I need assistance with a reply for the following questions. For reply Number 1 and Number 2, here is the criteria:
Evaluate your peer’s protocols and indicate aspects of their posts that effectively address the issues of prevention and detection of malicious insider activity. Suggest additional issues not considered in your peer’s initial post. Recommend changes to the protocols that would make them more effective. Support your suggestions and recommendations with evidence from your sources.
Your responses should be a minimum of 150 words.
For reply Number 3 and Number 4, here is the criteria:
Evaluate your peer’s software license language. Suggest at least one additional element for the boilerplate language that might strengthen the efficacy of it. Recommend changes that might clarify any missing points or address issues that should be considered. Explain why you offered these suggestions.
Your responses should be a minimum of 200 words.
Please provide a reply for each of the following responses:
Number 1
Malicious insider is anyone that has internal access or more knowledge about an organization’s structure and security procedures that aides them easy access and difficult to detect when abusing the use of the system. It is very difficult to detect a malicious insider but there are still steps and precaution that could be taken to prevent or detect a malicious insider from conducting unethical actions.
Monitoring employee abnormal behavior is one way to detect a malicious insider. When an employee is behaving abnormally from the standard or required norms of their duty or acting suspicious, this could be consisted red flags and needs to be monitored. The company has trained all employees especially managers to observe unusual or abnormal behaviors, have a conversation with the employee or person involved and if there are no changes, then the issue would be escalated to the appropriate authorities for further actions.
Imitating a look alike phishing or malicious attack is another way to detect malicious insider behaviors. This tests as conducted by my company periodically got me so bad because they looked so real, after failing the test the first time, I had to take a training to remind me of how to prevent and report any malicious or suspicious information. The second time, I failed the test due to ignorance and negligence (which anyone could be a victim of), I took the training again and was warned that I could be terminated or on probation on the third attempt (thankfully I passed) but this helped me know how to detect and prevent external or even internal attacks. This act could help determine an employee’s behavior and watch for patterns and immediately swig into action if the company is at a risk of exposure to internal or external attacks.
Two reasonable protocols that recon with me according to Reynolds (2015), are performing thorough background check as well as psychological and drug test for candidates handling sensitive information and positions, and define job roles and procedures so it is impossible for same person to both initiate and approve an action (p. 97). This two protocols are common in several organizations and have helped in preventing malicious insider behaviors, even though this does not entirely prevent such behaviors from happening, they are measures that have proven to detect any unusual or suspicious behaviors.
Number 2
As CIO of the company of 10,000 employees it is important to safeguard the valuable information held within the organization. The various types of proprietary and valuable data signifies the need for the organization to take the precautionary measures to ensure that this data is protected on all levels and from insider and outsider threats. Taking into consideration the broad legal issues related to data protection two reasonable protocols that could be used to detect malicious insiders and their activity within the organization are utilizing software that will monitor the employee’s activities and detect when malicious coding and intent is being utilized. Another protocol would be utilizing time lockouts to reduce employees accessing organizational equipment when employees should not be working. Legally overtime work should be going through a process to get approved and paid to do so instead of working longer hours and not being compensated for that time. It is unknown what the employee may be doing at the odd hours of the day using organizational equipment so safeguards such as these will mitigate a problem like that. Now taking into consideration the ethical issues related to employee monitoring, two protocols that could be used to prevent activities of malicious insiders so that they do not gain access to proprietary and valuable data is to instill the disciplinary measures and showcase them so that all employees know what to expect if they violate and partake in wrongdoings. Also training would be beneficial for the organization so that they will be able to recognize when an insider threat has been breached and also signs that indicate a potential threat may be forthcoming. It is important to bring awareness to the organization and so that all employees know the steps and measures to take if something may arise and situation occurs.
Number 3
Only authorized and authenticated site users are allowed to use software on this site. The Software available on this website are provided “as is” without warranty of any kind, either express or implied. Use at your own risk. The use of the software on this site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. You are solely responsible for adequate protection and backup of the data and equipment used in connection with any of the software, and we will not be liable for any damages that you may suffer in connection with using this software. No advice or information, whether oral or written, obtained by you from us or from this website shall create any warranty for the software. In no event shall we be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, and on any theory of liability, arising out of or in connection with the use of this software.
I added the first sentence to the above to add protection based on anonymous users, something that came to light in a 2017 case between Diageo and mySAP.Diageo had implemented a connection to mySAP through a Salesforce third party application, bypassing the mySAP requirements named user accounts (Saran, 2017).The implication was that Diageo was breaking the license with mySAP, but the issue in this case is disclaiming that only authorized users can use the system prevents unauthorized, anonymous users, a security risk anyway, from coming in, using the system, breaking it, and suing based on their use.That first sentence protects the company from such access.
Number 4
A software license agreement is an agreement between a company and its buyer for the use of a software you have rights to (LegalNature, n.d.). Several companies have investigated ways to limit or avoid liabilities claims even since an uncontrollable increase in security breach. Most organizations have concluded that to avoid these uncontrollable debt, loss, and lawsuit, they must adopt a fair remedy under Uniform Commercial Code (UCC) (Gilstrap, 2012). UCC allows businesses to spread costs more efficiently and give proper incentives to software vendors (Gilstrap, 2012). Below is a boilerplate language that could protect the company from liability risk should the third-party software crash or fail. “The Licensor agrees that the Licensee is not liable for any damages, loss or liability claims, including direct, indirect, compensatory, special, incidental, exemplary, punitive or consequential damages, connected with or resulting from use (access) of this software”.With the above language, licensee would be able to disclaim any potential liabilities claim. Although this does not eliminate the licensor’s ability to refuse claims due to negligent misrepresentation or fraudulent inducement (Gilstrap, 2012). A fictitious example that may not sufficiently protect the company is stated below (Karlyn, 2008): “Licensor shall not be liable to licensee for any lost profits, lost revenues or opportunities, downtime, or any consequential damages or costs, resulting from any claim or cause of action based on breach of warranty, contract, negligence, or any other legal theory, even if licensor knew or should have known of the possibility thereof”. This clause does not favor the company, it leaves the company zero to little protection whatsoever. A software license should include a mutual agreement with some clauses and protection to protect both licensor and licensee from aggregate liability. Also limitation on what damage is covered under the liability contract should be reviewed and should include the obligation of the licensor to indemnify the company for damages due to software infringes (Karlyn, 2008).