In this assignment, you assess security testing types and application tools that are appropriate for your chosen business application.

Preparation

• Research the following:
  • Pen testing, vulnerability scans, and performance testing as they relate to the application you chose in the first assignment. Choose which you believe would be the most important for testing your software. Consider what your criteria are.
  • Two software applications that perform the type of test you have chosen.

Instructions

Consider your research and do the following:

• Justify what you believe to be the most appropriate testing method by evaluating each type of test against at least 4 relevant criteria of your choosing.
• Describe 4 criteria that are appropriate for selecting commercial software for the selected test type.
• Justify your choice of testing software by comparing two commercially available solutions against each of your stated criteria.

This course requires the use of Strayer Writing Standards (SWS). The library is your home for SWS assistance, including citations and formatting. Please refer to the Library site for all support. Check with your professor for any additional instructions.

The specific course learning outcomes associated with this assignment are:

• Evaluate application technologies and the security issues associated with them.
• Define processes for ensuring web application security.

Before you begin this discussion, read this module’s resource about global digital privacy. In your initial post, address the following points:

• Choose a country from the report.
• Describe the country’s privacy laws.
• Discuss the country’s position on protecting private data by moving it out of a country’s jurisdiction.

In your response posts, compare your thoughts with those of your peers.

To complete this assignment, review the Discussion Rubric.

RESPONSE ONE

Hey everyone,

For my report, I chose Canada to examine their privacy framework. In Canada, there are two major laws at the federal level, as well as supplemental regulations at the state level, or provincial level in the case of Canada. The Privacy Act (1985) regulates how the federal government collects, uses, and discloses personal data, ensuring citizens’ information is handled responsibly. The Personal Information Protection and Electronic Documents Act (PIPEDA, 2022) applies to private-sector organizations engaged in commercial activities. PIPEDA requires businesses to obtain informed consent for data collection, grants individuals access to their personal data, and allows them to request its deletion once it has served its purpose. However, businesses can retain anonymized data and, in some cases, disclose information without consent for investigative purposes. Provincial governments enforce additional privacy protections, sometimes overriding PIPEDA when data remains within the province, creating a fragmented regulatory landscape. 

As far as information flowing in and out of Canada’s jurisdiction, they take a relatively relaxed approach as PIPEDA does not impose strict data localization requirements on private businesses. The general rule of thumb essentially for Canada’s privacy framework outside its geographical bounds, is that it relies on the good faith of foreign organizations to have the necessary precautions and safeguards in place to responsibly handle sensitive information and data in general. 

RESPONSE TWO

China’s Personal Information Protection Law (PIPL), passed in 2021, is often compared to the GDPR, but it reflects China’s state-centric approach to data privacy. While PIPL gives individuals rights similar to GDPR- such as the right to know, update, and delete their data- it does not limit the state’s ability to access personal information. The government maintains full control over citizen data and can collect it from companies at any time. The law mainly focuses on regulating how companies handle personal data, rather than restricting state access.

PIPL also enforces strict data security measures. Companies must implement strong technical protections, and in the case of a data breach, the data collector is held liable. If a company processes a large amount of data (as determined by the state), it must appoint a data protection officer. Encryption and pseudonymization are encouraged but not strictly defined. However, if data is fully anonymized, PIPL no longer applies.

One of the most significant aspects of PIPL is its strict data localization requirements. Data collected within China must remain in China unless the government explicitly approves its transfer. Foreign companies operating in China must appoint local staff to handle Chinese data within the country. This differs from GDPR, which allows cross-border data transfers under certain conditions. The strict localization rules could impact multinational businesses, as companies that violate PIPL risk being banned from operating in China.

China’s approach to digital privacy highlights the lack of true public privacy. While individuals have some control over how companies use their data, they have no privacy from the government. The state’s broad authority over citizen data raises concerns about mass surveillance and potential misuse, as there are no legal barriers preventing government access. This state-first approach differs from privacy laws in democratic countries, where laws aim to balance national security with individual rights.

China’s privacy laws highlight its emphasis on state control and national security, ensuring that personal data stays within its jurisdiction while still holding businesses accountable for data protection- though at the cost of true personal privacy form government oversight.

In this assignment, you will develop corporate policies for system security monitoring, patch management, and updates that cover both wired and wireless components. A web search will provide multiple examples of policy documents. The following resources may also be helpful as you draft your policy documents:

• SANS. No date. https://www.sans.org/blog/cis-controls-v8/?msc=main-nav . https://www.sans.org/critical-security-controls/?msc=main-nav
  • This resource provides a list of case studies highlighting how security professionals have made improvements in their security controls.
• SANS. No date. Security Policy TemplatesLinks to an external site.. https://www.sans.org/information-security-policy/
  • This resource provides a number of security policy templates that might be helpful in drafting your policy documents.

The specific course learning outcome associated with this assignment is:

• Recommend best practices for monitoring, updating, and patching systems.

Instructions

Write a paper in which you:

• Establish a system security monitoring policy addressing the need for monitoring, policy scope, and exceptions and supported by specific, credible sources.
  • Justify the need for monitoring.
  • Define the scope of the policy (the personnel, equipment, and processes to which the policy applies).
  • Provide guidelines for policy exceptions, if approved by the IT and Security departments.
• Establish a system security patch management and updates policy addressing the need for patch management and updates, policy scope, and exceptions and supported by specific, credible sources.
  • Justify the need for patch management and updates, aligned with ISO/IEC 27002.
  • Define the scope of the policy (the personnel, equipment, and processes to which the policy applies).
  • Provide guidelines for policy exceptions, if approved by the IT and Security departments.
• Support your main points, assertions, arguments, or conclusions with at least four specific and credible academic sources synthesized into a coherent analysis of the evidence.
  • Cite each source listed on your source page at least one time within your assignment.

1. Create a short multiple choice survey of 25 questions or less to determine an ACME employee’s level of knowledge regarding security awareness.
2. The survey should address items from your  CWUD Case Project Research Security Awareness Programs.docx  , and include things like password security, proper handling of sensitive information, data confidentiality, email security, social media security, secure communications, authentication, non-repudiation, and enforcing the organization information security policies.
3. The survey should require no more than 10 minutes for an ACME employee to complete.
4. The survey should gauge the security awareness of the employee and be able to be objectively scored.
5. Upload the survey in electronic form.

Example Survey Item:

1.     You receive an e-mail that looks like an official e-mail from your IT department.  The email says that there has been some suspicious activity with your username and are asking you to verify your username and password through a clickable link in the e-mail.  What do you do?

1. Comply by clicking the link and putting in your username and password
2. Ignore it and delete the e-mail
3. Report the e-mail to your supervisor
4. Contact your IT department and ask if the e-mail is legitimate
    

• What is the purpose of the mysql_install_db script?
• What are some of the problems that can occur while running the mysql_install_db script?
• Why are usernames considered just as important as passwords?