City of New Orleans
Response for Proposals
Unit 10 Assignment 1: Team RFP Response Report
Delivery
INFORMATION SECURITY AND CYBERSECURITY
PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR’S DEGREE
Submitted to:
ADVISOR, Mr. Evans
Submitted by:
Mark Milburn
ITT TECHNICAL INSTITUTE
ARLINGTON, TEXAS
May, 2016
Table of Contents
I. Research
i. Review of Firm’s Qualifications
II. Data Analysis
i. RFP Clarification Questions
ii. RFP Technical Requirements and Differences from Existing Controls
iii. Data Privacy Legal Requirements as per RFP’s Compliance
iv. Data Protection and Privacy
v. Risk Assessment Project Plan Definition
vi. Risk Prioritization and Mitigation Project Plan Definition
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk Prioritization
III. Solution Design
i. Benefits of Our Recommendations
ii. Data Privacy Legal Requirements as per RFP’s Compliance
iii. Procedure to Conduct a Security Assessment and Risk Identification
iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment
v. Phased Project Approach and High-Level Project Plan Including Prioritized Security Controls
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
ii. High-Level Description of Current Client’s Need
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
iv. Compliance Project Plan Definition
v. Disaster Recovery Plan Outline
vi. Business Continuity Plan Outline
V. Executive Summary
i. Layered Solution Executive Summary
I. Research
i. Review of Firm’s Qualifications
We have reviewed the vendor minimum requirements and would like to
provide a statement of how we meet the RFP requirements.
• Must be in business for at least the last five consecutive years: Telecon
Security Services Inc. has been in business now for ten years.
• Report annual gross sales of at least one million U.S. dollars: Our
annual gross sales are currently $1.9 million.
• Present at least three references of previous engagements, within the
last three years, that are materially similar to the requirements contained
in this document: Telecon Security Services Inc. has won five major
contracts and ten small contracts in the last seven years for vulnerability
assessments and penetration tests.
• Must have at least one person who will be a primary participant in
delivering products and services who holds a Certified Information
Systems Security Professional (CISSP), Certified Information Security
Manager (CISM), or equivalent: Our team of thirty-five employees
holds certifications in the areas asked. Of the nine employees that
work on the new prospective products and services, seven hold
Certified Information Systems Security Professional (CISSP)
certifications, six hold Certified Information Security Manager (CISM),
seven hold Global Information Assurance Certification (GIAC),
and seven hold Security Essentials Certification (GSEC).
• Cannot have any active managed security service provider contracts
with any other agency in this state: We do not have any active contracts
and are in the process of expanding our own business in the state of
New Orleans. We can provide samples of previous reports for other
clients that contain four of the five fields you requested:
  ◦ Risk Assessment
  ◦ Vulnerability Assessment
  ◦ Penetration Testing
  ◦ Business Continuity Plan/Disaster Recovery Plan (BCP/DRP)
Telecon Security Services Inc. has identified gaps in two areas of the
state’s minimum requirements:
• Must maintain at least one permanent office in this state: We are currently
looking to expand our business but have not yet decided on the best location for
our organization.
• Provide previous reports for other clients for source code review: Security
Patching Inc. does not have the means to assess source code security and does
not employ development security specialists.
II. Data Analysis
i. RFP Clarification Questions
After reviewing the RFP for technology consulting services, Telecon Security
Services Inc. has identified the following questions:
1. The scope of the RFP states the State wants a review of its entire system
security program. How many locations and agencies does this comprise?
2. Task #1 asks Telecon Security Services Inc. to conduct a vulnerability
assessment for the State’s system. In order to do this properly, Cyber-Link will
be conducting penetration testing. What limitations, if any, will Cyber-Link have
when it comes to performing penetration testing on the State’s systems?
3. Task #3 asks Telecon Security Services Inc. to provide training to State
employees. Should there be multiple levels of training for different types of
employees, or broader training material that covers every user?
ii. RFP Technical Requirements and Differences from Existing Controls
After reviewing the RFP’s description of the current IT security policy and
technical description, the following comparisons of the two descriptions have been
made, along with a list of differences and/or gaps.
• Application Control - Current Gap
• Media Disposal and Reuse - Current control calls for drives to be wiped by a tool
that wipes bit by bit and sanitizes the drive before it is given to a new user.
• User Identification and Authorization - Current control calls for users to have,
at a minimum, a username and password with the correct access over network
resources.
• User Privilege Control - Current Gap
• User Account Lockout - Current control calls for logins to be blocked after a
set number of failed attempts.
• Mobile and Workstation Computing - Current control calls for protection from
unauthorized use, modification or destruction.
• Mobile Computing - Current control calls for no saving of sensitive organizational
data, and mobile workstations require full disk encryption.
• Operating System Access Controls - Current Gap
• Use of Shared Technology Resources - Current Gap
• Personnel Background Investigation - Current Gap
• Acceptable Use Policy - Current control is a full access control policy.
• Software Control - Current control asks for support of security mechanisms that
provide data integrity, confidentiality and availability, as well as an auditing
mechanism.
• Malicious Software Control - Current control calls for anti-virus and anti-malware
installed on every workstation to mitigate the risk of data leakage.
• Segregation of Duties - Current Gap
iii. Data Privacy Legal Requirements as per RFP’s Compliance
After reviewing the RFP’s current IT security policy framework, the privacy data legal
requirements, and the security gap analysis, the following security gaps that relate to
protecting privacy data have been identified, along with the impact each could have on the
client’s organization and its importance.
• Compliance with Legal Requirements - All State Government agencies must be
compliant with any State or Federal regulatory requirements which supersede
this policy document.
  ◦ Threat level very high - Could be subject to fines and/or lawsuits if found not in
compliance.
• Applicable Legislation - All State Government agencies must be compliant with
any legislation enacted by the State Government in regards to the management
of information resources on behalf of the State.
  ◦ Agencies must be in compliance with all legislation passed by the state
government.
iv. Data Protection and Privacy
• Data Protection and Privacy - All State Government agency data custodians must
ensure that all “Personal Information” data assets, as defined by applicable State
and/or Federal law and regulations, are protected from unauthorized use,
modification, or disclosure.
  ◦ Threat level very high - Would be subject to a large number of tort claims if
personal information is stolen.
• Data Breach and Disclosure - Any State Government agency that discovers a
breach of the information security controls set forth in this policy which results in
disclosure of unencrypted “personal information” about persons to unauthorized
third parties shall provide notice of the disclosure in accordance with State law,
mandates, and acts.
  ◦ Threat level very high - Would be subject to a large number of tort claims if
personal information is stolen.
v. Risk Assessment Project Plan Definition
The following project plan outlines conducting a qualitative risk analysis to
analyze identified risks, threats, and vulnerabilities, with the requirements to implement
the risk analysis solution and mitigation recommendations.
• Segmentation and Layered Security
  ◦ Developers implement layered security technologies and configurations
based on role, risk, sensitivity, and access control rules.
• Media Handling and Security
  ◦ Auditing and enforcement to ensure that only licensed software is
installed on systems.
• User Access Management
  ◦ Management and employees to handle procedures such as new
account creation, account transfer, job profile changes, account
termination, and/or account deletion.
• Network Access Control
  ◦ Network designers to design a network that provides the ability to
segregate and control traffic between systems, connected devices, and
third parties based on role, risk, and sensitivity. Employees to keep the
network running.
vi. Risk Prioritization and Mitigation Project Plan Definition
After conducting the following review of the data security requirements, the current
RFP technical description, and the output from the qualitative risk assessment, the
following project plan has been developed.
• User Identification and Authorization - System in place that requires the use of
a user ID and password that uniquely identifies the user before providing access
to protected information resources.
• User Password Management - Guidelines developed which require users to
create and maintain passwords to protect against unauthorized access.
• Segregation in Networks - Design a network that at a minimum has separate
public, demilitarized, and private security zones based on risk.
• Data Protection and Privacy - Systems in place to ensure all personal information
is protected from unauthorized use, modification, or disclosure.
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk Prioritization
The first step in information security is to control user access. All state
government agencies will develop, document, and maintain user access and account
management procedures. These procedures may include, but are not limited to,
new account creation, account transfer and/or job profile changes, and account
termination and/or deletion. Likewise, at a minimum, user access to protected
information resources requires the use of a user ID and password that uniquely
identifies the user. Sharing access credentials intended to authenticate and authorize
a single user between any two or more people is prohibited. Finally, passwords
assigned to users must be created and managed to protect against unauthorized
disclosure or use and must meet the minimum password requirements. The next step
in information protection is proper network access control. All enterprise network
architectures operated by, or on behalf of, the state government shall be designed to
support, at a minimum, separate public, demilitarized, and private security zones
based on role, risk, and sensitivity. Bridging between discrete security zones is
strictly prohibited. All access between discrete security zones shall be controlled by
a security mechanism configured to deny all access by default unless explicitly
authorized and approved by the security management team.
The last step is to ensure all government agencies are in compliance with
the security policy. All state agencies must also be in compliance with any
state or federal regulatory requirements that supersede the local policy.
This is to ensure that all personal information data assets, as defined by
applicable state and/or federal law and regulations, are protected from unauthorized
use, modification, or disclosure.
III. Solution Design
i. Benefits of Our Recommendations
Below is a list of the IT security gaps that we have identified, along with
the recommended mitigation action for each.
• Application Control - Hire procurement staff to keep track of licenses for
specific applications and of applications purchased by users.
• User Privilege Control - Set up user groups for specific areas of the network and
limit what departments can see.
• Operating System Access Controls - Remove administrative access from non-
power users in order to keep computers from damaging acts/virus installation.
• Use of Shared Technology Resources - Set session time-outs through GPO to a
short period of time so that users cannot use each other’s profiles. Do not allow
users admin rights to see other profile folders.
• Personnel Background Investigation - Use a third-party background check
company to research potential employees.
• Segregation of Duties - Management staff to agree on the specific job
titles for the organization’s personnel. This allows us to segregate access
control.
ii. Data Privacy Legal Requirements as per RFP’s Compliance
After conducting an IT security compliance and governance gap
analysis, the following gaps related to privacy data have been identified and a
mitigation control has been recommended for each.
• Compliance with Legal Requirements - Would have legal experts
review regulatory requirements and create a framework for auditors
and managers to ensure all regulatory requirements are being
followed/enforced.
• Applicable Legislation - Would have legal experts review legislation
and create a framework for auditors and managers to ensure all
regulatory requirements are being followed/enforced.
• Data Protection and Privacy - Would create standard operating
procedures for acceptable use of personal information, protecting it from
unauthorized use, modification, or disclosure. Would empower
auditors and managers to ensure policies are being
followed/enforced.
• Data Breach and Disclosure - Would train employees to provide
notices of disclosure to those individuals affected.
iii. Procedure to Conduct a Security Assessment and Risk Identification
The following procedures, explanations, and actions have been developed
in order to conduct a security assessment for the workstation and
system/application domains.
Workstation Domain
• Educating and retraining users on acceptable use. Educating and
constant training of the users will mitigate most of the risk
experienced in the workstation domain. Users will know how to handle
specific situations that can potentially bring harm to the network.
Training takes place in a new employee’s first week, with yearly training
on new threats.
• Setting an auto-lock policy for when the user is away from the PC. This
mitigates the risk of other users seeing/tampering with data they are
not supposed to have access to. Create a GPO policy that will auto-lock
the computer after ten minutes of non-use.
• Securely deleting data from the computer’s recycle bin. This mitigates the
risk of a user or hacker trying to find hidden data/erased data, by
writing zeros over any data that has been deleted. Create a GPO
policy that will securely delete all files from the drive.
• Securely disposing of computers and drives once the computer has
been deemed inactive. This mitigates data leakage by making sure
the drives have been removed and erased bit by bit. Buy tools to write
zeros over every bit on the drive to safely dispose of it.
• Installing antivirus at an enterprise level. This mitigates data leakage
and stops malicious software from destroying hardware. Enterprise-level
antivirus that can be controlled from a server.
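As an added example (not part of the original proposal), the following PowerShell script audits a single workstation against three of the controls listed above: the ten-minute GPO auto-lock, enterprise antivirus with real-time protection, and full disk encryption as required for mobile workstations. The registry path and cmdlets are standard Windows ones; the 600-second threshold is the ten-minute figure from the procedure, and the seven-day signature age is an assumed value.

```powershell
# Added example: audit a workstation against the workstation-domain controls
# above (ten-minute auto lock, enterprise AV, full disk encryption).
# Run in an elevated PowerShell session on the workstation being checked.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Screen lock. The GPO settings "Screen saver timeout" / "Password protect the
#    screen saver" / "Enable screen saver" are written under the Policies key;
#    fall back to the user's own Desktop key if no policy is applied.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$desktop = if (Test-Path $policyKey) { Get-ItemProperty $policyKey } else { Get-ItemProperty $userKey }

$timeout = [int]($desktop.ScreenSaveTimeOut)   # seconds; 0 or missing means no timeout
if ($timeout -le 0 -or $timeout -gt 600) {
    $findings.Add("Screen lock timeout is $timeout s; control requires 600 s (ten minutes) or less")
}
if ($desktop.ScreenSaverIsSecure -ne '1') {
    $findings.Add('Screen saver does not require a password on resume')
}
if ($desktop.ScreenSaveActive -ne '1') {
    $findings.Add('Screen saver is not active, so the workstation will not auto lock')
}

# 2. Antivirus: centrally managed AV with real-time protection and fresh signatures.
#    Get-MpComputerStatus covers Microsoft Defender; a third-party product will
#    fail this query and is reported for manual follow-up.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {   # assumed 7-day limit
        $findings.Add("Antivirus signatures last updated $($mp.AntivirusSignatureLastUpdated)")
    }
} catch {
    $findings.Add('Could not query Microsoft Defender status (third-party AV or cmdlet unavailable)')
}

# 3. Full disk encryption on the system drive (required for mobile workstations).
try {
    $vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection on C: is $($vol.ProtectionStatus); volume status $($vol.VolumeStatus)")
    }
} catch {
    $findings.Add('Could not query BitLocker status (cmdlet unavailable or session not elevated)')
}

# Report: one line per finding; an empty list means all three controls are in place.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: all workstation controls in place"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: FINDING - $_" }
}
```

The script only reads settings and reports; applying the GPO itself is done centrally, and the output can be collected from each workstation to confirm the policy actually took effect.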
System/Application Domain
• Patching servers, firewalls, and workstations. This mitigates hackers
from using known vulnerabilities in server, firewall, and workstation
operating systems.
• Software to scan incoming/outgoing emails, and server hardening.
The software will scan all incoming and outgoing emails for viruses
and hidden data. Also remove any services not being used by the email
servers. Installation of software like Iron Mail.
• Protecting database servers from attacks, and server hardening. This
mitigates attacks on SQL servers. Also remove any services not
being used by the database servers. Define each column with the exact type
of information needed.
• Protecting web servers from attacks, and server hardening. Also
remove any services not being used by the web servers.
• Sealing off firewall ports that are not in use. This prevents attackers
from using unused open ports to gain access to the network. Turn off
ports not being used by system servers/workstations.
iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment
The following plan aligns the tasks and deliverables for risk
assessment, analysis, and remediation with specific recommendations for
addressing the risks identified.
• Segmentation and Layered Security - The State Government’s
operational environment shall support segmentation and layered
security technologies and configurations based on role, risk, and
sensitivity. Developers will implement layered security technologies
and configurations based on access control rules.
• Media Handling and Security - Only licensed software procured
through the State Government contracts shall be installed in the
State’s environment. Auditors and managers will ensure that only
licensed software is installed on systems.
• User Access Management - All State Government agencies shall
develop, document, and maintain user access and account
management procedures. Management and employees will handle
procedures such as new account creation, account transfer, job
profile changes, account termination, and/or account deletion.
• Network Access Control - All access and connectivity to the State
Government’s network must comply with the State Government’s
security requirements for network interconnectivity. Network
designers will design a network that provides the ability to segregate
and control traffic between systems, connected devices, and third
parties based on role, risk, and sensitivity.
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
We have developed a phased approach to the scope of work and built an outline for a
high-level project plan.
• Definition of scope of analysis
• Identification of the State’s critical assets
• Determination of the best analytical (qualitative/quantitative) basis for an
evaluation
• Identification of potential risks, threats, and vulnerabilities
• Evaluation of the risk profile (risk, threat, & vulnerability assessment)
• Risk remediation recommendations: short-term and long-term with cost
magnitude estimates
Tasks:
• Provide a narrative that illustrates the proposer’s understanding of the state’s
requirements and project schedule.
• Provide a narrative that illustrates how the proposer will complete the scope of
services, accomplish required objectives, and meet the state’s project schedule.
• Provide a narrative that illustrates how the proposer will manage the project,
ensure completion of the scope of services, and accomplish required objectives
within the state’s project schedule.
• Provide a narrative illustrating your methodology for conducting vulnerability
assessments and penetration tests.
• Provide a narrative describing how you apply your vulnerability assessment and
penetration testing methodologies in performing the services for customers,
including project management, incident and emergency procedures, etc.
• Provide a narrative detailing the systems that you are able to assess for
vulnerabilities, including but not limited to operating systems, databases, and
infrastructure/networking.
• Provide a narrative illustrating your methodology for reviewing code.
ii. High-Level Description of Current Client’s Need
The state has an immediate requirement for contractual support for technical security
consulting services for its information security program. The state is undertaking a
review of its entire system security program, to include risk analysis/vulnerability
assessments of the system, assessment of the automated security program, security
awareness training, development and enhancement of security plans, continuity and
contingency planning, and infrastructure protection review.
Cyber-Link plans to tackle these requests head on. Our organization offers security
assessments by top-level certified technicians. Our team also offers penetration testing.
Our team takes pride in its work and shows it through the care it provides.
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
The following project plan identifies privacy data and related gaps and recommends a
mitigation action for each.
• Segregation of Duties - Management staff to agree on the specific job titles
for the organization’s personnel. This allows us to segregate access control.
• Personnel Background Investigation - Use a third-party background check
company to research potential employees.
• Use of Shared Technology Access Controls - Set session time-outs through GPO to a
short period of time so that users cannot use each other’s profiles. Do not allow
users admin rights to see other profile folders.
• Operating System Access Controls - Remove administrative access from non-
power users in order to keep computers from damaging acts/virus installation.
• User Privilege Control - Set up user groups for specific areas of the network and
limit what departments can see.
• Application Control - Procurement staff to keep track of licenses for specific
applications.
iv. Compliance Project Plan Definition
We have developed a project plan that identifies gaps related to privacy data and
recommends mitigation actions for each gap outlined in the RFP regarding the current IT
policy framework description.
• Data Breach and Disclosure - Workers trained to provide notices of disclosure to
those individuals affected.
• Data Protection and Privacy - Policy writers to create standard operating
procedures for acceptable use of personal information, protecting it from unauthorized
use, modification, or disclosure. Auditors and managers to ensure policies are
being followed/enforced.
• Applicable Legislation - Lawyers and legislation subject matter
experts to review legislation. Auditors and managers to ensure regulatory
requirements are being followed/enforced.
• Compliance with Legal Requirements - Lawyers and regulatory requirement
subject matter experts to review requirements. Auditors and managers to ensure
regulatory requirements are being followed/enforced.
v. Disaster Recovery Plan Outline
Our Business Continuity services offer the following to keep your company
prepared for a wide range of emergency situations:
Ready For Any Emergency.
Telecon Security Services Inc. prepares your company for any disaster that
could affect your IT infrastructure, whether it is a natural occurrence, cybercrime,
a power outage or human error.
Proactive Planning.
By developing effective policies and procedures, we can help you and your
staff operate effectively and efficiently in the case that your business is affected by
an emergency of any kind.
Reliable Backups.
Telecon Security Services Inc. keeps your data up to date, secure, and
stored both locally onsite and virtually through the cloud. This technology protects
your business from data loss and ensures that in the event of a natural disaster
you can continue to access your systems and files.
Regularly Tested Systems.
By testing the backup systems on a regular basis, we can ensure they are
ready for use at the moment they are needed. With each step a New Orleans
business owner takes in becoming a more developed and profitable operation,
you need to be sure that your IT systems can support that growth. Arranging one-off
consultations with IT companies is inconvenient and expensive, but without the
right knowledge, your technology may fail to meet the requirements of the next
stage of business growth.
In any recuperation arrangement there will be a wide exhibit of catastrophe
potential outcomes and recuperation methods to consider. To pare the issue
down, in this way, preparatory suppositions are produced as rules. For the
recuperation push to be effective, all included staff are required to guarantee that
these suspicions are present and right. Supervisors will keep all work force
influenced by this arrangement mindful of its present systems and practices. All
staff influenced by this arrangement is in charge of comprehension their part under
a catastrophe circumstance. This arrangement will be constantly kept up. The
recuperation procedure archived in the arrangement ought to be tried yearly. All
staff must respond rapidly and viably amid the recuperation procedure. Calamity
Recovery must be fruitful if there is an underlying reinforcement of static segments
including the framework programming, restrictive bundles, projects, and
information, and a standard reinforcement, in any event day by day, of all
progressions and alteration of these electronic parts, and there is a general testing
of equipment and correspondences reinforcement offices.
This arrangement ought to be overhauled every year and ought to
dependably be promptly accessible to approved work force. Destinations ought to
be looked into and upgraded by administration on a yearly premise. The Disaster
Recovery Plan may require redesigns if issues or changes incorporate a few or
any of the accompanying: Mainframe and Mid-Range Disaster Recovery Test
results, new basic applications or basic clients, expanded application intricacy,
new gear acquisitions, and/or changes to: equipment, programming, system,
applications, and/or information. Things to be inspected for Plan overhaul ought to
include: Personnel changes, mission changes, need changes, New Business
Organizations, Mainframe and Mid-range Disaster Recovery Test strategies and
results, reinforcement techniques, recuperation methodology, Relocation/Migration
Plan, programming (working framework, utilities, application programs), equipment
(centralized server, mid-extent and peripherals), and Communications Network
Facilities DRP typical systems. Include creating, recording, executing and testing
the Disaster Recovery Plan. The state government will have the capacity to
reestablish the accessibility of basic applications in an opportune and sorted out
way taking after a fiasco event. With a specific end goal to perform these
destinations, the innovation zone will rely on upon backing from senior
administration, end clients and staff offices.
Testing the plan is intended to train the personnel who will be
responsible for executing the Disaster Recovery Plan. IT-related emergencies can
strike at any time, whether they are malware attacks, natural disasters or system
crashes. It is essential to have a plan in place to ensure your business can keep
unproductive downtime to a minimum. Every minute that your systems are down costs
you more, so be sure to prepare your business for the worst by planning ahead.
In the event of a declared disaster, key personnel will take immediate action to
alert the Disaster Recovery Center. Restoration of the Critical Coverage will be
provided after a disaster is declared and after turnover of the disaster recovery
backup site. It will include, without limitation, the following: delivery of the
Authorized User Data and Software archived in off-site storage to the Disaster
Recovery Center, connecting network lines to the Disaster Recovery Center,
operating the Critical Applications on the Configuration at the Disaster Recovery
Center, providing Critical Coverage at the Disaster Recovery Center, and providing
workspace and required equipment.
Recovery activities will be conducted in a phased approach. The emphasis will be
to recover the critical applications effectively and efficiently. Critical
applications will be recovered over a period of time after data center activation.
vi. Business Continuity Plan Outline
Purpose – This Business Continuity Plan (BCP) will be updated in response
to changes in the business environment. The state of Georgia will review the plan
at least annually. This document outlines the steps required to operate the state of
Georgia in the event of an unanticipated interruption of normal operations. This
document will articulate the triggers for when alternate business processes need
to be deployed, the steps to deploy alternate business processes, the methods for
verifying that business has been properly restored and ensuring data integrity, and
activities for returning to “normal” business processing.
Scope – This BCP applies to the IT Department covered by this RFP.
Assumptions – The plan will be implemented if systems are unavailable for
48 hours.
• Facilities will provide temporary space for critical staff
• IT will provide technical assistance for the temporary location
• Telecommunications will have phone lines available in the temporary
location
• Equipment can be rented or otherwise acquired as needed
• IT can restore files from the latest off-site backups
Critical Business Functions:
• Accounting
• Human Resources
• Administration
• Information Services
• Purchasing
Risks to Operation and Strategies to Address Risk
Natural Risks:
• High Winds/Tornadoes: Have backup sites spread through the state in
order to keep the network up and running.
• Lightning: Have backup generators ready to give the building power.
• Flooding: Keep essential equipment on the 2nd floor and above.
• Fire: Install fire suppression systems and fireproof drywall to protect
important assets.
Intentional Acts:
• Theft: Install camera systems within the office. Encrypt any machine
that goes off site.
• Cyber Attack: Server hardening, patching of all network assets,
firewall hardening.
• Malware: Keep anti-virus up to date to mitigate this risk.
Resources Needed:
• Personnel: Certified IT department, training instructors
V. Executive Summary
i. Layered Security Solution Executive Summary
To guarantee the security of business-critical information, it is essential to
establish a multi-layered strategy to address the risks. Organizations focus their
defensive controls at the perimeter in the belief that this makes it difficult for
attackers to enter systems. However, once this perimeter is breached, the attackers
have relatively free rein inside the network. Hardened perimeter defenses alone also
fail to address the threat from internal sources. Organizations need to establish a
multilayered security strategy that focuses on the confidentiality, integrity and
availability of the information being protected. A multi-layered approach to
security ensures that if one layer fails or is compromised, other layers will
compensate and maintain the security of that information. Thus, each of these layers
should have multiple controls deployed to protect the confidentiality, integrity and
availability of the information. Some of the more critical controls include system
configuration hardening, file integrity monitoring, and log management.
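The file integrity monitoring control named above, and the BCP step of verifying data integrity after restoring from off-site backups, both rest on the same mechanism: a trusted baseline of file hashes stored outside the monitored tree, compared against the live tree. The following Python is an added example, not part of the original report or of Telecon Security Services' tooling; the sample file tree, its contents and the manifest format (sha256sum-style lines) are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large restored archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # do not follow links that could point outside the tree
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def write_manifest(manifest: dict, path: Path) -> None:
    """Persist the baseline as sha256sum-style '<hex>  <path>' lines, one per file."""
    lines = [f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items())]
    path.write_text("".join(lines), encoding="utf-8")


def read_manifest(path: Path) -> dict:
    """Parse a manifest written by write_manifest; malformed lines are rejected."""
    manifest = {}
    for lineno, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 64 or not rel:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        manifest[rel] = digest
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify drift between the trusted baseline and the current tree."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Baseline a constructed file tree, introduce drift, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "server"
        # Constructed sample files standing in for a server's protected content.
        sample = {
            "etc/app.conf": "log_level = info\n",
            "bin/app": "binary v1\n",
            "data/records.csv": "id,name\n1,alice\n",
        }
        for rel, content in sample.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")

        # The baseline manifest lives outside the monitored tree (off-site in practice).
        manifest_path = Path(tmp) / "baseline.sha256"
        write_manifest(build_manifest(root), manifest_path)

        # Simulated drift: a data file altered, a file missing, an unexpected file present.
        (root / "data/records.csv").write_text("id,name\n1,alice\n2,bob\n", encoding="utf-8")
        (root / "bin/app").unlink()
        (root / "data/extra.csv").write_text("id,name\n9,unknown\n", encoding="utf-8")

        return compare_manifests(read_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

An empty result from `compare_manifests` after a restore is the evidence the BCP asks for that data integrity was preserved; any non-empty category is a finding to investigate before declaring the restore complete.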
You deserve the best in IT support, and that only comes from those who work with the best themselves!
Telecon Security Services Inc. has the best strategic partners in the business, so to learn more about what we
can do for your New Orleans business, call us at (504) 848-0571 or email us
at info@teleconsecurity.com today.

More Related Content

What's hot

An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsDoubleHorn
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksTechWell
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPace IT at Edmonds Community College
 
Legal aspects of handling cyber frauds
Legal aspects of handling cyber fraudsLegal aspects of handling cyber frauds
Legal aspects of handling cyber fraudsSagar Rahurkar
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeMedSafe
 
Supplier security assessment questionnaire
Supplier security assessment questionnaireSupplier security assessment questionnaire
Supplier security assessment questionnairePriyanka Aash
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&AMatt Tortora
 
Cyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterCyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterButlerRubin
 
Assessing Risk: Developing a Client/Server Security Architecture,
 Assessing Risk: Developing a Client/Server Security Architecture,  Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture, MITDaveMillaar
 
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...EMC
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet LawKlemchuk LLP
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)Pace IT at Edmonds Community College
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
The insider versus external threat
The insider versus external threatThe insider versus external threat
The insider versus external threatzhihaochen
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIRJET Journal
 

What's hot (20)

An Overview of the Major Compliance Requirements
An Overview of the Major Compliance RequirementsAn Overview of the Major Compliance Requirements
An Overview of the Major Compliance Requirements
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
CYBER51-FYLER
CYBER51-FYLERCYBER51-FYLER
CYBER51-FYLER
 
Privacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal RisksPrivacy and Data Security: Minimizing Reputational and Legal Risks
Privacy and Data Security: Minimizing Reputational and Legal Risks
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
 
Legal aspects of handling cyber frauds
Legal aspects of handling cyber fraudsLegal aspects of handling cyber frauds
Legal aspects of handling cyber frauds
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 
Supplier security assessment questionnaire
Supplier security assessment questionnaireSupplier security assessment questionnaire
Supplier security assessment questionnaire
 
Identifying Code Risks in Software M&A
Identifying Code Risks in Software M&AIdentifying Code Risks in Software M&A
Identifying Code Risks in Software M&A
 
Cyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan CotterCyber Liability Coverage in the Marketplace with Dan Cotter
Cyber Liability Coverage in the Marketplace with Dan Cotter
 
Assessing Risk: Developing a Client/Server Security Architecture,
 Assessing Risk: Developing a Client/Server Security Architecture,  Assessing Risk: Developing a Client/Server Security Architecture,
Assessing Risk: Developing a Client/Server Security Architecture,
 
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterp...
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law
 
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)
 
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy LawKMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
KMA Insights Webinar July 2009 -- Compliance with MA Privacy Law
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014
 
The insider versus external threat
The insider versus external threatThe insider versus external threat
The insider versus external threat
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data Mining
 

Viewers also liked

Alberta's EHR System - PIN
Alberta's EHR System - PINAlberta's EHR System - PIN
Alberta's EHR System - PINbrighteyes
 
Evaluation of a Multi-EMR web-based Form
Evaluation of a Multi-EMR web-based FormEvaluation of a Multi-EMR web-based Form
Evaluation of a Multi-EMR web-based FormKarim Keshavjee
 
Pitfalls and realities of working with Big Data
Pitfalls and realities of working with Big DataPitfalls and realities of working with Big Data
Pitfalls and realities of working with Big DataKarim Keshavjee
 
The cost of data quality in EMRs
The cost of data quality in EMRsThe cost of data quality in EMRs
The cost of data quality in EMRsKarim Keshavjee
 
2.4.2016. Dudovica
2.4.2016. Dudovica2.4.2016. Dudovica
2.4.2016. Dudovicaskola
 
Luke Todd CS Consultant
Luke Todd CS ConsultantLuke Todd CS Consultant
Luke Todd CS ConsultantLuke Todd
 
Recent changes in conveyancing transactions in South Australia
Recent changes in conveyancing transactions in South AustraliaRecent changes in conveyancing transactions in South Australia
Recent changes in conveyancing transactions in South AustraliaThomas Brown
 
VIRLEN-MENDEZ-ROCO-CV
VIRLEN-MENDEZ-ROCO-CVVIRLEN-MENDEZ-ROCO-CV
VIRLEN-MENDEZ-ROCO-CVVirlen Roco
 

Viewers also liked (11)

Alberta's EHR System - PIN
Alberta's EHR System - PINAlberta's EHR System - PIN
Alberta's EHR System - PIN
 
Evaluation of a Multi-EMR web-based Form
Evaluation of a Multi-EMR web-based FormEvaluation of a Multi-EMR web-based Form
Evaluation of a Multi-EMR web-based Form
 
EMR NG
EMR NGEMR NG
EMR NG
 
Pitfalls and realities of working with Big Data
Pitfalls and realities of working with Big DataPitfalls and realities of working with Big Data
Pitfalls and realities of working with Big Data
 
The cost of data quality in EMRs
The cost of data quality in EMRsThe cost of data quality in EMRs
The cost of data quality in EMRs
 
E-Catalog
E-CatalogE-Catalog
E-Catalog
 
2.4.2016. Dudovica
2.4.2016. Dudovica2.4.2016. Dudovica
2.4.2016. Dudovica
 
Luke Todd CS Consultant
Luke Todd CS ConsultantLuke Todd CS Consultant
Luke Todd CS Consultant
 
Recent changes in conveyancing transactions in South Australia
Recent changes in conveyancing transactions in South AustraliaRecent changes in conveyancing transactions in South Australia
Recent changes in conveyancing transactions in South Australia
 
Editors Choice: Reining - 2005
Editors Choice: Reining - 2005Editors Choice: Reining - 2005
Editors Choice: Reining - 2005
 
VIRLEN-MENDEZ-ROCO-CV
VIRLEN-MENDEZ-ROCO-CVVIRLEN-MENDEZ-ROCO-CV
VIRLEN-MENDEZ-ROCO-CV
 

Similar to IS4799 Final Project (1)

Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
ISE 620 Final Project Guidelines and Rubric Overview .docx
ISE 620 Final Project Guidelines and Rubric  Overview .docxISE 620 Final Project Guidelines and Rubric  Overview .docx
ISE 620 Final Project Guidelines and Rubric Overview .docxchristiandean12115
 
PTX12_Presentation_George Delikouras AIA
PTX12_Presentation_George Delikouras AIAPTX12_Presentation_George Delikouras AIA
PTX12_Presentation_George Delikouras AIAGeorge Delikouras
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)stevemeltzer
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsSkoda Minotti
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4stevemeltzer
 
Project 6 - Cloud Computing Security PolicyThis week you will pr.docx
Project 6 - Cloud Computing Security PolicyThis week you will pr.docxProject 6 - Cloud Computing Security PolicyThis week you will pr.docx
Project 6 - Cloud Computing Security PolicyThis week you will pr.docxanitramcroberts
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA  Domain 3 Security Operations and Monitoring.pptxCompTIA CySA  Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA Domain 3 Security Operations and Monitoring.pptxInfosectrain3
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceLumension
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1stevemeltzer
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management ActMichelle Singh
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...abhichowdary16
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practicesamiable_indian
 

Similar to IS4799 Final Project (1) (20)

Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
ISE 620 Final Project Guidelines and Rubric Overview .docx
ISE 620 Final Project Guidelines and Rubric  Overview .docxISE 620 Final Project Guidelines and Rubric  Overview .docx
ISE 620 Final Project Guidelines and Rubric Overview .docx
 
PTX12_Presentation_George Delikouras AIA
PTX12_Presentation_George Delikouras AIAPTX12_Presentation_George Delikouras AIA
PTX12_Presentation_George Delikouras AIA
 
The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)The New Massachusetts Privacy Rules (February 2, 2010)
The New Massachusetts Privacy Rules (February 2, 2010)
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 
New Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law RequirementsNew Ohio Cybersecurity Law Requirements
New Ohio Cybersecurity Law Requirements
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4The New Massachusetts Privacy Rules V4
The New Massachusetts Privacy Rules V4
 
Project 6 - Cloud Computing Security PolicyThis week you will pr.docx
Project 6 - Cloud Computing Security PolicyThis week you will pr.docxProject 6 - Cloud Computing Security PolicyThis week you will pr.docx
Project 6 - Cloud Computing Security PolicyThis week you will pr.docx
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA  Domain 3 Security Operations and Monitoring.pptxCompTIA CySA  Domain 3 Security Operations and Monitoring.pptx
CompTIA CySA Domain 3 Security Operations and Monitoring.pptx
 
Six Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC ComplianceSix Keys to Securing Critical Infrastructure and NERC Compliance
Six Keys to Securing Critical Infrastructure and NERC Compliance
 
The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1The new massachusetts privacy rules v5.35.1
The new massachusetts privacy rules v5.35.1
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 

IS4799 Final Project (1)

  • 1. City of New Orleans Response for Proposals Unit 10 Assignment 1: Team RFP Response Report Delivery INFORMATION SECURITY AND CYBERSECURITY PROGRAM IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE BACHELOR’S DEGREE Submitted to: ADVISOR, Mr. Evans Submitted by: Mark Milburn ITT TECHNICAL INSTITUTE ARLINGTON, TEXAS May, 2016
  • 2. Table of Contents I. Research i. Review of Firm’s Qualifications II. Data Analysis i. RFP Clarification Questions ii. RFP Technical Requirements and Differences from Existing Controls iii. Data Privacy Legal Requirements as per RFP’s Compliance iv. Data Protection and Privacy v. Risk Assessment Project Plan Definition vi. Risk Prioritization and Mitigation Project Plan Definition vii. Risk Mitigation Actions Based on Qualitative Risk Assessment’s Risk Prioritization III. Solution Design i. Benefits of Our Recommendations ii. Data Privacy Legal Requirements as per RFP’s Compliance iii. Procedure to Conduct a Security Assessment and Risk Identification iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment v. Phased Project Approach and High-Level Project Plan Including Prioritized Security Controls IV. Evaluation Design i. Phased Project Approach and High-Level Project Plan Outline ii. High-Level Description of Current Client’s Need iii. IT Security Compliance and Governance Gap Analysis Plan Outline iv. Compliance Project Plan Definition v. Disaster Recovery Plan Outline vi. Business Continuity Plan Outline V. Executive Summary i. Layered Solution Executive Summary
  • 3. I. Research i. Review of Firm’s Qualifications We have reviewed the vendor minimum requirements and would like to provide a statement of our meeting of the RFP requirements.  Must be in business for at least the last five consecutive years: Telecon Security Services Inc. has been in business now for ten years.  Report annual gross sales of at least one million U.S. dollars: Our annual gross sales are currently $1.9 million dollars.  Present at least three references of previous engagements-within the last three years-that are materially similar to the requirements contained in this document: Telecon Security Services Inc. has won five major contracts and ten small contracts in the last seven years for vulnerability assessments and penetration tests.  Must have at least one person who will be a primary participant in delivering products and services who holds a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent: Our team of thirty-five employees holds certifications in the areas asked. Of the nine employees that work on the new prospective products and services, seven hold Certified Information Systems Security Professional (CISSP) certifications, six hold Certified Information Security Manager (CISM), and seven hold Global Information Assurance Certification (GIAC)
  • 4. and seven hold Security Essentials Certification (GSEC).  Cannot have any active managed security service provider contracts with any other agency in this state: We do not have any active contracts and are in the process of expanding our own business in the state of New Orleans. We can provide samples of previous reports for other clients that contain four of the five fields you requested:  Risk Assessment  Vulnerability Assessment  Penetration Testing  Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) Telecon Security Services Inc has identified gaps in two areas that the state of minimum requirements request:  Must maintain at least one permanent office in this state: We are currently looking to expand our business but have not yet decided on the best location for our organization.  Provide previous reports for other clients for source code review: Security Patching Inc. does not have the means to assess source code security and does not employ development security specialist
  • 5. II. Data Analysis i. RFP Clarification Questions After reviewing the RFP for technology consulting services, Telecon Security Services Inc. has identified the following questions: 1. The scope of the RFP states the State wants a review of its entire system security program. How many locations and agencies will this comprise of? 2. Task #1 asks Telecon Security Services Inc. to conduct a vulnerability assessment for the State’s system. In order to do this properly Cyber-Link will be conduction penetration testing. What limitations, if any, will Cyber-Link have when it comes to performing penetration testing on the State’s systems? 3. Task #3 asks Telecon Security Services Inc. to provide training to State employees. Should there be multiple levels of training for different types of employees or more board training material that covers every user? ii. RFP Technical Requirements and Differences from Existing Controls After reviewing the RFP’s description of the current IT security policy and technical description the following comparisons of the two descriptions have been made, along with a list of differences and/or gaps.  Application Control - Current Gap  Media Disposal and Reuse - Current control calls for drives to be wiped by a tool that wipes bit by bit and sanitizes the drive before it is given to a new user.
  • 6.  User Identification and Authorization - Current control calls for the users to have a minimum of username and password with the correct access over network resources.  User Privilege Control - Current Gap  User Account Lockout - Current control calls for multiple login attempts be blocked after a certain amount of tries.  Mobile and Workstation Computing - Current control calls for protection from unauthorized use, modification or destruction.  Mobile Computing - Current control calls for no saving of sensitive organizational data and mobile workstations require full disk encryption.  Operating System Access Controls - Current Gap  Use of Shared Technology Resource - Current Gap  Personnel Background Investigation - Current Gap  Acceptable Use Policy - Current control is a full access control policy.  Software Control - Current control asks for support of security mechanisms that provide data integrity, confidentiality and availability as well as an auditing mechanism.  Malicious Software Control - Current control calls for anti-virus and anti-malware installed on every workstation to mitigate the risk of data leakage.  Segregation of Duties - Current Gap
iii. Data Privacy Legal Requirements as per RFP's Compliance
After reviewing the RFP's current IT security policy framework, the privacy data legal requirements, and the security gap analysis, the following security gaps related to protecting privacy data have been identified, along with their importance and the impact each could have on the client's organization.
- Compliance with Legal Requirements - All State Government agencies must be compliant with any State or Federal regulatory requirements, which supersede this policy document. Threat level: very high. The agency could be subject to fines and/or lawsuits if found not in compliance.
- Applicable Legislation - All State Government agencies must be compliant with any legislation enacted by the State Government regarding the management of information resources on behalf of the State. Agencies must be in compliance with all legislation passed by the state government.
iv. Data Protection and Privacy
- All State Government agency data custodians must ensure that all "Personal Information" data assets, as defined by applicable State and/or Federal law and regulations, are protected from unauthorized use, modification, or disclosure. Threat level: very high. The agency would be exposed to a large number of tort claims if personal information is stolen.
- Data Breach and Disclosure - Any State Government agency that discovers a breach of the information security controls set forth in this policy which results in disclosure of unencrypted "personal information" about persons to unauthorized third parties shall provide notice of the disclosure in accordance with State law, mandates, and acts. Threat level: very high. The agency would be exposed to a large number of tort claims if personal information is stolen.
v. Risk Assessment Project Plan Definition
The following project plan outlines a qualitative risk analysis of the identified risks, threats, and vulnerabilities, together with the requirements to implement the risk analysis solution and mitigation recommendations.
- Segmentation and Layered Security - Developers implement layered security technologies and configurations based on role, risk, sensitivity, and access control rules.
- Media Handling and Security - Auditing and enforcement to ensure that only licensed software is installed on systems.
- User Access Management - Management and employees handle procedures such as new account creation, account transfer, job profile changes, account termination, and/or account deletion.
- Network Access Control - Network designers design a network that provides the ability to segregate and control traffic between systems, connected devices, and third parties based on role, risk, and sensitivity. Employees keep the network running.
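The segmentation and network access control items above, and the public/DMZ/private zone model with deny-by-default that the next section spells out, can be checked mechanically rather than by reading diagrams. The Python block below is an added example, not code from the RFP response; the zone prefixes, the rule table, the name of the approving team and the sample flows and hosts are all assumptions. It classifies each endpoint into a zone by longest prefix match, allows a cross-zone flow only when an approved rule exists for exactly that flow, denies everything else, and flags hosts with addresses in more than one zone, which is the bridging the policy prohibits.

```python
"""Zone-based network access check with deny by default.

Added example for the segmentation and network access control items; not
code from the RFP response.  Zone prefixes, rules, approver and flows are
assumed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: the most specific matching prefix decides the zone;
# the /0 entry makes everything unmatched 'public'.
ZONES = {
    "public": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "private": ipaddress.ip_network("10.2.0.0/16"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    approved_by: str   # who approved it; empty string means requested but not approved


# Assumed allow-list.  Anything not listed here is denied.
RULES = [
    Rule("public", "dmz", "tcp", 443, "security management team"),   # internet -> web tier
    Rule("dmz", "private", "tcp", 5432, "security management team"), # web tier -> database
    Rule("private", "dmz", "tcp", 22, ""),                           # requested, never approved
]


def evaluate(src_ip, dst_ip, proto, port, rules=RULES):
    """Return ('allow', rule_or_None) or ('deny', reason) for one flow."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    if sz == dz:
        return ("allow", None)   # same zone: outside this control (assumed scope)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.port) == (sz, dz, proto, port):
            if not r.approved_by:
                return ("deny", f"{sz}->{dz} {proto}/{port}: rule exists but is not approved")
            return ("allow", r)
    return ("deny", f"{sz}->{dz} {proto}/{port}: no rule, denied by default")


def find_bridges(hosts):
    """Hosts with addresses in more than one zone: a path around the
    controlled boundary, which the policy prohibits."""
    return sorted(name for name, ips in hosts.items() if len({zone_of(ip) for ip in ips}) > 1)


# Constructed inventory and flows.
SAMPLE_HOSTS = {
    "web1": ["10.1.0.10"],
    "db1": ["10.2.5.20"],
    "jump": ["10.1.0.50", "10.2.0.5"],   # dual-homed across DMZ and private
}
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.0.10", "tcp", 443),    # internet -> web
    ("203.0.113.7", "10.2.5.20", "tcp", 5432),   # internet -> database, no rule
    ("10.1.0.10", "10.2.5.20", "tcp", 5432),     # web -> database
    ("10.2.5.20", "10.1.0.10", "tcp", 22),       # unapproved rule
    ("10.1.0.10", "10.2.5.20", "tcp", 22),       # no rule at all
]


def run_sample():
    return [evaluate(*flow)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()):
        print(flow, "->", verdict)
    print("bridging hosts:", find_bridges(SAMPLE_HOSTS))
```

The rule table carries the approval as data so that an unapproved rule behaves exactly like no rule at all; that is the difference between "the firewall has a line for it" and "the security management team authorized it", which the policy text requires.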
vi. Risk Prioritization and Mitigation Project Plan Definition
After reviewing the data security requirements, the current RFP technical description, and the output of the qualitative risk assessment, the following project plan has been developed.
- User Identification and Authorization - A system that requires the use of a user ID and password that uniquely identifies the user before providing access to protected information resources.
- User Password Management - Guidelines that require users to create and maintain passwords that protect against unauthorized access.
- Segregation in Networks - A network design that, at a minimum, has separate public, demilitarized, and private security zones based on risk.
- Data Protection and Privacy - Systems that ensure all personal information is protected from unauthorized use, modification, or disclosure.
vii. Risk Mitigation Actions Based on Qualitative Risk Assessment's Risk Prioritization
The first step in information security is to control user access. All state government agencies will develop, document, and maintain user access and account management procedures. These procedures shall include, but are not limited to, new account creation, account transfer and/or job profile changes, and account termination and/or deletion. Likewise, at a minimum, user access to protected information resources requires the use of a user ID and password that uniquely identifies the user. Sharing access credentials intended to authenticate and authorize a single user between any two or more people is prohibited. Finally, passwords assigned to users must be created and managed to protect against unauthorized disclosure or use, and must meet the minimum password requirements.
The next step in information protection is proper network access control. All enterprise network infrastructures operated by, or on behalf of, the state government shall be designed to support, at a minimum, separate public, demilitarized, and private security zones based on role, risk, and sensitivity. Bridging between discrete security zones is strictly prohibited. All access between discrete security zones shall be controlled by a security mechanism configured to deny all access by default unless explicitly authorized and approved by the security management team.
The final step is to ensure that all government agencies are in compliance with the security policy. All state agencies must also be in compliance with any state or federal regulatory requirements that supersede the local policy. This ensures that all personal information data assets, as defined by applicable state and/or federal law and regulations, are protected from unauthorized use, modification, or disclosure.
III. Solution Design
i. Benefits of Our Recommendations
Below is a list of the IT security gaps we have identified, along with the recommended mitigation action for each.
- Application Control - Hire procurement staff to track licenses for specific applications and applications purchased by users.
- User Privilege Control - Set up user groups with access to specific areas of the network and limit what each department can see.
- Operating System Access Controls - Remove administrative access from non-power users to keep users from damaging computers or installing viruses.
- Use of Shared Technology Resources - Set a short session time-out through GPO so that users cannot use each other's profiles. Do not give users administrative rights that would let them see other users' profile folders.
- Personnel Background Investigation - Use a third-party background check company to research potential employees.
- Segregation of Duties - Management staff agree on the specific job titles for the organization's personnel. This allows access control to be segregated by role.
ii. Data Privacy Legal Requirements as per RFP's Compliance
After conducting an IT security compliance and governance gap analysis, the following gaps related to privacy data have been identified and a mitigation control has been recommended for each.
- Compliance with Legal Requirements - Have legal experts review the regulatory requirements and create a framework for auditors and managers to ensure all regulatory requirements are being followed and enforced.
- Applicable Legislation - Have legal experts review the legislation and create a framework for auditors and managers to ensure all legislative requirements are being followed and enforced.
- Data Protection and Privacy - Create standard operating procedures for acceptable use of personal information, protecting it from unauthorized use, modification, or disclosure. Empower auditors and managers to ensure policies are being followed and enforced.
- Data Breach and Disclosure - Train employees to provide notices of disclosure to the individuals affected.
iii. Procedure to Conduct a Security Assessment and Risk Identification
The following procedures, explanations, and actions have been developed to conduct a security assessment of the workstation and system/application domains.
Workstation Domain
- Educating and retraining users on acceptable use. Continuous user education mitigates most of the risk in the workstation domain: users learn how to handle situations that could harm the network. Training takes place during a new employee's first week, with yearly refresher training covering new threats.
- Setting an auto-lock policy for when the user is away from the PC. This mitigates the risk of other users seeing or tampering with data they should not have access to. Create a GPO that automatically locks the computer after ten minutes of inactivity.
- Securely deleting data from the computer's recycle bin. This mitigates the risk of a user or attacker recovering hidden or erased data, by overwriting any deleted data with zeros. Create a GPO that securely deletes files removed from the drive. Note that in-place overwriting is not reliable on solid-state drives or journaling file systems, where copies of the data can survive outside the overwritten blocks; full disk encryption (already required for mobile workstations) is the dependable control there.
- Securely disposing of computers and drives once the computer has been deemed inactive. This mitigates data leakage by making sure the drives have been removed and erased bit by bit. Buy tools that write zeros over every bit of the drive, or use the drive's built-in secure erase, before disposal.
- Installing antivirus at the enterprise level. This mitigates data leakage and stops malicious software from damaging systems. Use an enterprise antivirus product that can be managed from a central server.
System/Application Domain
- Patching servers, firewalls, and workstations. This keeps attackers from exploiting known vulnerabilities in server, firewall, and workstation operating systems.
- Email scanning software and server hardening. The software scans all incoming and outgoing email for viruses and hidden data. Also remove any services not used by the email servers. Install software such as Iron Mail.
- Protecting database servers from attacks, and server hardening. This mitigates attacks on SQL servers. Also remove any services not used by the database servers, and define each column with the exact data type and constraints the information requires.
- Protecting web servers from attacks, and server hardening. Also remove any services not used by the web servers.
- Closing firewall ports that are not in use. This keeps attackers from using unused open ports to gain access to the network. Turn off any ports not used by system servers or workstations.
iv. Data Security Mitigation Actions Based on Qualitative Risk Assessment
The following plan aligns the tasks and deliverables for risk assessment, analysis, and remediation with specific recommendations for addressing the risks identified.
- Segmentation and Layered Security - The State Government's operational environment shall support segmentation and layered security technologies and configurations based on role, risk, and sensitivity. Developers will implement layered security technologies and configurations based on access control rules.
- Media Handling and Security - Only licensed software procured through State Government contracts shall be installed in the State's environment. Auditors and managers will ensure that only licensed software is installed on systems.
- User Access Management - All State Government agencies shall develop, document, and maintain user access and account management procedures. Management and employees will handle procedures such as new account creation, account transfer, job profile changes, account termination, and/or account deletion.
- Network Access Control - All access and connectivity to the State Government's network must comply with the State Government's security requirements for network interconnectivity. Network designers will design a network that provides the ability to segregate and control traffic between systems, connected devices, and third parties based on role, risk, and sensitivity.
IV. Evaluation Design
i. Phased Project Approach and High-Level Project Plan Outline
We have developed a phased approach to the scope of work and built an outline for a high-level project plan.
- Definition of the scope of analysis
- Identification of the State's critical assets
- Determination of the best analytical basis (qualitative or quantitative) for the evaluation
- Identification of potential risks, threats, and vulnerabilities
- Evaluation of the risk profile (risk, threat, and vulnerability assessment)
- Risk remediation recommendations: short-term and long-term, with cost magnitude estimates
Tasks:
- Provide a narrative that illustrates the proposer's understanding of the State's requirements and project schedule.
- Provide a narrative that illustrates how the proposer will complete the scope of services, accomplish the required objectives, and meet the State's project schedule.
- Provide a narrative that illustrates how the proposer will manage the project, ensure completion of the scope of services, and accomplish the required objectives within the State's project schedule.
- Provide a narrative illustrating the methodology for conducting vulnerability assessments and penetration tests.
- Provide a narrative describing how the vulnerability assessment and penetration testing methodologies are applied in performing the services for customers, including project management and incident and emergency procedures.
- Provide a narrative detailing the systems that can be assessed for vulnerabilities, including but not limited to operating systems, databases, and infrastructure/networking.
- Provide a narrative illustrating the methodology for reviewing code.
ii. High-Level Description of Current Client's Need
The State has an immediate requirement for contractual support for technical security consulting services for its information security program. The State is undertaking a review of its entire system security program, to include risk analysis and vulnerability assessments of the system, assessment of the automated security program, security awareness training, development and enhancement of security plans, continuity and contingency planning, and an infrastructure protection review. Telecon Security Services Inc. plans to tackle these requests head on. Our organization provides security assessments by top-level certified technicians, and our team also offers penetration testing. Our team takes pride in its work and shows it through the care it provides.
iii. IT Security Compliance and Governance Gap Analysis Plan Outline
The following project plan identifies privacy data and related gaps and recommends a mitigation action for each.
- Segregation of Duties - Management staff agree on the specific job titles for the organization's personnel. This allows access control to be segregated by role.
- Personnel Background Investigation - Use a third-party background check company to research potential employees.
- Use of Shared Technology Resources - Set a short session time-out through GPO so that users cannot use each other's profiles. Do not give users administrative rights that would let them see other users' profile folders.
- Operating System Access Controls - Remove administrative access from non-power users to keep users from damaging computers or installing viruses.
- User Privilege Control - Set up user groups with access to specific areas of the network and limit what each department can see.
- Application Control - Procurement staff to track licenses for specific applications.
iv. Compliance Project Plan Definition
We have developed a project plan that identifies gaps related to privacy data and recommends mitigation actions for each gap outlined in the RFP regarding the current IT policy framework description.
- Data Breach and Disclosure - Workers trained to provide notices of disclosure to the individuals affected.
- Data Protection and Privacy - Policy writers to create standard operating procedures for acceptable use of personal information, protecting it from unauthorized use, modification, or disclosure. Auditors and managers to ensure policies are being followed and enforced.
- Applicable Legislation - Lawyers and legislation subject matter experts to review legislation. Auditors and managers to ensure legislative requirements are being followed and enforced.
- Compliance with Legal Requirements - Lawyers and regulatory requirement subject matter experts to review requirements. Auditors and managers to ensure regulatory requirements are being followed and enforced.
v. Disaster Recovery Plan Outline
Our business continuity services offer the following to keep your organization prepared for a wide range of emergency situations:
Ready for any emergency. Telecon Security Services Inc. prepares your organization for any disaster that could affect your IT infrastructure, whether it is a natural event, cybercrime, a power outage or human error.
Proactive planning. By developing effective policies and procedures, we help you and your staff operate effectively and efficiently if your business is affected by an emergency of any kind.
Reliable backups. Telecon Security Services Inc. keeps your data up to date and secure, stored both locally on site and off site in the cloud. This protects your business from data loss and ensures that in the event of a natural disaster you can continue to access your systems and files. Backups that remain reachable from the production network can be destroyed by the same malware or intruder that caused the outage, so at least one copy is kept offline or on storage that cannot be overwritten.
Regularly tested systems. By testing the backup systems on a regular basis, we ensure they are ready for use at the moment they are needed.
With each step New Orleans business owners take toward a more developed and profitable operation, they need to be sure their IT systems can support that growth. Arranging one-off consultations with IT companies is inconvenient and expensive, but without the right knowledge your technology may fail to meet the requirements of the next stage of business growth.
In any recovery plan there is a wide array of disaster possibilities and recovery procedures to consider. To narrow the problem, preliminary assumptions are developed as guidelines. For the recovery effort to be successful, all involved staff are required to ensure that these assumptions are current and correct. Supervisors will keep all personnel affected by this plan aware of its current procedures and practices. All staff affected by this plan are responsible for understanding their role in a disaster situation. This plan will be continuously maintained, and the recovery procedure documented in it should be tested annually. All staff must respond quickly and effectively during the recovery process.
Disaster recovery can only succeed if there is an initial backup of the static components, including the system software, proprietary packages, programs, and data; a regular backup, at least daily, of all changes and modifications to these electronic components; and regular testing of the hardware and communications backup facilities. This plan should be revised annually and should always be readily accessible to authorized personnel. Objectives should be reviewed and updated by management on an annual basis. The Disaster Recovery Plan may require updates when issues or changes include some or any of the following: mainframe and mid-range disaster recovery test results, new critical applications or critical users, increased application complexity, new equipment acquisitions, and/or changes to hardware, software, network, applications, and/or data. Items to be examined for plan revision should include: personnel changes, mission changes, priority changes, new business organizations, mainframe and mid-range disaster recovery test strategies and results, backup procedures, recovery procedures, the relocation/migration plan, software (operating system, utilities, application programs), hardware (mainframe, mid-range and peripherals), and communications network facilities.
Normal DRP procedures include developing, documenting, implementing and testing the Disaster Recovery Plan. The state government will then be able to restore the availability of critical applications in a timely and organized manner following a disaster event. To meet these objectives, the technology area will depend on support from senior management, end users and staff departments. Testing the plan is intended to train the personnel who will be responsible for executing the Disaster Recovery Plan. IT-related emergencies can strike at any time, whether malware attacks, natural disasters or system crashes. It is crucial to have a plan in place to ensure your business can keep unproductive downtime to a minimum. Every minute your systems are down costs you more, so prepare your business for the worst by planning ahead.
In the event of a declared disaster, key personnel will take immediate action to alert the Disaster Recovery Center. Restoration of the Critical Coverage will be provided after a disaster is declared and after turnover of the disaster recovery backup site. It will include, without limitation, the following: delivery of the Authorized User Data and Software held in off-site storage to the Disaster Recovery Center, connecting network lines to the Disaster Recovery Center, operating the Critical Applications on the Configuration at the Disaster Recovery Center, providing Critical Coverage at the Disaster Recovery Center, and providing workspace and required equipment. Recovery activities will be conducted in a phased approach. The emphasis will be on recovering the critical applications effectively and efficiently. Critical applications will be recovered over a period of time after data center activation.
vi. Business Continuity Plan Outline
Purpose - This Business Continuity Plan (BCP) will be updated in response to changes in the business environment, and the State Government will review the plan at least annually. This document outlines the steps required to keep the State Government operating in the event of an unanticipated interruption of normal operations. It articulates the triggers for deploying alternate business processes, the steps to deploy them, the methods for verifying that business has been properly restored and that data integrity is ensured, and the activities for returning to "normal" business processing.
Scope - This BCP applies to the IT department covered by this RFP.
Assumptions - The plan will be invoked if systems are unavailable for 48 hours.
- Facilities will provide temporary space for critical staff
- IT will provide technical assistance at the temporary location
- Telecommunications will have phone lines available at the temporary location
- Equipment can be rented or otherwise acquired as needed
- IT can restore files from the latest off-site backups
Critical Business Functions:
- Accounting
- Human Resources
- Administration
- Information Services
- Purchasing
Risks to Operations and Strategies to Address Them
Natural risks:
- High winds/tornadoes: Have backup sites spread across the state to keep the network up and running.
- Lightning: Have backup generators ready to supply power to the building.
- Flooding: Keep essential equipment on the 2nd floor and above.
- Fire: Install fire suppression systems and fireproof drywall to protect important assets.
Intentional acts:
- Theft: Install camera systems within the office. Encrypt any machine that goes off site.
- Cyber attack: Server hardening, patching of all network assets, and firewall hardening.
- Malware: Keep anti-virus up to date to mitigate this risk.
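"Firewall hardening" in the risk table above and "seal off firewall ports that are not in use" in section III.iii are the same audit: compare the rule base against what actually listens, close what nothing needs, and make sure unmatched traffic is denied explicitly. The Python block below is an added example, not code from the RFP response or from any firewall product; the rule export format, the listener inventory and the sample data are constructed assumptions. It reports allow rules with no matching listener (candidates to close), lists the listeners an allow rule actually reaches (the exposed surface that patching and hardening should be prioritised on), and checks that the rule base ends in an explicit deny-all.

```python
"""Firewall rule-base audit against a listening-service inventory.

Added example for 'seal off firewall ports that are not in use' and
'firewall hardening'; not code from the RFP response or any firewall product.
The export format, the inventory and the samples are constructed.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name action proto port dst")

# Assumed rule export: "name action proto port dst", first match wins.
SAMPLE_RULES = """\
# name          action proto port dst
allow-https     allow  tcp   443  10.1.0.10
allow-smtp      allow  tcp   25   10.1.0.20
allow-telnet    allow  tcp   23   10.1.0.20
allow-rdp       allow  tcp   3389 10.1.0.30
allow-dns       allow  udp   53   10.1.0.40
deny-any        deny   any   any  any
"""

# Assumed inventory of listening sockets gathered on each server, as
# (host, proto, port).  Constructed sample.
SAMPLE_LISTENERS = {
    ("10.1.0.10", "tcp", 443),
    ("10.1.0.20", "tcp", 25),
    ("10.1.0.20", "tcp", 22),    # listens, but no allow rule: already closed at the firewall
    ("10.1.0.30", "tcp", 3389),
}


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, action, proto, port, dst = re.split(r"\s+", line, maxsplit=4)
        rules.append(Rule(name, action.lower(), proto.lower(), port.lower(), dst))
    return rules


def unused_allow_rules(rules, listeners):
    """Allow rules whose destination host/port has nothing listening: the
    'open ports not in use' the procedure says to close."""
    return [r.name for r in rules
            if r.action == "allow" and r.port != "any"
            and (r.dst, r.proto, int(r.port)) not in listeners]


def exposed_listeners(rules, listeners):
    """Listeners that an allow rule reaches: the real exposed surface."""
    allowed = {(r.dst, r.proto, r.port) for r in rules if r.action == "allow"}
    return sorted(l for l in listeners if (l[0], l[1], str(l[2])) in allowed)


def ends_with_default_deny(rules):
    """True when the last rule is an explicit deny-all, so unmatched traffic
    does not depend on the vendor's implicit default."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and last.proto == "any" and last.port == "any" and last.dst == "any"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("rules to close:", unused_allow_rules(rules, SAMPLE_LISTENERS))
    print("exposed:", exposed_listeners(rules, SAMPLE_LISTENERS))
    print("default deny present:", ends_with_default_deny(rules))
```

On the sample data the audit flags allow-telnet and allow-dns as rules with nothing behind them, which is exactly the case the procedure describes: a rule that once served a host that has since been rebuilt or moved, left open for anyone who later lands on that address.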
Resources Needed:
- Personnel: Certified IT department, training instructors
V. Executive Summary
i. Layered Security Solution Executive Summary
To guarantee the security of business-critical information, it is essential to establish a multi-layered strategy to address the threats. Organizations often concentrate their defensive controls at the perimeter in the belief that this makes it difficult for attackers to enter their systems. However, once that perimeter is breached, attackers have relatively free rein inside the network. Hardened perimeter defenses alone also fail to address the threat from internal sources. Organizations need to establish a multi-layered security strategy that focuses on the confidentiality, integrity and availability of the information being protected. A multi-layered approach to security ensures that if one layer fails or is compromised, the other layers compensate and maintain the security of that information. Accordingly, each of these layers should have multiple controls deployed to protect the confidentiality, integrity and availability of the information. Some of the more basic of these controls include system configuration hardening, file integrity monitoring, and log management.
You deserve the best in IT support, and that only comes from those who work with the best themselves. Telecon Security Services Inc. has the best strategic partners in the business, so to learn more about what we can do for your New Orleans business, call us at (504) 848-0571 or email us at info@teleconsecurity.com today.