
Financial Service Security Engagement

Learning Team C

CMGT/400

April 8th, 2019

Ellen Gaston


· Create a plan that addresses the secure use of mobile devices by internal employees and external employees as they use mobile devices to access these applications.

· Recommend physical security and environmental controls to protect the data center which runs the on-site applications.

Introduction

Integrating a cloud-based customer relationship management (CRM) software application with the on-site software applications that manage customer accounts and investment portfolios can help a firm create more leads, increase revenue, minimize the cost of sales, and improve customer service. However, this integration carries security risks and requires the organization to create a plan that addresses its secure use.

Mobile Gadget Security/Bring Your Own Device Plan (BYOD)

The plan begins with a device usage policy, created before devices are issued to workers. The policy sets limits on device use and the probable actions that follow a violation (Michener, 2015). Employees are also taught how to mitigate the security risks of mobile phones. If workers may use their personal devices, a BYOD security policy is created, which includes installing a remote-wipe application on every device that stores data accessed from the organization (Michener, 2015). The organization should install current antivirus software on all devices to prevent hacking and loss of data. Content stored on mobile devices should be backed up to the organization's computers on a regular basis so that the data is safe if a device is stolen or lost.

Selecting Passwords

Device passwords should be strong and not known to any third party. This protects privacy by preventing data leakage to unwanted individuals. Separately, carrying out regular mobile security audits and penetration assessments is one of the physical security and environmental control measures. In this case, the firm hires a recognized security testing company to audit its device security and carry out a penetration assessment (Michener, 2015). This protects data because any channel of data leakage that is found drives the firm to upgrade its system.

· Propose audit assessment and processes that will be used to ensure that the cloud-based CRM software provider uses appropriate physical security and environmental controls to protect their data centers which run your cloud-based CRM software.

· Develop identity and access management policies for both the on-site systems and the cloud-based CRM.

Customers should be aware that unique data security issues arise in a cloud computing environment. For example, in an ASP environment, a single physical server may be dedicated to the customer for hosting the application and storing the customer’s data. However, in a cloud computing environment, technologies and approaches used to facilitate scalability, such as virtualization and multi-tenancy, may result in customer data being stored on a physical server that also stores data of the provider’s other customers, which may increase the risk of unauthorized disclosure. We are recognizing the unique security and privacy risks related to a cloud computing service delivery model and calling on the government for legislation to enhance and strengthen security and privacy protections. (Foley & Lardner, 2013)

To address data security issues, customers should conduct due diligence regarding the security practices of a provider and include specific contractual protections relating to information security. Part of a customer’s due diligence should include identifying the location of the data center where the data will be physically stored and who may have access to the data. If the data center is in a foreign country, then the customer should be concerned as it may not have an opportunity to inspect the foreign location to ensure it complies with customer’s information security requirements. Even if the data center is in the United States, help desk personnel accessing the data could be in a foreign country with limited or different security and privacy laws. (Foley & Lardner, 2013)

In addition, the location of the data and the ability of data to be widely distributed across different jurisdictions present complex issues of which law is applicable in a given transaction. Currently, there is very little guidance from courts on these conflict of law issues. For example, if personally identifiable information is in Europe, then European law may govern that information regardless of what is provided for in the contract. Also, a Vendor may have multiple data centers, each located in a different state in the United States, with each state having its own law regarding data privacy and security. Therefore, to minimize potential issues, the customer should consider adding a restriction against offshore work and data flow to foreign countries, including a requirement that the data center (including the hosted software, infrastructure, and data) be located and the services be performed in the United States, and that no data be made available to those located outside the United States. (Foley & Lardner, 2013)

In addition, the customer should identify who will be operating the data center. If the provider is not operating the data center itself (e.g., the provider is the owner of the software and will be providing support, but is using a third-party data center to host the software), then the provider should be required to ensure that the third-party host complies with the terms of the agreement (including the data security requirements), accept responsibility for all acts of the third-party host, and be jointly and severally liable with the third-party host for any breach by the third-party host of the agreement. Also, the customer should consider entering into a separate confidentiality and nondisclosure agreement with the third-party host for the protection of the customer’s data. If the provider ever desires to change the host, the provider should be required to provide the customer with advance notice, and the customer should be given time to conduct due diligence about the security of the proposed host and the right to reject any proposed host. (Foley & Lardner, 2013)

· Recommend cryptography and public key infrastructure (PKI) uses which could be used to increase security for these systems.

Due to the sensitive nature of the accounts that we handle, and the need to uphold a reputation of trust, encryption should be implemented. A public key infrastructure, with digital certificates that are company generated, outsourced, or public, fills this space. Digital certificates are key to this infrastructure. A certificate can be issued to a user, computer, device, server, or webpage, and it must come from a trusted source. A certificate contains who issued it, who it is issued to, expiration dates, a public key, and a digital signature. The digital signature involves a hash value, which is used in concert with the public and private keys for encryption methods. Because a public key infrastructure is infrastructure, once it is in place it gives the business further opportunities for use. These opportunities include SSL, digital signatures, encryption, smart card login, software code signing, secure e-mail, encrypted file systems, VPN, and 802.1x port-based authentication. They benefit the company by giving employees an extra layer of security. They also benefit customers of any application or web-based service, where the use of AES encryption protects against a man-in-the-middle attack. The reputation of the company is an asset that gets overlooked until it is too late. By using methods that ensure the security of our employees and our customers, we take the stance that we take our services and our clients seriously. This will hopefully generate more revenue in the future as our clientele grows along with our business scalability, built on a good security infrastructure.
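The certificate fields and the hash-then-sign step described above can be seen working together in the following added example, which is not part of the original paper. It uses textbook RSA over two known Mersenne primes purely for illustration, and the CA name, subject name, key string and dates are constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Textbook RSA over two Mersenne primes, for illustration only: no padding,
# not a secure key. Real CAs use a vetted library and proper key generation.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # constructed CA private exponent

SIGNED_FIELDS = ("issuer", "subject", "not_before", "not_after", "public_key")

def digest(cert):
    """Hash the signed fields in a fixed order and return the hash as an int."""
    tbs = "\n".join(f"{name}={cert[name]}" for name in SIGNED_FIELDS)
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def issue(fields, ca_private_key):
    """CA side: sign the hash of the fields with the CA private key."""
    n, d = ca_private_key
    return {**fields, "signature": pow(digest(fields), d, n)}

def validate(cert, trust_store, now):
    """Relying-party side: return "ok" or the reason the certificate is rejected."""
    ca_public_key = trust_store.get(cert["issuer"])
    if ca_public_key is None:
        return "untrusted issuer"
    n, e = ca_public_key
    if pow(cert["signature"], e, n) != digest(cert):
        return "bad signature"
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    if not (not_before <= now <= not_after):
        return "outside validity period"
    return "ok"

# Constructed sample data (hypothetical names and dates).
TRUST_STORE = {"Example Internal CA": (N, E)}
CERT = issue({
    "issuer": "Example Internal CA",
    "subject": "crm.example.internal",
    "not_before": "2019-01-01T00:00:00+00:00",
    "not_after": "2020-01-01T00:00:00+00:00",
    "public_key": "constructed-subject-public-key",
}, (N, D))

if __name__ == "__main__":
    now = datetime(2019, 4, 8, tzinfo=timezone.utc)
    swapped = {**CERT, "public_key": "key-substituted-in-transit"}
    print(validate(CERT, TRUST_STORE, now))
    print(validate(swapped, TRUST_STORE, now))
    print(validate(CERT, TRUST_STORE, datetime(2021, 1, 1, tzinfo=timezone.utc)))
```

The second call shows why the signature matters against a man-in-the-middle: a certificate whose public key was replaced in transit no longer matches the hash the CA signed, so the relying party rejects it.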

References

Adams, C., & Lloyd, S. (2007). Understanding PKI: Concepts, standards, and deployment considerations. Boston: Addison-Wesley. Retrieved from https://books.google.com/books?hl=en&lr=&id=ERSfUmmthMYC&oi=fnd&pg=PP23&dq=pki&ots=nsynQXqjLp&sig=8aYQMuZvUxvfMVeSX5tULHD5jhI#v=onepage&q=pki&f=false.

Michener, W. K. (2015). Ten simple rules for creating a good data management plan. PLoS Computational Biology, 11(10), e1004525.

Gartner Highlights Five Attributes of Cloud Computing, Gartner, Inc. (June 23, 2009), at http://www.gartner.com/it/page.jsp?id=1035013.

Part4

Step-by-Step Guide to Assignment 8.4

Problem 4. Kaplan-Meier Survival Analysis (With Strata)

a. Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (Be sure to define the event). Add Interval as the Strata variable.

Step 1. Analyze → Survival → Kaplan-Meier.

Step 2. Remove the Treatment Status [tx] variable from the Factor box. Select The order of the time interval [interval] and place it in the Strata box.

Step 3. Click Options. In Statistics, select Survival table(s) and Mean and median survival. Select Survival in Plots. Click Continue. Click OK.

SPSS Output:

b. Produce a plot of the survival function for each strata.


c. Why would you want to produce Kaplan-Meier Survival Curves after stratifying for a variable?

Stratification allows you to compare survival by different levels of a variable, adding yet another layer of adjustment (control) in a model. In this example, total time on study was subdivided into 5 time intervals. Because the probability of survival changes over time, stratification enabled survival patterns to be compared at various stages or observation times. It may be that despite treatment, length of time lived beyond diagnosis has an effect on survival. Stratification controls for this effect.

Part3

Step-by-Step Guide to Assignment 8.3

Problem 3. Kaplan-Meier Survival Analysis (With Factor)

a. Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (Be sure to define the event). Add Tx as the factor.

Step 1. Open the SPSS dataset. Go to Analyze → Survival → Kaplan-Meier. The information from 8.2 should be saved. Select Treatment Status [tx] and place it in the Factor box.

(Note: Time to event/censor [time] should be in the Time box and event(“0” “1”) should be in the Status box from Problem 8.2; if not, you need to repeat steps to place them there and define Event again).

b. Test the difference between Tx groups (Compare Factor) using Log-Rank, Breslow, and Tarone-Ware

Step 2. Click on the Compare Factor button.

Step 3. In the open window, check Log-Rank, Breslow, and Tarone-Ware. Click Continue.

Step 4. Click the Options button. (Make sure Survival table(s) and Mean and median survival are checked in Statistics and that Survival is checked in Plots.)

Click Continue.

Step 5. Click OK in the Kaplan-Meier window.

SPSS output:

c. Produce a plot of the survival function

d. Describe what the Overall Comparisons mean in terms of treatment groups and survival times.

Overall Comparisons

| Test | Chi-Square | df | Sig. |
|---|---|---|---|
| Log Rank (Mantel-Cox) | 4.308 | 1 | .038 |
| Breslow (Generalized Wilcoxon) | .926 | 1 | .336 |
| Tarone-Ware | 2.074 | 1 | .150 |

Test of equality of survival distributions for the different levels of Treatment Status.

Means and Medians for Survival Time

| Treatment Status | Mean (a): Estimate | Mean: Std. Error | Mean: 95% CI Lower Bound | Mean: 95% CI Upper Bound | Median: Estimate | Median: Std. Error | Median: 95% CI Lower Bound | Median: 95% CI Upper Bound |
|---|---|---|---|---|---|---|---|---|
| Placebo | 12.422 | 1.155 | 10.157 | 14.686 | 8.000 | 1.007 | 6.027 | 9.973 |
| Tx Thiotepa | 16.278 | 1.839 | 12.674 | 19.881 | 11.000 | 2.121 | 6.842 | 15.158 |
| Overall | 14.017 | 1.026 | 12.007 | 16.027 | 9.000 | 1.097 | 6.849 | 11.151 |

a. Estimation is limited to the largest survival time if it is censored.

Notes:

Recall that the log-rank test is based on a 2 x 2 table looking at the number of deaths and expected number of deaths for each group. The log-rank chi-square statistic is 4.31. For 1 df, the chi-square statistic must be greater than 3.84 (table p. 466 in the text) to reject the null hypothesis of no difference between the two treatment groups (placebo and Thiotepa) at the 95% probability level. Since 4.31 > 3.84, we can reject the null. Additionally, since the significance value of the Log Rank test is less than 0.05 and those of the Breslow and Tarone-Ware tests are greater than 0.05, there is a difference in survival times between the two groups. This is confirmed by the log-rank p-value = 0.038, which is p < 0.05.

Part2

Step-by-Step Guide to Assignment 8.2

Problem 2. Kaplan-Meier Survival Analysis (Without factor or Strata)

Run a Kaplan-Meier analysis in SPSS, using Time as the Time variable and Event as the Status variable (Be sure to define the event). Do not add a factor or strata at this time.

Step 1. In the Practice_Week08_dataset with the added Time variable, Analyze → Survival → Kaplan-Meier.

Step 2. In the Kaplan-Meier window, select the Time to event/censor [Time] variable and place it in the Time box.

Step 3. Select the Tumor [event] variable and place it in the Status box.

Step 4. Click on the Define event button.

Step 5. In this window, select the List of values radio button, type 0 in the List of values box then click Add.

Step 6. Type 1 in the List of variables box. Click Add then click Continue.

Step 7. In the Kaplan-Meier window, click on Options.

Step 8. In the Options window, check Survival table(s) and Mean/median survival in the Statistics area; check Survival in the Plots area. Click Continue. Click OK when you are returned to the Kaplan-Meier window.

SPSS output:

a. Produce a Survival Table (you do not need to submit this)

Your Output window should contain a small Case-Processing Summary table with a VERY long Survival Table below it. This is the table you are asked to produce, but not turn in, in Problem 2b.

SPSS output:

b. Produce a plot of the survival function

c. What is the mean survival time (include confidence intervals)? What is the median survival time (include confidence intervals)? Why do you think they are so different from each other?

Means and Medians for Survival Time

| Mean (a): Estimate | Mean: Std. Error | Mean: 95% CI Lower Bound | Mean: 95% CI Upper Bound | Median: Estimate | Median: Std. Error | Median: 95% CI Lower Bound | Median: 95% CI Upper Bound |
|---|---|---|---|---|---|---|---|
| 14.017 | 1.026 | 12.007 | 16.027 | 9.000 | 1.097 | 6.849 | 11.151 |

a. Estimation is limited to the largest survival time if it is censored.

Recall that means are affected by extreme values where the median is not. Consider the frequency distribution for the Time variable that you ran in Problem 1.

PART1

Step-by-Step Guide to Assignment 8.1

Problem 1. Data

a. Create a variable for Time-to-event by subtracting the start time (variable = start) from the stop time (variable = stop). Label the new variable “Time”.

Step 1. Open Practice_Week08_dataset.sav. Under Transform, select Compute variable.

Step 2. Type “Time” in the Target Variable box. Select the Time of event or censor [stop] variable and move it to the Numeric Expression box.

Step 3. Stop will appear in the Numeric Expression box. Click on the minus sign on the key pad then click on the Start time for each interval [start] variable and transfer it to the Numeric Expression box. The numeric expression should read “stop – start”. Click OK.

Step 4. Bring up the Data Editor screen in Variable View. Note the new Time variable has 2 decimals. Change this to 0 using the down arrows in the decimal cell for Time.

Step 5. Select Define Variable Properties under Data.

Step 6. In the Define Variable Properties window, select Time in the Variables box and move it to the Variables to Scan box. Click Continue.

Step 7. In the new Define Variable Properties window, type “Time to event/censor” in the Label box. Click OK.

Step 8. Switch to Variable View in the Data Editor Window. The Time variable label should appear as below.

Step 9. Switch to Data View and review the data in Time. Each value should equal the stop value minus the start value.

b. Produce the appropriate descriptive statistics, numerical and graphical, for the following variables:

Step 1. Review each variable to determine whether it is categorical or continuous.

Step 2. Analyze → Descriptive statistics → Frequencies.

Step 3. Select one variable in Frequencies window and place in Variables box.

For each categorical variable, run frequencies and bar graphs for frequencies:

Step 4. Click on Charts and select Bar Charts and Frequencies. Click Continue. Click OK.

For each continuous variable, run descriptive statistics (mean, standard deviations, minimum, and maximum) and produce histograms for continuous variables.

Step 5. Click on Statistics. Select Mean, Median, and Mode in Central Tendency area. Select Std deviation, Variance, Range, Minimum, Maximum, and SE mean in Dispersion area. Select Skewness and Kurtosis in Distribution area. Click Continue.

Step 6. Click on Charts and select Histogram and Show normal curve on histogram. Click Continue. Click OK.

· Event (categorical)

Tumor

| Valid | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|
| No Tumor | 74 | 42.5 | 42.5 | 42.5 |
| Tumor | 100 | 57.5 | 57.5 | 100.0 |
| Total | 174 | 100.0 | 100.0 | |

· Interval (categorical)

The order of the time interval

| Valid | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|
| 1 | 80 | 46.0 | 46.0 | 46.0 |
| 2 | 43 | 24.7 | 24.7 | 70.7 |
| 3 | 25 | 14.4 | 14.4 | 85.1 |
| 4 | 18 | 10.3 | 10.3 | 95.4 |
| 5 | 8 | 4.6 | 4.6 | 100.0 |
| Total | 174 | 100.0 | 100.0 | |

· Tx (categorical)

Treatment Status

| Valid | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|
| Placebo | 102 | 58.6 | 58.6 | 58.6 |
| Tx Thiotepa | 72 | 41.4 | 41.4 | 100.0 |
| Total | 174 | 100.0 | 100.0 | |

· Num (categorical)

Number of Tumors

| Valid | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|
| 1 | 92 | 52.9 | 52.9 | 52.9 |
| 2 | 27 | 15.5 | 15.5 | 68.4 |
| 3 | 16 | 9.2 | 9.2 | 77.6 |
| 4 | 12 | 6.9 | 6.9 | 84.5 |
| 5 | 12 | 6.9 | 6.9 | 91.4 |
| 6 | 10 | 5.7 | 5.7 | 97.1 |
| 8 | 5 | 2.9 | 2.9 | 100.0 |
| Total | 174 | 100.0 | 100.0 | |

· Size (categorical)

Size in cm of tumor

| Valid | Frequency | Percent | Valid Percent | Cumulative Percent |
|---|---|---|---|---|
| 1 | 109 | 62.6 | 62.6 | 62.6 |
| 2 | 10 | 5.7 | 5.7 | 68.4 |
| 3 | 36 | 20.7 | 20.7 | 89.1 |
| 4 | 7 | 4.0 | 4.0 | 93.1 |
| 5 | 5 | 2.9 | 2.9 | 96.0 |
| 6 | 5 | 2.9 | 2.9 | 98.9 |
| 7 | 2 | 1.1 | 1.1 | 100.0 |
| Total | 174 | 100.0 | 100.0 | |

· Time (continuous)

Statistics

Time to event/censor

| Statistic | Value |
|---|---|
| N (Valid) | 174 |
| N (Missing) | 0 |
| Mean | 14.02 |
| Std. Error of Mean | 1.026 |
| Median | 9.00 |
| Mode | 2 |
| Std. Deviation | 13.528 |
| Variance | 183.011 |
| Skewness | 1.232 |
| Std. Error of Skewness | .184 |
| Kurtosis | .694 |
| Std. Error of Kurtosis | .366 |
| Range | 59 |
| Minimum | 0 |
| Maximum | 59 |
