Mile2 Cybersecurity Certifications

Kevin Mehok

Forum Replies Created

Viewing 15 posts - 31 through 45 (of 49 total)
  • in reply to: OCU C)ISSO D Discussion Lesson 01 #85708
    Kevin Mehok
    Participant

    Hey Class,

    We will soon need to understand the value of implementing solid steps to IT Risk Management.
    I feel that IT risk management is the application of risk management methods to information technology to manage the risks inherent in that space (Bridges, 2019). I have learned this week that in order to do that means assessing the business risks associated with the use, ownership, operation and adoption of IT in an organization (Bridges, 2019). If we can work together and discuss the following steps in order to manage risk with confidence, or not (Bridges, 2019).

    1. Identify the Risk
    We can’t prepare for risk without first figuring out, to the best of our abilities, where and when it might arise (Bridges, 2019). Therefore, both manager and team must be alert to uncovering and recognizing any risks, then detailing them by explaining how they might impact the project and outcomes (Bridges, 2019). One method is using an IT risk assessment template (Bridges, 2019).

    2. Analyze the Risk
    Once we’ve identified risk, we then must analyze it and discern if it’s big, small or minimal in its impact (Bridges, 2019). Also, what would be the impact of each of the risks? Study the risk and how it might influence the project in various ways. We’ll add these findings to our risk assessment (Bridges, 2019).

    3. Evaluate and Rank the Risk
    Once we evaluate the impact of risks and prioritize them, we can begin to develop strategies to control them (Bridges, 2019). This is done by understanding what the risk can do to the project, which is determining the likelihood of it occurring and the magnitude of its impact (Bridges, 2019). This is a massive piece of assessment evaluation. Then we can say that the risk must be addressed or can be ignored without faulting the overall project (Bridges, 2019). Again, these rankings would be added to our risk assessment.

    4. Respond to the Risk
    After all this, if the risk becomes an actual issue, then we’re no longer in the theoretical realm (Bridges, 2019). It’s time for action. This is what’s called risk response planning in which we can take our high-priority risks and decide how to treat them or modify them, so they place as a lower priority (Bridges, 2019). Risk mitigation strategies apply here, as well as preventive and contingency plans. Add these approaches to our risk assessment (Bridges, 2019).

    5. Monitor & Review the Risk
    Once we act, we must track and review the progress of mitigating the risk. Use our risk assessment to track and monitor how our teams are dealing with the risk to make sure that nothing has been left out or forgotten (Bridges, 2019).

    God Bless,

    Kevin

    References:

    Bridges, J. (2019) https://www.projectmanager.com/training/it-risk-management-strategies

    in reply to: OCU C)ISSO D Discussion Lesson 15 #85683
    Kevin Mehok
    Participant

    Marcena,

    I love that you discussed encryption and its connection to ransomware. Even good things with good intentions can be the most dangerous of weaponry in cyber attacks. Security threats and defenses do start with a plan, then the implementation of a strategy. I am learning that the aftermath of data breaches can be absolutely endless. The resources needed to regain consumer confidence and trust may be limitless.

    Great job as always.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 15 #85682
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Four
    Discussion #3
    WK4 Breaching Discussion
    Kevin Mehok

    Hey Class,

    Breaching is real, and I do think as future professionals, we need to understand the mind of a hacker. In June of 2021 hackers broke into the systems of Electronic Arts, one of the world’s biggest video game publishers, and stole source code used in company games (Vallinsky, 2021). The company made the announcement in June of 2021, which may or may not have shocked the world. I say this, sadly, we are like sitting ducks and we wait for the next digital breach.

    As for EA, online forum posts reviewed by CNN Business and vetted by an independent cybersecurity expert show that on June 6, hackers claimed to have obtained 780 gigabytes of data from EA, including source code for Frostbite, the game engine that powers games that include titles in the FIFA, Madden and Battlefield series (Vallinsky, 2021). In a digital era, to me, this should not be a surprise. The audience surrounding EA are tech savvy, and they are looking to gain ways in, and perform better in gaming sectors.

    Interestingly enough, Mr. Brett Callow, a threat analyst at cybersecurity software maker Emsisoft, said losing control over source code could be problematic for EA’s business (Vallinsky, 2021). You think? Of course, it is. How could it not be?

    “Source code could, theoretically, be copied by other developers or used to create hacks for games,” Callow said (Vallinsky, 2021). We as Security Professionals need to be in front of these attacks and be better prepared, and well informed.

    An EA spokesperson said “no player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business” (Vallinsky, 2021). The time spent and the value that needs to be reassured in these attacks destroy businesses.

    This has been an awesome discussion.

    God Bless,

    Kevin

    References:

    Vallinsky, J. (2021) https://www.cnn.com/2021/06/26/tech/cyberattacks-security-breaches-june/index.html

    in reply to: OCU C)ISSO D Discussion Lesson 14 #85681
    Kevin Mehok
    Participant

    Marcena,

    I am a huge database guy, and I have data sorted literally all over the place. I track daily metrics and throughput; however, I have learned to save and compile data, always. I do so using SQL often. However, some of this data may be in non-company areas like my Microsoft cloud. I keep work and school data there. I can understand the risks involved here, even when I think that this data is being responsibly kept and secured. This week, for me, personally, has been an eye opener.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 13 #85680
    Kevin Mehok
    Participant

    Thanks Marcena,

    I think the importance of being flexible is somewhat invaluable in a world where everything changes and quickly. I love Agile, but I still see value in using waterfall. I feel that the age of the technique or concept is not relevant if it works and still proves to be effective. Thanks for taking time to comment and share your thoughts.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 14 #85662
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Four
    WK4 Database Security Discussion
    Kevin Mehok

    Hey Class,

    This is a wide scope to discuss, as database security includes a variety of measures used to secure database management systems from malicious cyber-attacks and illegitimate use (Imperva, 2023). I have learned this week that database security programs are designed to protect not only the data within the database, but also the data management system itself, and every application that accesses it, from misuse, damage, and intrusion (Imperva, 2023). I felt that this is an extremely important point to fully comprehend as a Security Officer (SO).

    Database security encompasses tools, processes, and methodologies which establish security inside a database environment (Imperva, 2023). Okay, so what are we fighting against or potentially defending against? THREATS! Even insider threats. For example, an insider threat is a security risk from one of the following three sources, each of which has privileged means of entry to the database:

    A malicious insider with ill-intent (Imperva, 2023).

    A negligent person within the organization who exposes the database to attack through careless actions (Imperva, 2023).

    An outsider who obtains credentials through social engineering or other methods, or gains access to the database’s credentials (Imperva, 2023).

    An insider threat is one of the most typical causes of database security breaches and it often occurs because a lot of employees have been granted privileged user access (Imperva, 2023).

    Another attack type worth discussing is a database-specific threat involving the use of arbitrary non-SQL and SQL attack strings into database queries (Imperva, 2023). Typically, these are queries created as an extension of web application forms or received via HTTP requests (Imperva, 2023). This may seem like super power hacker stuff, but it is not really that complicated. In fact, nearly all database systems are vulnerable to these attacks, if developers do not adhere to secure coding practices, and if the organization does not carry out regular vulnerability testing (Imperva, 2023).

    The defense starts with understanding the enemy.

    That’s all I’ve got.

    God Bless,

    Kevin
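
Added example (not part of the forum post above or of the Imperva material it cites): the query-string threat the post describes, shown as a concatenated query beside its parameterized form, using Python's built-in `sqlite3`. The table, column names, function names and the sample form input are constructed for illustration.

```python
import sqlite3

# Constructed sample data; the schema and names are hypothetical.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn

def lookup_concatenated(conn, owner):
    # Weak pattern: form input is pasted into the SQL text, so the database
    # parses the input as part of the statement itself.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, owner):
    # Hardened pattern: the statement text is fixed and the input is bound
    # as a value, so it can only ever be compared against the owner column.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

# Identifiers (column names) cannot be bound as parameters, so a value that
# selects a column is checked against a fixed allow-list instead.
ALLOWED_SORT = {"owner", "balance"}

def list_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return conn.execute(
        f"SELECT owner, balance FROM accounts ORDER BY {sort_column}"
    ).fetchall()

# Constructed form input containing a quote character and a boolean clause.
FORM_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, FORM_INPUT))
    print("parameterized:", lookup_parameterized(db, FORM_INPUT))
    print("normal lookup:", lookup_parameterized(db, "bob"))
    print("sorted       :", list_sorted(db, "balance"))
```

The concatenated lookup returns every row for the constructed input, while the parameterized lookup returns none because no account owner has that literal name.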

    in reply to: OCU C)ISSO D Discussion Lesson 13 #85661
    Kevin Mehok
    Participant

    Marcena,

    I love being in class with you and you are always on point. The need to ensure software applications are designed, developed, and are securely deployed is absolutely crucial. Why? Because careful planning reduces risks. When risks are mitigated and/or reduced, we are being successful as a Security Officer.

    Great job.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 13 #85660
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Four
    WK4 SDLC Discussion
    Kevin Mehok

    This week’s discussion focuses on the ask of ‘why is using an SDLC important?’
    I believe that the SDLC is important because it helps ensure that the right people are involved in the right activities at the right times (Coursera, 2023). A well-defined SDLC also allows a Security Officer (SO) to measure their progress relative to team goals and gives them a way to ensure everything is on track (Coursera, 2023).

    I have learned this week that the process of the software development life cycle encompasses all aspects of the software-making process (Coursera, 2023). It begins with scoping the requirements Security Officers need for their program and ends with he or she delivering it and managing maintenance protocols (Coursera, 2023). Each stage in the SDLC has its own set of activities that need to be performed by the team members involved in the development project (Coursera, 2023).

    Let’s discuss two approaches that we can implement with our current teams or future teams. First, let’s discuss the Waterfall model. This model remains one of software development’s most popular process models (Coursera, 2023). The approach has stood the test of time and has been used since the 1970s (Coursera, 2023). The Waterfall model is a sequential design process that moves in a straight line from one phase to the next (Coursera, 2023).

    Developers use this approach when the requirements for a product are well-defined and resources are available. However, this model performs inconsistently when requirements change frequently.

    Secondly, let’s discuss the Agile model. This software development process aims to deliver high-quality software early, often, and at a low cost (Coursera, 2023). Agile methods prioritize working software over comprehensive pre-planning and documentation, which can slow the creative process (Coursera, 2023). It is a modern approach with short phases that works well when software requirements are likely to emerge as the development process begins (Coursera, 2023). I love this model and I have used it several times at the workplace.

    The Agile model offers more flexibility than the Waterfall model, but it is not always suitable for large-scale projects with complex requirements because it lacks initial documentation (Coursera, 2023). Keep in mind when planning that the size of the task has been determined prior to using this model.

    That’s all I’ve got.

    God Bless,

    Kevin

    References:

    https://www.coursera.org/articles/software-development-life-cycle

    in reply to: OCU C)ISSO D Discussion Lesson 05 #85385
    Kevin Mehok
    Participant

    Hello Class,

    I feel that we must first ask ourselves, “What specifically is a cybersecurity framework?” Frame in the IT realm can literally mean countless things. A cybersecurity framework provides a common language and establishes a clear set of standards for cybersecurity professionals (Cisternelli, 2023).

    The goal for such framework is to reduce and mitigate cyber criminal activity. This week I have discovered seven different frameworks:

    1. NIST
    2. ISO27001 & ISO27002
    3. SOC2
    4. NERC-CIP
    5. HIPAA
    6. GDPR
    7. FISMA

    For the sake of this discussion, let’s pick only two to elaborate upon, shall we?

    First, let’s discuss SOC2. Service Organization Control (SOC) Type 2 specifies more than 60 compliance requirements and extensive auditing processes for 3rd party systems and controls (Cisternelli, 2023).

    Secondly, let’s dive into NERC-CIP, North American Electric Reliability Corporation - Critical Infrastructure Protection: Designed to assist folks in the utility and power sector reduce cyber risk and ensure reliability of bulk electric systems (Cisternelli, 2023). The framework consists of a range of controls by categorizing and prioritizing systems critical assets and having recovery plans in place in the event of a cyber attack (Cisternelli, 2023). This framework must implement several vulnerability assessments to stay informed.

    This is a super fun topic.

    God Bless,

    Kevin

    References:

    Cisternelli, E. (2023) 7 Cybersecurity Frameworks That Help Reduce Cyber Risk. BitSight; https://www.bitsight.com

    in reply to: OCU C)ISSO D Discussion Lesson 09 #85379
    Kevin Mehok
    Participant

    Marcena,

    I really liked your challenge perspective on segmentation, redundancies via links, and the need for regular testing. I do not think that it gets any more challenging than that, so awesome job. In today’s world, networking needs to be highly automated to keep manual time crushing processes out of the way.

    It is great to be reading your posts again.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 09 #85378
    Kevin Mehok
    Participant

    Kelly,

    Great topology choices. I remember studying both mesh and ring topologies in one of our prior classes together. I remember mesh by meshing it to one core device. I remember ring topology by the circular connection.

    Your post was fantastic and perhaps my favorite part of your post was the reminder that mesh topologies do require credentials when trying to perform a restore. The value in your advice to test regularly should not be taken lightly.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Discussion Lesson 09 #85377
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Three
    Assignment #2
    WK3 Topology Discussion
    Kevin Mehok

    Hey Class,

    First of all let’s review, “What is Network Topology”? Network Topology to me describes the physical and even the logical layout of one’s network. It is all about the nodes and how we move our data around, right?

    To keep things super simple and to be effective, I have opted to discuss:
    Physical Topology
    and
    Logical Topology

    How did you guess?

    Starting with ‘Physical Topology’ this to me can be described as the actual layout of devices within a network. Objects that you and I can physically touch.

    The second one is ‘Logical Topology’ which can be described as the method for which data travels through the network.

    Think of things this way, the roads are the ‘physical network’ whereas the vehicles are the logical networks that carry the data, but through the roadways.

    I am a huge Tron fan, so I understand the dataverse world, but getting through via the physical world is actually more simple than it sounds.

    That’s all I’ve got.

    God Bless,

    Kevin

    in reply to: OCU C)ISSO D Devotion 01 #85293
    Kevin Mehok
    Participant

    IST3011
    Information System Security Officer
    Week One
    Assignment #1
    WK1 Devotional
    Kevin Mehok
    This week’s devotional dives directly into Isaiah 34:16 (TLB) and I cannot help to think about the
    massive amount of knowledge that has been written in the Bible, but perhaps just as
    astonishing, how many people don’t know what is even in the Bible.
    To start things off with a bang, knowledge in all things may be considered as ‘essential’, it is
    tremendously taken for granted. We as people gravitate towards personal desire. Meaning,
    we opt to learn about the things we are interested in, or like. For example, if you like a sport,
    you will study it, learn all you can about it, and invest your time into it. If you do not like
    something, you will not make an effort to learn more.
    The brutal truth here is that Jesus is essential to a meaningful and purposeful life on earth.
    Your time here is limited, our time on earth is limited. I have learned, personally, if I don’t have
    a relationship with Christ, I am missing my purpose.
    I am challenging my classmates to answer with real research the following:
    Who is God?
    Where is God?
    Does he care about you?
    The answer as to ‘who is God’ is simple: He is everything. He is everywhere, and in everything
    all at once. God is the Creator, the Maker of all things. The question of whether or not He
    cares about you and me, well, yes, He does. We were made in His image. He has provided us
    with life and all that we need. He did not have to make us, but He did so because He loves us.
    In closing, God is beyond my words. My thoughts, and far beyond my comprehension. I am
    honored to serve Him and honor Him.
    That’s all I’ve got.
    God Bless,
    Kevin

    in reply to: OCU C)ISSO D Devotion 02 #85292
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Two
    Assignment #1
    WK2 Devotional
    Kevin Mehok
    This week’s devotional is about Romans 10:9
    Intellects and faith, such a beautiful combination. Recently, NASA put the latest and greatest telescope
    ever created into Space. They are able to see things that they have never seen before. During footage
    of this spectacular moment, a reporter asked one of the physicists “to explain what he saw.” He answered,
    “We see a dark matter that we have never seen before. In fact, I do not even know what we are seeing.
    My understanding of the solar system, the Big Bang Theory, everything, has changed. I don’t know.”
    We have learned about our solar system through our understanding, our theories, and our scientific
    studies. Yet, one new bit of technology has shaken everything. Science claims to be knowledge based,
    yet as soon as a new discovery has been made, we must re-think everything. That is the difference
    between Faith and Science, as faith cannot be shaken. As faith, cannot be simply explained. God cannot
    be fully explained. Faith can only be trusted and obeyed; whereas, science has to be tested and tried.
    I felt this goes well with this week’s devotional. We are to trust God, despite not being able to explain
    God. His Creation may never be fully explained, yet here we are. The more I learn about science, the
    more I understand faith.
    God Bless,
    Kevin

    in reply to: OCU C)ISSO D Devotion 03 #85291
    Kevin Mehok
    Participant

    IST3100 Information Systems Security Officer
    Week Three
    Assignment #1
    WK3 Devotional
    Kevin Mehok
    I love that this week’s devotional is based on Romans 10:9. I am not completely convinced that we
    cannot believe anything into existence. For example, we can believe in ourselves to accomplish a goal,
    but the goal is not real until we reach it or achieve it. Does this make sense class?
    I wrestled a bit with the core point of this devotional because I do not think that it is impossible to
    believe anything into existence. The devotional suggested that ‘The Gospel’ did not come into being
    because men or women believed it. While, sure some of that is true, but we must trust and believe
    that this is the word of God. The tomb was not emptied of Christ’s body that first Easter because
    some faithful persons believed it; again true, but I personally did not see the tomb, but I believe this
    story to be true. This devotional explains the fact preceded the faith; honestly, this can be argued
    either way. I also am not 100% convinced that we are psychologically incapable of believing without
    an object of our faith. I proudly believe in a God that I have never seen. I believe in my God via
    faith, not of an object. The point of the devotional boiled down to the object of Christian faith is
    Christ. As a theology graduate, I am not comfortable referring to Christ as an object. Instead, I
    believe that He is God in the Flesh. While the Devotional states that faith means more than an
    intellectual assent to the claims of Christ; again, true but God cannot be intellectually understood. We
    can only comprehend at a level of human comprehension. We are not God, nor can we explain fully the
    power of God. Forgive me, but furthermore the devotional stated we are not called upon to believe
    something that is not credible, but to believe in the fact of history that in reality transcends all
    history. Hmmm, I do know if I agree with this theory either. You see, there is historical evidence of
    Jesus Christ. While, the term faith actually means surrender, it does not mean completely to deny
    logic, and/or commitment to the claims of Christ. In fact, faith at times makes more sense than
    science. For example, NASA recently sent the greatest space camera/telescope in space yet. They
    discovered this ‘black matter’ beyond the realm of Pluto and scientists were able to see things that
    they never saw before. Thus, everything in terms of gravity, the solar system, is in question. In fact,
    physicists are more confused now than they were prior to this discovery. Humans, yes, us humans,
    we do not know Christ through the five physical senses, but we know Him through the sixth sense
    that God has given every man—the ability to believe. Therefore, faith in moments throughout our
    lives will make more sense than science. It is faith that generates hope. Hope again is not something
    we can see, hold, or keep like an object.
    I appreciate this devotional, but I think it is safe to say, that the author’s opinion may have missed
    the mark for Romans 10:9.
    God Bless,
    Kevin
