it244_r4_appendix_b-2

Associate Level Material

Appendix B

Information Security Policy

University of Phoenix

IT/244 Intro to IT Security

Table of Contents

TOC o “1-3” h z u HYPERLINK l “__RefHeading___Toc256012755″1.Executive Summary1

HYPERLINK l “__RefHeading___Toc256012756″2.Introduction1

HYPERLINK l “__RefHeading___Toc256012757″3.Disaster Recovery Plan1

HYPERLINK l “__RefHeading___Toc256012758″3.1.Key elements of the Disaster Recovery Plan1

HYPERLINK l “__RefHeading___Toc256012759″3.2.Disaster Recovery Test Plan1

HYPERLINK l “__RefHeading___Toc256012760″4.Physical Security Policy1

HYPERLINK l “__RefHeading___Toc256012761″4.1.Security of the facilities1

HYPERLINK l “__RefHeading___Toc256012762″4.1.1.Physical entry controls1

HYPERLINK l “__RefHeading___Toc256012763″4.1.2.Security offices, rooms and facilities1

HYPERLINK l “__RefHeading___Toc256012764″4.1.3.Isolated delivery and loading areas2

HYPERLINK l “__RefHeading___Toc256012765″4.2.Security of the information systems2

HYPERLINK l “__RefHeading___Toc256012766″4.2.1.Workplace protection2

HYPERLINK l “__RefHeading___Toc256012767″4.2.2.Unused ports and cabling2

HYPERLINK l “__RefHeading___Toc256012768″4.2.3.Network/server equipment2

HYPERLINK l “__RefHeading___Toc256012769″4.2.4.Equipment maintenance2

HYPERLINK l “__RefHeading___Toc256012770″4.2.5.Security of laptops/roaming equipment2

HYPERLINK l “__RefHeading___Toc256012771″5.Access Control Policy2

HYPERLINK l “__RefHeading___Toc256012772″6.Network Security Policy3

HYPERLINK l “__RefHeading___Toc256012773″7.References3

Executive Summary

Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measureable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario.

The first step to make sure that the company attains its vital information is to assess the problems. Sunica Music and Movie will deal with all the issues regarding its internal processes and planning of the upcoming security plan. The plan does not spend any ample sums on excess equipment and applications. The only tedious and time consuming process would only be prioritzing the issues. Making sure that a complete assessment is done will enable the company to evaluate the available resources.

The next process to the company is upgrading it resources and also implementing new ideas to safety guide lines. Also maintaining the companies valuable data is important during this process and the new data system should be tested. To make sure that the system is running correctly, survey results will be considered to provided that the employees agree with the companies data and procedures to begin training. When the training starts it is a critical step and has to be completed accuratly.

In making sure that the companies new system is working properly, their IT department should be monitoring it. When the new system is launched the security services in the company will be activated and every department will be allotted with a unique clearance. The Wide Area Networks in the system will be used by various entities to transmit and share data with employees along with buyers, suppliers and clients. Making sure that everything is running smoothly the WAN has to be ensured to perform everyday ectivites correctly.

Introduction

Due in Week One: Give an overview of the company and the security goals to be achieved.

Company overview

As relates to your selected scenario, give a brief 100- to 200-word overview of the company.

The Four locations that the Soncia Music and Movie company have are not netoworked together, and they want them all connected to have a more effective company. Since each store has been working independently their customer service and communication between stores has been very poor. They also have no way of sharing customers information between locations or share their inventory. It is because of this that the implementation of a WAN will be be soon. Once they achieve this they will be able to allow their customers to view there informaiton over the network. This will also help with their communciation problems between all four locations.

Security policy overview

Of the different types of security policies—program-level, program-framework, issue-specific, and system-specific—briefly cover which type is appropriate to your selected business scenario and why.

The type of security policy that the Sonica Movie and Music company should go with is the Issue-Specific Policy. With this polic being used they will be able to solve specific issues such as inventory, book keeping and E commerce. This will also allow them to solve any problems that will arrise that happen at that time.

Security policy goals

As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.

Confidentiality

Briefly explain how the policy will protect information.

With confidentiality this will refer to setting up all the authorized users with specfic access to certain material. All the authorized users will have a ID and password set up to allow them access to the network and the systems data. This will also allow the company to monitor what employees are being accessed to the information.

Integrity

Give a brief overview of how the policy will provide rules for authentication and verification. Include a description of formal methods and system transactions.

All the employees will have their own username and password and will be monitored. This is a way to make sure honesty or integrity is not being compromised. Based on the employees job and postion with in the company, certain rights and privlages will be allowed to the employee to perform their duties.

Availability

Briefly describe how the policy will address system back-up and recovery, access control, and quality of service.

This is a very important acspect that the company has to the employees along with their customers. This also refers to a system that is made and that is reliable. The ability to let their customers 24 access to their accounts and their information will be needed to allow the proper communication between company and customer. By accessing the compnanies network from the customers personal computer will give the customer convience. Also having a back up plan will need to be iplemented as well to elude and disasters that could arrise.

Disaster Recovery Plan

Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.

Risk Assessment

Critical business processes

List the mission-critical business systems and services that must be protected by the DRP.

The Main goal of the data recovery plan is to keep the company`s internet and computer functions running. It is also meant to maintain the computer functions even during interruptions. With a well crafted DRP the firm or company may only sustain minimum damage to the system. When preparing for the disaster the planning team should prepare risk analysis and should be analyzed to determine the potential consequences and impact of several disaster scenarios. The plan should also include a checklist of activities to perform through a maneuver.

Internal, external, and environmental risks

Briefly discuss the internal, external, and environmental risks, which might be likely to affect the business and result in loss of the facility, loss of life, or loss of assets. Threats could include weather, fire or chemical, earth movement, structural failure, energy, biological, or human.

There are various risks that could happen internal,external and environmental to the company. The internal factors may include an intended disruption to the company`s system or even a power outage. The external or environmental risks that can occur is earthquakes, fires, floods, and hurricanes. Other occurences that could damage the companies system are explosions, smoke or environmental spills. With that being said it is important for the company to have personal on stand by to back up the system in case any of these problems happen.

Disaster Recovery Strategy

Of the strategies of shared-site agreements, alternate sites, hot sites, cold sites, and warm sites, identify which of these recovery strategies is most appropriate for your selected scenario and why.

For my selected scenario of Sunica Music and Movies, since they are using a WAN system now in order to coordinate their business. An appopriate disaster recovery plan would be using alternate sites in the even of emergency. In this case an outside vendor should provide a backup service in the even that the companies programs fail for any reason. This will help their financial feasability in case of an emergency or any disaster. This company should also implement a warm site in order to set up, if any of the home networks get damaged.

Disaster Recovery Test Plan

For each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.

Walk-throughs

In the walk through process there should be members of various business units to meet together to monitor their progress through the plan. These also require tests that will provide additional information regarding any furhter steps that may need to be taken that include changes to any procedures, and other adjustments.

Simulations

When personal at the company meet together in order to perform a “dry run” of the system this is when simulations are conducted. This will go ever any of the effects that are potential failures or emergencies that are intentionally mitigated. This process is also done in order to avoid any interferences to the actual activities.

Checklists

Checklists should be a passive type of testing and is the first step towards a more accurate test. There is a process that employees should follow in key departments and check off their duties and report them on the checklists. This is the best way to identify any problems in the plan. It is used to monitor their concurrence to the plan.

Parallel testing

For this process the back up process and production services should work in parallel. This is similar to complex computer systems running parallel to the existing production system. This will also work great for the companies ticketing system and any new up grades. With this process the systems will run continuously until the new system is complete.

Full interruption

With this process it is also referred to as the true or false test. This is one of the most exspensive methods to testing since it stops the production part of the system in order to see how the back up system operates. It is because of this that the full interruption test should be done with caution and research and is very time consuming.

Physical Security Policy

Due in Week Five: Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, “an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure” (p.165).

Describe the policies for securing the facilities and the policies of securing the information systems. Outline the controls needed for each category as relates to your selected scenario.

These controls may include the following:

Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)

Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)

Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)

Security of the building facilitiesPhysical entry controls

When dealing with physical entry controls, a proper system must be in place. There should be some restrinctions in place, that way it will limit access for people that are suppose to have access to certain rooms. By installing controls that will require key cards to access them, this will only grant access to certain personel. Other devices that could also be used is turnstiles and gates, along with guards being possioned at certain doors.

Security offices, rooms and facilities

In order to track movement through out the facility, the installation of security cameras should be first on the list. That is why security offices are needed as well because this is where the monitors can be viewed from. There should be also a need for motion sensors in ever hallway and room. This will ensure the proper authorized entry to these rooms are met.

Isolated delivery and loading areas

Ares like isolated delivery and loading area should be seperate from main offices. These areas should be monitored with secuity camera as well making sure that every blind spot is covered. All ares like these should have high security measure implemented. Also deliveries should be on a schedule, and only proper personal should receive all orders that are from the vendors.

Security of the information systems

Workplace protection

The companies information that they hold is important, that is why workplace protection is a must. There is information such as client information, employee records and sales transactions. A secure workplace will make sure that that this information will remain safe. This can be done by installing the proper physical and logical secuirty systems.

Unused ports and cabling

The facilities IT team should be in charge of this area. They should make a list of all the unused ports and cabling in the workplace. The ports and cables should be labled when not in use and when they are being used. This will make sure that they know what ports are being used and ones that need be hooked up. All the excess cabling will in turn be kept in the networking closet as needed.

Network/server equipment

All the network and secuity equipment should be behind monitored doors equiped with security cameras. The camers should be on the inside and out to ensure the proper secuirty measures are being followed. It is also important to make sure that these rooms holding this equipment has a controlled temperature. This will ensure that the equipment does not over heat.

Equipment maintenance

Equipment maintenance is a must, and the hardware and software at the facility should be updated and maintained on a regular basis. However this should only be done after the system is tested to prevent any risks to the system.

Security of laptops/roaming equipment

The personnel that have these devices such as mobile devices and lap tops, will agree to a security policy before use. That way they will be help personaly responsible for any misuse of the equipment with in the facility. This will ensure that employees are only using these devices for work purposes. There should also be authentication preferences for each device. This will ensure that the proper personnell has access to the device and they will know who it is.

Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems

Authentication

Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.

Authenitcaion credentials are used to verify that certain users are the users that they say they are. There are ways to utilize authentication such as passwords, biometrics, multifactor authentications and etc. Authentication also makes it harder for a hacker to be granted access. There are a lot of companies that give their employees PIN numbers, which help HR issues and also can double as a username. The more secure the facility the more factors that are needed for authentication. Two factor authenticaiton could be a PIN and also an ID badge. A three factor authenitcation could be the listed to factors along with a third biometrics. Biometrics are needed for companies that have a top priority in security since it is much harder to hack.

Access control strategy

Discretionary access control

Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner who is responsible for the information and has the discretion to dictate access to that information.

The principle of discretionary access control (DAC) dictates that the informaiton owner is the one who decides who gets access to the system. The information for that owner is first established and they are responsible for that piece of information on the system. The DAC will then be established and will be used to designate the proper people for their own roles and responsibilites. By doing this it will make the informaiotn owner to held reliable for that portion of the network.

Mandatory access control

Describe how and why mandatory access control will be used.

Media access control (MAC) is where the administrator manages access control. The administrator determines how much access and who has access to certain parts of the system. The MAC will be used to establish levels of classificaiton to personnel at a company.

Role-based access control

Describe how and why role-based access control will be used.

Role based access control uses groups who need access to common portions or information on the network. This is where a user is only able to access files,folders from their certain department. However the informaiton at each divisin will have multiple people who can access that informaiton.

Remote access

Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN)

The purpose of remote access is to instablish standards for connecting to a network from any remote host. The dial in user service(RADIUS) and the virtual Private Network (VPN) established for offsite conenction to the network. This is a form of authenticaiton which allows users in a remote area to gain access to a central server so work can be done without being interrupted.

Network Security Policy

Due in Week Nine: Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.

Data network overview

Provide an overview of the network configuration that the company uses. Discuss each network type of Local Area Network (LAN), Wide Area Network (WAN), Internet, intranet, and extranet. Include how the network type is employed in your selected scenario.

A LAN is the connection of computers in close proximity of each other. For instance, a small office, your house or a school would use a LAN. Now a WAN, like its name states covers a very wide area. A WAN will help keep a company that has multiple divisions in other cities, states or countries connected. A typical WAN is multiple LANs with the use of the Internet. The Internet is what keeps us connected with the world around us through the use of Internet Protocol. The Intranet also uses Internet Protocol but is localized for use from within the LAN or WAN.

Network security services

For each security service, briefly describe how it is used to protect a network from attack. Include why the service will be used for network security as relates to your selected scenario, or why it is not applicable in this circumstance.

Authentication

Authentication is used in order to stop people from entering any sensitive information. This can be done be issueing usernames and passwords and also biometrics to to ensure identity. The more sucure the facility, the more steps to authentication will be needed.

Access control

Access control is the process of determining the right person has access to to the system and how much authority they have on that system. This can be granted with physical or logical security.

Data confidentiality

Data confidentiality protects a companies information from any unauthorized users. In order to do this all employees will be issued user Ids and passwords to access the network.

Data integrity

Data integrity is a way of staying honest when employees are using the systems. In order to keep track of who is on the system, user names and passwords will be issued. This wil keep track of all records and transactions on the system and will let us know who was using the system at the time.

Nonrepudiation

Nonrepudiation is a way to ensure authenticaiton. If any messages are sent this will make sure that the authorized user either sent or received the message.

Logging and monitoring

Logging and Monitoring will help a company controll all the alterations to the network and the computers. This will also show all the records from the servers, warnings logs, and errors along with network switch and router observation.

Firewall system

Outline the roles of the following network security control devices and how these basic security infrastructures are used to protect the company’s network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. Include how the firewall system is or is not applicable to the company’s network configuration in your selected scenario.

Packet-filtering router firewall system

Packet-filtering firewalls are based on the source and destiantion, and the IP

address. They are also based on the ports that are accessing the information

and protocols that are used. With packet-filtering the header of the packet

is then inspected and the access to data is either granted or denied.

Screened host firewall system

The screened host firewall system is found to offer higher levels of security then the previous option. This offers more security beucase it used the application layer of the OSI model and the network layer too. So it uses the protection of packet filtering and a proxy server. This will give a hacker two different systems to get through.

Screened-Subnet firewall system

The screened subnet firewall is even more secure then the last system. This system will add on to the screened host firewall by seperating the intranet from the internet. By doing this you will then have dematerialized zone and will sit in the middle of the public and private sectors of a network keeping it safer.

References

Cite all your references by adding the pertinent information to this section by following this example.

Merkow, M. & Breithaupt, J. (2006), Information security: Principles and Practices. Upper Saddle River, NJ: Pearson/Prentice Hall

American Psychological Association. (2001). Publication manual of the American Psychological Association (5th ed.). Washington, DC: Author.

Scalet, S. (n.d.). 19 ways to build physical security into a data center. Retrieved from http://www.csoonline.com/article/220665/19-ways-to-build-physical-security-into-a-data-center