Final Exam
Swastika Dhakal
Webster University, 470 E. Lockwood Avenue, St. Louis
Introduction to Cybersecurity
Prof. Mark Dalle
March 14, 2025
Dhakal_Swastika_FinalExam_5000_2025_S1

1. Answer: Public Key Infrastructure (PKI) is a framework that enables secure communication and authentication using public-key cryptography. It consists of several components that work together to issue, manage, and revoke digital certificates. According to Principles of Information Security (Whitman & Mattord, 7th ed.), the most significant components of a PKI are:

1. Certificate Authority (CA). A CA is a trusted third party that issues and manages digital certificates. It verifies the identity of the entity (a user, organization, or machine) and digitally signs each certificate it issues, so that relying parties can check that the certificate really came from the CA. Government agencies and banks in Nepal, for example, obtain certificates from global CAs such as DigiCert or Entrust to secure online transactions, and most e-commerce websites use CA-issued SSL/TLS certificates so that customer data is encrypted in transit.

2. Registration Authority (RA). The RA acts as an intermediary between the user and the CA and performs identity verification before a certificate is issued. It checks the applicant's credentials and approves or denies the certificate request before forwarding it to the CA for signing. A government agency responsible for digital identity, for example for e-passports or electronic signatures, might operate an RA to verify an applicant's identity before a certificate is issued.

3. Certificate Management System. A certificate management system automates the life cycle of digital certificates: issuance, renewal, revocation, and monitoring. This keeps certificates valid and secure and avoids problems such as unexpected expirations or the continued use of compromised certificates. Organizations that handle a large volume of certificates, such as Nepal Rastra Bank, use certificate management systems to automate PKI operations and demonstrate compliance with financial security regulations.

4. Certificate Database. The certificate database is the CA's record of every certificate it has issued, revoked, or allowed to expire. It is the source from which the CA publishes revocation status (certificate revocation lists or OCSP responses), and it gives the organization visibility into the status of all its certificates. Large organizations and government bodies use certificate databases to track the certificates issued to employees for secure e-mail and network access control.

5. Certificate Policy. A certificate policy defines the rules for issuing, using, and revoking digital certificates, including the level of identity verification each class of certificate requires. It keeps PKI operations aligned with security best practices and compliance requirements. For example, the Nepalese government's e-governance system may adopt certificate policies governing digital signatures on legal documents, tax filings, and encrypted communication between government agencies.

6. Central Directory. A central directory is an accessible repository in which certificates are published so that users and systems can retrieve and verify them when needed, for instance to look up a colleague's encryption certificate before sending a protected e-mail. Web browsers, however, do not consult such a directory: a web server presents its own TLS certificate and any intermediate CA certificates during the handshake, and the browser validates that chain against the root CAs in its trust store when establishing an HTTPS connection.
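The following is an added worked example; it is not part of the exam paper and not code from any real CA product. It models the components above in Python: a CA that signs certificates and keeps a certificate database, an RA approval gate, a revocation list, and the chain validation a relying party performs. One assumption is stated in the code: the CA signature is an HMAC-SHA256 over the certificate body so the example runs on the standard library alone, whereas a real CA signs with an asymmetric private key and relying parties verify with the public key carried in the CA's certificate. The CA names and hostnames are made up.

```python
"""Toy PKI: CA, RA approval gate, certificate database, CRL and chain validation.
Added example, not from the exam paper or any real CA product.
ASSUMPTION: the CA 'signature' is HMAC-SHA256 over the certificate body so this
runs on the standard library; a real CA signs with an asymmetric private key and
relying parties verify with the public key carried in the CA's certificate."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib, hmac, secrets


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool            # basic constraints: may this certificate sign others?
    signature: bytes = b""

    def tbs(self):  # bytes covered by the signature (X.509's to-be-signed part)
        return f"{self.serial}|{self.subject}|{self.issuer}|{self.not_before}|{self.not_after}|{self.is_ca}".encode()


class CertificateAuthority:
    def __init__(self, name, parent=None):
        self.name = name
        self._signing_key = secrets.token_bytes(32)  # stand-in for the CA private key
        self.database = {}   # certificate database: serial -> every certificate issued
        self.revoked = {}    # CRL contents: serial -> revocation reason
        if parent is None:   # self-signed root
            self.cert = self._issue(name, is_ca=True, days=3650)
        else:                # intermediate CA, certified by its parent
            self.cert = parent.issue(name, ra_approved=True, is_ca=True, days=1825)

    def _sign(self, tbs):
        return hmac.new(self._signing_key, tbs, hashlib.sha256).digest()

    def _issue(self, subject, is_ca, days):
        now = datetime.now(timezone.utc)
        unsigned = Certificate(len(self.database) + 1, subject, self.name,
                               now - timedelta(minutes=5), now + timedelta(days=days), is_ca)
        cert = replace(unsigned, signature=self._sign(unsigned.tbs()))
        self.database[cert.serial] = cert
        return cert

    def issue(self, subject, ra_approved, is_ca=False, days=365):
        if not ra_approved:  # the RA vets identity; the CA signs only approved requests
            raise PermissionError(f"RA rejected the certificate request for {subject}")
        return self._issue(subject, is_ca, days)

    def revoke(self, serial, reason="keyCompromise"):
        self.revoked[serial] = reason

    def verify(self, cert):  # stand-in for public-key signature verification
        return hmac.compare_digest(self._sign(cert.tbs()), cert.signature)


def validate_chain(leaf, authorities, trust_anchors, now, max_depth=5):
    """Walk from the leaf toward a trust anchor, checking each link as a browser would."""
    cert = leaf
    for _ in range(max_depth):
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if cert.issuer == cert.subject:
            return False, f"{cert.subject}: self-signed root is not in the trust store"
        issuer = authorities.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: unknown issuer {cert.issuer!r}"
        if not issuer.cert.is_ca:
            return False, f"{cert.issuer}: certificate lacks the CA flag"
        if not issuer.verify(cert):
            return False, f"{cert.subject}: signature does not verify"
        if cert.serial in issuer.revoked:
            return False, f"{cert.subject}: revoked ({issuer.revoked[cert.serial]})"
        if issuer.name in trust_anchors:
            return True, f"chain ends at trusted root {issuer.name}"
        cert = issuer.cert   # climb to the issuer's own certificate
    return False, "certification path too long"


def demo():
    now = datetime.now(timezone.utc)
    root = CertificateAuthority("Example Root CA")
    issuing = CertificateAuthority("Example Issuing CA", parent=root)
    authorities = {ca.name: ca for ca in (root, issuing)}
    trusted = {root.name}
    leaf = issuing.issue("www.example.test", ra_approved=True)
    results = {"valid": validate_chain(leaf, authorities, trusted, now)[0],
               "untrusted_root": validate_chain(leaf, authorities, set(), now)[0]}
    try:
        issuing.issue("impostor.example.test", ra_approved=False)
    except PermissionError:
        results["ra_gate"] = True
    forged = replace(leaf, subject="login.example.test")   # edited after signing
    results["forged"] = validate_chain(forged, authorities, trusted, now)[0]
    results["expired"] = validate_chain(leaf, authorities, trusted, now + timedelta(days=400))[0]
    issuing.revoke(leaf.serial)                             # CRL entry for the leaf
    results["revoked"] = validate_chain(leaf, authorities, trusted, now)[0]
    other = issuing.issue("api.example.test", ra_approved=True)
    root.revoke(issuing.cert.serial, "cACompromise")        # revoke the intermediate itself
    results["intermediate_revoked"] = validate_chain(other, authorities, trusted, now)[0]
    return results
```

Calling demo() returns one boolean per check: a correctly chained certificate is accepted, while a tampered, expired, or revoked certificate, a certificate issued by a revoked intermediate, and a chain that does not end at a trusted root are all rejected, and an unapproved request is stopped at the RA gate before the CA ever signs it. The second element of each validate_chain result carries the reason, which is what a certificate management system would log.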
2. Answer: Certification and Accreditation in Information Systems Security Management. Certification and accreditation (C&A) are the two primary processes for confirming that an information system is secure enough to operate. Certification is the technical evaluation of a system's security controls against a defined set of requirements and standards; it normally involves testing and auditing controls such as encryption, access control, and vulnerability management. Accreditation is the management decision that follows: a designated authority reviews the certification results and formally authorizes the system to operate, accepting the residual risk (Whitman & Mattord, 2022).

Two certification or accreditation processes:

1. Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is the US government program for verifying that cloud services used by federal agencies are secure. A cloud service offering is assessed by an accredited Third Party Assessment Organization (3PAO) against the FedRAMP security control baselines, which are derived from NIST SP 800-53. If the offering passes, it receives an Authorization to Operate (ATO) from a sponsoring federal agency or, historically, from the Joint Authorization Board (JAB), which was replaced by the FedRAMP Board in 2024. The ATO is the formal statement that the provider may deliver its services to the government at the authorized impact level.

2. ISO/IEC 27001 Certification. ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS). Certification demonstrates that an organization has established an ISMS, selected its controls through a documented risk assessment, and protects sensitive information systematically. Obtaining the certification requires an internal risk assessment and the implementation of controls, followed by an external audit by an accredited certification body. Certified organizations remain subject to annual surveillance audits and recertification every three years, to confirm continued conformance and improvement (Whitman & Mattord, 2022). The 2013 edition of the standard has since been superseded by ISO/IEC 27001:2022.

3. Answer: To create information security policies and procedures for an investment company with 500 employees, a good starting point for research would be:

i. Industry Standards and Frameworks – Established frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, and the CIS Controls provide a proven structure for security policies (Whitman & Mattord, 2022).

ii. Regulatory Compliance Requirements – As an investment company, the firm must review SEC (Securities and Exchange Commission) cybersecurity rules, including the Regulation S-P safeguards requirements, FINRA (Financial Industry Regulatory Authority) rules, and GDPR where it handles the data of EU residents.

iii. Current Threat Intelligence Reports – Reports such as Verizon's Data Breach Investigations Report (DBIR) and sector-specific threat intelligence feeds help identify the attack paths most often used against financial firms.

Three policies that I would adopt first are:

i. Access Control Policy. Investment firms handle sensitive financial data, so access control is the cornerstone for safeguarding client information and preventing unauthorized transactions. The policy specifies who may be granted access, how access is provisioned and reviewed, and when it must be revoked (Whitman & Mattord, 2022). Role-based access control (RBAC) gives employees access only to the information their role requires, and separating duties (for example, between initiating and approving a trade) limits what any single account can do.

ii. Data Handling and Classification Policy. Investment firms deal with extremely sensitive financial data, personally identifiable information (PII), and proprietary trading strategies.
An unambiguous data classification policy assigns each data set a level (e.g., Public, Internal, Confidential) and ties handling requirements to that level: encryption at rest and in transit, approved channels for transmission, and retention and disposal schedules. This prevents accidental exposure and supports regulatory compliance (ISO/IEC 27001, 2013).

iii. Incident Response Policy. Financial firms are prime targets for cybercriminals, so a defined process for handling security incidents is essential. This policy should define incident detection, reporting procedures, escalation paths, and the roles and responsibilities for responding. Establishing an Incident Response Team (IRT) and teaching employees whom to contact when they suspect a breach can minimize financial and reputational loss (NIST SP 800-61, 2012).

My recommendation for a Password Policy: a strong password policy must balance security with usability, so the following requirements should be enforced:

1. Minimum Length & Complexity – Passwords must be at least 12 characters long, and longer passphrases should be encouraged. Composition rules (mixed case, digits, and special characters) are commonly required, but NIST SP 800-63B advises against mandating them; screening new passwords against lists of breached and commonly used passwords provides more protection than complexity rules.

2. Multi-Factor Authentication (MFA) – All personnel who access sensitive data or connect remotely must use MFA, preferably a phishing-resistant method such as FIDO2/WebAuthn security keys.

3. Password Expiration & Reuse – Passwords should not expire on a fixed schedule; they are changed only when compromise is suspected (NIST SP 800-63B, 2020). Reuse of any of the previous 5 passwords is prohibited.

4. Account Lockout Policy – An account is locked for 15 minutes after 5 consecutive failed login attempts to slow brute-force attacks. Lockout should be combined with rate limiting and monitoring so that an attacker cannot use it to lock legitimate users out deliberately.

5. Robust Storage – Passwords must never be stored in plaintext or with a fast general-purpose hash; they are stored only as salted hashes produced by a purpose-built password hashing function (bcrypt, scrypt, or Argon2id) so that they resist offline cracking if the database is breached.

4. Answer: The C.I.A. model (Confidentiality, Integrity, and Availability) is widely acknowledged to be incomplete because it does not account for other critical security properties such as accountability, authenticity, and non-repudiation. It nevertheless remains the standard starting point because it is simple, broadly applicable, and well established. Its simplicity makes it easy to understand, especially for newcomers to information security. The model states the fundamental goals of any secure system: sensitive information is kept confidential, information is correct and unaltered (integrity), and information is available to authorized users when needed. These three principles are the foundation for protecting any information system, and so the C.I.A. triangle remains highly relevant and practical for everyday use across industries (Whitman & Mattord, 2022).

Secondly, the triangle's broad applicability sustains its prevalence. Whether in government, business, or cloud computing, confidentiality, integrity, and availability apply universally. While it may not cover everything related to information security, these three goals are a sound basis for safeguarding a wide range of systems and technologies (Zeltser, 2019).

Lastly, the historical significance of the C.I.A. triangle helps explain its continued relevance today. It has been the norm in security training and thinking for several decades, which has established it as the essential framework for reasoning about security. As the field has progressed, the triangle has served as the basis for more complete models that extend its ideas with properties such as accountability and non-repudiation (Anderson, 2021). While not exhaustive, the C.I.A. triangle remains in use today because it offers a simple, concise, and universally applicable model on which more specialized security models build.

5. Answer: An automated asset inventory system brings tremendous value to the risk identification process by providing complete, near-real-time visibility into an organization's assets. It does so in the following ways:

Increased Visibility: The system ensures that all assets, including hardware, software, and data, are tracked across the organization. For example, a business can use an automated inventory to track its servers, network appliances, and employee workstations. With a complete record of every asset, recognizing potential security risks such as out-of-date software or unknown hardware that could be exploited becomes far simpler, and unmanaged devices can be kept off the network (Whitman & Mattord, 2022). I've seen firsthand how organizations with automated asset tracking systems can detect rogue devices or unpatched systems that could otherwise remain unnoticed.

Vulnerability Identification: Automated asset systems can be integrated with vulnerability scanning tools so that weaknesses in the organization's assets are identified quickly. For example, if the system detects missing patches or an unsupported operating system, it can raise a remediation alert at once, allowing security teams to address the software that introduces vulnerabilities into the environment (Zeltser, 2019). From my experience, having such systems in place enables security teams to respond to issues proactively rather than reactively.

Prioritization of Critical Assets: With a clear overview of its assets, the organization can give priority to those that matter most in terms of risk exposure.
For instance, in a financial institution the inventory would show that the core banking servers hold sensitive data, so a finding that exposes them must be treated as urgent. Knowing which assets are most vital to the business ensures that mitigation effort is directed at the most exposed or essential assets rather than spread evenly across everything.

Compliance Support: Many regulatory frameworks require organizations to identify and protect specific assets. Automated asset inventories support compliance by ensuring every in-scope asset is recorded and secured according to industry best practices; the CIS Controls, for instance, place asset inventory first (Control 1) for this reason. For example, HIPAA (Health Insurance Portability and Accountability Act) requires health care organizations to protect patient information, and an automated inventory ensures that every device holding such information is known and protected. Automated inventories can also generate the documentation and reports that auditors require, saving time and removing a source of human error.

Continuous Monitoring: Automation keeps the asset inventory updated continuously and in near real time. This allows rapid identification of any change in the asset environment, such as a new device joining the network or a configuration change, that could create new risk. An automated system can alert administrators whenever a new device appears on the network or a software patch is rolled out, so the organization's assets are monitored for emerging risks at all times. I think this is important because security threats are changing very fast, and with a current understanding of assets, organizations can remain ahead of these developments.
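As an added example (not from the exam paper or any commercial product), the Python below runs the checks described above against a constructed inventory: it finds addresses active on the network that have no inventory record (visibility), flags operating systems below a support baseline (vulnerability identification), flags records that have not been refreshed recently (continuous monitoring), and ranks assets by criticality, worst scan finding, and exposure (prioritization). All hosts, addresses, versions, findings, and the baseline are made up, and no real vulnerability identifiers are used.

```python
"""Risk identification from an automated asset inventory. Added example, not from
the exam paper or any product. Every record below is CONSTRUCTED for illustration:
hosts, addresses, versions, findings and the support baseline are made up, and no
real vulnerability identifiers are referenced."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 14, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Authoritative inventory: what the organisation believes it owns (constructed).
INVENTORY = [
    {"id": "srv-core-01", "ip": "10.0.1.10", "os": "ubuntu", "version": "22.04",
     "criticality": 5, "internet_facing": False, "data": "Confidential",
     "last_seen": NOW - timedelta(days=1)},
    {"id": "web-01", "ip": "10.0.2.20", "os": "ubuntu", "version": "18.04",
     "criticality": 4, "internet_facing": True, "data": "Internal",
     "last_seen": NOW - timedelta(days=2)},
    {"id": "wks-042", "ip": "10.0.5.42", "os": "windows", "version": "10",
     "criticality": 2, "internet_facing": False, "data": "Internal",
     "last_seen": NOW - timedelta(days=45)},
    {"id": "lab-printer", "ip": "10.0.5.99", "os": "printer-fw", "version": "3.1",
     "criticality": 1, "internet_facing": False, "data": "Public",
     "last_seen": NOW - timedelta(hours=6)},
]
# Oldest release per platform that still receives security updates (constructed).
SUPPORT_BASELINE = {"ubuntu": "20.04", "windows": "10"}
# Addresses seen active on the network, e.g. from DHCP leases or ARP tables (constructed).
OBSERVED_ON_NETWORK = ["10.0.1.10", "10.0.2.20", "10.0.5.99", "10.0.5.201"]
# Vulnerability scanner output: (asset id, description, CVSS base score) (constructed).
SCAN_FINDINGS = [
    ("web-01", "missing security updates for the web server package", 9.8),
    ("srv-core-01", "weak TLS cipher suites enabled", 5.3),
    ("wks-042", "local privilege escalation patch missing", 7.8),
]


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def find_unmanaged(observed=OBSERVED_ON_NETWORK, inventory=INVENTORY):
    """Visibility: addresses active on the network with no inventory record."""
    known = {asset["ip"] for asset in inventory}
    return sorted(ip for ip in observed if ip not in known)


def find_outdated(inventory=INVENTORY, baseline=SUPPORT_BASELINE):
    """Vulnerability identification: platforms below the supported minimum version."""
    return [asset["id"] for asset in inventory
            if asset["os"] in baseline
            and _version_tuple(asset["version"]) < _version_tuple(baseline[asset["os"]])]


def find_stale(inventory=INVENTORY, now=NOW, max_age_days=30):
    """Continuous monitoring: records not refreshed recently may be gone or unmanaged."""
    return [asset["id"] for asset in inventory
            if now - asset["last_seen"] > timedelta(days=max_age_days)]


def prioritize(inventory=INVENTORY, findings=SCAN_FINDINGS):
    """Prioritization: criticality x worst finding, weighted up for internet exposure."""
    worst = {}
    for asset_id, _description, cvss in findings:
        worst[asset_id] = max(cvss, worst.get(asset_id, 0.0))
    ranked = []
    for asset in inventory:
        exposure = 1.5 if asset["internet_facing"] else 1.0
        score = asset["criticality"] * (worst.get(asset["id"], 0.0) / 10) * exposure
        ranked.append((asset["id"], round(score, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def risk_report():
    """Everything a risk-identification meeting would start from, in one structure."""
    return {"unmanaged": find_unmanaged(), "outdated": find_outdated(),
            "stale": find_stale(), "ranked": prioritize()}


if __name__ == "__main__":
    for section, items in risk_report().items():
        print(f"{section}: {items}")
```

The scoring formula is deliberately simple; the point is that each check is only possible because an authoritative inventory exists to compare against. The unknown address 10.0.5.201 surfaces as unmanaged, the internet-facing web server running an unsupported release ranks first, and the workstation not seen for 45 days is flagged for follow-up even though its finding is less severe.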
I believe automated asset inventory systems are a key component in the risk identification and management plan of every organization. With real-time asset tracking, companies can eliminate blind spots and respond quickly to threats. They also enable closer coordination between security staff and compliance officers, which improves overall efficiency.

References

Anderson, R. (2021). Security engineering: A guide to building dependable distributed systems (3rd ed.). Wiley.
ISO/IEC 27001. (2013). Information technology — Security techniques — Information security management systems — Requirements. International Organization for Standardization.
NIST. (2012). Computer security incident handling guide (SP 800-61 Rev. 2). National Institute of Standards and Technology.
NIST. (2020). Digital identity guidelines: Authentication and lifecycle management (SP 800-63B). National Institute of Standards and Technology.
Schneier, B. (2015). Data and Goliath: The hidden battles to collect your data and control your world. W. W. Norton & Company.
Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.
Zeltser, L. (2019). Fundamentals of information security. InfoSec Institute.