enterprise key management plan and policy 1
Use template files provided below.
In this project, you will create both an enterprise key management plan and policy for a company. The length of the plan should be eight to 10 pages double-spaced. The length of this policy should be two to three pages double-spaced. There are seven steps to complete the project. Most steps of this project should take no more than two hours to complete. Begin with the workplace scenario, and then continue to Step 1, “Identify Components of Key Management.â€
An important part of the new electronic protected health information (or e-PHI) system will be key management. As a security architect, you know that key management is often considered the most difficult part of designing a cryptosystem.
The overall information in this step can be fictitious or modeled after an existing corporation, which should then be cited using APA format. The idea is to provide an overview of the current state of enterprise key management for Superior Health Care.
To do so, you’ll need to know about authentication and the characteristics of key management. Brush up on your knowledge of authentication by reviewing the authentication resources. Then, provide a high-level, top-layer network view (diagram) of the systems in Superior Health Care. To do this, start by reading these resources on data at rest, data in use, and data in motion. The diagram can be a bubble chart or Visio drawing of a simple network diagram with servers. Independent research may be used to find one to use.
Next, identify data at rest, data in use, and data in motion as it could apply to your company. Focus on where data is stored and how it’s accessed is a good place to start. Finally, review these resources on insecure handling, and identify areas where insecure handling may be a concern for your organization.
Use this information in your implementation plan.
You have successfully examined what are the major components of an enterprise key management system for Superior Health Care. Now you must begin your research into CrypTool, to better understand enterprise key management by using this product.
In the previous step, you identified the key components of an enterprise key management system. In this step, you will conduct independent research on key management issues in existing corporations. These will be used to help identify gaps in key management, in each of the key management areas within Superior Health Care.
First, conduct independent research to identify the gaps in key management that are in existing corporations. Any factual information should be cited using APA format. If data is lacking, use fictitious information.
Then, identify the posed risks to the cryptographic systems as a result of these gaps, including but not limited to crypto attacks. Read these resources to brush up on your understanding of crypto attacks.
Next, propose solutions that the companies could have used to address these gaps. Be sure to identify what is needed to implement these solutions.
Finally, identify challenges other companies have faced in implementing a key management system. Include any proposed remedies to these challenges.
You have satisfactorily identified key management gaps. Now, since you are compiling information for the CISO, consider these additional objectives of an enterprise key management system.
- Explain the uses of encryption and the benefits of securing communications by hash functions and other types of encryption. When discussing encryption, be sure to evaluate and assess whether or not to incorporate file encryption, full disc encryption, and partition encryption. Discuss the benefits to using DES, triple DES, or other encryption technologies. To complete these tasks, review the resources provided to you. You’ll need to understand the following topics:
- Describe the use and purpose of hashes and digital signatures in providing message authentication and integrity. Check out these resources on authentication to further your understanding. Focus on resources pertaining to message authentication.
- Review the resources related to cryptanalysis, then explain the use of cryptography and cryptanalysis in data confidentiality. Cryptanalysts are a very technical and specialized workforce. Your organization already has a workforce of SEs. Conduct research on the need, cost, and benefits to adding cryptanalysts to the corporation’s workforce. This is to support part of the operation and maintenance function of the enterprise key management system. You are determining if it’s more effective to develop the SEs to perform these tasks. If the corporation does not develop this new skilled community, what are other means for obtaining results of cryptanalysis?
- Research and explain the concepts, in practice, that are commonly used for data confidentiality: the private and public key protocol for authentication, public key infrastructure (PKI), the x.509 cryptography standard, and PKI security. Take time to read about the following cryptography and identity management concepts: public key infrastructure and the x.509 cryptography standard.
Use this information in your implementation plan.
In the next step, you will provide information on different cryptographic systems for the CISO.
Develop the Enterprise Key Management Plan
In the previous steps, you have gathered information about systems in use elsewhere. Using the learning and materials produced in those steps, develop your enterprise key management plan for implementation, operation, and maintenance of the new system. Address these as separate sections in the plan.
In this plan, you will identify the key components, the possible solutions, the risks and benefits comparisons of each solution, and proposed mitigations to the risks. These, too, should be considered as a separate section or could be integrated within the implementation, operation and maintenance sections.
Develop the Enterprise Key Management Policy
The final step in your assignment requires you to use the information provided in the previous steps to develop the enterprise key management policy that provides the processes, procedures, rules of behavior, and training within the enterprise key management system. Be sure to address different case scenarios and hypothetical situations. You may want to research different policies used by companies and adapt those frameworks for creating your policy.
Review and address the following within the policy:
- digital certificates
- certificate authority
- certificate revocation lists
For example, when employees leave the company, their digital certificates must be revoked within 24 hours. Another is that employees must receive initial and annual security training.
Include up to three corporate scenarios and devise policy standards, guidance, and procedures that would be invoked by the enterprise key management policy. Each should be short statements to define what someone would have to do to comply with the policy.
The overall information in the corporate scenarios can be fictitious or modeled after an existing corporation, which should then be cited using APA format. The length of this policy should be a two to three-page double-spaced Word document with citations in APA format.