Page 1: IT244 Final Assignment EXAMPLE

Associate Level Material

Appendix B

Information Security Policy

Student Name: Enter Your Name Here

UNIVERSITY OF PHOENIX

IT/244 INTRO TO IT SECURITY

Instructor’s Name: Enter Your Instructor's Name Here

Date: Enter the date here


Table of Contents

1. Executive Summary
2. Introduction
3. Disaster Recovery Plan
3.1. Key elements of the Disaster Recovery Plan
3.2. Disaster Recovery Test Plan
4. Physical Security Policy
4.1. Security of the facilities
4.1.1. Physical entry controls
4.1.2. Security offices, rooms and facilities
4.1.3. Isolated delivery and loading areas
4.2. Security of the information systems
4.2.1. Workplace protection
4.2.2. Unused ports and cabling
4.2.3. Network/server equipment
4.2.4. Equipment maintenance
4.2.5. Security of laptops/roaming equipment
5. Access Control Policy
6. Network Security Policy
7. References


1. Executive Summary

Due in Week Nine: Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define optimal security architecture for the selected business scenario.

Destructive acts using computer networks have cost billions of dollars and increasingly threaten the resources of network-connected critical infrastructures. Threats to network infrastructures are potentially extensive not only as their value increases in terms of the infrastructures themselves, the value of hosted services, and the value of what is located on them, but also because of their widespread and low-cost access. These infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent. However, we lack a comprehensive understanding of these vulnerabilities—largely because of the extraordinary complexities of many of the problems, and perhaps from too little effort to acquire this understanding. But there is ample evidence that vulnerabilities are there: examples of all three kinds of failure abound, and vulnerabilities are found almost every time people seriously look for them.

Within this vast, complex cyberspace system, it is so simple to connect that users of today’s systems require few skills and little understanding of the underpinnings. Thus, we require not only technical protections but also an awareness and alertness on the part of all users to the dangers inherent in the use of any system connected to a network. Attacks so far have been limited. However, many believe that it is only a matter of time before prolonged, multifaceted, coordinated attacks are going to find those network vulnerabilities and exploit them to produce serious consequences. Prudence dictates better protection against accidents and attacks before things get much worse. All realizations of “visions of the information society” are going to be severely limited if the people in that society do not trust or feel secure with the underlying infrastructures.


Alertness to the dangers requires protections that can stay abreast of changing attack modes. An essential part of a defense strategy is continual network monitoring and innovation in monitoring techniques to minimize the potential for damage from the actions of cybercriminals. However, there are multiple stages of defense and a cycle of understanding, which is a complex system in itself. The overlapping stages of prevention and/or thwarting an attack, incident management, reconstituting after an attack, and improving defender performance by analysis and redesign are essential to understanding the elements of each network intrusion attempt. Invariably, gaining this understanding involves some ability to trace the route of attack to the source so that the attacker can be identified. International cooperation can help to bring about success in this effort, in situations where it would be impossible otherwise.

Faced with the possibility of disruption of critical infrastructures in ways that could have serious consequences, governments should be expected to implement prudent defense plans. Each country should first identify those infrastructures and their interdependencies that are critical to its survival and to its social and economic well-being. Planning for specific defenses of these identified infrastructures may usefully include both passive and active defense forms.


2. Introduction

Due in Week One: Give an overview of the company and the security goals to be achieved.

2.1. Company overview

As relates to your selected scenario, give a brief 100- to 200-word overview of the company.

I have chosen Sunica Music and Movies. It is a multimedia chain that has four locations. The issue that Sunica has encountered is that the four stores operate as separate entities and are in need of an improvement in communication. The four stores are not able to coordinate orders and inventory. Due to the lack of internet base, Sunica’s sales, profit, and customer base have suffered. To achieve an improvement in business productivity, Sunica will need to install web servers in the corporate office located in their data center. These will enable the stores to other sectors of the business such as inventory and accounting, and update data in real time so that sales associates may relay current information to customers.

2.2. Security policy overview

Of the different types of security policies—program-level, program-framework, issue-specific, and system-specific—briefly cover which type is appropriate to your selected business scenario and why.

Sunica should utilize a program-framework and system-specific policy to ensure the system structure has what the company needs in its entirety. A system-specific policy would help to ensure that all employees and management comply with the policies.


2.3. Security policy goals

As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.

2.3.1. Confidentiality

Briefly explain how the policy will protect information.

User authentication would assist in the confidentiality aspect of security. The company should implement passwords and deploy tools such as virtual networking.

2.3.2. Integrity

Give a brief overview of how the policy will provide rules for authentication and verification. Include a description of formal methods and system transactions.

Since the company will be utilizing authentication and passwords, the network will not be accessible to the public. The company could also create a data log to keep a record of which employee is using their password to sign in, view, or modify information.

2.3.3. Availability

Briefly describe how the policy will address system back-up and recovery, access control, and quality of service.

Sunica should put in place a type of disaster plan in the event their company suffers from an emergency. If they employ a disaster plan, the company can back up and log vital company information such as financials.


3. Disaster Recovery Plan

Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.

3.1. Risk Assessment

3.1.1. Critical business processes

List the mission-critical business systems and services that must be protected by the DRP.

No business wants to face the horror of a disaster, be it from Mother Nature, external threats, or other catastrophes, but with a well-crafted disaster recovery plan, the firm may sustain minimal damage. In preparing for disaster, the planning committee should prepare a risk analysis, which should be analyzed to determine the potential consequence and impact of several disaster scenarios. The critical needs of each department within Sunica Music and Movies will include functional operations, key personnel, information, processing systems, service, documentation, vital records, and policies and procedures. Processing and operations should be analyzed to determine the maximum amount of time that the department and organization can operate without each critical system.

3.1.2. Internal, external, and environmental risks

Briefly discuss the internal, external, and environmental risks, which might be likely to affect the business and result in loss of the facility, loss of life, or loss of assets. Threats could include weather, fire or chemical, earth movement, structural failure, energy, biological, or human.


There are many potential threats that may be likely to affect the functioning of Sunica Music and Movies. These risks may be internal, external and environmental. For example, there are natural events that can be devastating for any company. These may include things such as earthquakes, fires, floods, mudslides, and the like. Even more unlikely events such as power outages secondary to solar flares are a potential concern. Furthermore, there are unfortunately multiple situations that may be man-made rather than Mother Nature. These include things such as strikes, work stoppages, sabotage, burglary, or any type of hostile activity.

3.2. Disaster Recovery Strategy

Of the strategies of shared-site agreements, alternate sites, hot sites, cold sites, and warm sites, identify which of these recovery strategies is most appropriate for your selected scenario and why.

Considering that Sunica Music and Movies (SMM) is now using a WAN system to coordinate its business processes, an appropriate disaster recovery plan will include having an alternate site to step in, in the event of an emergency. This will include an outside vendor who will provide backup services in the event that the programs at SMM fail for one reason or another. In the interest of financial feasibility, SMM should contract for a warm site to step in if the home networks are compromised.


3.3. Disaster Recovery Test Plan

For each testing method listed, briefly describe each method and your rationale for why it will or will not be included in your DRP test plan.

3.3.1. Walk-throughs

An initial test of the plan should be performed by conducting a structured walk-through test. The test will provide additional information regarding any further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments (Wold, 1992). The plan should be updated to correct any problems identified during the test. Initially, testing of the plan should be done in sections and after normal business hours to minimize disruptions to the overall operations of the organization. This is an excellent option to include in SMM's disaster recovery plan (DRP).

3.3.2. Simulations

This is a situation where a mockup is created to closely simulate an attack or other danger (Merkow, 2006). This will mimic the response to an emergency as closely as possible. This would also be an excellent option to include in SMM's DRP.


3.3.3. Checklists

In this situation, the members of SMM review a list of their responsibilities during an emergency. This is also a great resource for SMM in the beginning stages of testing their DRP.

3.3.4. Parallel testing

In this situation, both the current systems at SMM and the systems at the warm site will operate at the same time. This provides a comprehensive test of the backup system's ability to handle the data coming through the standard site at SMM. This should be integrated into SMM's DRP to confirm the competence of the system.

3.3.5. Full interruption

In this test, the systems at SMM are shut down completely. This scary but necessary evaluation is used to clarify the usefulness and appropriateness of the backup system. If the backup system does not work, SMM can take the necessary precautions in a situation hopefully less painful than a true disaster. Again, this is a helpful test to include in SMM's DRP.


4. Physical Security Policy

Due in Week Five: Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, “an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure” (p. 165).

Describe the policies for securing the facilities and the policies of securing the information systems. Outline the controls needed for each category as relates to your selected scenario.

These controls may include the following:

Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)

Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)

Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)

4.1. Security of the building facilities

4.1.1. Physical entry controls

An often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that in order to protect logical systems, the hardware running them must be physically secure. If you can’t physically protect your hardware, you can’t protect the programs and data running on your hardware!

For this question, physical security deals with who has access to buildings, computer rooms, and the devices within them. Controlling physical security involves protecting sites from natural and man-made physical threats through proper location and by developing and implementing plans that secure devices from unauthorized physical contact. The level of physical security is typically proportional to the value of the property that is being protected. For a firm such as Sunica Music and Movies (SMM), challenges related to physical security lie in the need to make it simple for people who actually belong in the building to get in and get around but make it difficult for those who do not belong to enter and navigate. Thus, physical security, like many other areas of security, is a careful balancing act that requires trusted people, effective processes that reduce the likelihood of harm from inadvertent and deliberate acts, and appropriate technology to maintain vigilance. The optimal devices for SMM include the use of perimeter security controls as well as badges for all personnel that need to be displayed at all times. The workplace at SMM may be separated into functional areas so that only the desired workers have access to a given area at one time.

4.1.2. Security offices, rooms and facilities

The physical security of the facilities needs to be handled by a small private security force. The security force will have the use of security offices, for the administration of the site's physical security through a site security supervisor. The security force will also have rooms to house the supplies needed for the application of the security of the facilities such as video monitoring and recording equipment, and other miscellaneous monitoring equipment.


4.1.3. Isolated delivery and loading areas

Keeping areas of common access or frequent unsecured access separate from secured areas is a requirement for the continued security of the facilities. By keeping the loading and delivery areas separate and isolated from the secured areas of the facility, the integrity of the facility's security can be assured.

4.2. Security of the information systems

4.2.1. Workplace protection

In work locations with high traffic, like SMM, audit trails allow examiners to trace or follow the history of a transaction through the institution. Bank auditors or examiners, for example, are able to determine when information was added, changed, or deleted within a system with the purpose of understanding how an irregularity occurred and hopefully how to correct it. The immediate goal is to detect the problem in order to prevent similar problems in the future.

4.2.2. Unused ports and cabling

All unused ports must be secured at all times, and if the port is used for transient purposes, such as when a sales or executive employee visits a facility, then provisions must be made by and notice given to the information security department. Ports that are unused that are needed for future expansion plans must be temporarily disconnected until needed.


4.2.3. Network/server equipment

All network and server equipment must be kept in a secure, limited access room or closet to ensure the physical security of the equipment from vandalism or theft. Server equipment needs to be kept in locked, climate-controlled rooms and be locked in a way that limits access only to employees with the need to have access to the equipment. Network equipment, such as hubs and routers, should be secured in closets to prevent tampering and access except by authorized employees.

4.2.4. Equipment maintenance

Computers are particularly sensitive to the smallest fluctuations in temperature and humidity. We frequently take the HVAC environmental controls for granted, but the IT manager or the person or persons responsible for these systems should know exactly what to do and whom to contact in the event of failure. Routine maintenance of critical infrastructure systems should prevent any significant failure of HVAC systems in the event of an emergency.

4.2.5. Security of laptops/roaming equipment

All information technology equipment that does not have a fixed and permanent location must be secured from unlawful use or access. The employees issued mobile computing equipment must understand the importance of the company equipment that they have been charged with. All roaming computing equipment must be secured with a minimum of two-factor authentication, such as a user name and password combination along with a smart card or biometrics authentication method.


5. Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems.

5.1. Authentication

Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.

Access controls are a collection of mechanisms that work together to create security architecture to protect the assets of an information system. One of the goals of access control is personal accountability, which is the mechanism that proves someone performed a computer activity at a specific point in time. As each of the four stores associated with Sunica Music and Movies (SMM) will have access to the computerized files, there need to be security measures put in place to protect the financial and customer data.

5.2. Access control strategy

5.2.1. Discretionary access control

Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner who is responsible for the information and has the discretion to dictate access to that information.

The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s). This is how most corporate systems operate. DAC authority may be delegated to others who then are responsible for user setup, revocation, and changes (department moves, promotions, and so forth). Most of the common operating systems on the market today (Windows, Macintosh, Unix, Novell’s NetWare, and so forth) rely on DAC principles for access and operation. The highest management at SMM will be responsible for determining who is granted access and the level that is given.

5.2.2. Mandatory access control

Describe how and why mandatory access control will be used.

In a system that uses mandatory access control (MAC; also called nondiscretionary access control), the system decides who gains access to information based on the concepts of subjects, objects, and labels. MAC is most often seen in military and governmental systems and is rarely seen in the commercial world. In a MAC environment, objects (including data) are labeled with a classification (e.g. Secret, Top Secret, and so forth), and subjects, or users, are cleared to that class of access. MAC may be a bit too much control for SMM at this time; however, it is a possibility for the future of the company.

5.2.3. Role-based access control

Describe how and why role-based access control will be used.

Role-based access control (RBAC) groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group, and then assigning rights to the group for access control purposes. This is especially helpful where there is a high rate of employee turnover or frequent changes in employee roles. SMM has seen a great deal of employee turnover in the past, and needs to be able to rescind access for employees who choose to leave the company for whatever reason. Moreover, as SMM continues to increase its security with improved access to customer and financial files, this type of security is necessary.

5.3. Remote access

Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN).

Remote Access Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. For example, you may need to dial-up an external network to gain access for performing work, depositing a file, or picking up a file.

A virtual private network (VPN) is another common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or her ISP and initiates a connection to the protected network (often using a RADIUS server), creating a private tunnel between the end points that prevents eavesdropping or data modification. VPNs use strong cryptography both to authenticate senders and receivers of messages and to encrypt traffic so it’s not vulnerable to a man-in-the-middle attack. In addition, many users take advantage of VPN methods to access confidential information such as patient information away from the hospital. This will be ideal for SMM employees to access work information when they are away from the office for one reason or another.


6. Network Security Policy

Due in Week Nine: Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.

6.1. Data network overview

Provide an overview of the network configuration that the company uses. Discuss each network type of Local Area Network (LAN), Wide Area Network (WAN), Internet, intranet, and extranet. Include how the network type is employed in your selected scenario.

Without a security policy, the availability of any network can be compromised. The policy begins with assessing the risk to the network and building a team to respond. Continuation of the policy requires implementing a security change management practice and monitoring the network for security violations. Lastly, the review process modifies the existing policy and adapts to lessons learned.

6.2. Network security services

For each security service, briefly describe how it is used to protect a network from attack. Include why the service will be used for network security as relates to your selected scenario, or why it is not applicable in this circumstance.

6.2.1. Authentication

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.

6.2.2. Access control

Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected – the more sensitive or valuable the information the stronger the control mechanisms need to be. The foundations on which access control mechanisms are built begin with identification and authentication and lead to limitations on access to the network.

6.2.3. Data confidentiality

Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction-processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

6.2.4. Data integrity

In information security, integrity means that data cannot be modified undetectably. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality.


6.2.5. Nonrepudiation

In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation.

6.2.6. Logging and monitoring

Change management is a formal process for directing and controlling alterations to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and improve the stability and reliability of the processing environment as changes are made. It is not the objective of change management to prevent or hinder necessary changes from being implemented.

Any change to the information processing environment introduces an element of risk. Even

apparently simple changes can have unexpected effects. One of Managements many

responsibilities is the management of risk. Change management is a tool for managing the

risks introduced by changes to the information processing environment. Part of the change

management process ensures that changes are not implemented at inopportune times when

they may disrupt critical business processes or interfere with other changes being

implemented.

Not every change needs to be managed. Some kinds of changes are a part of the everyday

routine of information processing and adhere to a predefined procedure, which reduces the

overall level of risk to the processing environment. Creating a new user account or deploying

a new desktop computer are examples of changes that do not generally require change

management. However, relocating user file shares, or upgrading the Email server pose a

much higher level of risk to the processing environment and are not a normal everyday

activity. The critical first steps in change management are (a) defining change (and

communicating that definition) and (b) defining the scope of the change system.


Change management is usually overseen by a Change Review Board composed of representatives from key business areas, security, networking, systems administrators, database administration, applications development, desktop support and the help desk. The tasks of the Change Review Board can be facilitated with the use of an automated workflow application. The responsibility of the Change Review Board is to ensure the organization's documented change management procedures are followed.

6.3. Firewall system

Outline the roles of the following network security control devices and how these basic security infrastructures are used to protect the company’s network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. Include how the firewall system is or is not applicable to the company’s network configuration in your selected scenario.

6.3.1. Packet-filtering router firewall system

Firewalls, according to Cheswick and Bellovin, may be generally classified into three types: packet filters, application gateways, and circuit gateways. Packet filters block the transmission of packets based upon the protocol, address, and/or port identifier, while application gateways filter traffic using application-specific rules. Circuit gateways act as a TCP relay; an external remote host connects to a TCP port at the gateway and the gateway, in turn, establishes a TCP connection to the intended destination on the internal local network. Often, more than one of these types may be used together.

When setting up packet filters, you must first determine what filtering capabilities your router has and where you want to filter. If your router has one or more LAN ("inside") ports and/or one or more WAN ("outside") ports, you probably want to filter on the outside, to protect the router. Most routers do, in fact, allow you to build packet filters and apply them on a per-port basis.

6.3.2. Screened host firewall system

The screened host firewall is more flexible than the dual-homed gateway firewall; however, the flexibility is achieved at some cost to security. The screened host firewall is often appropriate for sites that need more flexibility than that provided by the dual-homed gateway firewall. The screened host firewall combines a packet-filtering router with an application gateway located on the protected subnet side of the router. The application gateway needs only one network interface. The application gateway's proxy services would pass TELNET, FTP, and other services for which proxies exist, to site systems. The router filters or screens inherently dangerous protocols from reaching the application gateway and site systems.
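
The packet filtering of 6.3.1 applied to the screened host router of 6.3.2, as an added example that is not part of the original paper: rules are checked in order on the outside port, the first match decides, and anything unmatched is dropped. The addresses, the rule set and the first-match, default-deny evaluation are assumptions chosen for illustration; real routers differ in rule syntax and defaults.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    protocol: str            # "tcp", "udp" or "any"
    src: str                 # source network in CIDR form
    dst: str                 # destination network in CIDR form
    dst_port: Optional[int]  # None matches every port

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: int

# Constructed addresses from documentation ranges: the application gateway
# is 192.0.2.10 and the protected site systems share 192.0.2.0/24.
GATEWAY = "192.0.2.10/32"
OUTSIDE_INBOUND = [
    Rule("permit", "tcp", "0.0.0.0/0", GATEWAY, 23),  # TELNET to the proxy
    Rule("permit", "tcp", "0.0.0.0/0", GATEWAY, 21),  # FTP to the proxy
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.0/24", None),  # no direct access
]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.protocol in ("any", pkt.protocol)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and rule.dst_port in (None, pkt.dst_port)
    )

def filter_packet(rules, pkt: Packet) -> str:
    """The first matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

def demo() -> list:
    ext = "198.51.100.7"  # constructed external host
    return [filter_packet(OUTSIDE_INBOUND, p) for p in (
        Packet("tcp", ext, "192.0.2.10", 23),   # TELNET to the gateway
        Packet("tcp", ext, "192.0.2.25", 23),   # TELNET straight to a site system
        Packet("udp", ext, "192.0.2.10", 69),   # service with no permit rule
        Packet("tcp", ext, "203.0.113.5", 80),  # matches no rule at all
    )]
```

Because evaluation stops at the first match, moving the broad deny rule above the two permit rules would cut off the application gateway as well, so rule order is part of the policy.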

6.3.3. Screened-Subnet firewall system

In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.
