
Associate Level Material

Appendix B

Information Security Policy

Student Name: Enter Your Name Here





Instructor's Name: Enter Your Instructor's Name Here

Date: Enter the date here

Table of Contents
Associate Level Material
Executive Summary
Introduction
Disaster Recovery Plan
Physical Security Policy
Access Control Policy
Network Security Policy
References

IT/244 Intro to IT Security

Executive Summary
Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario.

Destructive acts using computer networks have cost billions of dollars and increasingly threaten the resources of network-connected critical infrastructures. Threats to network infrastructures are potentially extensive not only as their value increases in terms of the infrastructures themselves, the value of hosted services, and the value of what is located on them, but also because of their widespread and low-cost access. These infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent. However, we lack a comprehensive understanding of these vulnerabilities, largely because of the extraordinary complexities of many of the problems, and perhaps from too little effort to acquire this understanding. But there is ample evidence that vulnerabilities are there: examples of all three kinds of failure abound, and vulnerabilities are found almost every time people seriously look for them.

Within this vast, complex cyberspace system, it is so simple to connect that users of today's systems require few skills and little understanding of the underpinnings. Thus, we require not only technical protections but also an awareness and alertness on the part of all users to the dangers inherent in the use of any system connected to a network. Attacks so far have been limited. However, many believe that it is only a matter of time before prolonged, multifaceted, coordinated attacks are going to find those network vulnerabilities and exploit them to produce serious consequences. Prudence dictates better protection against accidents and attacks before things get much worse.

All realizations of visions of the information society are going to be severely limited if the people in that society do not trust or feel secure with the underlying infrastructures. Alertness to the dangers requires protections that can stay abreast of changing attack modes. An essential part of a defense strategy is continual network monitoring and innovation in monitoring techniques to minimize the potential for damage from the actions of cybercriminals. However, there are multiple stages of defense and a cycle of understanding, which is a complex system in itself. The overlapping stages of prevention and/or thwarting an attack, incident management, reconstituting after an attack, and improving defender performance by analysis and redesign are essential to understanding the elements of each network intrusion attempt. Invariably, gaining this understanding involves some ability to trace the route of attack to the source so that the attacker can be identified. International cooperation can help to bring about success in this effort, in situations where it would be impossible otherwise.

Faced with the possibility of disruption of critical infrastructures in ways that could have serious consequences, governments should be expected to implement prudent defense plans. Each country should first identify those infrastructures and their interdependencies that are critical to its survival and to its social and economic well-being. Planning for specific defenses of these identified infrastructures may usefully include both passive and active defense forms.

Introduction

Due in Week One: Give an overview of the company and the security goals to be achieved.

Company overview
As relates to your selected scenario, give a brief 100- to 200-word overview of the company.

I have chosen Sunica Music and Movies. It is a multimedia chain that has four locations. The issue that Sunica has encountered is that the four stores operate as separate entities and are in need of an improvement in communication. The four stores are not able to coordinate orders and inventory. Due to the lack of an internet base, Sunica's sales, profit, and customer base have suffered. To achieve an improvement in business productivity, Sunica will need to install web servers in the corporate office located in their data center. These will enable the stores to access other sectors of the business such as inventory and accounting, and update data in real time so that sales associates may relay current information to customers.

Security policy overview

Of the different types of security policies (program-level, program-framework, issue-specific, and system-specific), briefly cover which type is appropriate to your selected business scenario and why.

Sunica should utilize a program-framework and system-specific policy to ensure the system structure has what the company needs in its entirety. A system-specific policy would help ensure that all employees and management comply with the policies.


Security policy goals

As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.

Briefly explain how the policy will protect information.

User authentication would assist in the confidentiality aspect of security. The company should implement passwords and deploy tools such as virtual networking.

Give a brief overview of how the policy will provide rules for authentication and verification. Include a description of formal methods and system transactions.

Since the company will be utilizing authentication and passwords, the network will not be accessible to the public. The company could also create a data log to keep a record of which employee is using their password to sign in, view, or modify information.

Briefly describe how the policy will address system back-up and recovery, access control, and quality of service.

Sunica should put in place a type of disaster plan in the event their company suffers from an emergency. If they employ a disaster plan, the company can back up and log vital company information such as financials.


Disaster Recovery Plan

Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.

Risk Assessment

Critical business processes

List the mission-critical business systems and services that must be protected by the DRP.

No business wants to face the horror of a disaster, be it from Mother Nature, external threats, or other catastrophes, but with a well-crafted disaster recovery plan, the firm may sustain minimal damage. In preparing for disaster, the planning committee should prepare a risk analysis to determine the potential consequences and impact of several disaster scenarios. The critical needs of each department within Sunica Music and Movies will include functional operations, key personnel, information, processing systems, service, documentation, vital records, and policies and procedures. Processing and operations should be analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.

Internal, external, and environmental risks

Briefly discuss the internal, external, and environmental risks, which might be likely to affect the business and result in loss of the facility, loss of life, or loss of assets. Threats could include weather, fire or chemical, earth movement, structural failure, energy, biological, or human.

There are many potential threats that may be likely to affect the functioning of Sunica Music and Movies. These risks may be internal, external and environmental. For example, there are natural events that can be devastating for any company. These may include things such as earthquakes, fires, floods, mudslides, and the like. Even more unlikely events such as power outages secondary to solar flares are a potential concern. Furthermore, there are unfortunately multiple situations that may be man-made rather than caused by Mother Nature. These include things such as strikes, work stoppages, sabotage, burglary, or any type of hostile activity.

Disaster Recovery Strategy

Of the strategies of shared-site agreements, alternate sites, hot sites, cold sites, and warm sites, identify which of these recovery strategies is most appropriate for your selected scenario and why.

Considering that Sunica Music and Movies (SMM) is now using a WAN system to coordinate its business processes, an appropriate disaster recovery plan will include having an alternate site to step in, in the event of an emergency. This will include an outside vendor who will provide backup services in the event that the programs at SMM fail for one reason or another. In the interest of financial feasibility, SMM should contract for a warm site to step in if the home networks are compromised.

Disaster Recovery Test Plan

For each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.


An initial test of the plan should be performed by conducting a structured walk-through test. The test will provide additional information regarding any further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments (Wold, 1992). The plan should be updated to correct any problems identified during the test. Initially, testing of the plan should be done in sections and after normal business hours to minimize disruptions to the overall operations of the organization. This is an excellent option to include in SMM's disaster recovery plan (DRP).

This is a situation where a mockup is created to closely simulate an attack or other danger (Merkow, 2006). This will mimic the response to an emergency as closely as possible. This would also be an excellent option to include in SMM's DRP.

In this situation, the members of SMM review a list of their responsibilities during an emergency. This is also a great resource for SMM in the beginning stages of testing their DRP.


Parallel testing
In this situation, both the current systems at SMM and the systems at the warm site will operate at the same time. This provides a comprehensive test of the backup system's ability to handle the data coming through the standard site at SMM. This should be integrated into SMM's DRP to confirm the competence of the system.

Full interruption
In this test, the systems at SMM are shut down completely. This scary but necessary evaluation is used to clarify the usefulness and appropriateness of the backup system. If the backup system does not work, SMM can take the necessary precautions in a situation hopefully less painful than a true disaster. Again, this is a helpful test to include in SMM's DRP.


Physical Security Policy

Due in Week Five: Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, "an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure" (p. 165). Describe the policies for securing the facilities and the policies of securing the information systems. Outline the controls needed for each category as relates to your selected scenario. These controls may include the following:

Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)

Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)

Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)

Security of the building facilities

Physical entry controls

An often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that in order to protect logical systems, the hardware running them must be physically secure. If you can't physically protect your hardware, you can't protect the programs and data running on your hardware! For this question, physical security deals with who has access to buildings, computer rooms, and the devices within them. Controlling physical security involves protecting sites from natural and man-made physical threats through proper location and by developing and implementing plans that secure devices from unauthorized physical contact. The level of physical security is typically proportional to the value of the property that is being protected. For a firm such as Sunica Music and Movies (SMM), challenges related to physical security lie in the need to make it simple for people who actually belong in the building to get in and get around but make it difficult for those who do not belong to enter and navigate. Thus, physical security, like many other areas of security, is a careful balancing act that requires trusted people, effective processes that reduce the likelihood of harm from inadvertent and deliberate acts, and appropriate technology to maintain vigilance. The optimal devices for SMM include the use of perimeter security controls as well as badges for all personnel that need to be displayed at all times. The workplace at SMM may be separated into functional areas so that only the desired workers have access to a given area at one time.

Security offices, rooms and facilities

The physical security of the facilities needs to be handled by a small private security force. The security force will have the use of security offices, for the administration of the site's physical security through a site security supervisor. The security force will also have rooms to house the supplies needed for the application of the security of the facilities such as video monitoring and recording equipment, and other miscellaneous monitoring equipment.

Isolated delivery and loading areas

Keeping areas of common access or frequent unsecured access separate from secured areas is a requirement for the continued security of the facilities. By keeping the loading and delivery areas separate and isolated from the secured areas of the facility, the integrity of the facility's security can be assured.

Security of the information systems

Workplace protection

In work locations with high traffic, like SMM, audit trails allow examiners to trace or follow the history of a transaction through the institution. Bank auditors or examiners, for example, are able to determine when information was added, changed, or deleted within a system with the purpose of understanding how an irregularity occurred and hopefully how to correct it. The immediate goal is to detect the problem in order to prevent similar problems in the future.

Unused ports and cabling

All unused ports must be secured at all times, and if the port is used for transient purposes, such as when a sales or executive employee visits a facility, then provisions must be made by and notice given to the information security department. Ports that are unused that are needed for future expansion plans must be temporarily disconnected until needed.

Network/server equipment
All network and server equipment must be kept in a secure, limited access room or closet to ensure the physical security of the equipment from vandalism or theft. Server equipment needs to be kept in locked, climate-controlled rooms and be locked in a way that limits access only to employees with the need to have access to the equipment. Network equipment, such as hubs and routers, should be secured in closets to prevent tampering and access except by authorized employees.

Equipment maintenance
Computers are particularly sensitive to the smallest fluctuations in temperature and humidity. We frequently take the HVAC environmental controls for granted, but the IT manager or the person or persons responsible for these systems should know exactly what to do and whom to contact in the event of failure. Routine maintenance of critical infrastructure systems should prevent any significant failure of HVAC systems in the event of an emergency.

Security of laptops/roaming equipment

All information technology equipment that does not have a fixed and permanent location must be secured from unlawful use or access. The employees issued mobile computing equipment must understand the importance of the company equipment that they have been charged with. All roaming computing equipment must be secured with a minimum of two-factor authentication, such as a user name and password combination along with a smart card or biometrics authentication method.


Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems

Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.

Access controls are a collection of mechanisms that work together to create a security architecture to protect the assets of an information system. One of the goals of access control is personal accountability, which is the mechanism that proves someone performed a computer activity at a specific point in time. As each of the four stores associated with Sunica Music and Movies (SMM) will have access to the computerized files, there need to be security measures put in place to protect the financial and customer data.

Access control strategy

Discretionary access control

Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is, that is, who is responsible for the information and has the discretion to dictate access to that information.

The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s). This is how most corporate systems operate. DAC authority may be delegated to others who then are responsible for user setup, revocation, and changes (department moves, promotions, and so forth). Most of the common operating systems on the market today (Windows, Macintosh, Unix, Novell's NetWare, and so forth) rely on DAC principles for access and operation. The highest management at SMM will be responsible for determining who is granted access and the level that is given.

Mandatory access control

Describe how and why mandatory access control will be used.

In a system that uses mandatory access control (MAC; also called nondiscretionary access control), the system decides who gains access to information based on the concepts of subjects, objects, and labels. MAC is most often seen in military and governmental systems and is rarely seen in the commercial world. In a MAC environment, objects (including data) are labeled with a classification (e.g. Secret, Top Secret, and so forth), and subjects, or users, are cleared to that class of access. MAC may be a bit too much control for SMM at this time; however, it is a possibility for the future of the company.

Role-based access control

Describe how and why role-based access control will be used.

Role-based access control (RBAC) groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group, and then assigning rights to the group for access control purposes. This is especially helpful where there is a high rate of employee turnover or frequent changes in employee roles. SMM has seen a great deal of employee turnover in the past, and needs to be able to rescind access for employees who choose to leave the company for whatever reason. Moreover, as SMM continues to increase its security with improved access to customer and financial files, this type of security is necessary.

Remote access
Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN).

Remote Access Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. For example, you may need to dial up an external network to gain access for performing work, depositing a file, or picking up a file.

A virtual private network (VPN) is another common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or her ISP and initiates a connection to the protected network (often using a RADIUS server), creating a private tunnel between the end points that prevents eavesdropping or data modification. VPNs use strong cryptography to both authenticate senders and receivers of messages and to encrypt traffic so it's not vulnerable to a man-in-the-middle attack. In addition, many users take advantage of VPN methods to access confidential information such as patient information away from the hospital. This will be ideal for SMM employees to access work information when they are away from the office for one reason or another.


Network Security Policy

Due in Week Nine: Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.

Data network overview

Provide an overview of the network configuration that the company uses. Discuss each network type of Local Area Network (LAN), Wide Area Network (WAN), Internet, intranet, and extranet. Include how the network type is employed in your selected scenario.

Without a security policy, the availability of any network can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a security change management practice and monitoring the network for security violations. Lastly, the review process modifies the existing policy and adapts to lessons learned.

Network security services

For each security service, briefly describe how it is used to protect a network from attack. Include why the service will be used for network security as relates to your selected scenario, or why it is not applicable in this circumstance.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.


Access control
Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected; the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundations on which access control mechanisms are built begin with identification and authentication and lead to limitations on access to the

Data confidentiality
Confidentiality means preventing the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction-processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Data integrity
In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.
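The audit trail described under workplace protection and the integrity definition above can be combined in one mechanism. The following is an added example, not part of the original paper: a sign-in/view/modify log whose entries are chained with HMAC-SHA256 so that editing or deleting a record is detectable. The key, user names, record names and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first entry


def entry_mac(key, prev_mac, entry):
    """MAC over the previous record's MAC plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append_entry(log, key, ts, user, action, record):
    """Append one audit record, chained to the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"ts": ts, "user": user, "action": action, "record": record}
    log.append({"entry": entry, "mac": entry_mac(key, prev, entry)})


def verify(log, key, expected_len=None):
    """Return the index of the first bad record, or None if the log is intact.

    The chain alone cannot reveal records cut from the end of the log, so a
    record count kept somewhere else can be passed as expected_len.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = entry_mac(key, prev, rec["entry"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return i
        prev = rec["mac"]
    if expected_len is not None and len(log) != expected_len:
        return len(log)  # position of the first missing record
    return None


def sample_log(key):
    """Constructed sample: three actions by hypothetical store employees."""
    log = []
    append_entry(log, key, "2012-03-11T09:00:00", "store2.clerk",
                 "sign-in", "pos-terminal-4")
    append_entry(log, key, "2012-03-11T09:02:10", "store2.clerk",
                 "modify", "inventory/1138")
    append_entry(log, key, "2012-03-11T09:05:45", "hq.accounting",
                 "view", "financials/2012-q1")
    return log


if __name__ == "__main__":
    # Constructed demo key; a real key would be stored off the logging host.
    demo_key = b"constructed-demo-key"
    log = sample_log(demo_key)
    print("intact log:", verify(log, demo_key))

    log[1]["entry"]["action"] = "view"  # someone rewrites a 'modify' as a 'view'
    print("after edit, first bad record:", verify(log, demo_key))

    log = sample_log(demo_key)
    del log[1]  # someone removes the 'modify' record
    print("after deletion, first bad record:", verify(log, demo_key))
```
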

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

Logging and monitoring

Change management is a formal process for directing and controlling alterations to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and improve the stability and reliability of the processing environment as changes are made. It is not the objective of change management to prevent or hinder necessary changes from being implemented. Any change to the information processing environment introduces an element of risk. Even apparently simple changes can have unexpected effects. One of management's many responsibilities is the management of risk. Change management is a tool for managing the risks introduced by changes to the information processing environment. Part of the change management process ensures that changes are not implemented at inopportune times when they may disrupt critical business processes or interfere with other changes being implemented. Not every change needs to be managed. Some kinds of changes are a part of the everyday routine of information processing and adhere to a predefined procedure, which reduces the overall level of risk to the processing environment. Creating a new user account or deploying a new desktop computer are examples of changes that do not generally require change management. However, relocating user file shares or upgrading the e-mail server poses a much higher level of risk to the processing environment and is not a normal everyday activity. The critical first steps in change management are (a) defining change (and communicating that definition) and (b) defining the scope of the change system. Change management is usually overseen by a Change Review Board composed of representatives from key business areas, security, networking, systems administrators, database administration, applications development, desktop support and the help desk. The tasks of the Change Review Board can be facilitated with the use of an automated workflow application. The responsibility of the Change Review Board is to ensure the organization's documented change management procedures are followed.

Firewall system
Outline the roles of the following network security control devices and how these basic security infrastructures are used to protect the company's network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. Include how the firewall system is or is not applicable to the company's network configuration in your selected scenario.

Packet-filtering router firewall system

Firewalls, according to Cheswick and Bellovin, may be generally classified into three types: packet filters, application gateways, and circuit gateways. Packet filters block the transmission of packets based upon the protocol, address, and/or port identifier, while application gateways filter traffic using application-specific rules. Circuit gateways act as a TCP relay; an external remote host connects to a TCP port at the gateway and the gateway, in turn, establishes a TCP connection to the intended destination on the internal local network. Often, more than one of these types may be used together. When setting up packet filters, you must first determine what filtering capabilities your router has and where you want to filter. If your router has one or more LAN ("inside") ports and/or one or more WAN ("outside") ports, you probably want to filter on the outside, to protect the router. Most routers do, in fact, allow you to build packet filters and apply them on a per-port basis.
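The per-port filtering described above, as an added example that is not part of the original paper: a first-match packet filter with an implicit default deny, evaluated over constructed packets. The interface names (`wan0`, `lan0`), the store address range and the web server address are assumptions taken from private and documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # router port the packet arrived on
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # protocol name or "any"
    src: str                                  # source network in CIDR form
    dst: str                                  # destination network in CIDR form
    dports: Optional[Tuple[int, int]] = None  # inclusive range, None = any port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None:
            low, high = self.dports
            if not low <= pkt.dport <= high:
                return False
        return True


ANY = "0.0.0.0/0"
STORES = "10.20.0.0/16"   # assumed internal range for the four stores
WEB = "192.0.2.10/32"     # assumed address of the data-center web server

# One ordered rule list per router port. The filter is stateless: replies to
# outbound connections would need their own wan0 rule, left out here.
FILTERS = {
    "wan0": [  # outside port
        Rule("deny", "any", STORES, ANY, note="internal source seen on outside port"),
        Rule("permit", "tcp", ANY, WEB, (443, 443), "HTTPS to web server"),
        Rule("permit", "tcp", ANY, WEB, (80, 80), "HTTP to web server"),
    ],
    "lan0": [  # inside port
        Rule("permit", "any", STORES, ANY, note="store hosts outbound"),
    ],
}


def evaluate(pkt, filters=FILTERS):
    """Return (action, index of the matching rule); no match means deny."""
    for index, rule in enumerate(filters.get(pkt.iface, [])):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    constructed = [
        Packet("wan0", "tcp", "203.0.113.7", "192.0.2.10", 443),
        Packet("wan0", "tcp", "203.0.113.7", "192.0.2.1", 23),
        Packet("wan0", "tcp", "10.20.5.5", "192.0.2.10", 443),
        Packet("lan0", "udp", "10.20.1.15", "198.51.100.53", 53),
    ]
    for pkt in constructed:
        print(pkt, "->", evaluate(pkt))
```

Rule order matters: the packet with an internal source address arriving on `wan0` is dropped by rule 0 even though a later rule would permit its destination and port.
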

Screened host firewall system

The screened host firewall is a more flexible firewall than the dual-homed gateway firewall; however, the flexibility is achieved with some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than that provided by the dual-homed gateway firewall. The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router. The application gateway needs only one network interface. The application gateway's proxy services would pass TELNET, FTP, and other services for which proxies exist, to site systems. The router filters or screens inherently dangerous protocols from reaching the application gateway and site systems.

Screened-Subnet firewall system

In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.

References

Cite all your references by adding the pertinent information to this section by following this example.

Merkow, M. & Breithaupt, J. (2006). Information Security: Principles and Practices. Upper Saddle River, NJ: Pearson/Prentice Hall.

Wack, J. (1995). Screened Host Firewall. http://www.vtcif.telstra.com.au/pub/docs/security/800-10/node57.html. Last accessed March 11, 2012.

Wold, G. (1992). Disaster Recovery Planning Process. Retrieved on from http://www.drplan.com/ArticleDRP1.htm
