Purpose of Assignment:
Nurses need to understand their influence on healthcare policy and the importance of engaging in legislation that impacts healthcare and nursing practice.
Course Competency:
· Debate current healthcare policy as it relates to nursing practice.
Scenario:
You are a nursing member of a healthcare organization on a policy subcommittee. The subcommittee has been asked to prepare an advocacy policy brief on a current policy that can be presented for facility adoption. As an active nurse advocate, it is important your voice is heard on a matter important to you as this is your chance to influence policy.
Instructions:
Prepare a policy brief. Identify and support your stance by addressing the following:
1. Explain your selected healthcare policy.
2. Address the background of the problem requiring the policy.
3. Address how the policy is relevant to your nursing practice or area of interest.
4. Identify if this policy impacts practice at the local, state and/or national level.
5. Evaluate how this policy could impact health care and further explain how this policy would influence nursing practice.
6. Provide evidence to support your stance on how you can implement the current policy.
7. Explain ways you can assist in implementing this policy as a nurse advocate.
Resources:
· For additional assistance on writing a policy brief, please read the Library Answer to:
What is a policy brief?
· For additional assistance finding policies related to nursing, please visit the
GovTrack website .
A. Describe the policies adopted as a result of your implemented project.
1. Summarize how the solution improves cybersecurity decision-making.
B. Describe how your solution meets the following cybersecurity assurance criteria:
• promotes automation in cybersecurity
• improves and modernizes security
• implements industry-standard security tools and infrastructure or environment
C. Explain how your solution addresses the following data collection and implementation elements:
• collects digital evidence, including data for analysis or forensics
• implements confidentiality, integrity, and availability
D. Explain how your solution investigates and mitigates cybersecurity incidents or crimes within the environment where the solution was implemented.
E. Describe the cybersecurity plans, standards, or procedures that were developed for the solution.
1. Explain how the solution is aligned with cybersecurity initiatives or regulatory compliance in the environment where the solution was implemented.
2. Summarize the applications, tools, installation guides, or user guides you developed in conjunction with the solution.
F. Discuss the post-implementation environment, including the new systems implemented, new processes developed, or network diagrams created demonstrating the new infrastructure.
1. Describe how the solution improved the security posture and efficiency of the organization.
2. Analyze the new data (e.g., new reports, logs, processes in place) collected, including how the solution will affect business processes.
3. Describe the summative evaluation plan from Task 2, including the test results and a plan of action to correct any weaknesses or deficiencies.
4. Discuss post-implementation risks, including their likelihood, organizational impact, and mitigation.
5. Explain how the security solution meets each of the project stakeholders' needs, including a description of the stakeholder needs as identified in Task 2.
G. Describe the post-implementation maintenance plan for the solution.
H. Provide one original artifact (e.g., security policy, procedure, network diagram) of the completed project.
I. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
DDN1: Capstone Topic Approval and Release Forms
Cybersecurity Graduate Capstone
Topic Approval Form
The purpose of this document is to help you clearly state the research question for this capstone project, as well as your project’s scope and timeline, to ensure these align with your degree emphasis. While you may not have a complete and realistic overview of your project at this time, the acceptability of your project for the purposes of this course cannot be accurately assessed without clearly defining each of these areas. Many students use a project they have already completed within the past two years. If you choose a finished project, you will write the proposal as if the project is not yet complete. Then, when you report on your project, use your complete after-implementation report.
If you have not yet started your project, this document can help ensure the scope is in the acceptable range for this capstone. An instructor must approve this form before you submit your capstone for evaluation. The task will not be evaluated without an instructor’s signature. The instructor may ask for additional information before approving the form.
Capstone Project Name: Evaluating Compensating Controls for Insecure SCADA Protocols
Project Topic: Assessing the security risks of legacy SCADA protocols and proposed mitigations
Summary of the Problem: Supervisory Control and Data Acquisition, otherwise known as SCADA, systems are the primary source of technology that manages sensitive and critical infrastructure such as power generation, oil/gas operations, water treatment, and many manufacturing applications. It is extremely common to see the use of legacy and insecure communication protocols such as Modbus and DNP3. When initially designed, security was not taken in to consideration so commonly lack authentication, encryption, and data integrity verification. If these protocols were used freely in modern systems, they would be prone to man-in-the-middle attacks, tampering, and even unintended command execution. Being a multibillion-dollar industry, this could be a prime target vector for malicious threat actors. Risk rapidly increases as interconnectedness and remote access become more and more prevalent. Across the U.S., there have been countless incidents involving SCADA systems including the Colonial Pipeline Ransomware Attack, Bowman Dam, and several water sector intrusions. It is extremely paramount that proper security measures are in place to mitigate, as much as possible, the possibility of disrupting our critical infrastructure.
Outline of a Technology-Supported Security Solution: Using network segmentation with the Purdue Model as a framework, deployment of industrial firewalls capable of deep packet inspection (NGFWs), intrusion detection systems, continuous monitoring, and implementing VPN solutions for remote access.
Context: Explain why the situation or question would benefit from your security solution. The dated protocols are an absolute requirement for some of these SCADA systems to functions correctly. The implementation of a new technology often isn’t immediately possible so compensating controls must be put in place to optimize the strength of cybersecurity. Since systems must be run and technology can’t be altered, defense in depth is best practice.
Stakeholders: Identify the project stakeholders. Stakeholders include SCADA operators, SCADA owners, SCADA engineers, IT, incident response teams, C-suite personnel, and risk management
Project Plan: Describe the project plan, scope, goals, and objectives. Project plan: Describe SCADA systems and where they are used, identify security weaknesses, risks associated with the weaknesses, introduce technologies and strategical compensating controls, describe defense in depth/how it reduces attack surface/status of residual risk
Methodology: Outline the project approach. Research current accepted strategies/best practices and examine case studies where failures have occurred. Use threat modeling to assess attack vectors specifically in ICS systems.
Implementation Plan: Identify the project phases. Collect data on SCADA protocols, identify vulnerabilities and impact to the CIA triad, threat model, discuss the most practical defense strategy, evaluate how well the mitigations reduce risk, document findings
Project Outcomes: List the key anticipated project outcomes and deliverables in 500 words or less. Expected outcomes from this capstone include a detailed analysis of security risks from SCADA/ICS systems, threat modeling with an emphasis on SCADA systems, best practice mitigation strategies, residual risk within specific SCADA systems, failures of the past, and a framework of what can be done by current systems without needing to completely replace technology/infrastructure
Sources: Include a list for all references and citations that support the summaries above and are used in-text and as outside sources. NIST SP 800-82, CISA ICS Advisories, MITRE ATT&CK framework for ICS systems, case studies relevant to SCADA systems, previous SCADA attacks
2
A. Describe the security problem under investigation.
1. Explain the importance of the security problem, including background information and the environment in which the problem exists.
2. Provide documentation related to the security problem demonstrating the need for a solution, referencing applicable white papers or articles.
3. Summarize each root cause of the problem in the identified environment where the security problem is situated, including supporting evidence, if applicable.
B. Summarize each internal and external project stakeholder role by including each of the following:
• individual stakeholder implementation involvement and associated individual needs
• how the security problem affects the stakeholder
• stakeholder influence on the projects’ objectives and outcomes
C. Describe the historical data used to support decision-making throughout the project (e.g., vulnerability scans, penetration testing, testing or validation scenarios, audit results, etc.).
D. Provide a detailed explanation of the project requirements to implement the solution.
1. Describe the industry-standard methodologies guiding the solution’s design and development.
2. Describe the project launch, including all phases of the rollout, the criteria used to determine the conclusion of implementation, and the project management methodology for implementation.
3. Describe the likelihood of all implementation risks and their impact on the project.
E. Describe the training approach, including the audience, delivery, content, and duration.
F. Describe the required resources necessary to execute each project phase, and provide sources for all costs.
G. Describe all final project deliverables associated with the design and development of the technology solution.
1. Estimate the projected timeline, including each of the following:
• each milestone and its duration
• start and end dates
• resources assigned to each task
H. Detail the project evaluation approach that will be used to assess the project, addressing the following:
1. Describe the formative and summative test plans for the solution, including all required procedures and tools.
2. Describe the minimal acceptance criteria and key performance indicators for project acceptance as they align with your formative and summative test plans.
3. Justify the test cases and scenarios in the environment of the security problem being addressed.
4. Explain how you will analyze your results.
I. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
DDN1: Capstone Topic Approval and Release Forms
Cybersecurity Graduate Capstone
Topic Approval Form
The purpose of this document is to help you clearly state the research question for this capstone project, as well as your project’s scope and timeline, to ensure these align with your degree emphasis. While you may not have a complete and realistic overview of your project at this time, the acceptability of your project for the purposes of this course cannot be accurately assessed without clearly defining each of these areas. Many students use a project they have already completed within the past two years. If you choose a finished project, you will write the proposal as if the project is not yet complete. Then, when you report on your project, use your complete after-implementation report.
If you have not yet started your project, this document can help ensure the scope is in the acceptable range for this capstone. An instructor must approve this form before you submit your capstone for evaluation. The task will not be evaluated without an instructor’s signature. The instructor may ask for additional information before approving the form.
Capstone Project Name: Evaluating Compensating Controls for Insecure SCADA Protocols
Project Topic: Assessing the security risks of legacy SCADA protocols and proposed mitigations
Summary of the Problem: Supervisory Control and Data Acquisition, otherwise known as SCADA, systems are the primary source of technology that manages sensitive and critical infrastructure such as power generation, oil/gas operations, water treatment, and many manufacturing applications. It is extremely common to see the use of legacy and insecure communication protocols such as Modbus and DNP3. When initially designed, security was not taken in to consideration so commonly lack authentication, encryption, and data integrity verification. If these protocols were used freely in modern systems, they would be prone to man-in-the-middle attacks, tampering, and even unintended command execution. Being a multibillion-dollar industry, this could be a prime target vector for malicious threat actors. Risk rapidly increases as interconnectedness and remote access become more and more prevalent. Across the U.S., there have been countless incidents involving SCADA systems including the Colonial Pipeline Ransomware Attack, Bowman Dam, and several water sector intrusions. It is extremely paramount that proper security measures are in place to mitigate, as much as possible, the possibility of disrupting our critical infrastructure.
Outline of a Technology-Supported Security Solution: Using network segmentation with the Purdue Model as a framework, deployment of industrial firewalls capable of deep packet inspection (NGFWs), intrusion detection systems, continuous monitoring, and implementing VPN solutions for remote access.
Context: Explain why the situation or question would benefit from your security solution. The dated protocols are an absolute requirement for some of these SCADA systems to functions correctly. The implementation of a new technology often isn’t immediately possible so compensating controls must be put in place to optimize the strength of cybersecurity. Since systems must be run and technology can’t be altered, defense in depth is best practice.
Stakeholders: Identify the project stakeholders. Stakeholders include SCADA operators, SCADA owners, SCADA engineers, IT, incident response teams, C-suite personnel, and risk management
Project Plan: Describe the project plan, scope, goals, and objectives. Project plan: Describe SCADA systems and where they are used, identify security weaknesses, risks associated with the weaknesses, introduce technologies and strategical compensating controls, describe defense in depth/how it reduces attack surface/status of residual risk
Methodology: Outline the project approach. Research current accepted strategies/best practices and examine case studies where failures have occurred. Use threat modeling to assess attack vectors specifically in ICS systems.
Implementation Plan: Identify the project phases. Collect data on SCADA protocols, identify vulnerabilities and impact to the CIA triad, threat model, discuss the most practical defense strategy, evaluate how well the mitigations reduce risk, document findings
Project Outcomes: List the key anticipated project outcomes and deliverables in 500 words or less. Expected outcomes from this capstone include a detailed analysis of security risks from SCADA/ICS systems, threat modeling with an emphasis on SCADA systems, best practice mitigation strategies, residual risk within specific SCADA systems, failures of the past, and a framework of what can be done by current systems without needing to completely replace technology/infrastructure
Sources: Include a list for all references and citations that support the summaries above and are used in-text and as outside sources. NIST SP 800-82, CISA ICS Advisories, MITRE ATT&CK framework for ICS systems, case studies relevant to SCADA systems, previous SCADA attacks
2
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
CRIME SCENE BULLET
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
CRIME SCENE BULLET
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
CRIME SCENE BULLET
,
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #1 (SMITH & WESSON 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #1 (SMITH & WESSON 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #1 (SMITH & WESSON 9MM)
,
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #2 (RUGER 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #2 (RUGER 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #2 (RUGER 9MM)
,
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #3 (BERETTA 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #3 (BERETTA 9MM)
ADVANCED CRIMINALISTICS – FSC 620
FIREARMS COMPARISON EXERCISE
SUSPECT FIREARM #3 (BERETTA 9MM)
a day ago
11
