Deliverables
- Enterprise Key Management Plan: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Enterprise Key Management Policy: A two- to three-page double-spaced Word document.
- Lab Report: A Word document sharing your lab experience along with screenshots.
Step 1: Identify Components of Key Management
Key management will be an important aspect of the new electronic protected health information (e-PHI). Key management is often considered the most difficult part of designing a cryptosystem.
Choose a fictitious or an actual organization. The idea is to provide an overview of the current state of enterprise key management for Superior Health Care.
Review these authentication resources to learn about authentication and the characteristics of key management.
Provide a high-level, top-layer network view (diagram) of the systems in Superior Health Care. The diagram can be a bubble chart or Visio drawing of a simple network diagram with servers. Conduct independent research to identify a suitable network diagram.
Read these resources on data at rest, data in use, and data in motion.
Identify data at rest, data in use, and data in motion as it could apply to your organization. Start by focusing on where data are stored and how data are accessed.
Review these resources on insecure handlingand identify areas where insecure handling may be a concern for your organization.
Incorporate this information in your key management plan.
In the next step, you will consider key management capabilities.
Step 2: Learn Key Management Capabilities
You have successfully examined the major components of an enterprise key management system for Superior Health Care. Enter Workspace and complete the “Enterprise Key Management” exercise. Conduct independent research on public key infrastructure as it applies to your organization.
In the next step, you will identify the key management gaps, risks, solutions, and challenges found in corporations.
Lab Resources
- Access the MARS Virtual Lab Environment Guide: MARS Reference Guide.
You are highly recommended to fully read the MARS Reference Guide to help you set up, navigate, and connect to the MARS virtual environment, perform any lab setup activities, connect to your allocated VMs, and several others. The guide was quickly developed for students to get acquainted with the new MARS environment. Therefore, please use it as a supplement to any resources provided by UMGC and/or our EdTech team, and note that the guide in no way replaces those materials. If possible, all MARS-related materials will later be integrated into a common platform in the near future and made accessible to all students and faculty.
- Use the link to the MARS Portal: https://mars.umgc.edu.
Lab Instructions
- Open the Lab Instructions for this project: Analysis of Enterprise Key Management Systems.
Note: The lab instructions and other PDF documents such as the MARS guide have active hyperlinks (URLs) to external sources. Hence for best user experience, if a weblink does not automatically open in another tab, right-click and open it in a new tab. Be aware that this behavior can change depending on the specific types and settings of your browser and platform being used.
Lab Support
To obtain lab assistance, fill out the support request form, and please be as descriptive as possible in your responses to facilitate swift resolutions of your reported issues.
Make sure you complete all fields on the form including the following: Date of issue and time zone, your name, mail address, phone, your instructor’s name and the course you are taking, the type of device, operating system, the browser you are using, and any other useful information.
In the description box of the form, provide a detailed description of the issue with the requested information. Include details such as steps taken, system responses, screenshots or supporting documents, the type of your devices (PC, tablet, mobile device, etc.), OS platform and version (e.g. Windows or Mac), browser type/version, and others.
Note: It is imperative that you use your official email address that was used to enroll in the course—or you currently use for your classroom communications—to complete the support form.
Professionals in the Field
Being able to interact with a variety of stakeholders is a skill set on which you will want to evaluate yourself and improve where necessary so that you can present that skill on paper and in person.
As an example, consider the range of stakeholders in a health care setting: medical techs, doctors, data entry clerks, office and hospital administrators. Now consider the three technical domains that are interlinked in this setting: cybersecurity needs, the practice of medicine, and the legal requirements of HIPAA.
Hypothetically, which of these audiences might you need to talk to before, during, and after your team of SEs implements your plan?
Step 3: Identify Key Management Gaps, Risks, Solutions, and Challenges
In a previous step, you identified the key components of an enterprise key management system. In this step, you will conduct independent research on key management issues in existing organizations. You will use this research to help identify gaps in key management, in each of the key management areas within Superior Health Care.
Conduct independent research to identify typical gaps in key management within organizations. Incorporate and cite actual findings within your key management plan. If unable to find data on real organizations, use authoritative material discussing typical gaps.
Identify crypto attacks and other risks to the cryptographic systems posed by these gaps. Read these resources to brush up on your understanding of crypto attacks.
Propose solutions organizations may use to address these gaps and identify necessary components of these solutions.
Finally, identify challenges, including remedies, other organizations have faced in implementing a key management system.
Include this information in your enterprise key management plan.
Provide a summary table of the information within your key management plan.
Incorporate this information in your implementation plan.
In the next step, you will provide additional ideas for the chief information security officer (CISO) to consider.
Step 4: Provide Additional Considerations for the CISO
You have satisfactorily identified key management gaps. Incorporate these additional objectives of an enterprise key management system as you compile information for the CISO.
- Explain the uses of encryption and the benefits of securing communications by hash functions and other types of encryption. When discussing encryption, be sure to evaluate and assess whether or not to incorporate file encryption, full disc encryption, and partition encryption. Discuss the benefits of using triple DES or other encryption technologies. To complete this task, review the following resources:
- Describe the use and purpose of hashes and digital signatures in providing message authentication and integrity. Review these resources on authenticationto further your understanding. Focus on resources pertaining to message authentication.
- Review the resources related to cryptanalysis. Explain the use of cryptography and cryptanalysis in data confidentiality. Cryptanalysts are a very technical and specialized workforce. Your organization already has a workforce of security engineers (SEs). Cryptanalysts could be added to support part of the operation and maintenance functions of the enterprise key management system. Conduct research on the need, cost, and benefits of adding cryptanalysts to the organization’s workforce. Determine if it will be more effective to develop the SEs to perform these tasks. Discuss alternative ways for obtaining cryptanalysis if the organization chooses not to maintain this new skilled community in-house.
- Research and explain the concepts and practices commonly used for data confidentiality: the private and public key protocol for authentication, public key infrastructure (PKI), the X.509 cryptography standard, and PKI security. Read about the following cryptography and identity management concepts: public key infrastructureand the 509 cryptography standard.
Keep in mind that sometimes it takes considerable evidence and research for organizational leaders to buy in and provide resources.
Incorporate this information in your implementation plan.
In the next step, you will provide information on different cryptographic systems for the CISO
Step 5: Analyze Cryptographic Systems
In the previous step, you covered aspects of cryptographic methods. In this step, you will recommend cryptographic systems that your organization should consider procuring.
Independently research commercially available enterprise key management system products, discuss at least two systems, and recommend a system for Superior Health Care.
Describe the cryptographic system, its effectiveness, and its efficiencies.
Provide an analysis of the trade-offs of different cryptographic systems.
Review and include information learned from conducting independent research on the following topics:
- security index rating
- level of complexity
- availability or utilization of system resources
Include information on the possible complexity and expense of implementing and operating various cryptographic ciphers. Check out these resources on ciphers to familiarize yourself with the topic. Incorporate this information in your implementation plan.
In the next step, you will begin final work on the enterprise key management plan.
Step 6: Develop the Enterprise Key Management Plan
In the previous steps, you gathered information about systems used elsewhere. Using the materials produced in those steps, develop your Enterprise Key Management Plan for implementation, operation, and maintenance of the new system. Address these as separate sections in the plan.
In this plan, you will identify the key components, the possible solutions, the risks, and benefits comparisons of each solution, and proposed mitigations to the risks. These, too, should be considered as a separate section or could be integrated within the implementation, operation, and maintenance sections.
A possible outline could be:
- Introduction
- Purpose
- Key Components
- Implementation
- Operation
- Maintenance
- Benefits and Risks
- Summary/Conclusion
The following are the deliverables for this segment of the project:
Deliverables
- Enterprise Key Management Plan: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Lab Report: A Word document sharing your lab experience along with screenshots.
Step 7: Develop the Enterprise Key Management Policy
The final step in this project requires you to use the information from the previous steps to develop the Enterprise Key Management Policy. The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system.
Research similar policy documents used by other organizations and adapt an appropriate example to create your policy.
Review and discuss the following within the policy:
-
digital certificates
- certificate authority
- certificate revocation lists
Discuss different scenarios and hypothetical situations. For example, the policy could require that when employees leave the company, their digital certificates must be revoked within 24 hours. Another could require that employees must receive initial and annual security training.
Include at least three scenarios and provide policy standards, guidance, and procedures that would be invoked by the enterprise key management policy. Each statement should be short and should define what someone would have to do to comply with the policy.
The following is the deliverable for this segment of the project:
Deliverables
- Enterprise Key Management Policy: A two- to three-page double-spaced Word document.
Check Your Evaluation Criteria
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
- 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
- 1.4: Tailor communications to the audience.
- 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
- 2.2: Locate and access sufficient information to investigate the issue or problem.
- 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
- 2.4: Consider and analyze information in context to the issue or problem.
- 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
- 5.1: Knowledge of procedures, tools, and applications used to keep data or information secure, including public key infrastructure, point-to-point encryption, and smart cards.
- 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
- 7.4: Knowledge of policies, processes, and technologies that are used to create a balanced approach to identifying and assessing risks to information assets, personnel, facilities, and equipment, and to manage mitigation strategies that achieve the security needed at an affordable cost.
Take Action
Submit your assignment to your instructor for review and feedback.
Follow these steps to access the assignment:
- Click My Tools in the top navigation bar.
- Click Assignments.
- Select the relevant assignment.