Security Policy Document Project
Objectives
The purpose of this two-part project is to evaluate the student’s ability to analyze security
requirements and develop a security policy that fully addresses them. By completing the two
documents, the student will also gain practical knowledge of the security policy documentation
process. The project will enable the student to see and understand the required standards in
practice, as well as the details that should be covered within the security policy documentation.
Detailed Requirements
Project Deliverable #1 (Due Week 3)
o Using the GDI Case Study below, complete the Security Policy Document
Outline.
o Provide a one or two-page Security Policy Document Outline. The Outline should
cover all aspects of the security policy document and convey the accurate and
appropriate information for the stakeholders to make the appropriate decision.
o Ungraded but instructor will provide feedback to make sure students are on-track.
This outline can become major part of the “Executive Summary” of the final
deliverable.
Project Deliverable #2 (Due Week 7)
o Using the GDI Case Study, complete the Security Policy Document.
o Provide a seven- to ten-page analysis summarizing the security policy to the
executive management team of GDI. The student designs effective real-time
security and continuous monitoring measures to mitigate any known
vulnerabilities, prevent future attacks, and deter any real-time unknown threats;
and also efficiently meets the organization’s objectives. The summary should
effectively describe the security policy in a manner that will allow the Senior
Management to understand the organizational security requirements and make the
appropriate decisions to enforce.
Guidelines
Using the GDI Case Study, create the security policy document.
The security policy document must be 8 to 10 pages long, conforming to APA standards.
NO more than 10 pages (excluding title page, table of contents (optional), and
references page). The document must be double-spaced and Time New Roman 12-
point font. See "Writing Guideline" in WebTycho where you'll find help on writing for
research projects.
At least three authoritative, outside references are required (anonymous authors or web
pages are not acceptable). These should be listed on the last page titled "References."
Appropriate citations are required. See the syllabus regarding plagiarism policies.
This will be graded on quality of research topic, quality of paper information, use of
citations, grammar and sentence structure, and creativity.
The paper is due during Week 7 of this course.
Grading Rubrics
Final Deliverable
Category Points % Description
Documentation and
Formatting
10 10%
Appropriate APA citations/referenced sources and
formats of characters/content.
Case Study Security
Policy Analysis
25 25% Accurate Completion of Security Policy.
Real-time Security 25 2.
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
Security Policy Document Project Objectives The purpos.docx
1. Security Policy Document Project
Objectives
The purpose of this two-part project is to evaluate the student’s
ability to analyze security
requirements and develop a security policy that fully addresses
them. By completing the two
documents, the student will also gain practical knowledge of the
security policy documentation
process. The project will enable the student to see and
understand the required standards in
practice, as well as the details that should be covered within the
security policy documentation.
Detailed Requirements
Project Deliverable #1 (Due Week 3)
o Using the GDI Case Study below, complete the Security
Policy Document
Outline.
o Provide a one or two-page Security Policy Document Outline.
The Outline should
cover all aspects of the security policy document and convey
the accurate and
appropriate information for the stakeholders to make the
appropriate decision.
o Ungraded but instructor will provide feedback to make sure
students are on-track.
2. This outline can become major part of the “Executive Summary”
of the final
deliverable.
Project Deliverable #2 (Due Week 7)
o Using the GDI Case Study, complete the Security Policy
Document.
o Provide a seven- to ten-page analysis summarizing the
security policy to the
executive management team of GDI. The student designs
effective real-time
security and continuous monitoring measures to mitigate any
known
vulnerabilities, prevent future attacks, and deter any real-time
unknown threats;
and also efficiently meets the organization’s objectives. The
summary should
effectively describe the security policy in a manner that will
allow the Senior
Management to understand the organizational security
requirements and make the
appropriate decisions to enforce.
Guidelines
document.
conforming to APA standards.
NO more than 10 pages (excluding title page, table of contents
(optional), and
references page). The document must be double-spaced and
Time New Roman 12-
3. point font. See "Writing Guideline" in WebTycho where you'll
find help on writing for
research projects.
(anonymous authors or web
pages are not acceptable). These should be listed on the last
page titled "References."
plagiarism policies.
ity of
paper information, use of
citations, grammar and sentence structure, and creativity.
Grading Rubrics
Final Deliverable
Category Points % Description
Documentation and
Formatting
10 10%
Appropriate APA citations/referenced sources and
formats of characters/content.
Case Study Security
Policy Analysis
4. 25 25% Accurate Completion of Security Policy.
Real-time Security 25 25
Real-time Security Protection against dynamically
changing threats.
Continuous
Monitoring
25 25
Continuous Monitoring for up-to-date Asset
Management and Security Posture
Executive Summary 15 15%
Provide an appropriate summary of the Security
Policy Document.
Total 100 100%
A quality paper will meet or exceed all of the
above requirements.
No Outline
Submitted
-10
If no outline is submitted at the end of week 3, it
will be minus 10 points from the final document
grade.
Criteria Good Fair Poor
Documentation
and formatting
7-10 points
5. At least 3 Appropriate
APA
citations/referenced
sources and formats
of characters/ content.
3-6 points
Included 3 references but
incorrect formatting or
referencing/ citation
0-2 points
Does not include at
least 3 references
Security Policy
analysis
17-25 points
Effectively describes
the security policy in
a manner that will
allow the Senior
Management to
understand the
organizational
security requirements
8-16 points
Describes the security
policy in a manner that
6. allows the Senior
Management to
understand the
organizational security
requirements but not
enough to make the
0-7 points
Describes the security
policy in a manner that
is unclear to the Senior
Management. The
analysis Is not
sufficiently supported
with documentation
and make the
appropriate decisions
to enforce.
Analysis is supported
with documentation
and evidence.
appropriate decisions to
enforce. And/or is not
sufficiently supported with
documentation and
evidence. And/or the
description is somewhat
unclear.
and evidence. Senior
7. management would not
have enough detail to
make appropriate
decisions.
Real-time
Security
17-25 points
Effectively designs
real-time security
measures to mitigate
any known
vulnerabilities, prevent
attacks, and deter any
real-time threats; and
also efficiently meets
the organization’s
objectives.
8-16 points
Designs technically
feasible real-time
security measures to
mitigate any known
vulnerabilities, prevent
attacks, and deter any
real-time threats, but
lacks efficiency to meet
the organization’s
objectives.
0-7 points
8. Ineffectively designs
real-time security
measures to mitigate
any known
vulnerabilities, prevent
attacks, and deter any
real-time threats; also
lacks efficiency to
meet the
organization’s
objectives.
Continuous
Monitoring
17-25 points
Effectively designs
continuous monitoring
measures to mitigate
any unknown
vulnerabilities, prevent
future attacks, and
deter any real-time
unknown threats; and
also efficiently meets
the organization’s
objectives.
8-16 points
Designs technically
feasible continuous
monitoring measures to
mitigate any unknown
vulnerabilities, prevent
9. future attacks, and deter
any real-time unknown
threats, but lacks
efficiency to meet the
organization’s objectives.
0-7 points
Ineffectively designs
continuous monitoring
measures to mitigate
any unknown
vulnerabilities, prevent
future attacks, and
deter any real-time
unknown threats; also
lacks efficiency to
meet the
organization’s
objectives.
Executive
summary
11-15 points
Effectively
summarizes the
security policy
analysis. Includes all
key points of the
analysis and allows
the senior
6-10 points
10. Describes the security
policy analysis in a
manner that allows the
Senior Management to
understand the
organizational security
0-5 points
Describes the security
policy analysis in a
manner that is unclear
and/or insufficient.
Summary is difficult to
follow or does not
management to
understand the
organizational
security requirements
but not enough to
make appropriate
decisions
.
requirements but not
enough to make
appropriate decisions. Key
information is left out or
not made clear.
include key information
and details.
11. Background
For those that are not familiar with the term, this project is
called an Authentic Assessment
Project. These projects are designed to reflect “real life”
activities and will require you to
perform considerable self-directed study. Like real life
problems, you will not find all the
answers you need in the textbook. You will, however, have the
help of your instructor to resolve
issues you may encounter.
Project Description
The project is to write a company Security Policy Document for
a fictitious company called
Global Distribution, Inc. (GDI). A Security Policy Document is
an absolutely essential item for
any organization that is subjected to a security audit. Lack of
such a document will result in an
automatic failed audit. A Security Policy Document within an
organization provides a high-level
description of the various security controls the organization will
use to protect its information
and assets. A typical Security Policy Document contains a large
set of specific policies and can
run several hundred pages. However, for this project, you will
write a brief document with a
maximum of 20 specific policies for the GDI Company.
Therefore, you must carefully consider
and select only the most important policies from hundreds of
possible specific policies. A brief
description of the GDI Company is given below.
12. You will work individually on this project for a total of 25% of
your grading for the course. You
may collaborate with your classmates to share ideas and
activities in preparation of the final
project deliverable. However, you will be graded for your
individual effort and deliverables, and
you will submit the project in your individual project
assignment folders. You will treat this
project deliverable as if you would deliver it to your own
customer or client who will be paying
you for the deliverables.
Suggested Approach
These are only recommendations on the general approach you
might take for this project. This is
your project to develop individually.
1. Determine the most important assets of the company, which
must be protected
2. Determine a general security architecture for the company
3. Determine the real-time security measures that must be put in
place
4. Determine the monitoring and preventative measures that
must be put in place
5. Develop a list of 15 to 20 specific policies that could be
applied along with details and
rationale for each policy
6. Integrate and write up the final version of the Security Policy
Document for submittal
13. The GDI company description is deliberately brief. In all real
life projects, you typically add
complexity as you become smarter as you go along. State the
assumptions/rationale you make to
justify the selection of the particular security policies you
select. Attach the
assumptions/rationale to each specific security policy.
References
There are many information sources for Security Policy
Documents on the Internet. However,
one good source to start with is the SANS Security Policy
Project that lists many example
security policy templates.
http://www.sans.org/security-resources/policies/
Company Description
GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages
thousands of accounts across Canada, the United
States, and Mexico. A public company traded on the NYSE,
GFI specializes in financial management, loan
application approval, wholesale loan processing, and investment
of money management for their customers.
GFI employs over 1,600 employees and has been experiencing
consistent growth keeping pace with S&P averages
(approximately 8%) for nearly six years. A well-honed
management strategy built on scaling operational
performance through automation and technological innovation
has propelled the company into the big leagues; GFI
was only recently profiled in Fortune Magazine.
The executive management team of GFI:
14. Figure 1 GFI Management Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Computer Security Manager educated, trained, and
hired to protect the physical and operational
security of GFI’s corporate information system.
You were hired by COO Mike Willy and currently report to the
COO. You are responsible for a $5.25m
annual budget, a staff of 11, and a sprawling and expansive data
center located on the 5th floor of the
corporate tower. This position is the pinnacle of your career –
you are counting on your performance here
to pave the way into a more strategic leadership position in IT,
filling a vacancy that you feel is so
significantly lacking from the executive team.
There is actually a reason for this. CEO John Thompson
believes that the IT problem is a known quantity –
that is, he feels the IT function can be nearly entirely
outsourced at fractions of the cost associated with
creating and maintaining an established internal IT department;
the CEO’s strategy has been to prevent IT
from becoming a core competency since so many services can
be obtained from 3rd parties. Since the CEO
has taken the reigns two years ago, the CEO has made
significant headway in cutting your department’s
budget by 30% and reducing half of your staff through
outsourcing. This has been a political fight for you:
maintaining and reinforcing the relevance of an internal IT
department is a constant struggle. COO Willy’s
15. act of hiring you was, in fact, an act of desperation: the
increasing operational dependence on technology
combined with a diminishing IT footprint gravely concerned
Willy, and he begged to at least bring in a
manager to whom these obligations could be delegated to.
Willy’s worst nightmare is a situation where the
Confidentiality, Integrity, and Availability of the information
system was compromised – bringing the
company to its knees – then having to rely on vendors to pull
him out of the mess.
GFI has experienced several cyber-attacks from outsiders over
the past a few years. In 2012, the Oracle
database server was attacked and its customer database lost its
confidentiality, integrity, and availability for
several days. Although the company restored the Oracle
database server back online, its lost confidentiality
damaged the company reputations. GFI ended up paying its
customers a large sum of settlement for their
loss of data confidentiality. Another security attack was carried
out by a malicious virus that infected the
entire network for several days. While infected the Oracle and
e-mail servers had to be shut down to
quarantine these servers. In the meantime, the company lost
$1.700, 000 in revenue and intangible
customer confidence.
There’s no question that the company’s CEO sees the strategic
importance of technology in executing his
business plan, and in this way you share a common basis of
principle with him: that IT is a competitive
differentiator. However, you believe that diminishing internal
IT services risks security and strategic
capability, whereas the CEO feels he can acquire that capability
immediately at a low cost through the open
market. You’re told that CEO Thompson reluctantly agreed to
16. your position if only to pacify COO Willy’s
concerns.
CORPORATE OFFICE NETWORK TOPOLOGY
Remote
Dial UpUsers
Trusted Computing Base Internal Network
Off-Site Office
Internet
Global Finance, Inc.
VPN
Gateway
VPN
Gateway PBX
PSTN
Worstations
(x25)
Worstations
(x12)
Worstations
(x63)
Worstations
(x5)
19. 100Mbps
10 Gbps
OC193
10Gbps
RAS
10 Gbps
10 Gbps
10 Gbps
OC193
10Gbps
90
90
Wireless
Antenna90
You are responsible for a corporate WAN spanning 10 remote
facilities and interconnecting those facilities
to the central data processing environment. Data is transmitted
from a remote site through a VPN
appliance situated in the border layer of the routing topology;
the remote VPN connects to the internal
Oracle database to update the customer data tables. Data
transaction from the remote access to the
corporate internal databases is not encrypted.
20. A bulk of the data processing for your company is handled by
Oracle database on a high end super
computer. The trusted computing based (TCB) internal network
is situated in a physically separated subnet.
This is where all corporate data processing is completed and
internal support team has its own intranet web
server, a SUS server, an internal DNS, an e-mail system, and
other support personnel workstations. Each
corporate department is segregated physically on a different
subnet and shares the corporate data in the
TCB network.
OTHER CONSIDERATIONS
1. Ever since the article ran in Fortune about GFI, your network
engineers report that they’ve noted a
significant spike in network traffic crossing into the internal
networks. They report that they cannot be
certain what or who is generating this traffic, but the volume
and frequency of traffic is certainly
abnormal. The management is very concerned over securing the
corporate confidential data and
customer information.
2. Increasingly, GFI’s CEO Thompson attempts to outsource IT
competency. In fact, you’ve been told of
a plan from COO Willy to outsource network management and
security functions away from your
department and to a service integrator. COO Willy warns you
that the political environment will only
become more contentious over time; you must make a
compelling case as to what value your
department can bring over an integrator that can provide secure
21. services at 40% less annual cost than
you.
3. The interrelationship between data and operations concerns
you. Increasingly, some of the 10 remote
sites have been reporting significant problems with network
latency, slow performance, and
application time-outs against the Oracle database. The
company’s business model is driving higher
and higher demand for data, but your capability to respond to
these problems are drastically limited.
4. Mobility is important for the organization to interact with the
customers and other co-workers in near
real-time. However, the CEO is concerned with the mobility
security and would like to research for the
best practice for mobility security. The CEO is willing to
implement a BYOD policy if security can be
addressed.
5. Employees enjoy the flexibility of getting access to the
corporate network using a WiFi network.
However, the CEO is concerned over the security ramifications
over the wireless network that is
widely open to the company and nearby residents.
6. The company plans to offer its products and services online
and requested its IT department to design a
Cloud Computing based on an e-commerce platform. However,
the CEO is particularly concerned over
the cloud security in case the customer database had been
breached.
22. SOCIAL POLICY PAPER 1
SOCIAL SECURITY PAPER 1
CMIT320
Security Policy Paper
Week 3
Table of Contents
Introduction:
GDI background and given
problem……………………………….…………………… 1
Important Assets for
GDI…..……………………………………………………………. 2
Security Architecture for
GDI…………………………………………………………… 3
Ten Possible Security
Policies………………………………………………………. 4
Details and Rationale of the Ten Security
Policies………………………………….. 5
23. Ten Security Policies that should be Applied to
GDI……………………………….. 6
Conclusion……………………………………………………………
………………..… 7
References……………………………………………………………
………………….. 8
Outline of the paper
I. Introduction
a. Briefly discuss the background of GDI in depth.
b. A discussion about the given problem of the IT security,
infrastructure, cost, among items.
II. Discuss the important assets of GDI that need to be fully
protected
i. Asset identification: “Identity and quantify the company’s
24. assets”
ii. Important assets include:
1. Computer network equipment
2. Data
3. Servers, printers
4. Routers, firewalls, switches, wireless devices, etc.
b. Access control methods: sensitivity, integrity, availability
c. Risk and threat assessment: “Identify and access the possible
security vulnerabilities and threats”
d. Identify solutions and countermeasures: “Identify a cost-
effective solution to protect assets”
III. Security architecture for the company
a. “The IT department should always have current diagrams of
your overall network architecture on hand”
IV. A list of 20 or more policies that could be applied to this
situation
a. User Account Policy
b. Audit Security Policy (SANS)
c. Email Security Policy (SANS)
d. Internet Security Policy (SANS)
e. Server Security Policy (SANS)
f. Wireless Security Policy (SANS)
g. Network Security Policy (SANS)
h. Physical Security Policy (SANS)
i. Remote Access Security Policy
j. Ethics Policy (SANS)
k. Privacy Policy
l. Incident Response Policy
m. Access Control Policy
n. Separation of Duties Policy
o. Password Policy
p. Data Retention Policy
q. Hardware Disposal and Data Destruction Policy
r. Documentation policy
V. Specific details and rationale of each policy from above
a. Ethics Policy – “User Education and Awareness Training”
25. b. Documentation policy- “Standards and Guidelines for
Documentation, Data Classification, document retention and
storage, document destruction, system architecture, logs
inventory, change management and control documentation
Network Security Policy- risk and threat assessment,
vulnerabilities, threats, risk, impact, probabilities, natural
disasters, equipment malfunction, intruders, malicious hackers,
potential loss, and threat profiles
c. It also includes firewall, intrusion detection system, audits,
etc.
d. Wireless Security Policy- Access point security, encryption
protocols, MAC address filtering, VPN, etc.
e. Physical Security Policy- physical barriers, video
surveillance and monitoring, lighting, locks, access logs, ID
badges, man-trap
VI. Review the policies and select 12 important policies that
can be applied to GDI
a. Network Security Policy
b. Internet Security Policy
c. Physical Security Policy
d. Ethics Policy
e. Remote Access Security Policy
f. Incident Response Policy
g. Hardware Disposal and Data Destruction Policy
h. Wireless Security Policy
i. Password Security Policy
j. Separation of Duties Policy
k. Privacy Policy
l. Server Security Policy
VII. Conclusion
a. Conclude discussion and proposal of the security policy
document. This will be a conclusion based on the real aspects as
discussed in the ouline
26. References
Include any references here with full citations. The references
will be stated in the case of the final project. This will show all
the sources of information that has been used in making the
detailed research.
Security Policy Document Project
Objectives
The purpose of this two-part project is to evaluate the student’s
ability to analyze security requirements and develop a security
policy that fully addresses them. By completing the two
documents, the student will also gain practical knowledge of the
security policy documentation process. The project will enable
the student to see and understand the required standards in
practice, as well as the details that should be covered within the
security policy documentation.
27. Detailed Requirements
Project Deliverable #1 (Due Week 3)
· Using the GDI Case Study below, complete the Security
Policy Document Outline.
· Provide a one or two-page Security Policy Document Outline.
The Outline should cover all aspects of the security policy
document and convey the accurate and appropriate information
for the stakeholders to make the appropriate decision.
· Ungraded but instructor will provide feedback to make sure
students are on-track. This outline can become major part of
the “Executive Summary” of the final deliverable.
Project Deliverable #2 (Due Week 7)
· Using the GDI Case Study, complete the Security Policy
Document.
· Provide a seven- to ten-page analysis summarizing the security
policy to the executive management team of GDI. The student
designs effective real-time security and continuous monitoring
measures to mitigate any known vulnerabilities, prevent future
attacks, and deter any real-time unknown threats; and also
efficiently meets the organization’s objectives. The summary
should effectively describe the security policy in a manner that
will allow the Senior Management to understand the
organizational security requirements and make the appropriate
decisions to enforce.
Guidelines
· Using the GDI Case Study, create the security policy
document.
28. · The security policy document must be 8 to 10 pages long,
conforming to APA standards. NO more than 10 pages
(excluding title page, table of contents (optional), and
references page). The document must be double-spaced and
Time New Roman 12-point font. See "Writing Guideline" in
WebTycho where you'll find help on writing for research
projects.
· At least three authoritative, outside references are required
(anonymous authors or web pages are not acceptable). These
should be listed on the last page titled "References."
· Appropriate citations are required. See the syllabus regarding
plagiarism policies.
· This will be graded on quality of research topic, quality of
paper information, use of citations, grammar and sentence
structure, and creativity.
· The paper is due during Week 7 of this course.
Grading Rubrics
Final Deliverable
Category
Points
%
Description
Documentation and Formatting
10
10%
Appropriate APA citations/referenced sources and formats of
characters/content.
Case Study Security Policy Analysis
29. 25
25%
Accurate Completion of Security Policy.
Real-time Security
25
25
Real-time Security Protection against dynamically changing
threats.
Continuous Monitoring
25
25
Continuous Monitoring for up-to-date Asset Management and
Security Posture
Executive Summary
15
15%
Provide an appropriate summary of the Security Policy
Document.
Total
100
100%
A quality paper will meet or exceed all of the above
requirements.
No Outline Submitted
-10
If no outline is submitted at the end of week 3, it will be minus
10 points from the final document grade.
Criteria
Good
Fair
Poor
Documentation and formatting
7-10 points
At least 3 Appropriate APA citations/referenced sources and
30. formats of characters/ content.
3-6 points
Included 3 references but incorrect formatting or referencing/
citation
0-2 points
Does not include at least 3 references
Security Policy analysis
17-25 points
Effectively describes the security policy in a manner that will
allow the Senior Management to understand the organizational
security requirements and make the appropriate decisions to
enforce.
Analysis is supported with documentation and evidence.
8-16 points
Describes the security policy in a manner that allows the Senior
Management to understand the organizational security
requirements but not enough to make the appropriate decisions
to enforce. And/or is not sufficiently supported with
documentation and evidence. And/or the description is
somewhat unclear.
0-7 points
Describes the security policy in a manner that is unclear to the
Senior Management. The analysis Is not sufficiently supported
with documentation and evidence. Senior management would
not have enough detail to make appropriate decisions.
Real-time Security
17-25 points
Effectively designs real-time security measures to mitigate any
known vulnerabilities, prevent attacks, and deter any real-time
threats; and also efficiently meets the organization’s objectives.
31. 8-16 points
Designs technically feasible real-time security measures to
mitigate any known vulnerabilities, prevent attacks, and deter
any real-time threats, but lacks efficiency to meet the
organization’s objectives.
0-7 points
Ineffectively designs real-time security measures to mitigate
any known vulnerabilities, prevent attacks, and deter any real-
time threats; also lacks efficiency to meet the organization’s
objectives.
Continuous Monitoring
17-25 points
Effectively designs continuous monitoring measures to mitigate
any unknown vulnerabilities, prevent future attacks, and deter
any real-time unknown threats; and also efficiently meets the
organization’s objectives.
8-16 points
Designs technically feasible continuous monitoring measures to
mitigate any unknown vulnerabilities, prevent future attacks,
and deter any real-time unknown threats, but lacks efficiency to
meet the organization’s objectives.
0-7 points
Ineffectively designs continuous monitoring measures to
mitigate any unknown vulnerabilities, prevent future attacks,
and deter any real-time unknown threats; also lacks efficiency
to meet the organization’s objectives.
Executive summary
11-15 points
Effectively summarizes the security policy analysis. Includes all
key points of the analysis and allows the senior management to
understand the organizational security requirements but not
enough to make appropriate decisions
32. .
6-10 points
Describes the security policy analysis in a manner that allows
the Senior Management to understand the organizational
security requirements but not enough to make appropriate
decisions. Key information is left out or not made clear.
0-5 points
Describes the security policy analysis in a manner that is
unclear and/or insufficient. Summary is difficult to follow or
does not include key information and details.
Background
For those that are not familiar with the term, this project is
called an Authentic Assessment Project. These projects are
designed to reflect “real life” activities and will require you to
perform considerable self-directed study. Like real life
problems, you will not find all the answers you need in the
textbook. You will, however, have the help of your instructor
to resolve issues you may encounter.
Project Description
The project is to write a company Security Policy Document for
a fictitious company called Global Distribution, Inc. (GDI). A
Security Policy Document is an absolutely essential item for
any organization that is subjected to a security audit. Lack of
such a document will result in an automatic failed audit. A
Security Policy Document within an organization provides a
high-level description of the various security controls the
organization will use to protect its information and assets. A
typical Security Policy Document contains a large set of
specific policies and can run several hundred pages. However,
for this project, you will write a brief document with a
33. maximum of 20 specific policies for the GDI Company.
Therefore, you must carefully consider and select only the most
important policies from hundreds of possible specific policies.
A brief description of the GDI Company is given below.
You will work individually on this project for a total of 25% of
your grading for the course. You may collaborate with your
classmates to share ideas and activities in preparation of the
final project deliverable. However, you will be graded for your
individual effort and deliverables, and you will submit the
project in your individual project assignment folders. You will
treat this project deliverable as if you would deliver it to your
own customer or client who will be paying you for the
deliverables.
Suggested Approach
These are only recommendations on the general approach you
might take for this project. This is your project to develop
individually.
1. Determine the most important assets of the company, which
must be protected
2. Determine a general security architecture for the company
3. Determine the real-time security measures that must be put in
place
4. Determine the monitoring and preventative measures that
must be put in place
5. Develop a list of 15 to 20 specific policies that could be
applied along with details and rationale for each policy
6. Integrate and write up the final version of the Security Policy
Document for submittal
The GDI company description is deliberately brief. In all real
34. life projects, you typically add complexity as you become
smarter as you go along. State the assumptions/rationale you
make to justify the selection of the particular security policies
you select. Attach the assumptions/rationale to each specific
security policy.
References
There are many information sources for Security Policy
Documents on the Internet. However, one good source to start
with is the SANS Security Policy Project that lists many
example security policy templates.
http://www.sans.org/security-resources/policies/
Company Description
GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages
thousands of accounts across Canada, the United States, and
Mexico. A public company traded on the NYSE, GFI
specializes in financial management, loan application approval,
wholesale loan processing, and investment of money
management for their customers.
GFI employs over 1,600 employees and has been experiencing
consistent growth keeping pace with S&P averages
(approximately 8%) for nearly six years. A well-honed
management strategy built on scaling operational performance
through automation and technological innovation has propelled
the company into the big leagues; GFI was only recently
profiled in Fortune Magazine.
The executive management team of GFI:
35. CEO
John Thompson
Vice Presidnet
Trey Elway
Executive
Assistant
Julie Anderson
Executive
Assistant
Kim Johnson
Executive
Assistant
Michelle Wang
CFO
Ron Johnson
COO
Mike Willy
CCO
Andy Murphy
Director of
Marketing
John King
Director of HR
Ted Young
Figure 1 GFI Management Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Computer Security Manager educated, trained, and
hired to protect the physical and operational security of GFI’s
corporate information system.
You were hired by COO Mike Willy and currently report to the
COO. You are responsible for a $5.25m annual budget, a staff
36. of 11, and a sprawling and expansive data center located on the
5th floor of the corporate tower. This position is the pinnacle
of your career – you are counting on your performance here to
pave the way into a more strategic leadership position in IT,
filling a vacancy that you feel is so significantly lacking from
the executive team.
There is actually a reason for this. CEO John Thompson
believes that the IT problem is a known quantity – that is, he
feels the IT function can be nearly entirely outsourced at
fractions of the cost associated with creating and maintaining an
established internal IT department; the CEO’s strategy has been
to prevent IT from becoming a core competency since so many
services can be obtained from 3rd parties. Since the CEO has
taken the reigns two years ago, the CEO has made significant
headway in cutting your department’s budget by 30% and
reducing half of your staff through outsourcing. This has been
a political fight for you: maintaining and reinforcing the
relevance of an internal IT department is a constant struggle.
COO Willy’s act of hiring you was, in fact, an act of
desperation: the increasing operational dependence on
technology combined with a diminishing IT footprint gravely
concerned Willy, and he begged to at least bring in a manager to
whom these obligations could be delegated to. Willy’s worst
nightmare is a situation where the Confidentiality, Integrity,
and Availability of the information system was compromised –
bringing the company to its knees – then having to rely on
vendors to pull him out of the mess.
GFI has experienced several cyber-attacks from outsiders over
the past a few years. In 2012, the Oracle database server was
attacked and its customer database lost its confidentiality,
integrity, and availability for several days. Although the
company restored the Oracle database server back online, its
lost confidentiality damaged the company reputations. GFI
ended up paying its customers a large sum of settlement for
37. their loss of data confidentiality. Another security attack was
carried out by a malicious virus that infected the entire network
for several days. While infected the Oracle and e-mail servers
had to be shut down to quarantine these servers. In the
meantime, the company lost $1.700, 000 in revenue and
intangible customer confidence.
There’s no question that the company’s CEO sees the strategic
importance of technology in executing his business plan, and in
this way you share a common basis of principle with him: that
IT is a competitive differentiator. However, you believe that
diminishing internal IT services risks security and strategic
capability, whereas the CEO feels he can acquire that capability
immediately at a low cost through the open market. You’re told
that CEO Thompson reluctantly agreed to your position if only
to pacify COO Willy’s concerns.
CORPORATE OFFICE NETWORK TOPOLOGY
Remote
Dial UpUsers
Trusted Computing Base Internal Network
Off-Site Office
Internet
Global Finance, Inc.
VPN
Gateway
VPN
Gateway
PBX
PSTN
Worstations
(x25)
Worstations
(x12)
39. Printers
(x5)
Workstations
(x7)
SUS Server
Access
Layer
VLAN
Switch
10 Gbps
100Mbps
10Gbps
100Mbps
10 Gbps
OC193
10Gbps
RAS
10 Gbps
10 Gbps
10 Gbps
OC193
10Gbps
90
90
Wireless
Antenna
90
You are responsible for a corporate WAN spanning 10 remote
facilities and interconnecting those facilities to the central data
processing environment. Data is transmitted from a remote site
through a VPN appliance situated in the border layer of the
routing topology; the remote VPN connects to the internal
Oracle database to update the customer data tables. Data
transaction from the remote access to the corporate internal
40. databases is not encrypted.
A bulk of the data processing for your company is handled by
Oracle database on a high end super computer. The trusted
computing based (TCB) internal network is situated in a
physically separated subnet. This is where all corporate data
processing is completed and internal support team has its own
intranet web server, a SUS server, an internal DNS, an e-mail
system, and other support personnel workstations. Each
corporate department is segregated physically on a different
subnet and shares the corporate data in the TCB network.
OTHER CONSIDERATIONS
1. Ever since the article ran in Fortune about GFI, your network
engineers report that they’ve noted a significant spike in
network traffic crossing into the internal networks. They report
that they cannot be certain what or who is generating this
traffic, but the volume and frequency of traffic is certainly
abnormal. The management is very concerned over securing the
corporate confidential data and customer information.
2. Increasingly, GFI’s CEO Thompson attempts to outsource IT
competency. In fact, you’ve been told of a plan from COO
Willy to outsource network management and security functions
away from your department and to a service integrator. COO
Willy warns you that the political environment will only
become more contentious over time; you must make a
compelling case as to what value your department can bring
over an integrator that can provide secure services at 40% less
annual cost than you.
3. The interrelationship between data and operations concerns
you. Increasingly, some of the 10 remote sites have been
reporting significant problems with network latency, slow
performance, and application time-outs against the Oracle
41. database. The company’s business model is driving higher and
higher demand for data, but your capability to respond to these
problems are drastically limited.
4. Mobility is important for the organization to interact with the
customers and other co-workers in near real-time. However, the
CEO is concerned with the mobility security and would like to
research for the best practice for mobility security. The CEO is
willing to implement a BYOD policy if security can be
addressed.
5. Employees enjoy the flexibility of getting access to the
corporate network using a WiFi network. However, the CEO is
concerned over the security ramifications over the wireless
network that is widely open to the company and nearby
residents.
6. The company plans to offer its products and services online
and requested its IT department to design a Cloud Computing
based on an e-commerce platform. However, the CEO is
particularly concerned over the cloud security in case the
customer database had been breached.
_1430024514.vsd