Paper 1 Teacher comments:
Please see my comments on each section below. In general, make sure that you develop each of the required elements, technical requirements, proposed solution, justification, for each section. Following the templates provided can help with this.
Assessed the appropriate vulnerability assessment tools to support the requirements of the organization: Well done.
Identified the appropriate security policy for the organization: You have mentioned many good security controls here, but these items do not address security policy. This section should address the security policy requirement, propose a solution, and justify the solution. Be specific when defining the overall security outlook for the organization, discussing the various plans and documents that make up a security policy, their value to the organization, and how the policy meets the requirements of the given scenario.
Describe the proper risk management solution to reduce risk to an acceptable level: This section does not really address the topic of risk management. Discuss the requirements for a risk management practice, propose a solution (discuss the process in detail, including relevant formulas and methodologies), and justify your selection of methodologies. Be sure to use the proper risk management terminology.
Assessed the appropriate business continuity plan to enable critical organizational functions to continue: Some of the elements you discuss here are relevant to the BCP process overall. This section needs to discuss the BCP planning process. You will need to discuss the BCP activities in detail, including a discussion of each of the included plan type. Be sure to develop all three sections, requirements, proposal, and justification.
Assessed the proper access control models for the organization: You’ve got a good start here to the discussion of access controls. This section should discus the requirements in relation to the given scenario, propose a clear, detailed solution, and justify your selection of controls. Be specific about the access control model you select and why it’s appropriate.
Satisfy standards of writing style and grammatical correctness: No spelling and/or grammar errors are noted but the formatting and spacing changes throughout the document making it more difficult to read in addition to being inconsistent with the assignment guideline of producing a network proposal. I would recommend closely following the templates provided in the project project instructions section.
Paper 2 Teacher Comments:
Assessed the appropriate physical security for the organization: You have identified a few elements of physical security but this section fails to address adequately the three primary factors of prevention, detection, and recovery. For the requirements, discuss the physical threats present in the given scenario. For your proposal, suggest controls that meet those requirements, and then justify why you selected those controls.
Identified the appropriate mobile device security to implement: This section generically talks to a few specific controls but fails to address the topic with depth and detail. This section should include smartphones, laptops, tablets, and any other mobile device that may be introduced in the UMUC environment. Consider the implications of both university-owned devices and BYOD. Discuss the threats presented by these devices.
Assessed the proper perimeter defenses to defend the organization: This section addresses the appropriate controls and architecture for the perimeter. This section is missing the appropriate discussion of the the technical requirements. Discuss the types of threats present at the perimeter and how your recommendations address those threats.
Assessed the proper network defense devices to defend the organization: The identification and description of an IDS/IPS is one appropriate measure for network defense. IDS/IPS systems are just one element of a defense strategy for the network segment. Consider the different types of attacks in this segment, security appliances, infrastructure appliances, and the network configuration to implement.
Assessed the proper host defense to defend the organization: VPNs are related to host connectivity but do not address host-based security measures. Consider the various threats at the host segment and discuss a defense-in-depth solution to mitigate those threats. Be detailed and thorough.
Paper 3 Teacher Comments:
Assessed the appropriate public key infrastructure implementation: This is a very good discussion of what PKI is and the importance of issuing/using class 3 certificates. As with previous work submissions, this section does not address the primary assignment requirements or presenting the technical requirements, proposal, and justification. How does this information you presented apply to the given scenario? What is required to establish a PKI enviornment? Be specific when discussing the implementation and configuration required for the PKI solution, not just the certificate.
Identified the secure protocol implementation given the network design: This section should consider data as it is in transit and discuss the numerous scenarios and solutions to protect it. IPSEC is one possible protocol, but how and why is it implemented? How does it apply to the given scenario? There are numerous scenarios involving data in transit that should be addressed here.
Assessed the appropriate file encryption implementation: Disk encryption is one possible implementation of file encryption. How does it apply to the given scenario? Your discussion of encryption on mobile devices is interesting, but, is it applicable? As with the previous section, there are numerous scenarios relating to data at rest that should be discussed here.
Assessed the appropriate implementation for hashing method: This section should consider where hashing should be implemented in the network design and explain what it provides in each instance.
Assessed the proper backup and restoration implementation for the organization: This section should explain the backup process, where it is applicable in the UMUC network scenario, and how it will be achieved (process, hardware, and frequency).