wk6 dq1

490 WK5 DQ1 100-150 WORDS

In 2018, CEO Mark Zuckerberg responded to a data breach by writing in a Facebook post, “We have a responsibility to protect your data, and if we can’t, then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.” (Schwalbe, 2018). Discuss how this problem could have been avoided. Explain why this problem is a product of poor quality.

REPLIES 75-100 WORDS

A Chad Pope

Hello Professor Gentry,

Based on my research and analysis of the circumstances surrounding the 2018 Facebook data breach, Facebook could and should have used project quality management processes and principles regarding third-party applications offered on their platform. Did Facebook develop a quality management plan? If so, did they execute it? Did they implement quality control techniques? It would appear not. The Cambridge Analytica application compromised the information of Facebook users’ friends without their consent. Sound quality management could have at least reduced the risk associated with third-party applications. I am not sure it would have completely mitigated the risk, but it could certainly have lowered it.

B Francheska Janosik

Class,

To me it would seem that the company should have required the privacy protection that they implemented in 2014 from the very beginning. There should always be strict requirements around the access and use of personal information. There should never have been a point in time at which a company was able to access private personal information.

C Jordan Ehresman

Hello Class,

The Facebook data breach of 2018 was caused by vulnerabilities in a newly implemented feature that allowed the attackers to gain control of millions of user accounts through stolen access tokens. According to the research by Wong (2019), the attack began on September 16 and was finally discovered and patched by September 25th. This attack was able to access all the data presented on the user’s account as well as login capabilities for third-party applications that utilize Facebook Login as a method of access. Software vulnerabilities are inevitable, but mitigating and accounting for them should be prioritized by all organizations to ensure that both the company’s and the users’ data integrity is upheld. Vulnerability assessment processes and vulnerability scanners should be utilized to identify and correct all discovered vulnerabilities (Hamilton, 2022). Vulnerability assessments allow the organization to identify and resolve all found vulnerabilities in an efficient manner that ranks them accordingly and minimizes the chances that they can be exploited before correction. Vulnerability scanners are categorized into host-based, network-based and database-based tools and are utilized to identify vulnerabilities over the differing sources associated with each type. These tools should be used to monitor and detect vulnerabilities in a timely manner.

430 WK6 DQ1 100-150 WORDS

How can an organization apply the Common Criteria for Information Technology Security Evaluation (CC)? Is there value in applying CC within public companies?

REPLIES 75-100 WORDS

A Yamil Santana

Good Afternoon Class,

The Common Criteria for Information Technology Security Evaluation (CC) is a standard for evaluating the security of information technology (IT) products. It is used to certify that an IT product has been thoroughly evaluated and meets certain security standards.

To apply the CC, an organization can follow these steps:

1. Identify the security requirements of the IT product that needs to be evaluated.

2. Determine the level of assurance needed for the IT product. This will depend on the sensitivity of the data that the IT product will be handling and the potential impact of a security breach.

3. Select a CC evaluation facility that is accredited to perform evaluations to the desired level of assurance.

4. Submit the IT product for evaluation to the selected facility. This will involve providing documentation about the product and its security features, as well as making the product available for testing.

5. The evaluation facility will conduct a thorough review of the IT product and its security features. If the product meets the CC requirements, it will be granted a certificate of evaluation.

There is value in applying the CC within public companies, as it can help to ensure that their IT products are secure and meet high standards for protecting sensitive data. This can help to build trust with customers and stakeholders, and can also reduce the risk of security breaches, which can have serious consequences for a company.

B Idrisu Rabiu

Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria is more formally called “Common Criteria for Information Technology Security Evaluation.” 

Common Criteria has two key components: Protection Profiles and Evaluation Assurance Levels. A Protection Profile (PPro) defines a standard set of security requirements for a specific type of product, such as a firewall. The Evaluation Assurance Level (EAL) defines how thoroughly the product is tested. Evaluation Assurance Levels are scaled from 1-7, with one being the lowest-level evaluation and seven being the highest-level of evaluation. A higher-level evaluation does not mean the product has a higher level of security, only that the product went through more tests. 

To submit a product for evaluation, the vendor must first complete a Security Target (ST) description, which includes an overview of the product and the product’s security features, an evaluation of potential security threats, and the vendor’s self-assessment detailing how the product conforms to the relevant Protection Profile at the Evaluation Assurance Level the vendor chooses to test against. The laboratory then tests the product to verify the product’s security features and evaluates how well it meets the specifications defined in the Protection Profile. The results of a successful evaluation form the basis for an official certification of the product. The goal of CC certification is to assure customers that the products they are buying have been evaluated and that the vendor’s claims have been verified by a vendor-neutral third party.

C Autumn Keen

The Common Criteria is an international set of guidelines used for computer security product and system evaluations. CC is also known as ISO/IEC 15408. It maintains certified products such as operating systems, access control systems, databases and so on. It was created by a multi-country combined effort (United States, Canada, France, Germany, the Netherlands and the UK). It is a framework in which computer system users can specify a “Security Target” (functional and assurance requirements). It provides assurance that the process of implementation and evaluation of a security product has been performed to a rigorous standard at a level that is commensurate with the target audience’s / customer’s needs.

Seeing as CC is a check and balance for products and services, I believe it is valuable to have CC within public companies to add one more layer of security, since all companies have devices, data and such that need to be protected.