Running head: IT SECURITY POLICY
Enterprise IT Security Policy Outline
IT Security Policy
Introduction
Enterprise IT security is a vital aspect especially when it
comes to the protection of information assets. This is more so
when these assets can be classified as of strategic national
importance, otherwise regarded as critical infrastructure. From
historical data, to current operations data, future plans and the
systems that house these data, IT security is necessary to
prevent them from being compromised by external parties.
Enterprise IT security encompasses a wide range of areas in a
bid to ensure that the implementation is done holistically
without leaving room for potential malicious parties. One of the
most important critical infrastructures is that belonging to
NASA.
NASA Overview
The National Aeronautics and Space Administration is a federal
government agency responsible for the American civilian space
flight program and research. Established under the National
Aeronautics and Space Act in 1958, NASA has conducted all
federally funded civilian space programs and the corresponding
research into the field. Apart from the manned and unmanned
missions to space, it has also contributed to the building of the
International Space Station, and its research has gone on to
contribute to a myriad of consumer and industrial applications.
The Jet Propulsion Laboratory is a division of NASA based in
California that is responsible for research and development mostly
in robotic spacecraft. The center also operates the agency’s
current fleet of robotic spacecraft. The information contained at
this facility is vast and of great importance to NASA. This
includes information on its current operations, plans for future
development as well as the trove of ground-breaking research
being conducted by its team of scientists. To fully protect this
vast information requires the implementation of a robust
enterprise IT security policy that fully appreciates the
importance of this facility and the necessity for its protection
(“The Jet…”).
Policy Outline
1. Access Control
Under the framework core, Access Control is a category
that falls under the function of protection. It mostly involves
limiting access to cyber resources only to those who have prior
authorization to do so. Implementing this will include:
a) Assigning user privileges according to responsibility. A
robotics operator would not need to access the future strategic
plans to adequately perform their duties.
b) Single User Sign-in for all user profiles. This will prevent
multiple users from using the same credentials to access the
resources (“Framework...,” 2014).
2. Application Development
Application development can be done to improve existing
systems by adding functionalities onto them or building entirely
new applications. Whichever the reason, it is important that
whatever application is being developed does not
jeopardize the specific network by creating loopholes. The
following policies address this.
a) Rigorous application testing before deployment. This rids the
applications of any and all bugs that might otherwise endanger
the system.
b) Peer review. This ensures that more people get to appraise
the application before it is deployed (“Framework...,” 2014).
3. Asset Management
Asset management is largely about identifying the
components of the system and inventorying them according to
their functions and their criticality to the operations of the
organization. While a communication mechanism within the
system is important, it is not as important as the database
hosting vast amounts of research on robotics. The exact policies
include:
a) Mapping out the data flow. This provides knowledge on how
data moves which is important when troubleshooting network
problems.
b) Inventorying all hardware and software on a regular basis.
This monitoring not only ensures they are up to date but also
that none of them is being misused. (“CIS Critical...”)
4. Business Operations
JPL is a division of a federal government agency. As such,
its operations are required to conform to the functions set out
for NASA under the National Aeronautics and Space Act.
Policies include:
a) Strictly sticking to the roles of JPL as set out for it. Doing
this ensures that whatever activities are being conducted not only
adhere to the law but also do not expose sensitive data to
those not authorized, even in government.
b) Following the set out official procedures within NASA
whenever there is a major decision to be made. While some
departmental heads in private entities might enjoy total control
over their duties, the same can’t be said of a government
institution (“Framework...,” 2014).
5. Communications
Communication comes into an enterprise security policy
two-fold. The first is during the response to a crisis, to ensure
correct reporting and coordination of various stakeholders in
managing the crisis. It also applies in managing the aftermath of
the crisis through public relations exercises. The following are
necessary:
a) Establishing clear and coherent reporting mechanisms within
the organization. This ensures information is gathered more
efficiently.
b) Having a designated communications team. This ensures that
any information being released is from a single point, rather than
from different voices that might create entropy
(“Framework...,” 2014).
6. Compliance
Given the sensitive nature of the work being done by the
JPL team, it is necessary that all of its employees be vetted
under Federal Information Processing Standards 201, also known
as FIPS 201. Only after complying with this are employees
allowed to continue working for the lab. The policies for
this are:
a) Knowing and understanding the rules and regulations on
cyber-security. This way, no one falls prey to the pitfalls of
ignorance and its corresponding mistakes.
b) Coordinating with the Sector Coordinating Councils to review
the Cyber-security Framework of the federal government
(“Framework...,” 2014).
7. Corporate Governance
These are policies and procedures that need to be
undertaken for the management of regulatory and operational
requirements. They include:
a) Establishing an information security policy. This will cover
all the information assets belonging to the organization.
b) Establishing information security roles and responsibilities
for all employees. This should align with their roles internally
(“CIS Critical...”).
8. Customers
These are policies that are implemented to govern
an organization’s relationship with its customers. But all of
JPL’s projects are for the benefit of NASA. Still, policies that
can be implemented in this regard include:
a) Aligning with the overall NASA IT security policy. It creates
organizational uniformity to avoid instances of confusion.
b) Establishing clear communication channels with the rest of
NASA that serve to ensure further IT security. E.g. utilizing
technology used in the rest of the agency and adopting those
developed by others.
9. Incident Management
With admission that incidents can still happen, incident
management policies are drawn to guide the organization on
how best to mount a response. These include:
a) Developing incident containment processes. This deals with
first stopping an incident, followed by activities that will
lessen the effects of the incident.
b) Identifying new risks. Once they are identified and accepted,
mitigation measures can then be prepared (“Framework...,”
2014).
10. IT Operations
Policies on IT operation largely deal with the conduct of
activities like configuring databases, installing and managing
applications, configuring networks and so forth. Policies
include:
a) Assigning roles over such activities on the basis of the
importance of the activity. The more important an activity,
the more seniority is attached to the role.
b) Establishing a monitoring mechanism. This will provide a
continuous assessment of the hardware and software
(“Framework...,” 2014).
11. Outsourcing
These policies are about the involvement of outside
contractors to carry out functions that would otherwise have
been done in-house but are not really central. It includes
hardware maintenance among others. Policies are:
a) Subjecting contractors to the same rigorous vetting as
employees. This will uphold the level of security already
established.
b) Agreeing on an acceptable level of service that will maintain
the already established security regime. This ensures that the
services do not risk internal systems. (“Framework...,” 2014)
12. Physical/Environmental
These policies govern security in regard to the
environment around the system and how it affects it. They
include:
a) Taking regard for the environment. This relates to the impact
of the system on the environment and how best to reduce it. E.g.
efficient energy use.
b) Facility access controls. This largely deals with the security of
the data center in regard to physical access to it. It can
involve the use of keypad locks and biometric scanners.
13. Policies & Procedures
Policies and procedures govern how specific activities
should be conducted. They ensure that regard to security is
acknowledged at all times and the necessary steps taken to
ensure so.
a) Employee code of conduct. This will obligate employees to
always adhere to the set out rules on policies and procedures.
b) Management input. The contribution of the management in
the drawing and maintenance of rules and procedures ensures
that the overall goals of the organizations can be included (“CIS
Critical...”).
14. Privacy
It is important that civil liberties not be trampled on in a
quest for security. A right balance can be achieved by involving
all stakeholders.
a) Notifying employees on all areas that will be under
surveillance. This way, they are always aware of the security
accorded to the various areas.
b) Demarcating applicable areas. This keeps the personal and
professional aspects of employees separate (“CIS Critical...”).
15. IT Security Program Implementation
These policies dictate how these policies will be carried
out within the entire organization. It largely deals with
assigning responsibilities.
a) Stating each employee’s responsibility in the implementation
process. This promotes clarity as everyone knows what they are
required to do.
b) Drawing a security implementation schedule. Not only does it
set timelines for completion of given tasks, it also promotes
accountability by having those responsible adhere to those
timelines (“CIS Critical...”).
Works Cited
Framework for Improving Critical Infrastructure Cybersecurity.
(2014). Retrieved January 19, 2016, from
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
CIS Critical Security Controls. Retrieved January 19, 2016,
from https://www.sans.org/critical-security-controls
The Jet Propulsion Laboratory. Retrieved January 19, 2016,
from http://www.jpl.nasa.gov/
Data Center Local Policy
Policy Document
Access Control Policy
Enter your Name:
_____________________________________
Professor Last Name: Landreville
Document Control
[CSIA 413, Today’s Date]
Organization: [Name of your chosen organization]
Title: [Name of the Local Policy ]
Author: [Your Name ]
Owner: Data Center Manager
Subject: IT Local Access Policy
Review date: Date of Completion of Policy
Revision History
Revision Date
Reviser
Previous Version
Description of Revision
Changes to your draft are provided here
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
[CEO, CISO, etc.]
Enter date of submission to folder
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All Data Center Staff
Technicians
Enter your email address
Contributors
Development of this policy was assisted through information
provided by the following organization:
· Enter your organization
Contents
List the contents of the policy
Table of Contents
Policy Statement
[ ] will establish specific requirements for protecting
information and information systems against unauthorized
access.
[ ] will effectively communicate the need for
information and information system access control.
Purpose
Information security is the protection of information against
accidental or malicious disclosure, modification or destruction.
Information is an important, valuable asset of [ name of your
chosen organization ] which must be secured from threats, and
vulnerabilities must be identified and patched. All information
has a value to the organization. Access controls are essential to
protect information by controlling user rights for information
resources and by guarding against unauthorized use. Formal
procedures must control how access to information is granted
and how such access is changed.
This policy includes the following access control measures
[enter 5 local policy protections for your chosen organization
based on a brief risk assessment using FIPS 199 and FIPS 200].
Scope
This policy applies to all [ BE THOROUGH IN SCOPE
] (including system support staff, contractual third parties and
agents with any form of access to the data center information
and information systems).
Definition
Access control rules and procedures are required to regulate
who can access information resources or systems and the
associated access privileges. This policy applies at all times
and should be adhered to whenever accessing information in any
format, and on any device.
Risks
On occasion business information may be disclosed or accessed
prematurely, accidentally or unlawfully. Individuals or
companies, without the correct authorization and clearance may
intentionally or accidentally gain unauthorized access to
business information which may adversely affect day to day
business. This policy is intended to mitigate that risk.
Non-compliance with this policy could have a significant effect
on the efficient operation of the data center and may result in
financial loss and an inability to provide necessary services to
our customers.
Risk Assessment and level of risk
Identify weaknesses in the system.
Identify possible threats and vulnerabilities in the system.
SIGNATORY AUTHORITY (Enter CISO Name)
Include the following information in your local policy
Applying the Policy – Employee Access
User Access Management
Formal user access control procedures must be documented,
implemented and kept up to date for each application and
information system to ensure authorized user access and to
prevent unauthorized access. They must cover all stages of the
lifecycle of user access, from the initial registration of new
users to the final de-registration of users who no longer require
access. These must be agreed by the system administrator. Each
user must be allocated access rights and permissions to
computer systems and data that:
· List constraints on what the user in the data center is allowed
to view, read, change
User access rights must be reviewed at regular intervals to
ensure that the appropriate rights are still allocated. System
administration accounts must only be provided to users that are
required to perform system administration tasks.
User Registration
A request for access to the computer systems must first be
submitted to the [Name a department – e.g. Information
Services Helpdesk] for approval. Applications for access must
only be submitted if approval has been gained from [Name a
role – e.g. your line manager].
When an employee leaves, access to computer systems and data
must be suspended at the close of business on the employee’s
last working day. It is the responsibility of the [Name a role –
e.g. your line manager] to request the suspension of the access
rights via the [Name a department – e.g. Information Services
Helpdesk].
User Responsibilities
It is a user’s responsibility to prevent their userID and password
being used to gain unauthorized access to systems by:
· Following the Password Policy Statements outlined above in
Section 6.
· Add three more user responsibilities
Network Access Control
The use of modems on non-owned PCs connected to the
network can seriously compromise the security of the network.
The normal operation of the network must not be interfered
with. Specific approval must be obtained from [Name a
department – e.g. Information Services] before connecting any
equipment to the network.
User Authentication for External Connections
Where remote access to the [ Name] network is required, an
application must be made via the [Name a department – e.g. IT
Helpdesk]. Remote access to the network must be secured by
two factor authentication consisting of a username and one
other component, for example a [Name a relevant authentication
token]. For further information please refer to [name a relevant
policy -likely to be Remote Working Policy].
Supplier’s Remote Access to the Network
Partner agencies or 3rd party suppliers must not be given details
of how to access the network without permission from [Name a
department – e.g. IT Helpdesk]. Any changes to supplier’s
connections must be immediately sent to the [Name a
department – e.g. IT Helpdesk] so that access can be updated or
ceased. All permissions and access methods must be controlled
by [Name a department – e.g. IT Helpdesk].
Partners or 3rd party suppliers must contact the [Name a
department – e.g. IT Helpdesk] before connecting to the [
Name] network and a log of activity must be maintained.
Remote access software must be disabled when not in use.
Operating System Access Control
Access to operating systems is controlled by a secure login
process. The access control defined in the User Access
Management section (section 7.1) and the Password section
(section 6) above must be applied. The login procedure must
also be protected by:
· Provide security controls to protect unauthorized access from
the table below
All access to operating systems is via a unique login id that will
be audited and can be traced back to each individual user. The
login id must not give any indication of the level of access that
it provides to the system (e.g. administration rights).
System administrators must have individual administrator
accounts that will be logged and audited. The administrator
account must not be used by individuals for normal day to day
activities.
Application and Information Access
Access within software applications must be restricted using the
security features built into the individual product. The [Name a
department – e.g. IT Helpdesk or ‘business owner’] of the
software application is responsible for granting access to the
information within the system. The access must [amend list as
appropriate]:
· Provide compliance instructions (list 3).
Policy Compliance
If any user is found to have breached this policy, they may be
subject to [Name’s] disciplinary procedure. If a criminal
offence is considered to have been committed further action
may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how
it may apply to you, seek advice from [name appropriate
department].
Review and Revision
This policy will be reviewed as it is deemed appropriate, but no
less frequently than every 12 months.
Policy review will be undertaken by [Name an appropriate role].
References
The following [Name] policy documents are directly relevant to
this policy, and are referenced within this document [amend list
as appropriate]:
· Remote Working Policy.
The following [Name] policy documents are indirectly relevant
to this policy [amend list as appropriate]:
List three other policies that may be necessary for the
technicians to read as background (i.e.: Local email use;
Acceptable use, etc.)
Key Messages
Summarize the most important points of the policy for Access
Project #2: Prepare a Local IT Security Policy
Introduction
In Project 1, you developed an outline for an enterprise level IT
security policy. In this project, you will write an IT security
policy which is more limited in scope – a local IT security
policy. This policy will apply to a specific facility – a data
center. Your policy must be written for a specific organization
(the same one you used for Project #1). You should reuse
applicable sections of Project #1 for this project (e.g. your
organization overview and/or a specific section of your outline).
If you wish to change to a different organization for project #2,
you must first obtain your instructor’s permission.
Your local IT security policy will be used to implement access
control for the information, information systems, and
information infrastructure (e.g. networks, communications
technologies, etc.) which are housed within the data center.
Your policy must protect the data center by preventing
personnel who are not authorized to access or use the resources
of the organization from gaining access and potentially causing
harm (e.g. loss of confidentiality, integrity, or availability).
Such personnel may include employees, contractors, vendors,
and visitors. You should also address unauthorized individuals
who may attempt to gain access to the facility, its information
systems, or its networks.
Your policy is being written by you as the facility manager. In
this role, you are also the information system owner (ISO) for
all IT systems and networks within the data center. The
information systems hosted in the data center are shown in
Figure 2-1.
The primary audience for your policy is the Tier 1 staff
responsible for day-to-day operations and maintenance in the
data center. Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO.
Research:
1. Research the subject of access controls and control measures
(security controls) required for a data center. Suggested control
measures are listed in Table 2-1. Use the IT architecture shown
in Figure 2-2 to identify the types of systems and networks
which must be secured against unauthorized access.
Table 2-1. Access Control Measures for a Data Center
· Access Control Decisions
· Access Enforcement
· Account Management
· Concurrent Session Control
· Data Mining Protection
· Information Sharing
· Least Privilege
· Permitted Actions without Authentication
· Previous Logon (Access) Notification
· Publicly Accessible Content
· Reference Monitor
· Remote Access
· Security Attributes
· Session Lock
· Session Termination
· System Use Notification
· Unsuccessful Logon Attempts
· Use of External Information Systems
2. Using Figure 2-2, identify at least five specific types of
information which are likely to be stored within the data center
(use your organization’s mission, products, and services).
Research the types of access controls which must be provided to
protect the confidentiality, integrity, and availability of such
data. (Remember to consult Table 2-1.)
Figure 2-2. Data Center IT Architecture Diagram
Write:
1. Use the following outline to prepare your local IT security
policy for the data center. See the policy template / sample file
(attached to the assignment entry) for formatting and content
suggestions for individual sections.
I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Access Control
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Access Control for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the information, information systems, and
networks to be protected.
b. Identify who is required to comply with this policy. See the
project description for categories of personnel and other
individuals.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Using Figure 2-1, identify potential control weaknesses,
threats, and vulnerabilities (“risks”) which could negatively
impact the information, information systems, and information
infrastructure for the data center.
b. Identify and discuss the level of risk associated with the
identified weaknesses, threats, and vulnerabilities.
c. Identify the control measures which will be implemented to
mitigate or otherwise address each risk or risk area.
VII. Policy
a. For each control measure, write a policy statement (“Shall”
wording) which addresses the implementation of that control.
(See Table 2-1.)
b. Include an explanatory paragraph for each policy statement.
2. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
3. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately.
Formatting:
1. Submit your policy as an MS Word document using your
assignment folder.
2. Use standard outline formatting. See item #1 under “Write.”
3. Cite sources using a consistent and professional style. You
may use APA format citations and references, foot notes, or end
notes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
by copying text verbatim.)
4. You are expected to write grammatically correct English in
every assignment that you submit for grading. Do not turn in
any work without (a) using spell check, (b) using grammar
check, (c) verifying that your punctuation is correct and (d)
reviewing your work for correct word usage and correctly
structured sentences and paragraphs.
NASA IT Security Policy Outline

1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
 
Case Study on Effective IS Governance within a Department of Defense Organiza...
Case Study on Effective IS Governance within a Department of Defense Organiza...Case Study on Effective IS Governance within a Department of Defense Organiza...
Case Study on Effective IS Governance within a Department of Defense Organiza...
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
 
USE OF NETWORK FORENSIC MECHANISMS TO FORMULATE NETWORK SECURITY
USE OF NETWORK FORENSIC MECHANISMS TO FORMULATE NETWORK SECURITYUSE OF NETWORK FORENSIC MECHANISMS TO FORMULATE NETWORK SECURITY
USE OF NETWORK FORENSIC MECHANISMS TO FORMULATE NETWORK SECURITY
 
Use of network forensic mechanisms to formulate network security
Use of network forensic mechanisms to formulate network securityUse of network forensic mechanisms to formulate network security
Use of network forensic mechanisms to formulate network security
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
 
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAMIT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM
IT SECURITY PLAN FOR FLIGHT SIMULATION PROGRAM
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
 
820 1961-1-pb
820 1961-1-pb820 1961-1-pb
820 1961-1-pb
 

More from charisellington63520

in addition to these questions also answer the following;Answer .docx
in addition to these questions also answer the following;Answer .docxin addition to these questions also answer the following;Answer .docx
in addition to these questions also answer the following;Answer .docxcharisellington63520
 
In an environment of compliancy laws, regulations, and standards, in.docx
In an environment of compliancy laws, regulations, and standards, in.docxIn an environment of compliancy laws, regulations, and standards, in.docx
In an environment of compliancy laws, regulations, and standards, in.docxcharisellington63520
 
In American politics, people often compare their enemies to Hitler o.docx
In American politics, people often compare their enemies to Hitler o.docxIn American politics, people often compare their enemies to Hitler o.docx
In American politics, people often compare their enemies to Hitler o.docxcharisellington63520
 
In addition to the thread, the student is required to reply to 2 oth.docx
In addition to the thread, the student is required to reply to 2 oth.docxIn addition to the thread, the student is required to reply to 2 oth.docx
In addition to the thread, the student is required to reply to 2 oth.docxcharisellington63520
 
In addition to reading the Announcements, prepare for this d.docx
In addition to reading the Announcements, prepare for this d.docxIn addition to reading the Announcements, prepare for this d.docx
In addition to reading the Announcements, prepare for this d.docxcharisellington63520
 
In Act 4 during the trial scene, Bassanio says the following lin.docx
In Act 4 during the trial scene, Bassanio says the following lin.docxIn Act 4 during the trial scene, Bassanio says the following lin.docx
In Act 4 during the trial scene, Bassanio says the following lin.docxcharisellington63520
 
In a Word document, please respond to the following questions.docx
In a Word document, please respond to the following questions.docxIn a Word document, please respond to the following questions.docx
In a Word document, please respond to the following questions.docxcharisellington63520
 
In a Word document, create A Set of Instructions. (you will want.docx
In a Word document, create A Set of Instructions. (you will want.docxIn a Word document, create A Set of Instructions. (you will want.docx
In a Word document, create A Set of Instructions. (you will want.docxcharisellington63520
 
In a two page response MLA format paperMaria Werner talks about .docx
In a two page response MLA format paperMaria Werner talks about .docxIn a two page response MLA format paperMaria Werner talks about .docx
In a two page response MLA format paperMaria Werner talks about .docxcharisellington63520
 
In a paragraph (150 words minimum), please respond to the follow.docx
In a paragraph (150 words minimum), please respond to the follow.docxIn a paragraph (150 words minimum), please respond to the follow.docx
In a paragraph (150 words minimum), please respond to the follow.docxcharisellington63520
 
In a paragraph form, discuss the belowThe client comes to t.docx
In a paragraph form, discuss the belowThe client comes to t.docxIn a paragraph form, discuss the belowThe client comes to t.docx
In a paragraph form, discuss the belowThe client comes to t.docxcharisellington63520
 
In a minimum of 300 words in APA format.Through the advent o.docx
In a minimum of 300 words in APA format.Through the advent o.docxIn a minimum of 300 words in APA format.Through the advent o.docx
In a minimum of 300 words in APA format.Through the advent o.docxcharisellington63520
 
In a paragraph form, post your initial response after reading th.docx
In a paragraph form, post your initial response after reading th.docxIn a paragraph form, post your initial response after reading th.docx
In a paragraph form, post your initial response after reading th.docxcharisellington63520
 
In a minimum 250-word paragraph, discuss at least one point the auth.docx
In a minimum 250-word paragraph, discuss at least one point the auth.docxIn a minimum 250-word paragraph, discuss at least one point the auth.docx
In a minimum 250-word paragraph, discuss at least one point the auth.docxcharisellington63520
 
In a hostage crisis, is it ethical for a government to agree to gran.docx
In a hostage crisis, is it ethical for a government to agree to gran.docxIn a hostage crisis, is it ethical for a government to agree to gran.docx
In a hostage crisis, is it ethical for a government to agree to gran.docxcharisellington63520
 
In a double-spaced 12 Font paper  How did you immediately feel a.docx
In a double-spaced 12 Font paper  How did you immediately feel a.docxIn a double-spaced 12 Font paper  How did you immediately feel a.docx
In a double-spaced 12 Font paper  How did you immediately feel a.docxcharisellington63520
 
In a follow-up to your IoT discussion with management, you have .docx
In a follow-up to your IoT discussion with management, you have .docxIn a follow-up to your IoT discussion with management, you have .docx
In a follow-up to your IoT discussion with management, you have .docxcharisellington63520
 
In a COVID-19 situation identify the guidelines for ethical use of t.docx
In a COVID-19 situation identify the guidelines for ethical use of t.docxIn a COVID-19 situation identify the guidelines for ethical use of t.docx
In a COVID-19 situation identify the guidelines for ethical use of t.docxcharisellington63520
 
In a 750- to 1,250-word paper, evaluate the implications of Internet.docx
In a 750- to 1,250-word paper, evaluate the implications of Internet.docxIn a 750- to 1,250-word paper, evaluate the implications of Internet.docx
In a 750- to 1,250-word paper, evaluate the implications of Internet.docxcharisellington63520
 
In a 600 word count (EACH bullet point having 300 words each) di.docx
In a 600 word count (EACH bullet point having 300 words each) di.docxIn a 600 word count (EACH bullet point having 300 words each) di.docx
In a 600 word count (EACH bullet point having 300 words each) di.docxcharisellington63520
 

More from charisellington63520 (20)

in addition to these questions also answer the following;Answer .docx
in addition to these questions also answer the following;Answer .docxin addition to these questions also answer the following;Answer .docx
in addition to these questions also answer the following;Answer .docx
 
In an environment of compliancy laws, regulations, and standards, in.docx
In an environment of compliancy laws, regulations, and standards, in.docxIn an environment of compliancy laws, regulations, and standards, in.docx
In an environment of compliancy laws, regulations, and standards, in.docx
 
In American politics, people often compare their enemies to Hitler o.docx
In American politics, people often compare their enemies to Hitler o.docxIn American politics, people often compare their enemies to Hitler o.docx
In American politics, people often compare their enemies to Hitler o.docx
 
In addition to the thread, the student is required to reply to 2 oth.docx
In addition to the thread, the student is required to reply to 2 oth.docxIn addition to the thread, the student is required to reply to 2 oth.docx
In addition to the thread, the student is required to reply to 2 oth.docx
 
In addition to reading the Announcements, prepare for this d.docx
In addition to reading the Announcements, prepare for this d.docxIn addition to reading the Announcements, prepare for this d.docx
In addition to reading the Announcements, prepare for this d.docx
 
In Act 4 during the trial scene, Bassanio says the following lin.docx
In Act 4 during the trial scene, Bassanio says the following lin.docxIn Act 4 during the trial scene, Bassanio says the following lin.docx
In Act 4 during the trial scene, Bassanio says the following lin.docx
 
In a Word document, please respond to the following questions.docx
In a Word document, please respond to the following questions.docxIn a Word document, please respond to the following questions.docx
In a Word document, please respond to the following questions.docx
 
In a Word document, create A Set of Instructions. (you will want.docx
In a Word document, create A Set of Instructions. (you will want.docxIn a Word document, create A Set of Instructions. (you will want.docx
In a Word document, create A Set of Instructions. (you will want.docx
 
In a two page response MLA format paperMaria Werner talks about .docx
In a two page response MLA format paperMaria Werner talks about .docxIn a two page response MLA format paperMaria Werner talks about .docx
In a two page response MLA format paperMaria Werner talks about .docx
 
In a paragraph (150 words minimum), please respond to the follow.docx
In a paragraph (150 words minimum), please respond to the follow.docxIn a paragraph (150 words minimum), please respond to the follow.docx
In a paragraph (150 words minimum), please respond to the follow.docx
 
In a paragraph form, discuss the belowThe client comes to t.docx
In a paragraph form, discuss the belowThe client comes to t.docxIn a paragraph form, discuss the belowThe client comes to t.docx
In a paragraph form, discuss the belowThe client comes to t.docx
 
In a minimum of 300 words in APA format.Through the advent o.docx
In a minimum of 300 words in APA format.Through the advent o.docxIn a minimum of 300 words in APA format.Through the advent o.docx
In a minimum of 300 words in APA format.Through the advent o.docx
 
In a paragraph form, post your initial response after reading th.docx
In a paragraph form, post your initial response after reading th.docxIn a paragraph form, post your initial response after reading th.docx
In a paragraph form, post your initial response after reading th.docx
 
In a minimum 250-word paragraph, discuss at least one point the auth.docx
In a minimum 250-word paragraph, discuss at least one point the auth.docxIn a minimum 250-word paragraph, discuss at least one point the auth.docx
In a minimum 250-word paragraph, discuss at least one point the auth.docx
 
In a hostage crisis, is it ethical for a government to agree to gran.docx
In a hostage crisis, is it ethical for a government to agree to gran.docxIn a hostage crisis, is it ethical for a government to agree to gran.docx
In a hostage crisis, is it ethical for a government to agree to gran.docx
 
In a double-spaced 12 Font paper  How did you immediately feel a.docx
In a double-spaced 12 Font paper  How did you immediately feel a.docxIn a double-spaced 12 Font paper  How did you immediately feel a.docx
In a double-spaced 12 Font paper  How did you immediately feel a.docx
 
In a follow-up to your IoT discussion with management, you have .docx
In a follow-up to your IoT discussion with management, you have .docxIn a follow-up to your IoT discussion with management, you have .docx
In a follow-up to your IoT discussion with management, you have .docx
 
In a COVID-19 situation identify the guidelines for ethical use of t.docx
In a COVID-19 situation identify the guidelines for ethical use of t.docxIn a COVID-19 situation identify the guidelines for ethical use of t.docx
In a COVID-19 situation identify the guidelines for ethical use of t.docx
 
In a 750- to 1,250-word paper, evaluate the implications of Internet.docx
In a 750- to 1,250-word paper, evaluate the implications of Internet.docxIn a 750- to 1,250-word paper, evaluate the implications of Internet.docx
In a 750- to 1,250-word paper, evaluate the implications of Internet.docx
 
In a 600 word count (EACH bullet point having 300 words each) di.docx
In a 600 word count (EACH bullet point having 300 words each) di.docxIn a 600 word count (EACH bullet point having 300 words each) di.docx
In a 600 word count (EACH bullet point having 300 words each) di.docx
 

Recently uploaded

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayMakMakNepo
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 

Recently uploaded (20)

EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Quarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up FridayQuarter 4 Peace-education.pptx Catch Up Friday
Quarter 4 Peace-education.pptx Catch Up Friday
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 

NASA IT Security Policy Outline

  • 1. Running head: IT SECURITY POLICY IT SECURITY POLICY 4 Enterprise IT Security Policy Outline IT Security Policy Introduction Enterprise IT security is a vital aspect especially when it comes to the protection of information assets. This is more so when these assets can be classified as of strategic national importance, otherwise regarded as critical infrastructure. From historical data, to current operations data, future plans and the systems that house these data, IT security is necessary to prevent them from being compromised by external parties. Enterprise IT security encompasses a wide range of areas in a
  • 2. bid to ensure that the implementation is done holistically without leaving room for potential malicious parties. One of the most important critical infrastructures is that belonging to NASA. NASA Overview The National Aeronautics and Space Administration is a federal government agency responsible for the American civilian space flight program and research. Established under the National Aeronautics and Space Act in 1958, NASA has conducted all federally funded civilian space programs and the corresponding research into the field. Apart from the manned and unmanned missions to space, it has also contributed in the building of the International Space Station, and its research has gone on to contribute to a myriad of consumer and industrial applications. The Jet Propulsion Laboratory is a division of NASA based in California that is responsible research and development mostly in robotic spacecraft. The center also operates the agency’s current fleet of robotic spacecraft. The information contained at this facility is vast and of great importance to NASA. This includes information on its current operations, plans for future development as well the trove of ground-breaking research being conducted by its team of scientists. To fully protect this vast information requires the implementation of a robust enterprise IT security policy that fully appreciates the importance of this facility and the necessity for its protection (“The Jet…”). Policy Outline 1. Access Control Under the framework core, Access Control is a category that falls under the function of protection. It mostly involves limiting access to cyber resources only to those who have prior authorization to do so. Implementing this will include: a) Assigning user privileges according to responsibility. A robotics operator would not need to access the future strategic plans to adequately perform their duties. b) Single User Sign-in for all user profiles. This will prevent
  • 3. multiple users from using the same credentials to access the resources (“Framework...,” 2014). 2. Application Development Application development can be done to improve existing systems by adding functionalities onto them or building entirely new applications. Whichever reason, it is important that whatever application is being developed that it will not jeopardize the specific network by creating loopholes. The following policies address this. a) Rigorous application testing before testing. This rids the applications of any and all buds that might otherwise endanger the system. b) Peer review. This ensures that more people get to appraise the application before it is deployed (“Framework...,” 2014). 3. Asset Management Asset management is largely about identifying the components of the system and inventorying them according to their functions and their criticality to the operations of the organization. While a communication mechanism within the system is important, it is not as important as the database hosting vast amounts of research on robotics. The exact policies include: a) Mapping out the data flow. This provides knowledge on how data moves which is important when troubleshooting network problems. b) Inventorying all hardware and software on a regular basis. This monitoring not only ensures they are up to date but also that none of them is being misused. (“CIS Critical...”) 4. Business Operations JPL is a division of a federal government agency. As such, its operations are required to conform to the functions set out for NASA under the National Aeronautics and Space Act. Policies include: a) Strictly sticking to the roles of JPL as set out for it. Doing this ensures that whatever activities being conducted not only adhere to the law but also does not expose sensitive data to
  • 4. those not authorized, even in government. b) Following the set out official procedures within NASA whenever there is major decision to be made. While some departmental heads in private entities might enjoy total control over their duties, the same can’t be said of a government institution (“Framework...,” 2014). 5. Communications Communication comes into an enterprise security policy two-fold. This is during the response to a crisis to ensure correcting reporting and coordination of various stakeholders in managing the crisis. It also applies in managing the aftermath of the crisis through public relations exercises. The following are necessary: a) Establishing clear and coherent reporting mechanisms within the organization. This ensures information is gathered more efficiently. b) Having a designated communications team. This ensures that any information being released is from a single point and talking in different voices that might create entropy (“Framework...,” 2014) 6. Compliance Given the sensitive nature of the work being done by the JPL team, it is necessary that all of its employees be vetted under Federal Information Processing Standards 201 also known as FIPS 201. It is only after complying with this are employees then allowed to continue working for the lab. The policies for this are: a) Knowing and understanding the rules and regulations on cyber-security. This way, no one falls prey to the pitfalls of ignorance and its corresponding mistakes. b) Coordinate with the Sector Coordinating Councils to review the Cyber-security Framework of the federal government (“Framework...,” 2014) 7. Corporate Governance These are policies and procedures that need to be undertaken for the management of regulatory and operational
  • 5. requirements. They include: a) Establishing an information security policy. This will cover all the information assets belonging to the organization. b) Establishing information security roles and responsibilities for all employees. This should align with their roles internally (“CIS Critical...”). 8. Customers These are policies are policies that implemented to govern and organization’s relationship with its customers. But all of JPL’s projects are for the benefit of NASA. Still, policies that can be implemented in this regard include: a) Aligning with the overall NASA IT security policy. It creates organizational uniformity to avoid instances of confusion. b) Establishing clear communication channels with the rest of NASA that serve to ensure further IT security. E.g. utilizing technology used in the rest of the agency and adopting those developed by others. 9. Incident Management With admission that incidents can still happen, incident management policies are drawn to guide the organization on how best to mount a response. These include: a) Developing incident containment processes. This deals with first stopping and incident following by activities that will lessen the effects of the incident. b) Identifying new risks. Once they are identified and accepted, mitigation measures can then be prepared (“Framework...,” 2014). 10. IT Operations Policies on IT operation largely deal with the conduct of activities like configuring databases, installing and managing applications, configuring networks and so forth. Policies include: a) Assigning roles over such activities on the basis of the importance of the activity. The more importance of an activity, the more seniority attached to the role. b) Establishing a monitoring mechanism. This will provide a
  • 6. continuous assessment of the hardware and software (“Framework...,” 2014). 11. Outsourcing These policies are about the involvement of outside contractors to carry out functions that would otherwise have been done in-house but are not really central. It includes hardware maintenance among others. Policies are: a) Subjecting contractors to the same rigorous vetting as employees. This will uphold the level of security already established. b) Agreeing on an acceptable level of service that will maintain the already established security regime. This ensures that the services do not risk internal systems. (“Framework...,” 2014) 12. Physical/Environmental These policies govern security in regard to the environment around the system and how it affects it. They include: a) Taking regard for the environment. This relates to the impact of the system on the environment and how best to reduce it. E.g. efficient energy use. b) Facility access controls. Largely deals with the security of the data center in regards to physical access of to it. Can involve use of keypad locks and biometric scanners. 13. Policies & Procedures Policies and procedures govern how specific activities should be conducted. They ensure that regard to security is acknowledged at all times and the necessary steps taken to ensure so. a) Employee code of conduct. This will obligate employees to always adhere to the set out rules on policies and procedures. b) Management input. The contribution of the management in the drawing and maintenance of rules and procedures ensures that the overall goals of the organizations can be included (“CIS Critical...”). 14. Privacy It is important that civil liberties not be trampled on in a
  • 7. quest for security. The right balance can be achieved by involving all stakeholders. a) Notifying employees of all areas that will be under surveillance. This way, they are always aware of the security accorded to the various areas. b) Demarcating applicable areas. This keeps the personal and professional aspects of employees separate (“CIS Critical...”). 15. IT Security Program Implementation These policies dictate how the security policies will be carried out within the entire organization. They largely deal with assigning responsibilities. a) Stating each employee’s responsibility in the implementation process. This promotes clarity as everyone knows what they are required to do. b) Drawing a security implementation schedule. Not only does it set timelines for completion of given tasks, it also promotes accountability by having those responsible adhere to those timelines (“CIS Critical...”). Works Cited Framework for Improving Critical Infrastructure Cybersecurity. (2014). Retrieved January 19, 2016, from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf CIS Critical Security Controls. Retrieved January 19, 2016, from https://www.sans.org/critical-security-controls The Jet Propulsion Laboratory. Retrieved January 19, 2016, from http://www.jpl.nasa.gov/
  • 8. Data Center Local Policy Policy Document Access Control Policy Enter your Name: _____________________________________ Professor Last Name: Landreville
  • 9. Document Control [CSIA 413, Today’s Date] Organization [Name of your chosen organization] Title [Name of the Local Policy ] Author [Your Name ] Owner Data Center Manager Subject IT Local Access Policy Review date Date of Completion of Policy Revision History Revision Date Reviser Previous Version
  • 10. Description of Revision Changes to your draft are provided here Document Approvals This document requires the following approvals: Sponsor Approval Name Date Approved [CEO, CISO, etc.] Enter date of submission to folder Document Distribution This document will be distributed to: Name Job Title Email Address All Data Center Staff Technicians Enter your email address
  • 11. Contributors Development of this policy was assisted through information provided by the following organization: · Enter your organization Contents List the contents of the policy Table of Contents 1 2 3 4 5 Policy Statement [ ] will establish specific requirements for protecting information and information systems against unauthorized access. [ ] will effectively communicate the need for information and information system access control. Purpose Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of [ name of your chosen organization ] which must be secured from threats, and vulnerabilities must be identified and patched. All information has a value to the organization. Access controls are essential to protect information by controlling user rights for information resources and by guarding against unauthorized use. Formal
  • 12. procedures must control how access to information is granted and how such access is changed. This policy includes the following access control measures [enter 5 local policy protections for your chosen organization based on a brief risk assessment using FIPS 199 and FIPS 200]. Scope This policy applies to all [ BE THOROUGH IN SCOPE ] (including system support staff, contractual third parties and agents) with any form of access to the data center information and information systems. Definition Access control rules and procedures are required to regulate who can access information resources or systems and the associated access privileges. This policy applies at all times and should be adhered to whenever accessing information in any format, and on any device. Risks On occasion business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies, without the correct authorization and clearance, may intentionally or accidentally gain unauthorized access to business information which may adversely affect day to day business. This policy is intended to mitigate that risk. Non-compliance with this policy could have a significant effect on the efficient operation of the data center and may result in financial loss and an inability to provide necessary services to
  • 13. our customers. Risk Assessment and level of risk Identify weaknesses in the system. Identify possible threats and vulnerabilities in the system. SIGNATORY AUTHORITY (Enter CISO Name) Include the following information in your local policy Applying the Policy – Employee Access User Access Management Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorized user access and to prevent unauthorized access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. These must be agreed by the system administrator. Each user must be allocated access rights and permissions to computer systems and data that: · List constraints on what the user in the data center is allowed to view, read, change User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users that are required to perform system administration tasks.
  • 14. User Registration A request for access to the computer systems must first be submitted to the [Name a department – e.g. Information Services Helpdesk] for approval. Applications for access must only be submitted if approval has been gained from [Name a role – e.g. your line manager]. When an employee leaves, access to computer systems and data must be suspended at the close of business on the employee’s last working day. It is the responsibility of the [Name a role – e.g. your line manager] to request the suspension of the access rights via the [Name a department – e.g. Information Services Helpdesk]. User Responsibilities It is a user’s responsibility to prevent their userID and password being used to gain unauthorized access to systems by: · Following the Password Policy Statements outlined above in Section 6. · Add three more user responsibilities Network Access Control The use of modems on non-owned PCs connected to the network can seriously compromise the security of the network. The normal operation of the network must not be interfered with. Specific approval must be obtained from [Name a department – e.g. Information Services] before connecting any equipment to the network.
  • 15. User Authentication for External Connections Where remote access to the [ Name] network is required, an application must be made via the [Name a department – e.g. IT Helpdesk]. Remote access to the network must be secured by two-factor authentication consisting of a username and one other component, for example a [Name a relevant authentication token]. For further information please refer to [name a relevant policy - likely to be Remote Working Policy]. Supplier’s Remote Access to the Network Partner agencies or 3rd party suppliers must not be given details of how to access the network without permission from [Name a department – e.g. IT Helpdesk]. Any changes to supplier’s connections must be immediately sent to the [Name a department – e.g. IT Helpdesk] so that access can be updated or ceased. All permissions and access methods must be controlled by [Name a department – e.g. IT Helpdesk]. Partners or 3rd party suppliers must contact the [Name a department – e.g. IT Helpdesk] before connecting to the [ Name] network and a log of activity must be maintained. Remote access software must be disabled when not in use. Operating System Access Control Access to operating systems is controlled by a secure login process. The access control defined in the User Access Management section (section 7.1) and the Password section (section 6) above must be applied. The login procedure must also be protected by:
  • 16. · Provide security controls to protect against unauthorized access from the table below All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights). System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities. Application and Information Access Access within software applications must be restricted using the security features built into the individual product. The [Name a department – e.g. IT Helpdesk or ‘business owner’] of the software application is responsible for granting access to the information within the system. The access must [amend list as appropriate]: · Provide compliance instructions (list 3). Policy Compliance If any user is found to have breached this policy, they may be subject to [Name’s] disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, seek advice from [name appropriate
  • 17. department]. Review and Revision This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by [Name an appropriate role]. References The following [Name] policy documents are directly relevant to this policy, and are referenced within this document [amend list as appropriate]: · Remote Working Policy. The following [Name] policy documents are indirectly relevant to this policy [amend list as appropriate]: List three other policies that may be necessary for the technicians to read as background (i.e.: Local email use; Acceptable use, etc.) Key Messages Summarize the most important points of the policy for Access Project #2: Prepare a Local IT Security Policy
  • 18. Introduction In Project 1, you developed an outline for an enterprise level IT security policy. In this project, you will write an IT security policy which is more limited in scope – a local IT security policy. This policy will apply to a specific facility – a data center. Your policy must be written for a specific organization (the same one you used for Project #1). You should reuse applicable sections of Project #1 for this project (e.g. your organization overview and/or a specific section of your outline). If you wish to change to a different organization for project #2, you must first obtain your instructor’s permission. Your local IT security policy will be used to implement access control for the information, information systems, and information infrastructure (e.g. networks, communications technologies, etc.) which are housed within the data center. Your policy must protect the data center by preventing personnel who are not authorized to access or use the resources of the organization from gaining access and potentially causing harm (e.g. loss of confidentiality, integrity, or availability). Such personnel may include employees, contractors, vendors, and visitors. You should also address unauthorized individuals who may attempt to gain access to the facility, its information systems, or its networks. Your policy is being written by you as the facility manager. In this role, you are also the information system owner (ISO) for all IT systems and networks within the data center. The information systems hosted in the data center are shown in Figure 2-1. The primary audience for your policy is the Tier 1 staff responsible for day-to-day operations and maintenance in the data center. Your policy will be communicated to other personnel and to the senior managers who are ultimately responsible for the security of the organization and its IT assets. These managers include: CEO, CIO/CISO, and CSO. Research: 1. 
Research the subject of access controls and control measures (security controls) required for a data center. Suggested control
  • 19. measures are listed in Table 2-1. Use the IT architecture shown in Figure 2-2 to identify the types of systems and networks which must be secured against unauthorized access. Table 2-1. Access Control Measures for a Data Center · Access Control Decisions · Access Enforcement · Account Management · Concurrent Session Control · Data Mining Protection · Information Sharing · Least Privilege · Permitted Actions without Authentication · Previous Logon (Access) Notification · Publicly Accessible Content · Reference Monitor · Remote Access · Security Attributes · Session Lock · Session Termination · System Use Notification · Unsuccessful Logon Attempts · Use of External Information Systems 2. Using Figure 2-2, identify at least five specific types of information which are likely to be stored within the data center (use your organization’s mission, products, and services). Research the types of access controls which must be provided to protect the confidentiality, integrity, and availability of such data. (Remember to consult Table 2-1.) Figure 2-2. Data Center IT Architecture Diagram Write: 1. Use the following outline to prepare your local IT security policy for the data center. See the policy template / sample file (attached to the assignment entry) for formatting and content suggestions for individual sections.
  • 20. I. Identification a. Organization: [name] b. Title of Policy: Data Center Access Control c. Author: [your name] d. Owner: [role, e.g. Data Center Manager] e. Subject: Access Control for [data center name] f. Review Date: [date submitted for grading] g. Signatures Page: [authorized signers for the policy: CEO, CISO, Data Center Manager] h. Distribution List i. Revision History II. Purpose a. Provide a high level summary statement as to the policy requirements which are set forth in this document. III. Scope a. Summarize the information, information systems, and networks to be protected. b. Identify who is required to comply with this policy. See the project description for categories of personnel and other individuals. IV. Compliance a. Identify the measures which will be taken to ensure compliance with this policy (e.g. audits, compliance reporting, exception reporting, etc.) b. Identify the sanctions which will be implemented for compliance failures or other violations of this policy. c. Include information about how to obtain guidance in understanding or interpreting this policy (e.g. HR, corporate legal counsel, etc.) V. Terms and Definitions VI. Risk Identification and Assessment a. Using Figure 2-1, identify potential control weaknesses, threats, and vulnerabilities (“risks”) which could negatively impact the information, information systems, and information infrastructure for the data center. b. Identify and discuss the level of risk associated with the
  • 21. identified weaknesses, threats, and vulnerabilities. c. Identify the control measures which will be implemented to mitigate or otherwise address each risk or risk area. VII. Policy a. For each control measure, write a policy statement (“Shall” wording) which addresses the implementation of that control. (See Table 2-1.) b. Include an explanatory paragraph for each policy statement. 2. Prepare a Table of Contents and Cover Page for your policy. Your cover page should include your name, the name of the assignment, and the date. Your Table of Contents must include at least the first level headings from the outline (I, II, III, etc.). 3. Prepare a Reference list (if you are using APA format citations & references) or a Bibliography and place that at the end of your file. (See Item #3 under Formatting.) Double check your document to make sure that you have cited sources appropriately. Formatting: 1. Submit your policy as an MS Word document using your assignment folder. 2. Use standard outline formatting. See item #1 under “Write.” 3. Cite sources using a consistent and professional style. You may use APA format citations and references, footnotes, or endnotes. (Citation requirements for policy documents are less stringent than those applied to research papers. But you should still acknowledge your sources and be careful not to plagiarize by copying text verbatim.) 4. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.