project part 2 multi layered security plan
TRANSCRIPT
Project Part 2
Members:Adams, Jerold Lasane, AnthonyAlexander, Cliffton Lopez, MarieDubin, Chris Matthews, AmityIrvin, Janoyia Morales, Alejandro
Johns, PhilipSchulman, MatthewDavonte Brown
Jones, Xavier
Multi-Layered Security Plan: For Richman Investments
Main Branch: Phoenix, Arizona
Eight Branches: Atlanta, Georgia; Chicago, Illinois; Cincinnati, Ohio; Denver, Colorado; Los
Angeles, California; Montreal, Canada; NY City, New York; Washington, D. C.
Addressing this premise: Richman, has 5,000 employees throughout the main office and
several branch offices, you must research solutions and detail the appropriate access controls
including policies, standards, and procedures that define who users are, what they can do, which
resources they can access, and which operations they can perform on a system.
PART ONE: Description and definitionof the level of security classification from top to lower
and determining the person(s) or users for each security level. From highest level which is the
5th Level to the lowest level which is 1st Level.
Level A. 5th Level Security Clearance: Executives VP level and above
Level B. 4th Level Security Clearance: General Managers
Level C. 3rd Level Security Clearance: Supervisors, Leads and customers
Level D. 2nd Level Security Clearance: Hourly employees
Level E: 1st Level Security Clearance: Temp employees
PART TWO: Domain Security Plan ALEX
1. User Domain: This first layer of security in a multi-layer security plan is the weakest link in the IT Infrastructure, certain protocols and procedures need to be followed.• Implement and Conduct Security Awareness Training.• Implement Acceptable Use Policy (AUP). • Monitor employee behaviors.• Restrict access to users to certain programs and areas.
2. Workstation Domain: The second layer of security in a MLS plan. This is where most users connect via Workstation computers, PDA’s, Laptops and smartphones. • Admins create a strong password policy, enforcing users to create strong passwords.• Enable Up to date anti-virus programs.• Implement a mandated Employee Security Awareness Training.• Limit access to company approved devices only. • Disable CD drives and USB ports.
3. LAN Domain: The third layer of security in the MLS plan. This is the collection of computers in an area to one another or to a common connection medium. To prevent the unauthorized access, recommend implementing the following:• Physically secure the wiring closets and data centers.• Implement encryption procedures.• Implement strict access policies and second-level authentication.• Implement WLAN network keys that require a password for wireless access.• Implement LAN server and configuration standards, procedures, and guidelines.
4. LAN-to-WAN Domain: The fourth layer in the MLS plan. This is where the IT infrastructure is linked to a wide area network and the Internet.• Disable ping, probing and port scanning.• Apply strict security monitoring controls for intrusion detection and prevention.• Update devices with security fixes and software patches immediately.
PART THREE: Standard Enumeration and Definition
PART FOUR: Tiers of Protection for each level-Level A, Level B, Level C, Level D, Level E
PART FIVE: Policies
I. Acceptable Use Policy MARIE
Richman Investments do recognize the value of computer and other electronic resources to enhance the administration and operations of the company. Richman Investments encourages the responsible use of computers; computer networks, including the Internet; and other electronic resources in support of the mission and goals of the Richman Investments.
Richman Investments adopts this policy governing the use of electronic resources and the Internet to provide guidance to individuals and groups because the Internet is an unregulated, worldwide vehicle for communication, and information available to staff impossible to control.
Richman Investments Rights and Responsibilities
It is the policy of the Richman Investments to maintain an environment that promotes ethical and responsible conduct in all online network activities by staff and management. It shall be a violation of this policy for any employee or other individuals to engage in any activity that does not conform to the established purpose and general rules and policies of the network. Within this general policy, the Richman Investments recognizes its legal and ethical obligation to protect the well-being of all employees. Therefore, the Richman Investments retains the following rights and recognizes the following obligations:
1. Logging, use of the network, monitor fileserver space utilization by users, Richman Investments assumes no responsibility or liability for files deleted due to violation of fileserver space allotments.
2. In removing any user account on the network. 3. Monitoring the use of all online activities. Including real-time monitoring of network
activity and/or maintaining a log of Internet activity for later review. 4. Provision of internal and external controls as appropriate and feasible. These controls
shall include the right to determine who will have access to Richman Investments- owned equipment and, to exclude those who do not abide by the Richman Investments 's acceptable use policy or other policies governing the use of school facilities, equipment, and materials. Richman Investments reserves the right to restrict online destinations through software or other means.
5. Provision of guidelines and to make reasonable efforts to train staff in the acceptable use and policies governing online communications.
Staff Responsibilities:
1. All trainers who are supervising staff to control electronic equipment, or otherwise have occasion to observe staff’s use of said equipment online shall make reasonable efforts to monitor the use of this equipment to assure that it conforms to the mission and goals of the Richman Investments.
2. Staff should make reasonable efforts to become familiar with the Internet and its use so that effective monitoring, instruction, and assistance may be achieved.
User Responsibilities: The use of the electronic media provided by the Richman Investments is a privilege that offers a wealth of information and resources for the company. These resources are offered and available to all staff and other patrons at no cost. All users must agree to learn and comply with all of the provisions of this policy in order to maintain these privileges.
Acceptable Use:
1. The use of the Internet must be in support of Richman Investments. 2. All proper codes of conduct in electronic communication must be used. It is inappropriate
to give out personal information. Whenever a staff is using e-mail, extreme caution must always be taken in revealing any information of a personal nature.
3. All network accounts are to be used only by the authorized owner of the account for the authorized purpose.
4. It is assumed that all communications and information accessible via the network are private property.
5. All staff members must have prior approval from system administrator for subscriptions to mailing lists and bulletin boards. All mailing list subscriptions will be monitored and maintained, and files will be deleted from the personal mail directories to avoid excessive use of fileserver hard-disk space.
6. Be polite. All staff needs to exhibit exemplary behavior on the network as a representative of Richman Investment.
7. Once a year, Richman Investment will make determinations on whether specific uses of the network are consistent with the acceptable use practice.
Unacceptable Use-Prohibition:
1. It is prohibited to give out personal information about another person. This includes home address and phone numbers.
2. All or any use of the network for commercial or for-profit purposes.3. Use of the network in excess for personal business shall be cause for disciplinary action. 4. It is prohibited for any use of the network for product advertisement or political lobbying.5. No intentional use of the network to seek information on, obtain copies of, or modify
files, other data, or passwords belonging to other users, or misrepresent other users on the network.
6. No use of the network shall serve to disrupt the use of the network by others. Hardware and/or software shall not be destroyed, modified, or abused in any way.
7. Malicious use of the network to develop programs that harass other users or infiltrate a computer or computing system and/or damage the software components of a computer or computing system is prohibited.
8. It is prohibited to be involved in hate mail, chain letters, harassment, discriminatory remarks, and other antisocial behaviors. Also to access or process pornographic material, inappropriate text files (as determined by the system administrator or building administrator), or files dangerous to the integrity of the local area network is prohibited.
9. It is prohibited for unauthorized installation of any software, including shareware and freeware, for use on Richman Investments electronic devices.
10. The Richman Investments network may not be used for downloading entertainment software or other files not related to the mission and objectives of the Richman Investments for transfer to a user's home computer, personal computer, or other media. This prohibition pertains to freeware, shareware, copyrighted commercial and non-commercial software, and all other forms of software and files not directly related to the instructional and administrative purposes of the Richman Investments.
11. It is also prohibited to:A. Download, copy, otherwise duplicating, and/or distributing copyrighted materials
without the specific written permission of the copyright owner. B. Use of the network for any unlawful purpose.C. Use of profanity, obscenity, racist terms, or other language that may be offensive
to another user. D. Establishing network or Internet connections to live communications, including
voice and/or video (relay chat), is prohibited unless specifically authorized by the system administrator.
Disclaimer
1. The Richman Investments cannot be held accountable for the information that is retrieved via the network.
2. System administrators have access to all mail and will monitor messages. Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510 et seq.), notice is hereby given that there are no facilities provided by this system for sending or receiving private or confidential electronic communications. Messages relating to or in support of illegal activities will be reported to the appropriate authorities.
3. The Richman Investments will not be responsible for any damages you may suffer, including loss of data resulting from delays, non-deliveries, or service interruptions caused by our own negligence or your errors or omissions. Use of any information obtained is at your own risk.
4. The Richman Investments reserves the right to change its policies and rules at any time.
User Agreement to be signed by all employees of Richman Investments
I have read, understood, and will abide by the above Acceptable Use Policy when using computer and other electronic resources owned, leased, or operated by the Richman Investments. I further understand that any violation of the regulations above is unethical and may constitute a criminal offense. Should I commit any violation, my access privileges may be revoked, disciplinary action may be taken, and/or appropriate legal action may be initiated.
User Name (please print)
User Signature
Date
II. Backup Policy-JANOYIA
Purpose:
The purpose of this policy is to comply with being protected and prepared and pplying Security Rule’s and Requirements pertaining to its response to an emergency or other occurrence that damages systems that containElectronic protection of the companies System and Database.
Scope:
The scope of this Policy contains procedures regarding a contingency plan that shall be developed and implemented in the event of an emergency, disaster or other occurrence (i.e. fire, vandalism, system failure and natural disaster) when any system that contains electronic protecting the system and database is affected, including data backup, disaster recovery planning and emergency mode operation plan. This policy covers all electronic protection of companies database, Disk drives, Tape drives, Digital Audio Tapes, DAT drives, Auto Loader Tape Systems, Magnetic Optical Drives, Removable Disks, Disk Drives. Which is the employee’s identifiable data systems information. This policy covers all Systems Database, which is available currently, or which may be created, used in the future. This policy applies to all Financials, Information technology, Human Resources, Management, Legal and non-employees (including visiting clients, courtesy, affiliate, and adjunct departments, personnel, and others) who collect, maintain, use, or transmit all the companies Data and System Information of Richman Investment and Consulting Firm.
Policy:Richman Investments requires each system that collects, maintains, uses or transmits Information that has been documented. A data backup plan to create, maintain, and recover exact copies of all departments Information. The Data Backup Plan must require that all media used for backing up be stored physically in a secure environment, such as a protected, off-site storage facility. If an off-site storage facility or backup service is used, a written contract or agreement
must be used to ensure that the vendor will safeguard the Information and Database in an appropriate manner. If backup media remains on-site, it must be stored physically in a secure location other than the location of the backed up computer systems. Data backup procedures detailed in the Data Backup Plan must be tested on a periodic basis to ensure that exact copies of information so it can be recovered and made available.
Definitions:
Protected Database and Systems Information: Individually identifiable data information transmitted or maintained in any form.
Electronic Protected Network and Data Information: Individually identifiable information transmitted or maintained in electronic form.
Responsibilities:
Network administrators are responsible for adhering to the standards outlined in this policy when administering Richman Investment computers or network.
Administration and Interpretations:This policy shall be administered by Information Security. Questions regarding this policy should be directed to the Information Security Officer.
Amendment and Termination of this Policy:The Richman Investment reserves the right to modify, amend or terminate this policy at any time. This policy does not constitute a contract between the Database and Systems and its faculty or employees.
References to Applicable Policies:Richman Investment Final Security Rule, 45 CFR Parts 160, 162, and 164Department and Human Services, http://www.cms.hhs.gov/richmaninvestment/networks/regulations/security/default.asp, February 20, 2003.
Exceptions: None
Violations and Enforcement:
Any known violations of this policy should be reported to the Corporate Headquarters Located in Phoenix, Arizona Information SecurityOfficer at 402-280-2386 or via e-mail to [email protected]. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or
disciplinary action in accordance with Companies procedures. The Company may advise law enforcement agencies when a criminal offense may have been committed.
III. Incident Response Policy-ALEXIV. Virtual Private Network (VPN)policy- JEROLDV. Wireless Policy-JEROLDVI. Network Security Policy-ANTHONYVII. Confidential Data Policy-ANTHONYVIII. Mobile Device Policy-CLIFFIX. Outsourcing Policy-CLIFFX. Email Policy-CLIFF
XI. Password Policy-DAVID
XII. Network Access Policy
XIII. Remote Access Policy-DAVID
XIV. Guest Access Policy
XV. Third Party Connection Policy
XVI. Encryption Policy-MATTHEW
XVII. Data Classification Policy-MATTHEW
XVIII. Retention Policy-PHILIP
XIX. Physical Security Policy-PHILIP
PART SIX: Security Standard and procedures for customers.
There are three steps for adhering to the -
First, Assess; Second, Remediate; Third, Report
Network security is a never-ending task; it requires ongoing vigilance. Securing your wireless network can be particularly tricky because unauthorized users can quietly sneak onto your network, unseen and possibly undetected. To keep your WLAN secure, it’s important to stay on top of new wireless vulnerabilities. By regularly performing a vulnerability assessment on your wireless network, you can identify and close any security holes before a hacker can slip through them.
With a WLAN vulnerability assessment, you’re figuring out what your wireless network looks like to the outside world on the Internet. Is there an easy way in to your network? Can unauthorized devices attach themselves to your network? A WLAN vulnerability assessment can answer these questions—and more.
1. Discover wireless devices on your network. You need to know everything about each wireless device that accesses your network, including wireless routers and wireless access points (WAPs) as well as laptops and other mobile devices. The scanner will look for active traffic in both the 2.4GHz and 5GHz bands of your 802.11n wireless network. Then, document all the data you collect from the scanner about the wireless devices on your network, including each device’s location and owner.2. Hunt down rogue devices. Rogue devices are wireless devices, such as an access point, that should not be on your network. They should be considered dangerous to your network security and dealt with right away. Take your list of devices from the previous step and compare it to your known inventory of devices. Any equipment you don’t recognize should be blocked from network access immediately. Use the vulnerability scanner to also check for activity on any wireless bands or channels you don’t usually use.3. Test your authorized access points. Make sure the WAPs on your network are just as secure as your routers and any other device that can be accessed from the Internet. Because anyone can gain access to your network through a WAP, it must have the latest security patches and firmware installed. Make sure you’ve changed the default password from the factory-set ”admin“ to a strong, hard-to-crack password. Also, check that the WAP is configured to use the most secure options such as the strongest available authentication setting and an encrypted admin interface, is using filters to block unauthorized protocols, and is sending security alerts.4. Update your device inventory. Now is a good time to find out if users have brought in any new wireless devices and check for any other new 802.11g or n devices that are accessing your WLAN. Update your inventory to include every smartphone, tablet, laptop, desktop, voice-over-IP (VoIP) phone, and any other wireless device that is approved to access your network. For each of these devices, find out if it is running the most current operating system and associated security patches, is running current antivirus and antispam software, and is configured according to your company’s security policy.5. Take action and eliminate vulnerabilities. The last step is to plug the holes your vulnerability scanner reveals. For instance, install missing or new security patches to your WAPs and to users’ devices, change passwords so they’re more secure, and re-educate users about your security policy and acceptable.Of course, completing these five steps doesn’t mean your work is done. You should test your fixes, making sure they indeed closed the security holes. And then mark your calendar for the next regularly scheduled WLAN vulnerability assessment. http://blogs.cisco.com/smallbusiness/5-steps-for-assessing-your-wireless-network-security/
Vulnerability is a weakness in a covered device that can be exploited by an attacker to gain unauthorized access to covered data. An effective vulnerability assessment and remediation program must be able to prevent the exploitation of vulnerabilities by detecting and remediating vulnerabilities in covered devices in timely fashion. Proactively managing vulnerabilities on covered devices will reduce or eliminate the potential for exploitation and save on the resources otherwise needed to respond to incidents after exploitation has occurred. System and Network Security (SNS) provides a centrally managed campus service that campus units can use to comply with this requirement. https://security.berkeley.edu/content/continuous-vulnerability-assessment-remediation-guideline
A security report, in the simplest terms is a factual retelling of an incident, event or observation.
The purpose of the report is so that it is possible to access details of an occurrence long after
memories have faded. This can be useful for issues as serious as court cases and insurance claims
or to simply provide information which can contribute to improving the policies or procedures on a
site.
Let's take a look now at the five steps involved in making a great report!
1. It is a security report, not a security diary
This means that you should never personalize the report and write in the first person. You should
write in the third person and refer to yourself by name, or if you have established your name and that
you are the writer you may refer to yourself as 'the writer'.
To show how that might look,
"While on routine patrol the writer, Security Guard (S/G) Joe Blow discovered that..."
From this point on the report may refer to security guard Joe Blow as 'The writer' and not have to
write out his entire name each time.
It can be a bit tricky for some writing in the third person but you'll get used to it!
2. Who, What, When, Where, Why and How?
Sometimes, especially if a complicated and very dynamic event has occurred it can be a little
intimidating trying to figure what to write or even where to start.
In every instance it is best to remember that you will be trying to answer the following questions.
WHO: Who were the people involved. Did you get all their information?
WHAT: What were the actions and events that took place during the incident?
When: What was the date and time the incident took place?
Where: What is the specific location(s) where the incident took place?
Why: Describe and explain the purpose of your own actions as it pertains to the incident. Subject
persons may also volunteer motivations for their actions.
How: The vandal broke a window, but did she do it with a rock, or a stick, with her fist?
3. Paint a Clear Picture.
If you answered all the questions in #2 you are well on your way, but there are still a few things to be
mindful of.
Not everyone who reads the report will be from the world of security, so write the report in plain
language and avoid security jargon.
An acronym or abbreviation may be used only if its meaning has first been established. You will
see that this has been done for 'security guard' and 'S/G' in #1.
Avoid slang unless it is a direct quote from a subject person.
Proper grammar, punctuation and syntax all count and not only make your report easier to
understand, it makes it more credible to the reader.
Resist the urge to be poetic or erudite.
Include as much detail as possible and remember you can't assume the reader will know any of
the details unless you describe them.
Include photographs, or failing that sketches. A picture tells a thousand words, after all.
4. Be Objective
While it is virtually impossible to be a 100% neutral observer in what are sometimes very emotionally
charged events, every effort must be made to remain objective.
This means reporting the facts of your observations and not inserting your opinions and biases. To
keep your opinion out is not so hard a task, but to keep out your personal biases can be a little
trickier and maybe harder for you to see for yourself that you are doing it in the first place.
You might be tempted to make it clear in a situation who you think was in the wrong by how you
word your report, but most readers will be savvy enough to detect this and while it may be well
intentioned it could very well backfire.
Res Ipso Facto.
5. Get lots of information!
The more information you can provide the better your report will be. This does not mean to go on for
pages and pages of descriptive prose, but rather that a person who is reading your report who
wasn't present at the time it occurred will only know as much about that event as is written in the
report. Be concise but also information rich. Think back to #2, and if you are pretty sure you have
done a thorough job of answering all of those questions you should do just fine.
Also, it must be stressed that as uncomfortable as it can feel when asking your report will be much
stronger if you verify as much of the information as possible in regards to the persons involved.
There is a difference between knowing someone is Joe Smith because they told you so, and
knowing it because you have seen their passport or driver's license.
PART SEVEN: Standard Compliance for Card Brands used by the company
EXAMPLES: American Express, Discover Financial Services, JCB International,
MasterCard, Visa Inc., Visa Europe
PART EIGHT: Security Standard forms to implement security policies. (Attachments)
Policy Acknowledgement Form
Security Incident Report
Notice of Policy Noncompliance
Account Setup Request
Guest Access Request
Request for Policy Exemption
PART NINE: IT Department- Responsibilities and detailed description of responsibilities
Auditing
Monitoring
Back-up
Risk, Response and Recovery
Determine the types of Encryption to combat the type of malicious codes and malware
Description of the Flow of Communication
Education- Security Awareness and Training
PART TEN: SSCP Seven Domain: INFORMATION SECURITY Responsibilities
1. Access Controls – policies, standards and procedures that define who users are, what they can do, which resources and information they can access, and what operations they can perform on a system.
i. Logical Access Controls - Subjects & Objects ii. Authentication Mechanisms
iii. Access Control Concepts iv. Internetwork Trust Architectures v. Identity Management
vi. Cloud Computing 2. Security Operations and Administration – identification of information assets and
documentation of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability.
i. Code of Ethicsii. Security Administration
iii. Change Managementiv. Security Evaluation and Assistancev. Security Awareness
vi. Information Communication Technology Infrastructurevii. Endpoint Device Security
viii. Data Management Policiesix. Security Concepts
3. Monitoring and Analysis – determining system implementation and access in accordance with defined IT criteria. Collecting information for identification of, and response to, security breaches or events.
i. Continuous Monitoringii. Analysis of Monitoring Results
4. Risk, Response and Recovery – the review, analysis and implementation processes essential to the identification, measurement and control of loss associated with unplanned adverse events.
i. Risk Management Processii. Security Assessment Activities
iii. Incident Handling Analysisiv. Business Continuity Plan (BCP)v. Disaster Recovery Plan (DRP)
5. Cryptography – the protection of information using techniques that ensure its integrity, confidentiality, authenticity and non-repudiation, and the recovery of encrypted information in its original form.
i. Concepts & Requirements of Cryptography ii. Certificate and Key Management
iii. Secure Protocols6. Networks and Communications – the network structure, transmission methods and
techniques, transport formats and security measures used to operate both private and public communication networks.
i. Networksii. Telecommunications
iii. Remote Accessiv. Firewalls & Proxiesv. Wireless & Cellular Technologies
7. Malicious Code and Activity – countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses and other related forms of intentionally created damaging code.
i. Malicious Codeii. Malicious Code Countermeasures
iii. Malicious Activityiv. Malicious Activity Countermeasures
Threat Countermeasures
Spoofing user identity
Use strong authentication.
Do not store secrets (for example, passwords) in plaintext.
Do not pass credentials in plaintext over the wire.
Protect authentication cookies with Secure Sockets Layer (SSL).
Tampering with dataUse data hashing and signing.
Use digital signatures.
Use strong authorization.
Use tamper-resistant protocols across communication links.
Secure communication links with protocols that provide message integrity.
RepudiationCreate secure audit trails.
Use digital signatures.
Information disclosure
Use strong authorization.
Use strong encryption.
Secure communication links with protocols that provide message confidentiality.
Do not store secrets (for example, passwords) in plaintext.
Denial of serviceUse resource and bandwidth throttling techniques.
Validate and filter input.
Elevation of privilegeFollow the principle of least privilege and use least privileged service accounts to run processes and access resources.
REFERENCES:
Sources: Mircosoftkb.acronis.com/knowledgebaseTechnetmircos
http://msdn.microsoft.com/en-us/library/ff648641.aspx
http://msdn.microsoft.com/en-us/library/ff648641.aspx