Sep 05, 2014
Associate Level Material, Appendix B
Information Security Policy
Student Name: Enter Your Name Here
UNIVERSITY OF PHOENIX
IT/244 INTRO TO IT SECURITY
Instructor’s Name: Enter Your Instructor's Name Here
Date: Enter the date here
Table of Contents
1. Executive Summary
2. Introduction
2.1. Company overview
2.2. Security policy overview
2.3. Security policy goals
3. Disaster Recovery Plan
3.1. Risk Assessment
3.2. Disaster Recovery Strategy
3.3. Disaster Recovery Test Plan
4. Physical Security Policy
4.1. Security of the building facilities
4.1.1. Physical entry controls
4.1.2. Security offices, rooms and facilities
4.1.3. Isolated delivery and loading areas
4.2. Security of the information systems
4.2.1. Workplace protection
4.2.2. Unused ports and cabling
4.2.3. Network/server equipment
4.2.4. Equipment maintenance
4.2.5. Security of laptops/roaming equipment
5. Access Control Policy
5.1. Authentication
5.2. Access control strategy
5.3. Remote access
6. Network Security Policy
6.1. Data network overview
6.2. Network security services
6.3. Firewall system
7. References
Information Security Policy
1. Executive Summary
Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario.
Destructive acts using computer networks have cost billions of dollars and increasingly threaten the
resources of network-connected critical infrastructures. Threats to network infrastructures are
potentially extensive not only as their value increases in terms of the infrastructures themselves, the
value of hosted services, and the value of what is located on them, but also because of their widespread
and low-cost access. These infrastructures of cyberspace are vulnerable due to three kinds of failure:
complexity, accident, and hostile intent. However, we lack a comprehensive understanding of these
vulnerabilities—largely because of the extraordinary complexities of many of the problems, and perhaps
from too little effort to acquire this understanding. But there is ample evidence that vulnerabilities are
there: examples of all three kinds of failure abound, and vulnerabilities are found almost every time
people seriously look for them.
Within this vast, complex cyberspace system, it is so simple to connect that users of today’s systems
require few skills and little understanding of the underpinnings. Thus, we require not only technical
protections but also an awareness and alertness on the part of all users to the dangers inherent in the
use of any system connected to a network. Attacks so far have been limited. However, many believe
that it is only a matter of time before prolonged, multifaceted, coordinated attacks are going to find
those network vulnerabilities and exploit them to produce serious consequences. Prudence dictates
better protection against accidents and attacks before things get much worse. All realizations of “visions
of the information society” are going to be severely limited if the people in that society do not trust or
feel secure with the underlying infrastructures.
IT/244 Intro to IT Security Page 1
Alertness to the dangers requires protections that can stay abreast of changing attack modes. An
essential part of a defense strategy is continual network monitoring and innovation in monitoring
techniques to minimize the potential for damage from the actions of cybercriminals. However, there are
multiple stages of defense and a cycle of understanding, which is a complex system in itself. The
overlapping stages of prevention and/or thwarting an attack, incident management, reconstituting after
an attack, and improving defender performance by analysis and redesign are essential to understanding
the elements of each network intrusion attempt. Invariably, gaining this understanding involves some
ability to trace the route of attack to the source so that the attacker can be identified. International
cooperation can help to bring about success in this effort, in situations where it would be impossible
otherwise.
Faced with the possibility of disruption of critical infrastructures in ways that could have serious
consequences, governments should be expected to implement prudent defense plans. Each country
should first identify those infrastructures and their interdependencies that are critical to its survival and
to its social and economic well being. Planning for specific defenses of these identified infrastructures
may usefully include both passive and active defense forms.
2. Introduction
Due in Week One: Give an overview of the company and the security goals to be achieved.
2.1. Company overview
As relates to your selected scenario, give a brief 100- to 200-word overview of the company.
I have chosen Sunica Music and Movies. It is a multimedia chain with four
locations. The problem Sunica has encountered is that the four stores operate
as separate entities and need better communication: they cannot coordinate
orders and inventory. Because there is no Internet-based infrastructure
connecting them, Sunica's sales, profit, and customer base have suffered. To
improve business productivity, Sunica will need to install web servers in the
data center at the corporate office. These will connect the stores to other
sectors of the business, such as inventory and accounting, and update data in
real time so that sales associates can relay current information to customers.
2.2. Security policy overview
Of the different types of security policies—program-level, program-framework, issue-specific, and system-specific—briefly cover which type is appropriate to your selected business scenario and why.
Sunica should adopt a program-framework policy together with system-specific
policies, so that the policy structure covers the company's systems in their
entirety. The system-specific policies would also help ensure that all
employees and management comply with the policies.
2.3. Security policy goals
As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.
2.3.1. Confidentiality
Briefly explain how the policy will protect information.
User authentication will support the confidentiality aspect of security.
The company should require passwords and deploy tools such as virtual
private networking (VPN), so that data in transit between the stores and
the corporate office is encrypted.
2.3.2. Integrity
Give a brief overview of how the policy will provide rules for authentication and verification. Include a description of formal methods and system transactions.
Because access will require authentication with passwords, the network
will not be open to the public. The company should also maintain an
audit log recording which employee signed in and which information each
employee viewed or modified, so that changes can be traced to a person.
2.3.3. Availability
Briefly describe how the policy will address system back-up and recovery, access control, and quality of service.
Sunica should put in place a disaster recovery plan in case the company
suffers an emergency. With such a plan, the company can back up vital
company information, such as financial records, and keep a record of
those backups so that systems can be restored.
3. Disaster Recovery Plan
Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.
3.1. Risk Assessment
3.1.1. Critical business processes
List the mission-critical business systems and services that must be protected by the DRP.
No business wants to face the horror of a disaster, be it from Mother
Nature, external threats, or other catastrophes, but with a well-crafted
disaster recovery plan the firm may sustain minimal damage. In
preparing for disaster, the planning committee should prepare a risk
analysis, which should be used to determine the potential
consequences and impact of several disaster scenarios. For Sunica Music
and Movies, the mission-critical systems are the web servers in the
corporate data center and the inventory and accounting systems they
serve. The critical needs of each department include functional
operations, key personnel, information, processing systems, service,
documentation, vital records, and policies and procedures. Processing
and operations should be analyzed to determine the maximum amount of
time that the department and organization can operate without each
critical system.
3.1.2. Internal, external, and environmental risks
Briefly discuss the internal, external, and environmental risks, which might be likely to affect the business and result in loss of the facility, loss of life, or loss of assets. Threats could include weather, fire or chemical, earth movement, structural failure, energy, biological, or human.
There are many potential threats that could affect the functioning of
Sunica Music and Movies. These risks may be internal, external, or
environmental. Natural events, for example, can be devastating for any
company: earthquakes, fires, floods, mudslides, and the like. Even less
likely events, such as power outages caused by solar flares, are a
potential concern. There are also many man-made rather than natural
situations, such as strikes, work stoppages, sabotage, burglary, or any
other hostile activity.
3.2. Disaster Recovery Strategy
Of the strategies of shared-site agreements, alternate sites, hot sites, cold sites, and warm sites, identify which of these recovery strategies is most appropriate for your selected scenario and why.
Considering that Sunica Music and Movies (SMM) now uses a WAN to
coordinate its business processes, an appropriate disaster recovery plan will
include an alternate site that can step in during an emergency. This means an
outside vendor that provides backup services if the systems at SMM fail for
any reason. In the interest of financial feasibility, SMM should contract for a
warm site, which has the network and hardware already in place and needs only
the latest data restored before it can take over if the primary site is
unavailable.
3.3. Disaster Recovery Test Plan
For each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.
3.3.1. Walk-throughs
An initial test of the plan should be performed by conducting a
structured walk-through test. The test will provide additional information
regarding any further steps that may need to be included, changes in
procedures that are not effective, and other appropriate adjustments
(Wold, 1992). The plan should be updated to correct any problems
identified during the test. Initially, testing of the plan should be done in
sections and after normal business hours to minimize disruptions to the
overall operations of the organization. This is an excellent option to
include in SMM's disaster recovery plan (DRP).
3.3.2. Simulations
This is a situation where a mockup is created to closely simulate an attack
or other danger (Merkow, 2006). This will mimic the response to
emergency as closely as possible. This would also be an excellent option
to include in SMM's DRP.
3.3.3. Checklists
In this test, members of SMM review a checklist of their responsibilities
during an emergency and confirm that each item is still accurate. This is
also a good resource for SMM in the early stages of testing its DRP.
3.3.4. Parallel testing
In this test, both the current systems at SMM and the systems at the
warm site operate at the same time. This is a comprehensive test of the
backup system's ability to handle the data flowing through the standard
site at SMM. It should be included in SMM's DRP to confirm the capability
of the backup system.
3.3.5. Full interruption
In this test, the systems at SMM are shut down completely. This scary
but necessary evaluation is used to clarify the usefulness and
appropriateness of the backup system. If the backup system does not
work, SMM can take the necessary precautions in a situation hopefully
less painful than a true disaster. Again, this is a helpful test to include in
SMM's DRP.
4. Physical Security Policy
Due in Week Five: Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, “an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure” (p.165).
Describe the policies for securing the facilities and the policies of securing the information systems. Outline the controls needed for each category as relates to your selected scenario.
These controls may include the following:
Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)
Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)
Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)
4.1. Security of the building facilities
4.1.1. Physical entry controls
An often overlooked connection between physical systems (computer hardware)
and logical systems (the software that runs on it) is that in order to protect logical
systems, the hardware running them must be physically secure. If you can't physically
protect your hardware, you can't protect the programs and data running on your
hardware!
For this question, physical security deals with who has access to buildings,
computer rooms, and the devices within them. Controlling physical security involves
protecting sites from natural and man-made physical threats through proper location
and by developing and implementing plans that secure devices from unauthorized
physical contact. The level of physical security is typically proportional to the value of
the property that is being protected. For a firm such as Sunica Music and Movies
(SMM), the challenge of physical security lies in making it simple for people who
belong in the building to get in and get around, while making it difficult for those
who do not belong to enter and navigate. Thus, physical security, like many other
areas of security, is a careful balancing act that requires trusted people, effective
processes that reduce the likelihood of harm from inadvertent and deliberate acts,
and appropriate technology to maintain vigilance. The optimal controls for SMM
include perimeter security controls and badges for all personnel, which must be
displayed at all times. The workplace at SMM may be separated into functional
areas so that only the intended workers have access to a given area at any one
time.
4.1.2. Security offices, rooms and facilities
The physical security of the facilities will be handled by a small private security
force. The security force will have security offices from which a site security
supervisor administers the site's physical security. The security force will also
have rooms to house the equipment needed to secure the facilities, such as video
monitoring and recording equipment and other monitoring equipment.
4.1.3. Isolated delivery and loading areas
Keeping areas of common access or frequent unsecured access separate from
secured areas is a requirement for the continued security of the facilities. By keeping
the loading and delivery areas separate and isolated from the secured areas of the
facility, the security of the facility can be maintained.
4.2. Security of the information systems
4.2.1. Workplace protection
In work locations with high traffic, like SMM, audit trails allow examiners to trace or
follow the history of a transaction through the institution. Bank auditors or examiners, for
example, are able to determine when information was added, changed, or deleted
within a system in order to understand how an irregularity occurred and, hopefully,
how to correct it. The immediate goal is to detect the problem so that similar
problems can be prevented in the future.
4.2.2. Unused ports and cabling
All unused ports must be secured at all times, and if the port is used for transient
purposes, such as when a sales or executive employee visits a facility, then provisions
must be made by and notice given to the information security department. Ports that are
unused that are needed for future expansion plans must be temporarily disconnected
until needed.
4.2.3. Network/server equipment
All network and server equipment must be kept in a secure, limited access room or
closet to ensure the physical security of the equipment from vandalism or theft. Server
equipment needs to be kept in locked, climate-controlled rooms and be locked in a way
that limits access only to employees with the need to have access to the equipment.
Network equipment, such as hubs and routers, should be secured in closets to prevent
tampering and access except by authorized employees.
4.2.4. Equipment maintenance
Computers are particularly sensitive to the smallest fluctuations in temperature and
humidity. We frequently take the HVAC environmental controls for granted, but the IT
manager or the person or persons responsible for these systems should know exactly
what to do and whom to contact in the event of failure. Routine maintenance of critical
infrastructure systems should prevent any significant failure of HVAC systems in the
event of an emergency.
4.2.5. Security of laptops/roaming equipment
All information technology equipment that does not have a fixed and permanent
location must be secured from unlawful use or access. The employees issued mobile
computing equipment must understand the importance of the company equipment that
they have been charged with. All roaming computing equipment must be secured with a
minimum of two-factor authentication, such as a user name and password combination
along with a smart card or a biometric authentication method.
5. Access Control Policy
Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems.
5.1. Authentication
Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.
Access controls are a collection of mechanisms that work together to create a
security architecture to protect the assets of an information system. One of the
goals of access control is personal accountability, which is the mechanism that
proves someone performed a computer activity at a specific point in time. As
each of the four stores associated with Sunica Music and Movies (SMM) will
have access to the computerized files, there need to be security measures in
place to protect the financial and customer data.
5.2. Access control strategy
5.2.1. Discretionary access control
Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is, who is responsible for the information and has the discretion to dictate access to that information.
The principle of discretionary access control (DAC) dictates that the information
owner decides who gets to access the system(s). This is how most corporate
systems operate. DAC authority may be delegated to others, who are then
responsible for user setup, revocation, and changes (department moves,
promotions, and so forth). Most of the common operating systems on the market
today (Windows, Macintosh, Unix, Novell's NetWare, and so forth) rely on DAC
principles for access and operation. Senior management at SMM will be
responsible for determining who is granted access and the level of access that is
given; under the principle of least privilege, each employee should receive only
the access needed for his or her job, which keeps confidential data limited to
those who must see it.
5.2.2. Mandatory access control
Describe how and why mandatory access control will be used.
In a system that uses mandatory access control (MAC; also called
nondiscretionary access control), the system decides who gains access to
information based on the concepts of subjects, objects, and labels. MAC is most
often seen in military and governmental systems and is rarely seen in the
commercial world. In a MAC environment, objects (including data) are labeled
with a classification (e.g. Secret, Top Secret, and so forth), and subjects, or
users, are cleared to that class of access. MAC may be a bit too much control
for SMM at this time; however, it is a possibility for the future of the company.
5.2.3. Role-based access control
Describe how and why role-based access control will be used.
Role-based access control (RBAC) groups users with a common access need.
You can assign a role for a group of users who perform the same job functions
and require similar access to resources. Role-based controls simplify the job of
granting and revoking access by simply assigning users to a group, and then
assigning rights to the group for access control purposes. This is especially
helpful where there is a high rate of employee turnover or frequent changes in
employee roles. SMM has seen a great deal of employee turnover in the past,
and needs to be able to rescind access for employees who choose to leave the
company for whatever reason. Moreover, as SMM continues to increase its
security with improved access to customer and financial files, this type of
security is necessary.
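The following is an added worked example, not code from the original paper or from any Sunica system: a minimal role-based access control check in Python. The role names (sales_associate, store_manager, accountant), the permission strings and the employee names are assumptions chosen to fit the scenario. Each role holds only the permissions its job function needs (least privilege), revocation is a single call that strips every role from a departing employee, and every decision is appended to an audit trail, which is the accountability mechanism described in section 5.1.

```python
"""Role-based access control with least privilege, revocation and an audit trail.

Added example for this section; not code from the original paper or from any
Sunica system. Role names, permission strings and employee names are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Rbac:
    roles: dict = field(default_factory=dict)        # role -> {"action:resource", ...}
    assignments: dict = field(default_factory=dict)  # user -> {role, ...}
    audit_log: list = field(default_factory=list)    # append-only decision record

    def define_role(self, role, permissions):
        self.roles[role] = set(permissions)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke_all(self, user):
        """Employee leaves: one call removes every role they held."""
        self.assignments.pop(user, None)

    def permissions_for(self, user):
        perms = set()
        for role in self.assignments.get(user, ()):
            perms |= self.roles[role]
        return perms

    def check(self, user, action, resource):
        """Decide, and record who asked for what and what the answer was."""
        allowed = f"{action}:{resource}" in self.permissions_for(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "resource": resource,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed


def build_store_rbac():
    """Least privilege: each role receives only what its job function needs."""
    rbac = Rbac()
    rbac.define_role("sales_associate", {"read:inventory", "read:prices"})
    rbac.define_role("store_manager", {"read:inventory", "write:inventory",
                                       "read:prices", "read:store_financials"})
    rbac.define_role("accountant", {"read:store_financials",
                                    "write:store_financials"})
    return rbac


if __name__ == "__main__":
    r = build_store_rbac()
    r.assign("alice", "sales_associate")
    print(r.check("alice", "read", "inventory"))    # True
    print(r.check("alice", "write", "inventory"))   # False
    r.revoke_all("alice")
    print(r.check("alice", "read", "inventory"))    # False
    for entry in r.audit_log:
        print(entry)
```

Because rights are attached to roles rather than to people, the turnover problem the paragraph raises becomes a one-line `revoke_all`, and a new hire gets the correct access by being assigned a role rather than by copying another employee's permissions.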
5.3. Remote access
Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN)
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and
software that lets a network access device pass a remote user's credentials to a
central server, which authenticates the dial-in user and authorizes access to the
requested system or service. For example, an employee may need to dial up an
external network to gain access for performing work, depositing a file, or picking
up a file.
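As an added illustration of what the RADIUS exchange actually carries on the wire (example code written for this section, not from the original paper or from any RADIUS implementation), the Python below implements two pieces of RFC 2865: the User-Password hiding that the client applies before sending an Access-Request, and the Response Authenticator the server puts on an Access-Accept so the client can check that the reply came from a server holding the shared secret and answers this particular request. The shared secret, Request Authenticator and password values are made up.

```python
"""RFC 2865 RADIUS: User-Password hiding and the Response Authenticator.

Added example for this section; not from the original paper or from any
RADIUS implementation. The shared secret, Request Authenticator and password
used below are made-up values; the algorithms follow RFC 2865 sections 5.2 and 3.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side. Pad the password with NULs to a multiple of 16 bytes, then
    XOR each 16-byte block with MD5(secret + previous block); for the first
    block the 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c              # chaining: next block keyed on this ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same keystream, XOR back, strip the NUL padding.
    (The RFC pads with NULs, so a password that itself ends in NUL is ambiguous.)"""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    over the response, where Length covers the 20-byte header plus attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept/Reject packet."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the reply only if its authenticator matches what a
    server holding the shared secret would compute for *our* request."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"xyzzy5461"                 # assumed shared secret
    request_auth = os.urandom(16)         # fresh per Access-Request
    hidden = hide_password(b"correct horse battery staple", secret, request_auth)
    print(hidden.hex())
    print(reveal_password(hidden, secret, request_auth))
    reply = build_response(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    print(verify_response(reply, request_auth, secret))          # True
    print(verify_response(reply, request_auth, b"wrong-secret"))  # False
```

The caveat a practitioner should take from this: the password hiding is an MD5-keyed XOR stream under a static shared secret rather than modern encryption, and the Response Authenticator is only as strong as that secret. RADIUS traffic is therefore normally kept on a management network or carried inside IPsec or TLS (RadSec) rather than exposed across the WAN.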
A virtual private network (VPN) is another common means for remote users to
access corporate networks. With a VPN, a user connects to the Internet via his
or her ISP and initiates a connection to the protected network (often
authenticating against a RADIUS server), creating a private tunnel between the
end points that prevents eavesdropping and data modification. VPNs use strong
cryptography both to authenticate the senders and receivers of messages and to
encrypt traffic, so that it is not vulnerable to a man-in-the-middle attack. Many
users rely on VPNs to reach confidential information, such as patient records
away from a hospital. This will be ideal for SMM employees who need to access
work information when they are away from the office for one reason or another.
6. Network Security Policy
Due in Week Nine: Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.
6.1. Data network overview
Provide an overview of the network configuration that the company uses. Discuss each network type of Local Area Network (LAN), Wide Area Network (WAN), Internet, intranet, and extranet. Include how the network type is employed in your selected scenario.
Without a security policy, the availability of any network can be compromised. The policy
begins with assessing the risk to the network and building a team to respond. Continuation of
the policy requires implementing a security change management practice and monitoring the
network for security violations. Lastly, the review process modifies the existing policy and
adapts to lessons learned.
6.2. Network security services
For each security service, briefly describe how it is used to protect a network from attack. Include why the service will be used for network security as relates to your selected scenario, or why it is not applicable in this circumstance.
6.2.1. Authentication
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection,
recording or destruction. In computing, e-Business, and information security, it is
necessary to ensure that the data, transactions, communications or documents
(electronic or physical) are genuine. It is also important for authenticity to validate
that both parties involved are who they claim they are.
6.2.2. Access control
Access to protected information must be restricted to people who are authorized to
access the information. The computer programs, and in many cases the computers
that process the information, must also be authorized. This requires that
mechanisms be in place to control the access to protected information. The
sophistication of the access control mechanisms should be in parity with the value of
the information being protected – the more sensitive or valuable the information the
stronger the control mechanisms need to be. The foundations on which access
control mechanisms are built begin with identification and authentication and lead to
limitations on access to the network.
6.2.3. Data confidentiality
Confidentiality refers to preventing the disclosure of information to
unauthorized individuals or systems. For example, a credit card transaction on the
Internet requires the credit card number to be transmitted from the buyer to the
merchant and from the merchant to a transaction-processing network. The system
attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in databases, log files,
backups, printed receipts, and so on), and by restricting access to the places where it
is stored. If an unauthorized party obtains the card number in any way, a breach of
confidentiality has occurred.
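To make "limiting the places where it might appear" concrete, here is an added example (not from the original paper) of the kind of scrubber that sits in front of a point-of-sale log writer. It finds runs of 13 to 19 digits, keeps only those that pass the Luhn check so that order numbers and timestamps are left alone, and masks everything but the last four digits before the line reaches disk or a backup. The log lines are constructed for the example; the test card numbers are the widely published Visa and Mastercard test values.

```python
"""Keeping card numbers out of log files.

Added example for this section; not from the original paper. A scrubber that
finds 13- to 19-digit runs, keeps only those that pass the Luhn check (so order
numbers are left alone) and masks all but the last four digits before the line
is written to disk. The sample log lines at the bottom are constructed.
"""
import re

# 13..19 digits, optionally separated by single spaces or dashes, and not
# adjacent to other digits on either side
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Replace each Luhn-valid PAN with a masked form keeping the last four."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # a non-card number (order id, phone): leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(_mask, line)


def scrub(lines):
    """Scrub a batch of log lines; this would sit in front of the log writer."""
    return [redact_pans(line) for line in lines]


# Constructed sample lines in the style of a point-of-sale log.
SAMPLE_LINES = [
    "2014-09-05 10:15:02 POS1 sale card=4111 1111 1111 1111 amount=19.99",
    "2014-09-05 10:15:03 POS1 order=1234567890123456 status=ok",
    "2014-09-05 10:16:10 POS2 card=5500000000000004 declined",
]

if __name__ == "__main__":
    for out in scrub(SAMPLE_LINES):
        print(out)
```

The Luhn filter is what keeps the scrubber from mangling every sixteen-digit order number, but it is a heuristic: a PAN written immediately next to other digits can be swallowed into one longer run that fails the check, so the better control is still not to log the number in the first place.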
6.2.4. Data integrity
In information security, integrity means that data cannot be modified undetectably.
This is not the same thing as referential integrity in databases, although it can be
viewed as a special case of Consistency as understood in the classic ACID model of
transaction processing. Integrity is violated when a message is actively modified in
transit. Information security systems typically provide message integrity in addition
to data confidentiality.
6.2.5. Nonrepudiation
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also
implies that one party of a transaction cannot deny having received a transaction nor can the
other party deny having sent a transaction. Electronic commerce uses technology such as
digital signatures and public key encryption to establish authenticity and non-repudiation.
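An added example covering sections 6.2.4 and 6.2.5 (not part of the original paper): a store sends an inventory update to head office with an HMAC-SHA256 tag, and head office recomputes the tag and rejects anything altered in transit, which is the "cannot be modified undetectably" property. The key and the message are assumed values.

```python
"""Message integrity with HMAC-SHA256.

Added example for sections 6.2.4 and 6.2.5; not from the original paper. A
store sends an inventory update to head office with an HMAC tag; head office
recomputes the tag and rejects anything altered in transit. Key and message
are assumed values.
"""
import hashlib
import hmac
import json


def protect(message: dict, key: bytes) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so both ends
    hash identical bytes, then append tag = HMAC-SHA256(key, body) as hex."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + tag.hex().encode()


def verify(wire: bytes, key: bytes):
    """Return the parsed message if the tag is valid, otherwise None.
    compare_digest runs in constant time so the comparison leaks no timing."""
    body, sep, tag_hex = wire.rpartition(b".")   # the hex tag contains no '.'
    if not sep:
        return None
    try:
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    key = b"store-to-hq-shared-key"          # assumed pre-shared key
    update = {"store": 2, "sku": "CD-1042", "qty": 5, "price": 19.99}
    wire = protect(update, key)
    print(verify(wire, key))                                    # the update
    forged = wire.replace(b'"qty":5', b'"qty":500')             # quantity edited in transit
    print(verify(forged, key))                                  # None
```

On non-repudiation: both the store and head office hold the same key, so a valid tag shows that the update was not altered but cannot prove which of the two produced it, and either side could later deny sending it. That is why section 6.2.5 points to digital signatures, where only the signer holds the private key, rather than to a shared-key MAC.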
6.2.6. Logging and monitoring
Change management is a formal process for directing and controlling alterations to the
information processing environment. This includes alterations to desktop computers, the
network, servers and software. The objectives of change management are to reduce the risks
posed by changes to the information processing environment and improve the stability and
reliability of the processing environment as changes are made. It is not the objective of
change management to prevent or hinder necessary changes from being implemented.
Any change to the information processing environment introduces an element of risk. Even
apparently simple changes can have unexpected effects. One of management's many
responsibilities is the management of risk, and change management is a tool for managing
the risks introduced by changes to the information processing environment. Part of the
change management process ensures that changes are not implemented at inopportune
times, when they may disrupt critical business processes or interfere with other changes
being implemented.
Not every change needs to be managed. Some kinds of changes are a part of the everyday
routine of information processing and adhere to a predefined procedure, which reduces the
overall level of risk to the processing environment. Creating a new user account or deploying
a new desktop computer are examples of changes that do not generally require change
management. However, relocating user file shares, or upgrading the Email server pose a
much higher level of risk to the processing environment and are not a normal everyday
activity. The critical first steps in change management are (a) defining change (and
communicating that definition) and (b) defining the scope of the change system.
Change management is usually overseen by a Change Review Board composed of
representatives from key business areas, security, networking, systems administration,
database administration, applications development, desktop support, and the help desk. The
tasks of the Change Review Board can be facilitated with an automated workflow
application. The responsibility of the Change Review Board is to ensure that the organization's
documented change management procedures are followed.
6.3. Firewall system
Outline the roles of the following network security control devices and how these basic security infrastructures are used to protect the company’s network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. Include how the firewall system is or is not applicable to the company’s network configuration in your selected scenario.
6.3.1. Packet-filtering router firewall system
Firewalls, according to Cheswick and Bellovin, may be generally classified into three types: packet filters, application gateways, and circuit gateways. Packet filters block the transmission of packets based upon the protocol, address, and/or port identifier, while application gateways filter traffic using application-specific rules. Circuit gateways act as a TCP relay; an external remote host connects to a TCP port at the gateway and the gateway, in turn, establishes a TCP connection to the intended destination on the internal local network. Often, more than one of these types may be used together.
When setting up packet filters, you must first determine what filtering capabilities your router has and where you want to filter. If your router has one or more LAN ("inside") ports and/or one or more WAN ("outside") ports, you probably want to filter on the outside, to protect the router. Most routers do, in fact, allow you to build packet filters and apply them on a per-port basis.
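As an added example (not part of the original paper or of any particular router's configuration), the Python below models the packet-filter behaviour the two paragraphs describe: an ordered rule list applied on the outside interface, first match wins, and a default deny for anything unmatched. The addresses (203.0.113.1 for the store router, 198.51.100.0/24 for head office, 10.0.0.0/8 for the inside range) and the rules themselves are assumptions.

```python
"""Stateless packet filter: ordered rules, first match wins, default deny.

Added example for this section; not from the original paper or from any
router's configuration. The policy below is an assumed inbound rule set for
the outside (WAN) interface of a store router: 203.0.113.1 is the router,
198.51.100.0/24 is head office, 10.0.0.0/8 is the inside address range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def decide(rules, pkt: Packet) -> str:
    """Walk the list in order; the first matching rule decides. Anything that
    matches no rule is denied, so a forgotten rule fails closed."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


STORE_INBOUND = [
    # anti-spoofing: a packet arriving from outside must not claim an inside source
    Rule("deny", src="10.0.0.0/8"),
    # the router's own management services are not reachable from the Internet
    Rule("deny", proto="tcp", dst="203.0.113.1/32", dport=22),
    Rule("deny", proto="tcp", dst="203.0.113.1/32", dport=23),
    # IPsec (IKE and NAT-T) from head office to the store router only
    Rule("allow", proto="udp", src="198.51.100.0/24", dst="203.0.113.1/32", dport=500),
    Rule("allow", proto="udp", src="198.51.100.0/24", dst="203.0.113.1/32", dport=4500),
    # no final rule: decide() supplies the implicit default deny
]

if __name__ == "__main__":
    samples = [
        Packet("udp", "198.51.100.7", "203.0.113.1", 500, 500),    # VPN from head office
        Packet("udp", "192.0.2.9", "203.0.113.1", 500, 500),       # IKE from elsewhere
        Packet("tcp", "192.0.2.9", "203.0.113.1", 40000, 22),      # ssh to the router
        Packet("udp", "10.1.2.3", "203.0.113.1", 500, 500),        # spoofed inside address
    ]
    for pkt in samples:
        print(decide(STORE_INBOUND, pkt), pkt)
```

Note that the anti-spoofing deny sits before the VPN allow: rule order is part of the policy. A stateless filter like this also has no idea whether a packet belongs to an established connection, which is one reason the screened-host and screened-subnet designs below add an application gateway behind the router instead of relying on the router alone.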
6.3.2. Screened host firewall system
The screened host firewall is more flexible than the dual-homed gateway firewall;
however, the flexibility is achieved at some cost to security. The screened host firewall is
often appropriate for sites that need more flexibility than the dual-homed gateway firewall
provides. It combines a packet-filtering router with an application gateway located on the
protected subnet side of the router. The application gateway needs only one network
interface. The application gateway's proxy services pass TELNET, FTP, and other services
for which proxies exist to site systems, while the router filters or screens inherently
dangerous protocols from reaching the application gateway and site systems (Wack, 1995).
6.3.3. Screened-Subnet firewall system
In network security, a screened subnet firewall is a variation of the dual-homed
gateway and screened host firewall. It can be used to separate components of the
firewall onto separate systems, thereby achieving greater throughput and flexibility,
although at some cost to simplicity. As each component system of the screened
subnet firewall needs to implement only a specific task, each system is less complex
to configure.
7. References
Cite all your references by adding the pertinent information to this section by following this example.
Merkow, M. & Breithaupt, J. (2006). Information Security: Principles and Practices. Upper Saddle River, NJ: Pearson/Prentice Hall.
Wack, J. (1995). Screened Host Firewall. http://www.vtcif.telstra.com.au/pub/docs/security/800-10/node57.html. Last accessed March 11, 2012.
Wold, G. (1992). Disaster Recovery Planning Process. Retrieved from http://www.drplan.com/ArticleDRP1.htm