Wan_Design
2013-11-13
Information Security Policy
Student Name: Cory Rhyne
Axia College
IT/244 Intro to IT Security
Instructor’s Name: Jeff Colorossi
Date: 12-12-10
Table of Contents
1. Executive Summary
2. Introduction
3. Disaster Recovery Plan
3.1. Key elements of the Disaster Recovery Plan
3.2. Disaster Recovery Test Plan
4. Physical Security Policy
4.1. Security of the facilities
4.1.1. Physical entry controls
4.1.2. Security offices, rooms and facilities
4.1.3. Isolated delivery and loading areas
4.2. Security of the information systems
4.2.1. Workplace protection
4.2.2. Unused ports and cabling
4.2.3. Network/server equipment
4.2.4. Equipment maintenance
4.2.5. Security of laptops/roaming equipment
5. Access Control Policy
6. Network Security Policy
7. References
Executive Summary
With a secure building and company, the Bloom Design Group will be able to feel confident that, with a few modifications to daily routines and a few more processes needed to perform their jobs, the company will be secure from possible threats.
With some changes the Bloom Design Group can keep all records confidential by allowing only key personnel to make or copy any data; this will keep the integrity of all data intact and available to the employees who need to view it.
Change is not easy; however, with the proper training the transition can be a smooth one. Knowing who is in the building and who is delivering products to it can be monitored by security personnel, who will help keep any breaches to a minimum.
The Bloom Design Group only needs to secure two buildings; with the majority of the employees working remotely offsite, the need for secure networks is equally important.
Introduction
1 Company overview
The Bloom Design Group offers design services to people throughout the world. The company has a corporate office in New York and another office in Los Angeles. It is a web-based company whose virtual design tool allows a person to see how their decorating choices will work and make changes as they go. Decorators have access to client files, company style guides and the ability to process orders for the different materials and furniture a client is purchasing. The designers use a secure login and password to access the website and its features. The company's employees work remotely and access the corporate network through a secure VPN.
2 Security policy overview
The system-specific policy is the appropriate policy for this company because it will dictate who is allowed to read as well as make changes to data in the system, the conditions under which data can be read or modified and, most importantly, who is allowed to dial into the system from an outside location.
3 Security policy goals
1 Confidentiality
Confidentiality is important all the time, and this policy will protect the data by only allowing certain key individuals to have access to certain information. It will ensure that no unauthorized individuals will be able to gain access to the information with the use of ID authentication and passwords.
2 Integrity
Data is kept trustworthy by protecting it from intentional or accidental changes. This policy will do so by preventing unauthorized people from making changes to data and its programs and by preventing authorized users from making improper or unauthorized changes; it will also maintain the internal and external consistency of all data and its programs.
3 Availability
Data and resources will be kept available to all authorized users during emergencies and/or disasters. All information will be stored at a remote location and all data will be backed up to this location to ensure the data is accessible to authorized users and can be recovered if needed. Again, the data will only be accessed through ID authentication and the appropriate password. By storing the data in this manner, all data will remain pure and trustworthy.
Disaster Recovery Plan
1 Risk Assessment
1 Critical business processes
The Bloom Design Group has two offices and a remotely accessed network system. The company needs to be able to communicate with its offices as well as with the employees in the field. The computers, subsystems and the network need to stay intact so customers and employees can do business.
2 Internal, external, and environmental risks
If the corporate office were to have a major fire, the company could lose major and minor systems as well as access to important personal customer data. This would result in a shutdown of business due to system loss.
2 Disaster Recovery Strategy
With a shared-site agreement, if all information were stored off site and it was secure and safe, then a warm site would be the best avenue to take, because minimal equipment would be needed in order to access the information. This would help the company be up and running with minimal downtime.
This would minimize the response time to restore business, and recovery time would be held down as well because business is restored quickly. In the event that a disaster did happen, we can then look at exactly what happened and how we can prevent it from happening again.
3 Disaster Recovery Test Plan
1 Walk-throughs
During the walk-through test, team members will meet and talk about all the specific steps of the DRP as it is described in the actual plan. The purpose of this is to see the overall effectiveness of the DRP in order to identify any issues like gaps, bottlenecks or any other problems in the plan.
2 Simulations
The company will do a simulation of a disaster for this test. The simulation needs to consider the test purpose, various objectives, assignments, assumptions and the steps of the test. Testing should include notification procedures, operating procedures, backup and recovery operations. All personnel, software, hardware, communications, documentations and utilities should be thoroughly tested.
3 Checklists
Checklists determine if there are enough supplies stored at a secondary site. There should be a copy of the DRP, up to date phone lists and operational manuals at this site. This test will ensure that the company is complying with the DRP. This test and the structured walk-through test should be done before more in-depth testing is done.
4 Parallel testing
This test, which can be done at the same time as the above tests, uses information such as transactions from a different day, which are processed against the previous day's files held on backup at the alternate site. All of the reports at the secondary site for the actual date of business should correspond with the reports at the real site.
5 Full interruption
This test will actually activate the disaster recovery plan and could actually disrupt operations so it needs to be done with caution and enough time needs to be put aside for the test. Do not do this test during critical times in the day like the last days of the month. The test should last long enough to be able to measure an adequate time for response.
Different scenarios should be planned which will determine the disaster type, amount of damage, recovery, availability of staff and equipment and available backup resources. This test needs to determine at which time any particular person needs to do any certain thing. This test should be done in stages so the workability of each stage can be worked out before you test the entire plan during the test. It might be beneficial to perform this test during hours which the business is closed or on weekends so any disruptions will be held to a minimum. Once the plan is widely known and everyone knows what they are expected to do, you can do a test which is not announced to see exactly how prepared everyone is in knowing how to proceed.
Physical Security Policy
1 Security of the building facilities
1 Physical entry controls
In order to enter each of the buildings, each employee should wear a photo ID badge which will have their department on it.
2 Security offices, rooms and facilities
All security offices and secure rooms will be accessed by magnetic key cards. Each facility will have security cameras at each hallway intersection as well as inside each of the secure rooms, and there will be a security desk with security guards performing a walk-through several times each day.
3 Isolated delivery and loading areas
All delivery and loading areas will have monitored security cameras. Delivery persons will sign in, showing their ID badge, and will have security guards escorting them while on the premises. Each loading area will have external lights to keep it bright 24 hours a day.
2 Security of the information systems
1 Workplace protection
Each building will have a secured parking area with roving security guards as well as on site security. There will be no visitors of a personal nature while onsite.
2 Unused ports and cabling
Enter your text here
3 Network/server equipment
All network and server equipment will be in a secure room, and the only personnel who will be able to access this room will be IT personnel. This room will be under 24-hour monitoring, and a key card and biometric scanner will be needed to gain entry.
4 Equipment maintenance
All routine maintenance will be performed after hours and any unscheduled maintenance will be done as needed; it will be done only by in-house IT personnel.
5 Security of laptops/roaming equipment
All company laptops will have thumbprint scanners and LoJack protection devices installed on them; all roaming equipment that may be needed will be signed for and have LoJack devices installed; and all laptops and equipment will be password protected. All information from or to laptops or roaming equipment will be monitored and recorded for security purposes.
Access Control Policy
1 Authentication
For authentication you want to know who is accessing your data, what they are trying to get to and where the person is trying to access the information from.
This is done to guarantee that a person has permission to access the data by having them enter their user name and password. Once this is entered you can see their access privileges and rights.
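The who/what/where check described above can be implemented as a small authenticator that verifies a user name and password against a stored salted hash and records every attempt. This is an added example, not code from the paper or from the Bloom Design Group; the user name, password, resource name and source address are constructed placeholders, and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed work factor for PBKDF2-HMAC-SHA256 (example value, not a policy figure).
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Create a stored credential record: a random salt plus the derived key.
    The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


@dataclass
class Authenticator:
    users: dict                                   # username -> credential record
    audit: list = field(default_factory=list)     # who / what / where log of attempts

    def login(self, username: str, password: str, resource: str, source_ip: str) -> bool:
        """Verify the password and log the attempt; returns True only on success."""
        record = self.users.get(username)
        if record is None:
            # Derive a key anyway so an unknown user takes as long as a wrong password
            # and the response time does not reveal which user names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            ok = False
        else:
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                            record["salt"], ITERATIONS)
            # Constant-time comparison of the derived keys.
            ok = hmac.compare_digest(candidate, record["hash"])
        # Record who tried, what they wanted, where they came from and the outcome.
        self.audit.append({"who": username, "what": resource,
                           "where": source_ip, "ok": ok})
        return ok


if __name__ == "__main__":
    # Constructed credential store with a single designer account.
    auth = Authenticator(users={"designer01": make_record("constructed-pass")})
    print(auth.login("designer01", "constructed-pass", "client_file_42", "198.51.100.7"))
    print(auth.login("designer01", "wrong-pass", "client_file_42", "198.51.100.7"))
    for entry in auth.audit:
        print(entry)
```

The audit list is what the policy's "monitoring and recording" requirement turns into in practice: a reviewer can see failed attempts per user and per source address without ever seeing a password.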
2 Access control strategy
1 Discretionary access control
Discretionary access will protect the data by denying access for individuals because of who they are or because they may be involved with other persons who may form a threat. This is a useful security measure because only the reliable person can gain access to the data.
The Bloom Design Group has the ultimate responsibility to secure the information and it is also their responsibility to set up the access controls needed for their employees so all information is safe and secure.
2 Mandatory access control
Mandatory access control will always check the validity of credentials that validate aspects the user cannot control (IP address, host name). It will be used to restrict access based on the sensitivity of the data being accessed until there has been formal authorization that the data can be accessed by that person.
3 Role-based access control
Role-based access control will need to be used because the Bloom Design Group has several employees, and each of these employees has their own job needs; even though they may need access to data, the type of access will be set up so the person has only the basic clearance needed to access data for their job.
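The three strategies above (discretionary, mandatory and role-based) can be combined in one access decision: the role must carry the permission, the user's clearance must cover the data's sensitivity label, and the object's owner must have granted access. The following is an added example, not the paper's own material; the roles, permissions, sensitivity levels, user and file names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity labels for the MAC check (higher number = more sensitive).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Constructed role permissions: each role gets only what its job needs (RBAC).
ROLE_PERMISSIONS = {
    "designer": {"read:client_file", "read:style_guide", "write:order"},
    "it_staff": {"read:server_config", "write:server_config"},
    "security": {"read:access_log"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str          # RBAC input
    clearance: str     # MAC input


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str          # matched against role permissions, e.g. "client_file"
    owner: str         # DAC input: the owner controls the access list
    level: str         # MAC input: sensitivity label of the data
    acl: frozenset     # DAC input: user names the owner has granted access


def check_access(user: User, resource: Resource, action: str):
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    # RBAC: the role must carry the permission for this action on this kind of data.
    if f"{action}:{resource.kind}" not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, "rbac: role lacks permission"
    # MAC: the user's clearance must be at least the data's sensitivity label.
    if LEVELS[user.clearance] < LEVELS[resource.level]:
        return False, "mac: clearance below data sensitivity"
    # DAC: the owner decides who else may touch the object.
    if user.name != resource.owner and user.name not in resource.acl:
        return False, "dac: not owner and not on the access list"
    return True, "allowed"


if __name__ == "__main__":
    alice = User("alice", "designer", "internal")
    client_file = Resource("client_file_42", "client_file", "bob", "internal",
                           frozenset({"alice"}))
    print(check_access(alice, client_file, "read"))    # allowed
    print(check_access(alice, client_file, "write"))   # rbac denies
```

Evaluating the cheapest and most restrictive check first (the role table) keeps the decision fast, and returning the failing check's name gives the logging and monitoring service something concrete to record.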
3 Remote access
The Bloom Design Group needs remote access available because there are several employees who work at remote locations performing their job duties. They need to be able to log in to company computers from their laptop computers.
Each remote employee will have their own private user ID and password capable of accessing computers inside the Bloom Group.
Network Security Policy
Due in Week Nine: Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.
1 Data network overview
The Bloom Design Group uses local area networks, wide area networks and the Internet to do business each day. These are used to communicate inside the buildings and between the two buildings, and to let employees working in remote locations communicate with the company when placing and checking on orders from customers.
2 Network security services
For each security service, briefly describe how it is used to protect a network from attack. Include why the service will be used for network security as relates to your selected scenario, or why it is not applicable in this circumstance.
1 Authentication
Monitoring and recording who is trying to access data, what data they are trying to access and where the person is will help authenticate employees and data.
2 Access control
Access control will be achieved by only allowing employees access to the data that is needed for their work. Because there are employees who work off site at different locations, the need for control is important.
3 Data confidentiality
Data will be kept confidential by tracking exactly who is accessing the data and ensuring only the right personnel are able to access, copy or make changes to a certain set of data.
4 Data integrity
Enter your text here
5 Nonrepudiation
Enter your text here
6 Logging and monitoring
Enter your text here
3 Firewall system
1 Packet-filtering router firewall system
Packet filters block the transmission of packets based upon the protocol, address, and/or port identifier. This is useful because several types of routers employ filtering in some way. Since the Bloom Design group uses several routers, this system would be a good security tool to use.
2 Screened host firewall system
This configuration relies on the router packet-filter rules to allow traffic only between the Internet, the firewall and the public web server; the web server then communicates with the internal servers. If a hacker were able to gain access to the web server, they would be able to use the web server to access the internal servers. This would not work for the Bloom Design Group.
3 Screened-Subnet firewall system
The purpose of the screened subnet architecture is to isolate the DMZ and its publicly-accessible resources from the intranet, thereby focusing external attention and any possible attack on that subnet. The architecture also separates the intranet and DMZ networks, making it more difficult to attack the intranet itself. When a properly configured firewall is combined with the use of private IP addresses on one or both of these subnets, attack becomes that much more difficult.
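The packet-filtering rules described in the first firewall item and the DMZ/intranet separation of the screened-subnet item can be shown together as a small first-match filter with a default-deny rule. This is an added example, not code from the paper; the address ranges (a documentation range standing in for the DMZ, a private range for the intranet) and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp" or "udp"
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source network in CIDR notation
    dst: str                  # destination network in CIDR notation
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when protocol, addresses and port all fit."""
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed address plan (assumption): DMZ in a documentation range, intranet private.
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
INTRANET = "10.0.0.0/8"

# Screened-subnet rule set: the public web server is reachable, the intranet is not.
RULES = [
    Rule("allow", INTERNET, WEB_SERVER, "tcp", 443),   # public HTTPS to the DMZ web server
    Rule("allow", INTRANET, DMZ, "tcp", 443),          # staff may reach the DMZ web server
    Rule("deny", DMZ, INTRANET, None, None),           # DMZ hosts never originate into the intranet
    Rule("deny", INTERNET, INTRANET, None, None),      # nothing from outside reaches the intranet
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule decides; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample traffic.
    for pkt in [Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
                Packet("192.0.2.10", "10.1.2.3", "tcp", 3306)]:
        print(pkt, "->", filter_packet(pkt))
```

The explicit deny rules for DMZ-to-intranet traffic are what make a compromised web server less useful to an attacker than in the screened-host layout, and the final default deny means a port that nobody thought to list (port 22 to the web server above) stays closed.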
References
Merkow, M. S., & Breithaupt, J. (2006). Information Security Principles of Success. Pearson Education.