Please turn in a PDF through Gradescope (this link works if you are logged in to Blackboard). The answer to each question should begin on a new page. Gradescope is pretty self-explanatory, but if you'd like you can watch the ITaP video instructions. Make sure that you mark the start/end of each question in Gradescope. Assignments will be graded based on what you mark as the start/end of each question. Expect this to be enforced starting with this assignment. Please typeset your answers (you won't be doing handwritten responses during a Google phone interview; why would you do so for class?).
Questions 1 and 3 below are designed to give you experience in working with primary sources, rather than the refined/simplified/clarified view that is typically seen in textbooks (or lecture notes). In the real world, you'll often be asked to address issues before such clarified explanations exist.
You are developing a Learning Management System (LMS) (e.g., Blackboard or Piazza) that is to be evaluated using Common Criteria. One part of this is a course evaluation module; the hope is that making this part of the LMS will give higher response rates than the current evaluations. This evaluation should be completely anonymous: the instructor should not even be able to determine if an evaluation comment comes from the same student as a previous anonymous post. However, only students should be able to submit course evaluations, and each student should be able to submit only one.
The Harrison-Ruzzo-Ullman access control matrix model can be used for formal evaluation. In particular, Question 10 on the second midterm captures a portion of a formal evaluation of a system satisfying the Bell-LaPadula model. Explain briefly (1-2 paragraphs) what would need to be done to extend the solution to Question 10 to a formal evaluation.
We discussed what constitutes a breach under Indiana's Breach Disclosure Law. While this talks about what must be protected, it doesn't say how data must be protected. Identify two sections in the Indiana breach disclosure law that discuss security requirements on how data must be protected. For each, give the section number (e.g., IC 24-4.9-2-10(a)(2)), and a one-sentence description of why you think this section discusses how data must be protected.