Thursday, July 18, 2019
Information Security Policy Essay
1. Executive Summary
Due in Week Nine. Write 3 to 4 paragraphs giving a bottom-line summary of the specific measurable goals and objectives of the security plan, which can be implemented to define an optimal security architecture for the selected business scenario.

The goal of this security policy is to lay out a basic plan for a secure information system to be implemented by Bloom Design Group. This policy will protect the corporation's systems from threats that can come from humans and from natural disasters as well. The policy will also take into consideration the privacy, reputation, intellectual property and productivity of the Bloom Design Group. The continued operation of this company depends on being able to access and use resources within the organization and being able to access them remotely with credentials. Each person's role in the company will be considered and the appropriate access will be given to ensure the efficient operation of the business, while not giving access to those who are not authorized. This policy will also assist in the company's adherence to any government regulations. Any disruptions of service or security related issues will be dealt with immediately by means of system software that is automated to handle certain threats. More serious issues will be dealt with by the IT staff whose job it is to oversee the daily operation of the information system.

2. Introduction
Due in Week One. Give an overview of the company and the security goals to be achieved.

2.1. Company overview
The Bloom Design Group is a company that offers interior design services to businesses and individuals around the world. Their corporate office is located in New York with a secondary office in Los Angeles for handling operations on the West coast. They have a web site that offers their customers the ability to work on their designs online and then pay for them through an electronic order processing system. Also, the designers use secure logins and passwords to access the web site. A large part of the workforce works remotely, probably using tablets or iPads connected to secure VPNs (Virtual Private Networks).

2.2. Security policy overview
Bloom Design Group already provides secure logins and passwords to their employees, so they already have some type of system set up. However, this does not mean it is a system that works efficiently. I think the appropriate security policy to implement for this project would be specific to this outline.

2.3. Security policy goals
As applies to your selected scenario, explain how the confidentiality, integrity, and availability principles of information security will be addressed by the information security policy.

2.3.1. Confidentiality
The policy I plan to implement will help to protect information by covering how the company handles sensitive information such as employee and client records, trade secrets, and other sensitive data.

2.3.2. Integrity
Since the company will be using passwords and secure logins, the system will not be accessible to the public, so the primary focus should be on the employees. Authentication and verification can be done using a data log to keep records of employees' activity while on the company's VPN. Also, the use of a firewall will help with integrity as it will keep employees from unknowingly accessing damaging websites.

2.3.3. Availability
The policy I plan to use will help with back-up and recovery by the possible use of cloud storage or a central data storage center.
Although they are already using secure logins for access control, the whole system needs to be reviewed. This is to make sure only authorized staff members have access to sensitive areas.

3. Disaster Recovery Plan
Due in Week Three. For your selected scenario, describe the key elements of the Disaster Recovery Plan to be used in case of a disaster and the plan for testing the DRP.

3.1. Risk Assessment

3.1.1. Critical business processes
The mission-critical business systems and services that must be protected by this DRP are Payroll, Human Resource Data, POS backup media, and Web Servers and their services.

3.1.2. Internal, external, and environmental risks
Examples of internal risks that may affect business are unauthorized access by individuals who are employed by the company, and by those who aren't employed by the company but still have access to individual stores' computer systems, applications, or areas where the servers and backup media are located. Other external and environmental risks include fire, floods, power outages, hardware failure, software glitches and failure, storms, and other acts of nature.

3.2. Disaster Recovery Strategy
In most cases, having an alternative site (a hot site, warm site, or cold site depending on the disaster) would be the correct way of dealing with most disasters. With Bloom Design Group I think having a warm site facility would be the best option. Warm sites are cheaper than hot sites but require more effort. On the other hand, they are more expensive than cold-site facilities but less labor intensive and more likely to be effective in a disaster. Also, having a backup and storage site to work from, and to recover from, for the main servers and web services is a good idea.

3.3. Disaster Recovery Test Plan
For each testing method listed, briefly describe the method and your rationale for why it will or will not be included in your DRP test plan.

3.3.1. Walk-throughs
This test plan would be a great way for the key personnel to come together and form a plan of action in the event of an emergency. Due to Bloom Design Group being spread across a large country, it might require some video conferencing and travel on the part of some employees.

3.3.2. Simulations
I think this test plan is the most effective when compared to the others. Simulating an actual emergency is a great way for people to get used to operating in a critical time under pressure. This will show you where your people have their strengths and weaknesses when attempting to recover from a disaster.

3.3.3. Checklists
This passive type of testing would be a good system to implement on a weekly or monthly basis depending on the needs of the company. This will help in detecting problems before they become a major issue.

3.3.4. Parallel testing
Since Bloom Design Group is changing their security parameters and does not have an equivalent system already implemented, parallel testing would not be appropriate for this security policy.

3.3.5. Full interruption
I think this is another very effective way to test the system in the event of an emergency. However, to minimize inconveniences to the customers it would have to be done during off hours.

4. Physical Security Policy
Due in Week Five. Outline the Physical Security Policy. Merkow and Breithaupt (2006) state, "an often overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, in order to protect logical systems, the hardware running them must be physically secure" (p. 165). Describe the policies for securing the facilities and the policies for securing the information systems.
Outline the controls needed for each category as relates to your selected scenario. These controls may include the following:
- Physical controls (such as perimeter security controls, badges, keys and combination locks, cameras, barricades, fencing, security dogs, lighting, and separating the workplace into functional areas)
- Technical controls (such as smart cards, audit trails or access logs, intrusion detection, alarm systems, and biometrics)
- Environmental or life-safety controls (such as power, fire detection and suppression, heating, ventilation, and air conditioning)

4.1. Security of the building facilities

4.1.1. Physical entry controls
At the two office locations (Los Angeles, New York) for Bloom Design Group I would use employee badges that double as an electronic key to access the building and other sensitive locations. This will work in conjunction with an access control system that limits entrance/exit to the offices through one main entrance. There will be an employee entrance as well, also to be accessed by an electronic badge.

4.1.2. Security offices, rooms and facilities
For the security offices I would implement biometric scanners due to the sensitive equipment inside. Other rooms and facilities of a sensitive nature will utilize electronic badges with a picture and name of the employee.

4.1.3. Isolated delivery and loading areas
For these areas I would implement electronic key card access with the use of a CCTV system recording to a DVR. With a CCTV camera located on the driver door in the loading area, the person responsible for deliveries will know when a delivery is being made and can observe the outside environment before opening the door.

4.2. Security of the information systems

4.2.1. Workplace protection
For this part of the security policy I would utilize pre-employment screening and mandatory vacation time. This prevents people from hiding illegal activities while performing their duties. Also, I would set up privileged entity controls so operators and system administrators have special access to computing resources.

4.2.2. Unused ports and cabling
For unused ports I would use a piece of security equipment that can be plugged into the unused port and can only be removed by someone with a special key. This will help prevent unauthorized access into the network. For unused cabling I would secure it in a secure storage area which can only be accessed by authorized personnel. If the above mentioned equipment isn't available then the port should be removed.

4.2.3. Network/server equipment
Being that this is some of the most critical equipment for business operations, I would use biometric locks and scanners on any room that contains this equipment. Also these rooms will be environmentally controlled with air conditioners and dehumidifiers to allow the equipment to operate at peak efficiency.

4.2.4. Equipment maintenance
Since a lot of the equipment is spread across a large region I would utilize remote communication connections to troubleshoot issues. If the maintenance need is more severe, then I would have a small centrally located facility that specializes in assessing and repairing malfunctioning equipment.

4.2.5. Security of laptops/roaming equipment
For laptops and roaming equipment I would equip all devices with a GPS tracker and encryption software to protect against unauthorized access. The equipment itself would be stored in a secure storage room with access being tightly controlled.

5. Access Control Policy
Due in Week Seven. Outline the Access Control Policy. Describe how access control methodologies work to secure information systems.

5.1. Authentication
Authentication credentials permit the system to verify one's identification credential. Authenticating yourself to a system tells it the information you have established to prove that you are who you say you are. Most often, this is a simple password that you set up when you receive the privilege to access a system. You may receive an assigned password initially with the requirement that you must reset it to something more personal, something that only you can remember. However, passwords are the easiest type of authentication to beat. Free and widely available programs are available on the Internet to break the security afforded by passwords on most of the commonly used systems.

With two or three factors to authenticate, an information owner can gain confidence that users who access their systems are indeed authorized to access their systems. This is accomplished by adding more controls and/or devices to the password authentication process. Biometric scanning uses unique human characteristics to identify whether the person trying to gain access is authorized to enter or not. One common approach to managing IDs and passwords is to create a password or PIN vault. These programs use secure methods to locally store IDs and passwords that are protected by a master password that unlocks the vault when it's needed.

5.2. Access control strategy

5.2.1. Discretionary access control
The discretionary access control system will be used for Bloom Design Group because this is the favored approach in the corporate environment, and due to the wide area of operations this will allow several authorized users to have access to the system at any given time. The principle of least privilege is the predominant strategy to assure confidentiality. The objective is to give people the least amount of access to a system that is needed to perform the job they're doing. The need-to-know dictates the privilege (authority) to perform a transaction or access a resource (system, data, and so forth). An information owner is one who maintains overall responsibility for the information within an information system.
For the Bloom Design Group the information owner is going to be the corporate head of IT operations.

5.2.2. Mandatory access control
In a system that uses mandatory access control (MAC, also called nondiscretionary access control), the system decides who gains access to information based on the concepts of subjects, objects, and labels. Since the Bloom Design Group is spread out over such a large area I do not think this is the best choice for this scenario. MAC is better suited for military or governmental systems.

5.2.3. Role-based access control
Role-based access control (RBAC) groups users with a common access need. You can assign a role to a group of users who perform the same job functions and require similar access to resources. This would also be appropriate for this scenario because it will allow the information owner to easily assign access to certain groups such as designers, office personnel, customer service associates and so forth.

5.3. Remote access
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics. A virtual private network (VPN) is another common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or her ISP and initiates a connection to the protected network (often using a RADIUS server), creating a private tunnel between the end points that prevents eavesdropping or data modification.

6. Network Security Policy
Due in Week Nine. Outline the Network Security Policy. As each link in the chain of network protocols can be attacked, describe the policies covering security services for network access and network security control devices.

6.1. Data network overview
Due to the large geographic distances between Bloom Design Group offices, a WAN is going to be utilized. A WAN covers a larger geographic area than a LAN (technically, a network that covers an area larger than a single building). A WAN can span the entire nation or even the globe using satellites.

6.2. Network security services

6.2.1. Authentication
Access to documents can be restricted in one of two ways: by asking for a username and password, or by the hostname of the browser being used. For Bloom Design Group, employees will need to enter a user ID and password to access restricted documents and sites.

6.2.2. Access control
Unlike authentication, which is security based on the user's identity, restricting access based on something other than identity is called access control. For Bloom Design Group, access control to physical locations will be controlled by electronic badges. More sensitive areas such as the server rooms will utilize biometric scanners.

6.2.3. Data confidentiality
This service protects data against unauthorized disclosure and has two components: content confidentiality and message flow confidentiality. For Bloom Design Group, all messages transmitted and received through company offices will be encrypted to prevent the unauthorized viewing of sensitive company documents.

6.2.4. Data integrity
The goal is to protect data from unintended or malicious modification, whether during data transfer, data storage, or from an operation performed on it, and to preserve it for its intended use. For Bloom Design Group the only people who will be authorized to make changes or modifications will be the Head of the IT department and anyone else they deem necessary.

6.2.5. Nonrepudiation
A service guaranteeing that the sender of a message cannot deny having sent the message and the receiver cannot deny having received the message. I do not think this will be necessary for Bloom Design Group. However, if it does become necessary then the proper modifications can always be made.

6.2.6. Logging and monitoring
These services allow IS specialists to observe system activity during and after the fact by using monitoring and logging tools. These include operating system logs, server records, application log errors, warnings, and observation of network, switch and router traffic between network segments. I do not think this will be necessary for Bloom Design Group as a whole. However, it will be utilized for any programs having to do with the servers due to their sensitive business content.

6.3. Firewall system
Outline the roles of the following network security control devices and how these basic security infrastructures are used to protect the company's network against malicious activity. Provide a description of each type of firewall system and how it is used to protect the network. Include how the firewall system is or is not applicable to the company's network configuration in your selected scenario.

6.3.1. Packet-filtering router firewall system
The most common Internet firewall system consists of nothing more than a packet-filtering router deployed between the private network and the Internet. A packet-filtering router performs the typical routing functions of forwarding traffic between networks as well as using packet-filtering rules to permit or deny traffic.

6.3.2. Screened host firewall system
The second firewall example employs both a packet-filtering router and a bastion host. This firewall system provides higher levels of security than the previous example because it implements both Network-Layer security (packet filtering) and Application-Layer security (proxy services). Also, an intruder has to penetrate two separate systems before the security of the private network can be compromised. This will be the option chosen for Bloom Design Group based on needs and cost. Since Bloom Design Group is not a governmental or military related company, it doesn't require the most elaborate form of firewall protection.

6.3.3. Screened-Subnet firewall system
The last firewall example employs two packet-filtering routers and a bastion host. This firewall system creates the most secure firewall system, as it supports both Network-Layer and Application-Layer security while defining a demilitarized zone (DMZ) network.

7. References
Cite all your references by adding the pertinent information to this section by following this example: American Psychological Association. (2001). Publication manual of the American Psychological Association (5th ed.). Washington, DC: Author.

Merkow, M. S., & Breithaupt, J. (2006). Information Security: Principles and Practices.
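The screened-host design chosen in section 6.3.2, modelled as an added example that is not part of the original essay: the packet-filtering router admits Internet traffic only to the bastion host's proxied services, and the bastion's proxies then require the user ID and password from section 6.2.1, so an outside connection has to pass both systems. The address ranges, bastion address and proxy ports are constructed for illustration.

```python
"""Toy model of a screened-host firewall (packet-filtering router + bastion host).

Added example; the network range, bastion address and proxy ports below are
constructed for illustration, not taken from Bloom Design Group.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("10.20.0.0/16")   # constructed office network
BASTION = ip_address("10.20.0.5")          # constructed bastion host address
PROXY_PORTS = {80, 443, 25}                # application proxies run on the bastion


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP port


def router_filter(pkt: Packet) -> str:
    """Network-layer rules on the packet-filtering router.

    Only the bastion may exchange traffic with the Internet; no host on the
    private network is reachable directly from outside.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    outside_src = src not in PRIVATE_NET
    outside_dst = dst not in PRIVATE_NET
    if outside_src and dst == BASTION and pkt.dport in PROXY_PORTS:
        return "permit"   # inbound, but only to a proxied service on the bastion
    if src == BASTION and outside_dst:
        return "permit"   # bastion relaying outbound requests for inside users
    if not outside_src and not outside_dst:
        return "permit"   # internal traffic never leaves the private network
    return "deny"         # everything else, including Internet -> private host


def bastion_proxy(pkt: Packet, authenticated: bool) -> str:
    """Application-layer check on the bastion: the proxy serves only users
    who presented a valid user ID and password (section 6.2.1)."""
    if pkt.dport not in PROXY_PORTS:
        return "deny"
    return "permit" if authenticated else "deny"


def screened_host(pkt: Packet, authenticated: bool = False) -> str:
    """Both layers must agree: the router rule first, then the bastion's proxy."""
    if router_filter(pkt) != "permit":
        return "deny"
    if ip_address(pkt.dst) == BASTION:
        return bastion_proxy(pkt, authenticated)
    return "permit"


if __name__ == "__main__":
    # Constructed sample traffic: 203.0.113.x and 198.51.100.x are documentation ranges.
    for pkt, auth in [(Packet("203.0.113.7", "10.20.0.5", 443), True),
                      (Packet("203.0.113.7", "10.20.0.5", 443), False),
                      (Packet("203.0.113.7", "10.20.3.10", 443), True),
                      (Packet("10.20.3.10", "198.51.100.1", 443), True)]:
        print(pkt, "authenticated" if auth else "anonymous", "->", screened_host(pkt, auth))
```

A direct packet from the Internet to an inside workstation is dropped by the router before the bastion ever sees it, which is the "two separate systems" property the section relies on.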