypt traffic between the two ends, or dedicated leased lines to ensure secure transmission of data.
Users who are away from the organization's network use the Remote Access Domain. This is similar to the User Domain, but with stricter security controls, since these users must cross the internet to reach the LAN-to-WAN Domain. These controls include two-factor authentication, which combines something the user knows (a password) with something the user has (such as a hardware token or a one-time code) before the user may enter the Remote Access Domain (Gibson, 2015). Note that two passwords are the same factor and do not count as two-factor authentication. The risks and vulnerabilities of the Remote Access Domain lie in the user's password and the remote authentication device.
The System/Application Domain security policy requires that a user have a need to know before accessing particular applications, servers, databases, or devices. Such authorization grants access to the data the user needs to process information for the organization. Consequently, the user must present a password or another form of authentication to access databases and to send and receive email (Gibson, 2015). Who may access which systems and applications should be dictated in the organization's security policy.
The Confidentiality, Integrity, and Availability Triad
Each of the above domains is exposed to threats and vulnerabilities from both inside and outside the organization, and each exposure jeopardizes the security triad of confidentiality, integrity, and availability. As illustrated in Figure 1.2, the three elements of the CIA triad affect one another, and the risks and mitigations in every domain can be described in terms of them.
Figure 1.2: CIA Triad (Risks & Mitigation)
(Adapted from Gibson, 2015)
In simple terms, all information within the domains must be protected according to the triad.
• Confidentiality: Only authorized users can access the information; rules limit who may see what.
• Integrity: The information is kept in a consistent and accurate state and is not altered without authorization.
• Availability: The information is readily available to authorized users whenever the organization needs it.
Regulatory Laws and Compliances
Without compliance, an organization's IT systems will run amok. Compliance in the IT infrastructure can be summed up as the guidelines, specifications, or processes by which the IT infrastructure must abide within the organization's business entity (Gibson, 2015). These requirements generally take the form of a U.S. law, a regulation, or an industry standard. As an example, if an organization's IT infrastructure primarily supports health care, it must follow the Health Insurance Portability and Accountability Act (HIPAA) in order to protect the health information of all patients. If an organization handles consumers' financial information, it must follow the Gramm-Leach-Bliley Act (GLBA). These two examples are U.S. laws that must be followed.
There are also regulations and agencies that support U.S. laws, most of them at the federal level. The Federal Deposit Insurance Corporation (FDIC) is a federal agency, not a regulation: it insures deposits in the U.S. banking system and examines and regulates the banks it insures. Together with the Gramm-Leach-Bliley Act, this protects your financial information and governs how that information is collected and shared with other entities.
Customers today rarely use cash; payment cards are the mainstream money flow. The card brands and their issuers must protect your card data in addition to the protection you provide. The Payment Card Industry Data Security Standard (PCI DSS) is not a law but an industry standard, enforced by contract, that applies to every merchant and service provider that stores, processes, or transmits cardholder data. It sets requirements for protecting the cardholder's name, card number, and expiration date, and it forbids storing the card security code at all once a transaction has been authorized. The hope is that such standards will eliminate card theft and fraud; nevertheless, credit card fraud continues to rise.
Summary
Risks, mitigations, and compliance must be understood in order to address the vulnerabilities through which the seven domains could be attacked by potential intruders. Laws and regulations aid in the protection of information, and the CIA triad must be enforced across all domains. In the next unit, we will look at how risks and mitigations are managed to reduce threats, vulnerabilities, and exploits.
Reference
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning.
https://online.vitalsource.com/#/books/9781284107753
In order to access the following resources, click the links below.
The following presentations will summarize and reinforce the information from Chapters 1 and 3 in your
textbook.
Chapter 1 PowerPoint Presentation
PDF Version of Chapter 1 PowerPoint Presentation
Chapter 3 PowerPoint Presentation
PDF Version of Chapter 3 PowerPoint Presentation
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.
The following learning activities provide additional information that will assist you with the mastery of the
learning objectives for this unit.
https://online.columbiasouthern.edu/bbcswebdav/xid-145286805_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286804_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286811_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286810_1
Go to the CSU Online Library, and use the Discovery Search feature. Enter the following phrases: “computer domains, seven domains, confidentiality, integrity, and availability, computer laws, HIPAA.” Select and read two articles, using the criteria of peer-reviewed (scholarly) articles less than 5 years old. Here is a link straight to the CSU Online Library Discovery Search.
Check Your Knowledge
These questions will help you assess whether or not you have mastered the unit content. Can you answer
them without looking in the textbook?
• Answer the Chapter 1 Assessment questions at the end of Chapter 1 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 1 Answer Key.
• Answer the Chapter 3 Assessment questions at the end of Chapter 3 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 3 Answer Key.
Word Search
Some of this unit’s key terms and phrases (written as one word) have been hidden in the word search puzzle.
Access the Unit I Word Search puzzle, and see if you can find them.
http://libguides.columbiasouthern.edu/?b=p
https://online.columbiasouthern.edu/bbcswebdav/xid-145286855_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145286856_1
https://online.columbiasouthern.edu/bbcswebdav/xid-145458179_1