Running head: IT SECURITY POLICY
IT SECURITY POLICY 4
Enterprise IT Security Policy Outline
IT Security Policy
Introduction
Enterprise IT security is a vital aspect especially when it comes to the protection of information assets. This is more so when these assets can be classified as of strategic national importance, otherwise regarded as critical infrastructure. From historical data, to current operations data, future plans and the systems that house these data, IT security is necessary to prevent them from being compromised by external parties. Enterprise IT security encompasses a wide range of areas in a bid to ensure that the implementation is done holistically without leaving room for potential malicious parties. One of the most important critical infrastructures is that belonging to NASA.
NASA Overview
The National Aeronautics and Space Administration is a federal government agency responsible for the American civilian space flight program and research. Established under the National Aeronautics and Space Act in 1958, NASA has conducted all federally funded civilian space programs and the corresponding research into the field. Apart from the manned and unmanned missions to space, it has also contributed in the building of the International Space Station, and its research has gone on to contribute to a myriad of consumer and industrial applications. The Jet Propulsion Laboratory is a division of NASA based in California that is responsible research and development mostly in robotic spacecraft. The center also operates the agency’s current fleet of robotic spacecraft. The information contained at this facility is vast and of great importance to NASA. This includes information on its current operations, plans for future development as well the trove of ground-breaking research being conducted by its team of scientists. To fully protect this vast information requires the implementation of a robust enterprise IT security policy that fully appreciates the importance of this facility and the necessity for its protection (“The Jet…”).
Policy Outline
1. Access Control
Under the framework core, Access Control is a category that falls under the function of protection. It mostly involves limiting access to cyber resources only to those who have prior authorization to do so. Implementing this will include:
a) Assigning user privileges according to responsibility. A robotics operator would not need to access the future strategic plans to adequately perform their duties.
b) Single User Sign-in for all user profiles. This will prevent multiple users from using the same credentials to access the resources (“Framework...,” 2014).
2. Application Development
Application development can be done to improve existing systems by adding functionalities onto them or building entirely new applications. Wh.
Procuring digital preservation CAN be quick and painless with our new dynamic...
NASA IT Security Policy Outline
1. Running head: IT SECURITY POLICY
IT SECURITY POLICY
4
Enterprise IT Security Policy Outline
IT Security Policy
Introduction
Enterprise IT security is a vital aspect especially when it
comes to the protection of information assets. This is more so
when these assets can be classified as of strategic national
importance, otherwise regarded as critical infrastructure. From
historical data, to current operations data, future plans and the
systems that house these data, IT security is necessary to
prevent them from being compromised by external parties.
Enterprise IT security encompasses a wide range of areas in a
2. bid to ensure that the implementation is done holistically
without leaving room for potential malicious parties. One of the
most important critical infrastructures is that belonging to
NASA.
NASA Overview
The National Aeronautics and Space Administration is a federal
government agency responsible for the American civilian space
flight program and research. Established under the National
Aeronautics and Space Act in 1958, NASA has conducted all
federally funded civilian space programs and the corresponding
research into the field. Apart from the manned and unmanned
missions to space, it has also contributed in the building of the
International Space Station, and its research has gone on to
contribute to a myriad of consumer and industrial applications.
The Jet Propulsion Laboratory is a division of NASA based in
California that is responsible research and development mostly
in robotic spacecraft. The center also operates the agency’s
current fleet of robotic spacecraft. The information contained at
this facility is vast and of great importance to NASA. This
includes information on its current operations, plans for future
development as well the trove of ground-breaking research
being conducted by its team of scientists. To fully protect this
vast information requires the implementation of a robust
enterprise IT security policy that fully appreciates the
importance of this facility and the necessity for its protection
(“The Jet…”).
Policy Outline
1. Access Control
Under the framework core, Access Control is a category
that falls under the function of protection. It mostly involves
limiting access to cyber resources only to those who have prior
authorization to do so. Implementing this will include:
a) Assigning user privileges according to responsibility. A
robotics operator would not need to access the future strategic
plans to adequately perform their duties.
b) Single User Sign-in for all user profiles. This will prevent
3. multiple users from using the same credentials to access the
resources (“Framework...,” 2014).
2. Application Development
Application development can be done to improve existing
systems by adding functionalities onto them or building entirely
new applications. Whichever reason, it is important that
whatever application is being developed that it will not
jeopardize the specific network by creating loopholes. The
following policies address this.
a) Rigorous application testing before testing. This rids the
applications of any and all buds that might otherwise endanger
the system.
b) Peer review. This ensures that more people get to appraise
the application before it is deployed (“Framework...,” 2014).
3. Asset Management
Asset management is largely about identifying the
components of the system and inventorying them according to
their functions and their criticality to the operations of the
organization. While a communication mechanism within the
system is important, it is not as important as the database
hosting vast amounts of research on robotics. The exact policies
include:
a) Mapping out the data flow. This provides knowledge on how
data moves which is important when troubleshooting network
problems.
b) Inventorying all hardware and software on a regular basis.
This monitoring not only ensures they are up to date but also
that none of them is being misused. (“CIS Critical...”)
4. Business Operations
JPL is a division of a federal government agency. As such,
its operations are required to conform to the functions set out
for NASA under the National Aeronautics and Space Act.
Policies include:
a) Strictly sticking to the roles of JPL as set out for it. Doing
this ensures that whatever activities being conducted not only
adhere to the law but also does not expose sensitive data to
4. those not authorized, even in government.
b) Following the set out official procedures within NASA
whenever there is major decision to be made. While some
departmental heads in private entities might enjoy total control
over their duties, the same can’t be said of a government
institution (“Framework...,” 2014).
5. Communications
Communication comes into an enterprise security policy
two-fold. This is during the response to a crisis to ensure
correcting reporting and coordination of various stakeholders in
managing the crisis. It also applies in managing the aftermath of
the crisis through public relations exercises. The following are
necessary:
a) Establishing clear and coherent reporting mechanisms within
the organization. This ensures information is gathered more
efficiently.
b) Having a designated communications team. This ensures that
any information being released is from a single point and
talking in different voices that might create entropy
(“Framework...,” 2014)
6. Compliance
Given the sensitive nature of the work being done by the
JPL team, it is necessary that all of its employees be vetted
under Federal Information Processing Standards 201 also known
as FIPS 201. It is only after complying with this are employees
then allowed to continue working for the lab. The policies for
this are:
a) Knowing and understanding the rules and regulations on
cyber-security. This way, no one falls prey to the pitfalls of
ignorance and its corresponding mistakes.
b) Coordinate with the Sector Coordinating Councils to review
the Cyber-security Framework of the federal government
(“Framework...,” 2014)
7. Corporate Governance
These are policies and procedures that need to be
undertaken for the management of regulatory and operational
5. requirements. They include:
a) Establishing an information security policy. This will cover
all the information assets belonging to the organization.
b) Establishing information security roles and responsibilities
for all employees. This should align with their roles internally
(“CIS Critical...”).
8. Customers
These are policies are policies that implemented to govern
and organization’s relationship with its customers. But all of
JPL’s projects are for the benefit of NASA. Still, policies that
can be implemented in this regard include:
a) Aligning with the overall NASA IT security policy. It creates
organizational uniformity to avoid instances of confusion.
b) Establishing clear communication channels with the rest of
NASA that serve to ensure further IT security. E.g. utilizing
technology used in the rest of the agency and adopting those
developed by others.
9. Incident Management
With admission that incidents can still happen, incident
management policies are drawn to guide the organization on
how best to mount a response. These include:
a) Developing incident containment processes. This deals with
first stopping and incident following by activities that will
lessen the effects of the incident.
b) Identifying new risks. Once they are identified and accepted,
mitigation measures can then be prepared (“Framework...,”
2014).
10. IT Operations
Policies on IT operation largely deal with the conduct of
activities like configuring databases, installing and managing
applications, configuring networks and so forth. Policies
include:
a) Assigning roles over such activities on the basis of the
importance of the activity. The more importance of an activity,
the more seniority attached to the role.
b) Establishing a monitoring mechanism. This will provide a
6. continuous assessment of the hardware and software
(“Framework...,” 2014).
11. Outsourcing
These policies are about the involvement of outside
contractors to carry out functions that would otherwise have
been done in-house but are not really central. It includes
hardware maintenance among others. Policies are:
a) Subjecting contractors to the same rigorous vetting as
employees. This will uphold the level of security already
established.
b) Agreeing on an acceptable level of service that will maintain
the already established security regime. This ensures that the
services do not risk internal systems. (“Framework...,” 2014)
12. Physical/Environmental
These policies govern security in regard to the
environment around the system and how it affects it. They
include:
a) Taking regard for the environment. This relates to the impact
of the system on the environment and how best to reduce it. E.g.
efficient energy use.
b) Facility access controls. Largely deals with the security of
the data center in regards to physical access of to it. Can
involve use of keypad locks and biometric scanners.
13. Policies & Procedures
Policies and procedures govern how specific activities
should be conducted. They ensure that regard to security is
acknowledged at all times and the necessary steps taken to
ensure so.
a) Employee code of conduct. This will obligate employees to
always adhere to the set out rules on policies and procedures.
b) Management input. The contribution of the management in
the drawing and maintenance of rules and procedures ensures
that the overall goals of the organizations can be included (“CIS
Critical...”).
14. Privacy
It is important that civil liberties not be trampled on in a
7. quest for security. A right balance can be achieved by involving
all stakeholders.
a) Notifying employees on all areas that will be under
surveillance. This way, they are always aware of the security
accorded to the various areas.
b) Demarcating applicable areas. This keeps the personal and
professional aspects of employees separate (“CIS Critical...”).
15. IT Security Program Implementation
These policies dictate how these policies will be carried
out within the entire organization. It largely deals with
assigning responsibilities.
a) Stating each employee’s responsibility in the implementation
process. This promotes clarity as everyone knows what they are
required to do.
b) Drawing a security implementation schedule. Not only does it
set timelines for completion of given tasks, it also promotes
accountability by having those responsible adhere to those
timelines (“CIS Critical...”).
Works Cited
Framework for Improving Critical Infrastructure Cybersecurity.
(2014). Retrieved January 19, 2016, from
http://www.nist.gov/cyberframework/upload/cybersecurity-
framework-021214.pdf
CIS Critical Security Controls. Retrieved January 19, 2016,
from https://www.sans.org/critical-security-controls
The Jet Propulsion Laboratory. Retrieved January 19, 2016,
from http://www.jpl.nasa.gov/
8. Data Center Local Policy
Policy Document
Access Control Policy
Enter your Name:
_____________________________________
Professor Last Name: Landreville
9. Document Control
[CSIA 413, Today’s Date]
Organization
[Name of your chosen organization]
Title
[Name of the Local Policy ]
Author
[Your Name ]
Owner
Data Center Manager
Subject
IT Local Access Policy
Review date
Date of Completion of Policy
Revision History
Revision Date
Reviser
Previous Version
10. Description of Revision
Changes to your draft are provided here
Document Approvals
This document requires the following approvals:
Sponsor Approval
Name
Date
Approved
[CEO, CISO, etc.]
Enter date of submission to folder
Document Distribution
This document will be distributed to:
Name
Job Title
Email Address
All Data Center Staff
Technicians
Enter your email address
11. Contributors
Development of this policy was assisted through information
provided by the following organization:
· Enter your organization
Contents
List the contents of the policy
Table of Contents
1
2
3
4
5
Policy Statement
[ ] will establish specific requirements for protecting
information and information systems against unauthorized
access.
[ ] will effectively communicate the need for
information and information system access control.
Purpose
Information security is the protection of information against
accidental or malicious disclosure, modification or destruction.
Information is an important, valuable asset of [ name of your
chosen organization ] which must be secured from threats and
vulnerabilities must be identified and patched. All information
has a value to the organization. Access controls are essential to
protect information by controlling user rights for information
resources and by guarding against unauthorized use. Formal
12. procedures must control how access to information is granted
and how such access is changed.
This policy includes the following access control measures
[enter 5 local policy protections for your chosen organization
based on a brief risk assessment using FIPS 199 and FIPS 200].
Scope
This policy applies to all [ BE THOROUGH IN SCOPE
] (including system support staff, contractual third parties and
agents with any form of access to the data center information
and information systems.
Definition
Access control rules and procedures are required to regulate
who can access information resources or systems and the
associated access privileges. This policy applies at all times
and should be adhered to whenever accessing information in any
format, and on any device.
Risks
On occasion business information may be disclosed or accessed
prematurely, accidentally or unlawfully. Individuals or
companies, without the correct authorization and clearance may
intentionally or accidentally gain unauthorized access to
business information which may adversely affect day to day
business. This policy is intended to mitigate that risk.
Non-compliance with this policy could have a significant effect
on the efficient operation of the data center and may result in
financial loss and an inability to provide necessary services to
13. our customers.
Risk Assessment and level of risk
Identify weaknesses in the system.
Identify possible threats and vulnerabilities in the system.
SIGNATORY AUTHORITY (Enter CISO Name)
Include the following information in your local policy
Applying the Policy – Employee Access
User Access Management
Formal user access control procedures must be documented,
implemented and kept up to date for each application and
information system to ensure authorized user access and to
prevent unauthorized access. They must cover all stages of the
lifecycle of user access, from the initial registration of new
users to the final de-registration of users who no longer require
access. These must be agreed by the system administrator. Each
user must be allocated access rights and permissions to
computer systems and data that:
· List constraints on what the user in the data center is allowed
to view, read, change
User access rights must be reviewed at regular intervals to
ensure that the appropriate rights are still allocated. System
administration accounts must only be provided to users that are
required to perform system administration tasks.
14. User Registration
A request for access to the computer systems must first be
submitted to the [Name a department – e.g. Information
Services Helpdesk] for approval. Applications for access must
only be submitted if approval has been gained from [Name a
role – e.g. your line manager].
When an employee leaves access to computer systems and data
must be suspended at the close of business on the employee’s
last working day. It is the responsibility of the [Name a role –
e.g. your line manager] to request the suspension of the access
rights via the [Name a department – e.g. Information Services
Helpdesk].
User Responsibilities
It is a user’s responsibility to prevent their userID and password
being used to gain unauthorized access to systems by:
· Following the Password Policy Statements outlined above in
Section 6.
· Add three more user responsibilities
Network Access Control
The use of modems on non-owned PC’s connected to the
network can seriously compromise the security of the network.
The normal operation of the network must not be interfered
with. Specific approval must be obtained from [Name a
department – e.g. Information Services] before connecting any
equipment to the network.
15. User Authentication for External Connections
Where remote access to the [ Name] network is required, an
application must be made via the [Name a department – e.g. IT
Helpdesk]. Remote access to the network must be secured by
two factor authentication consisting of a username and one
other component, for example a [Name a relevant authentication
token]. For further information please refer to [name a relevant
policy -likely to be Remote Working Policy].
Supplier’s Remote Access to the Network
Partner agencies or 3rd party suppliers must not be given details
of how to access the network without permission from [Name a
department – e.g. IT Helpdesk]. Any changes to supplier’s
connections must be immediately sent to the [Name a
department – e.g. IT Helpdesk] so that access can be updated or
ceased. All permissions and access methods must be controlled
by [Name a department – e.g. IT Helpdesk].
Partners or 3rd party suppliers must contact the [Name a
department – e.g. IT Helpdesk] before connecting to the [
Name] network and a log of activity must be maintained.
Remote access software must be disabled when not in use.
Operating System Access Control
Access to operating systems is controlled by a secure login
process. The access control defined in the User Access
Management section (section 7.1) and the Password section
(section 6) above must be applied. The login procedure must
also be protected by:
16. · Provide security controls to protect unauthorized access from
the table below
All access to operating systems is via a unique login id that will
be audited and can be traced back to each individual user. The
login id must not give any indication of the level of access that
it provides to the system (e.g. administration rights).
System administrators must have individual administrator
accounts that will be logged and audited. The administrator
account must not be used by individuals for normal day to day
activities.
Application and Information Access
Access within software applications must be restricted using the
security features built into the individual product. The [Name a
department – e.g. IT Helpdesk or ‘business owner’] of the
software application is responsible for granting access to the
information within the system. The access must [amend list as
appropriate]:
· Provide compliance instructions (list 3).
Policy Compliance
If any user is found to have breached this policy, they may be
subject to [Name’s] disciplinary procedure. If a criminal
offence is considered to have been committed further action
may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how
it may apply to you, seek advice from [name appropriate
17. department].
Review and Revision
This policy will be reviewed as it is deemed appropriate, but no
less frequently than every 12 months.
Policy review will be undertaken by [Name an appropriate role].
References
The following [Name] policy documents are directly relevant to
this policy, and are referenced within this document [amend list
as appropriate]:
· Remote Working Policy.
The following [Name] policy documents are indirectly relevant
to this policy [amend list as appropriate]:
List three other policies that may be necessary for the
technicians to read as background (i.e.: Local email use;
Acceptable use, etc.)
Key Messages
Summarize the most important points of the policy for Access
Project #2: Prepare a Local IT Security Policy
18. Introduction
In Project 1, you developed an outline for an enterprise level IT
security policy. In this project, you will write an IT security
policy which is more limited in scope – a local IT security
policy. This policy will apply to a specific facility – a data
center. Your policy must be written for a specific organization
(the same one you used for Project #1). You should reuse
applicable sections of Project #1 for this project (e.g. your
organization overview and/or a specific section of your outline).
If you wish to change to a different organization for project #2,
you must first obtain your instructor’s permission.
Your local IT security policy will be used to implement access
control for the information, information systems, and
information infrastructure (e.g. networks, communications
technologies, etc.) which are housed within the data center.
Your policy must protect the data center by preventing
personnel who are not authorized to access or use the resources
of the organization from gaining access and potentially causing
harm (e.g. loss of confidentiality, integrity, or availability).
Such personnel may include employees, contractors, vendors,
and visitors. You should also address unauthorized individuals
who may attempt to gain access to the facility, its information
systems, or its networks.
Your policy is being written by you as the facility manager. In
this role, you are also the information system owner (ISO) for
all IT systems and networks within the data center. The
information systems hosted in the data center are shown in
Figure 2-1.
The primary audience for your policy is the Tier 1 staff
responsible for day-to-day operations and maintenance in the
data center. Your policy will be communicated to other
personnel and to the senior managers who are ultimately
responsible for the security of the organization and its IT assets.
These managers include: CEO, CIO/CISO, and CSO.Research:
1. Research the subject of access controls and control measures
(security controls) required for a data center. Suggested control
19. measures are listed in Table 2-1. Use the IT architecture shown
in Figure 2-2 to identify the types of systems and networks
which must be secured against unauthorized access. Table 2-1.
Access Control Measures for a Data Center
· Access Control Decisions
· Access Enforcement
· Account Management
· Concurrent Session Control
· Data Mining Protection
· Information Sharing
· Least Privilege
· Permitted Actions without Authentication
· Previous Logon (Access) Notification
· Publicly Accessible Content
· Reference Monitor
· Remote Access
· Security Attributes
· Session Lock
· Session Termination
· System Use Notification
· Unsuccessful Logon Attempts
· Use of External Information Systems
2. Using Figure 2-2, identify at least five specific types of
information which are likely to be stored within the data center
(use your organization’s missing, products, and services).
Research the types of access controls which must be provided to
protect the confidentiality, integrity, and availability of such
data. (Remember to consult Table 2-1.)Figure 2-2. Data Center
IT Architecture Diagram
Write:
1. Use the following outline to prepare your local IT security
policy for the data center. See the policy template / sample file
(attached to the assignment entry) for formatting and content
suggestions for individual sections.
20. I. Identification
a. Organization: [name]
b. Title of Policy: Data Center Access Control
c. Author: [your name]
d. Owner: [role, e.g. Data Center Manager]
e. Subject: Access Control for [data center name]
f. Review Date: [date submitted for grading]
g. Signatures Page: [authorized signers for the policy: CEO,
CISO, Data Center Manager]
h. Distribution List
i. Revision History
II. Purpose
a. Provide a high level summary statement as to the policy
requirements which are set forth in this document.
III. Scope
a. Summarize the information, information systems, and
networks to be protected.
b. Identify who is required to comply with this policy. See the
project description for categories of personnel and other
individuals.
IV. Compliance
a. Identify the measures which will be taken to ensure
compliance with this policy (e.g. audits, compliance reporting,
exception reporting, etc.)
b. Identify the sanctions which will be implemented for
compliance failures or other violations of this policy.
c. Include information about how to obtain guidance in
understanding or interpreting this policy (e.g. HR, corporate
legal counsel, etc.)
V. Terms and Definitions
VI. Risk Identification and Assessment
a. Using Figure 2-1, identify potential control weaknesses,
threats, and vulnerabilities (“risks”) which could negatively
impact the information, information systems, and information
infrastructure for the data center.
b. Identify and discuss the level of risk associated with the
21. identified weaknesses, threats, and vulnerabilities.
c. Identify the control measures which will be implemented to
mitigate or otherwise address each risk or risk area.
VII. Policy
a. For each control measure, write a policy statement (“Shall”
wording) which addresses the implementation of that control.
(See Table 2-1.)
b. Include an explanatory paragraph for each policy statement.
2. Prepare a Table of Contents and Cover Page for your policy.
Your cover page should include your name, the name of the
assignment, and the date. Your Table of Contents must include
at least the first level headings from the outline (I, II, III, etc.).
3. Prepare a Reference list (if you are using APA format
citations & references) or a Bibliography and place that at the
end of your file. (See Item #3 under Formatting.) Double check
your document to make sure that you have cited sources
appropriately. Formatting:
1. Submit your policy as an MS Word document using your
assignment folder.
2. Use standard outline formatting. See item #1 under “Write.”
3. Cite sources using a consistent and professional style. You
may use APA format citations and references, foot notes, or end
notes. (Citation requirements for policy documents are less
stringent than those applied to research papers. But, you should
still acknowledge your sources and be careful not to plagiarize
by copying text verbatim.)
4. You are expected to write grammatically correct English in
every assignment that you submit for grading. Do not turn in
any work without (a) using spell check, (b) using grammar
check, (c) verifying that your punctuation is correct and (d)
reviewing your work for correct word usage and correctly
structured sentences and paragraphs.