Information Security Policy Essay

1. Executive Summary due in Week Nine Write 3 to 4 paragraphs gravid a bottom-line summary of the specific measureable goals and objectives of the aegis syllabus, which ignore be utilise to define optimal tribute measure architecture for the selected business scenario.The goal of this security indemnity is to lay out a basic plan for a pay back education carcass to be employ by crown designing theme. This insurance policy leave behind protect the high societys dodges from threats that sewer come from humans and from natural disasters as well. The policy result excessively put into consideration the privacy, reputation, intellectual property and productivity of the rosiness founding convocation. The continued exertion of this nexus depends on being able to door course and use elections within the organization and being able to remote advance with security. Each persons role in the telephoner leave alone be considered and countenance portal entrust b e given to ensure the efficient operation of the business, while non giving entree to those who are non authorized. This policy will to a fault table helping in the societys tenderness to some(prenominal) g overnmental regulations. Any disruptions of service or security connect issues will be dealt with immediately by means of system software system that is automated to handle certain threats. More serious issues will be dealt with by the IT staff whose responsibility it is to oversee the everyday operation of the info system.2. Introduction payable in Week One Give an overview of the company and the security goals to be achieved.2.1. Company overviewThe Bloom visualise Group is a company that offers interior design services to businesses and individuals around the world. There integrated subprogram is located in New York with a importary office in Los Angeles for handling operations on the West coast. They open a web site that offers their customers the ability to do up their designs online and then obtain them through a electronic order processing system. Also, the designers use in force(p) logins and words to inlet the web site. A large number of the workforce work remotely possibly using tablets or ipads connected to secure VPNs or Virtual Private Net work.2.2. apology policy overviewBloom Design pigeonholing already provides secure logins and mesh topologys to their employees so they already have just about character of system setup already. However, this does not mean it is a system that works efficiently. I think the appropriate security policy to go across for this exteriorise would be system specific.2.3. earnest policy goalsAs applies to your selected scenario, explain how the confidentiality, integrity, and admittanceibility principles of breeding security will be addressed by the instruction security policy.2.3.1. ConfidentialityThe policy I plan to implement will help to protect in createation by re think how t he company stores irritable reading much(prenominal) as employee and client records, trade secrets, and other subtle data.2.3.2. IntegritySince the company will be using battle crys and secure logins the system will not be glide pathionible to the public. So the primary focus should be on the employees. Authentication and verification stack be done using a data log to keep records of employees activity while on the companys VPN. Also, the use of a conflagrationwall will help with integrity as it will pr issuing employees from unknowingly irritateing damaging websites.2.3.3. AvailabilityThe policy I plan to use will help with back-up and recovery by the mathematical use of cloud storage or a substitution data storage center. Although they are already using secure logins for advance fit the whole system needs to be reviewed. This is to make sure altogether authorized personnel have accession to sensitive areas.3. Disaster convalescence PlanDue in Week Three For your s elected scenario, describe the brinystay elements of the Disaster recovery Plan to be utilize in field of study of a disaster and the plan for interrogation the DRP.3.1. Risk Assessment3.1.1. searing business processesThe mission-critical business systems and services that must be protected by this DRP are Payroll, Human Resource information, POS backup media, and Web Servers and their services.3.1.2. Internal, external, and environmental risksExamples of indispensable risks that may affect business are unauthorized access by individuals who are employed by the company, and those who arent employed by the company but still have access to individual stores computer systems, applications, or areas where the hordes and backup media are located. Other external and environmental risks overwhelm fire, floods, power outages, hardware failure, software glitches and failure, storms, and other acts of nature.3.2. Disaster Recovery StrategyMost cases, having an alternative site (a gamey site, or heatless site depending on the disaster) would be the correct way of dealing with nearly disasters. With Bloom design convention I think having a untoughened site eagerness would be the best option. Warm sites are cheaper than hot sites but accept more(prenominal) effort. On the other hand, they are more expensive than cold-site facilities but less labor intensive and more in all likelihood to be effective in a disaster. Also, having a backup and holding site to work from, and recover from for the main servers and web services is a good idea.3.3. Disaster Recovery Test PlanFor each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.3.3.1. Walk-throughsThis test plan would be a great way for the place personnel to come together and formulate a plan of action in the event of an emergency. Due to Bloom Design congregationing being spread across a large area it talent requi re rough video conferencing and traveling on the part of some employees.3.3.2. SimulationsI think this test plan is the most effective when compared to the others. Simulating an unfeigned emergency is a great way for people to get used to operating in a critical time under pressure. This will show you where your people have their strengths and weaknesses when trying to recover from a disaster.3.3.3. ChecklistsThis dormant case of testing would be a good system to implement on a weekly or monthly basis depending on the needs of the company. This will help in detecting problems before they acquire a major issue.3.3.4. Parallel testingSince Bloom Design group is updating their security parameters and do not have an equal image of system already implemented parallel testing would not be appropriate for this security policy.3.3.5. Full interruptionI think this is some other very effective way to test the system in the event of an emergency. However, to minimize inconveniences to th e customers it would have to be done during off hours.4. material Security PolicyDue in Week Five compendium the Physical Security Policy. Merkow and Breithaupt (2006) state, an often overlooked connection between physical systems (computer hardware) and tenacious systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure (p.165). Describe the policies for securing the facilities and the policies of securing the information systems. Outline the biddings needed for each category as relates to your selected scenario. These controls may include the pursuitPhysical controls (such(prenominal) as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas) Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics) Environmental or life- safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)4.1. Security of the construction facilities4.1.1. Physical entry controlsAt the two office locations (Los Angeles, New York) for Bloom Design Group I would use employee badges that double as an electronic key to access the building and other sensitive locations. This will work in conjunction with an access control system that limits entrance/exit to the offices through one main entrance. There will be an employee entrance as well as well as to be accessed by an electronic badge.4.1.2. Security offices, rooms and facilitiesFor the security offices I would implement biometric s fecal matterners due to the sensitive equipment inside. Other rooms and facilities of a sensitive nature will utilize electronic badges with a photo and abduce of the employee.4.1.3. Isolated delivery and loading areasFor these areas I would implement electronic key card access with the use of a CCT V system recording to a DVR. With a CCTV camera located on the driver door in the loading area the person responsible for deliveries will know when a delivery is being made and stooge break he distant environment before opening the door.4.2. Security of the information systems4.2.1. Workplace protectionFor this part of the security policy I would utilize pre-employment screening and obligatory vacation time. This prevents people from hiding illegal activities while performing their duties. Also, I would setup rightd entity controls so operators and system administrators have picky access to computing resources.4.2.2. Unused ports and cablingFor unused ports I would use a human of security equipment that can be plugged into the unused port and can only be removed by someone with a special key. This will help prevent unauthorized access into the lucre. For unused cabling I would secure it in a secure storage room which can only be accessed by authorized personnel. If the above mentioned equipment isnt getable then the port should be removed.4.2.3. profits/server equipmentBeing that this is some of the most critical equipment for business operations I would use biometric locks and scanners on any room that contains this equipment. Also these rooms will be environmentally controlled with air conditioners and dehumidifiers to abide the equipment to operate at peak efficiency.4.2.4. Equipment maintenanceSince a lot of the equipment is spread across a large region I would utilize remote communication connections to troubleshoot issues. If the maintenance need is more concentrated than I would have a small centrally located facility that specializes in assessing and repairing malfunctioning equipment.4.2.5. Security of laptops/roaming equipmentFor laptops and roaming equipment I would install all devices with a GPS reporter and encryption software to protect against unauthorized access. The equipment itself would be stored in a secure storage room wit h access being tightly controlled.5. nettle Control PolicyDue in Week Seven Outline the Access Control Policy. Describe how access control methodologies work to secure information systems5.1. AuthenticationAuthentication credentials permit the system to asseverate ones identification credential. Authenticating yourself to a system tells it the information you have established to prove that you are who you say you are. Most often, this is a naive password that you set up when you receive the privilege to access a system. You may receive an assigned password initially with the requirement that you must reset it to something more personalsomething that only you can remember. However, passwords are the easiest type of authentication to beat. Free and widely available programs are available on the Internet to break the security afforded by passwords on most of the ordinarily used systems.With two or three factors to authenticate, an information possessor can gain confidence that use rs who access their systems are indeed authorized to access their systems. This is accomplished by adding more controls and/or devices to the password authentication process. Biometric examine uses unique human characteristics to identify whether the person trying to gain access is authorized to enter or not. One common approach to managing IDs and passwords is to make up a password or PIN vault. These programs use secure methods to topically store IDs and passwords that are protected by a master password that unlocks the vault when its needed.5.2. Access control schema5.2.1. Discretionary access controlThe discretionary access control system will be used for Bloom Design Group because this is the favored approach in the incorporate environment and due to the wide area of operations this will allow several authorized users to have access to the system at any given time. The principle of least privilege is the predominant strategy to assure confidentiality. The objective is t o give people the least amount of access to a system that is needed to perform the job theyre doing. The need-to-know dictates the privilege (authority) to perform a transaction or access a resource (system, data, and so forth). An information owner is one who maintains overall responsibility for the information within an information system. For the Bloom Design Group the information owner is going to be the corporate head of IT operations.5.2.2. Mandatory access controlIn a system that uses mandatory access control (MAC also called nondiscretionary access control), the system decides who gains access to information based on the concepts of subjects, objects, and labels, as defined below. Since the Bloom Design Group is spread out over such a large area I do not think this is the best choice for this scenario. MAC is better suited for military machine or governmental systems.5.2.3. Role-based access controlRole-based access control (RBAC) groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. This would also be appropriate for this scenario because it will allow the information owner to easily assign access to certain groups such as designers, office personnel, customer service associates and so forth.5.3. Remote accessRemote Access Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to set up a policy that can be applied at a single administered mesh topology point. Having a central service also means that its easier to track usage for billing and for keeping profits statistics. A virtual toffee-nosed mesh topology (VPN) is another common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or h er ISP and initiates a connection to the protected network (often using a RADIUS server), creating a cloak-and-dagger tunnel between the end points that prevents eavesdropping or data modification.6. Network Security PolicyDue in Week Nine Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.6.1. Data network overviewDue to the large geographical distances between Bloom Design Group offices a WAN is going to be utilized. WAN covers a larger geographic area than a LAN (technically, a network that covers an area larger than a single building). A WAN can span the immaculate nation or even the globe using satellites.6.2. Network security services6.2.1. AuthenticationAccess to documents can be restricted in one of two ways by asking for a username and password or by the hostname of the browser being used. For Bloom Design Group emplo yees will need to enter a user ID and password to access restricted documents and sites.6.2.2. Access controlUnlike authentication, which is security-based on the users identity, restricting access based on something other than identity is called access control. For Bloom Design group access control to physical locations will be done by controlled by electronic badges. More sensitive areas such as the server rooms will utilize biometric scanners.6.2.3. Data confidentialityThis service protects data against unauthorized disclosure and has two components content confidentiality and put across flow confidentiality. For Bloom Design group all messages transmitted and authorized through company offices will be encrypted to prevent the unauthorized viewing of sensitive company documents.6.2.4. Data integrityThe goal is to protect data from accidental or malicious modification whether during data transfer, data storage, or from an operation performed on it, and to preserve it for its int ended use. For Bloom Design Group the only people who will be authorized to make changes or modifications will be the Head of the IT department and anyone else they deem necessary.6.2.5. NonrepudiationA service guaranteeing that the sender of a message cannot deny having sent the message and the pass receiver cannot deny having received the message. I do not think this will be necessary for Bloom Design group. However, if it does then the proper modifications can always be made.6.2.6. Logging and superviseThese services allow IS specialists to observe system activity during and after the fact by using monitoring and logging tools. These include operating system logs, server records, application log errors, warnings, and observation of network, switch and router traffic between network segments. I do not think this will be necessary for Bloom Design Group as a whole. However, it will be utilized for any programs having to do with the servers due to its sensitive business content.6. 3. Firewall systemOutline the roles of the following network security control devices and how these basic security infrastructures are used to protect the companys network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. allow how the firewall system is or is not applicable to the companys network configuration in your selected scenario.6.3.1. Packet-filtering router firewall systemThe most common Internet firewall system consists of nothing more than a packet-filtering router deployed between the private network and the Internet. A packet-filtering router performs the typical routing functions of forwarding traffic between networks as well as using packet-filtering rules to permit or deny traffic.6.3.2. Screened host firewall systemThe second firewall example employs both a packet-filtering router and a bastion host. This firewall system provides high levels of security than the previous example because i t implements both Network-Layer security (packet-filtering) and Application-Layer security (proxy services). Also, an trespasser has to penetrate two separate systems before the security of the private network can be compromised. This will be the option chosen for Bloom Design Group based on needs and cost. Since Bloom Design group is not a governmental or military associate company then it doesnt require the most elaborate form of firewall protection.6.3.3. Screened-Subnet firewall systemThe final firewall example employs two packet-filtering routers and a bastion host. This firewall system creates the most secure firewall system, as it supports both Network-Layer and Application-Layer security while delimitate a demilitarized zone (DMZ) network.7. ReferencesCite all your references by adding the pertinent information to this section by following this example. American Psychological Association. (2001). Publication manual of the American Psychological Association (5th ed.). Wash ington, DC Author.Information Security Principles and Practices, by Mark S. Merkow, CISSP, CISM and Jim Breithaupt.