The Information Security and Privacy Tradeshow. CIS 8080 Security/Privacy of Information Richard Baskerville

Size: px

Start display at page:

Download "The Information Security and Privacy Tradeshow. CIS 8080 Security/Privacy of Information Richard Baskerville"

Britton McGee
8 years ago
Views:

1 The Information Security and Privacy Tradeshow CIS 8080 Security/Privacy of Information Richard Baskerville This activity simulates a market in which participants aim to offer the best information security and privacy products. In this market participants evaluate the products according to known criteria and acquire products from the market. Successes arise when products sell well in the market. Successes also arise when products are effectively evaluated. Each team (Aces, Kings, etc.) is allowed to offer a product to the course tradeshow. The product should be represented in a tradeshow booth. At a minimum, the booth should include a representative of the team and a product brochure. The booth may also include a poster, art, demos, video, etc., but at least a brochure is required for scoring purposes. At a minimum, the product brochure should be a product brief that summarizes the purpose of the product, the targeted market/customers for the product, the features of the product, its benefits relative to similar products on the market, and its business value. The brochure should also detail the team s name and the team member names. The booth and the brochure should aim to critically explain and assesses the product to be demonstrated in in the tradeshow. Along the way, they should demonstrate the students ability to research a technical problem and its solutions, analyze data, synthesize data from different sources, and to compare and to evaluate distinct solution technologies with a clear train of fact-based argumentation. Any and all conclusions must be clearly stated. To insure research originality, students are strongly encouraged to seek information beyond web pages, and from at least one original source (such as an interview with an authority on the subject). To be complete and authoritative, the booth and brochure should include citations and full references to all direct sources. Choosing a Product to Sell in the Tradeshow The product must be a real information security and privacy product available for purchase in the contemporary marketplace. The selected product must not replicate a product previously claimed by another team via the course BrightSpace/D2L discussion set aside for this purpose. See evaluation criteria for more hints on the qualities of a good product for this tradeshow. To claim your team s product: 1. Logon to the course BrightSpace/D2L page. 2. Choose Discussions from the Menu. 3. Choose Topic Claims from the course content items 4. Choose the Security product claim discussion. 5. Read the example from the instructor 6. Verify that no team has claimed your topic by reviewing all existing claims (threads) 7. Choose Start a new thread to add your claim to the discussion. Include a URL for the product. Choosing a Product to Buy in the Tradeshow Each team will also rank all products in the tradeshow. Each team is allowed to buy three products at the tradeshow. A team may NOT buy or rank its own product. The purchase decision should be based Page 1 of 5

Successes arise when products sell well in the market. Successes also arise when products are effectively evaluated. Each team (Aces, Kings, etc.

2 on the product s purpose/features and the team s evaluation of the product. At least one purchased product should treat the risk described by the purchasing team s threat scenario for Jashopper. In certain circumstances, highly ranked products may not be ideal for purchase. For example, if the three highest ranked products are all firewalls, purchasing three different kinds of firewalls could duplicate functionality and provide less security than buying the top ranked firewall and two other kinds of products. Tradeshow Operation At least one member of each team should tend the team s product booth to pitch the product to interested buyers. At least one member of each team should visit other product booths to evaluate and buy products. Scoring: Teams are graded on their ability to deliver a successful information security product to the market, and their ability to evaluate products available in this market. Each team must submit three items for scoring: (1) The team s product brochure. (2) A photo of the team s booth. (3) The team s evaluation and purchase report. Product Tradeshow Success: 80 Percent Scoring is based on product quality ranking by experts in the market, and success in the market product sales. Product Evaluation: 20 Percent Scoring is based on the team s rationale in applying the criteria to products in its product selection decision-making Tradeshow Evaluation Criteria (Overall criterion) 1. How well does this product deliver business value to its customers? (Criteria based on ISO/IEC Information Security Risk Management) 2. What kinds of organizations are vulnerable to these risks? 3. How prevalent are these risks? 4. How effective is the product in its treatment of these risks? 5. How difficult is it to acquire? What is the installation and training burden? 6. Does the product enable monitoring and review of its effectiveness? (Criteria based on ISO/IEC Requirements for bodies providing audit and certification of information security management systems) 7. Does the operation of this product require new/additional competencies in the organization or its auditors? 8. Does the product support certification of its performance (or security/privacy performance)? (Criteria based on ISO/IEC Code of practice for information security management) 9. Does the product fit needs for controls that are essential and/or common practice? E.g., a. Legislatively essential information security controls: i. data protection and privacy of personal information (see ); ii. protection of organizational records (see ); iii. intellectual property rights (see ). Page 2 of 5

For example, if the three highest ranked products are all firewalls, purchasing three different kinds of firewalls could duplicate functionality and provide less security than buying the top ranked

3 b. Common practice information security controls: i. information security policy document (see 5.1.1); ii. allocation of information security responsibilities (see 6.1.3); iii. information security awareness, education, and training (see 8.2.2); iv. correct processing in applications (see 12.2); v. technical vulnerability management (see 12.6); vi. business continuity management (see 14); vii. management of information security incidents and improvements (see 13.2). 10. Does the product treat the best categories of information security and privacy controls for the situation? a. Security Policy b. Organization of Information Security c. Human Resources Security d. Asset Management e. Access Control f. Cryptography g. Physical And Environmental Security h. Operations security i. Communications Security j. Information Systems Acquisition, Development, Maintenance k. Supplier Relationships l. Information Security Incident management m. Information Security Aspects of Business Continuity n. Compliance (Criterion based on immediate problem) 11. How effective would this product be for treating your team s Jashopper Threat Scenario? Page 3 of 5

business continuity management (see 14); vii. management of information security incidents and improvements (see 13.2). 10.

4 Team Evaluation and Purchase Report Team Name: Team Members: Products Purchased (Order is not significant): (1) (2) (3) Product Name Vending Team Name Rationale for selecting these three products: Comments on products usefulness for your Jashopper threat scenario: Page 4 of 5

Name Vending Team Name Rationale for selecting these three products:

5 Team s Vendor Product Ranking Team Name Ranking Reason Page 5 of 5

ISO 27002:2013 Version Change Summary

Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category