SlideShare a Scribd company logo

Security Policy Document Project Objectives The purpos.docx

Download as DOCX, PDF
K
kenjordan97598

Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines  Using the GDI Case Study, create the security policy document.  The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12- point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects.  At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References."  Appropriate citations are required. See the syllabus regarding plagiarism policies.  This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity.  The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 2.

Education
1 of 41
Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track.
This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines document. conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-
point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." plagiarism policies. ity of paper information, use of citations, grammar and sentence structure, and creativity. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis
25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points
At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements 8-16 points Describes the security policy in a manner that
allows the Senior Management to understand the organizational security requirements but not enough to make the 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. and evidence. Senior
management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points
Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent
future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior 6-10 points
Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not management to understand the organizational security requirements but not enough to make appropriate decisions . requirements but not enough to make appropriate decisions. Key information is left out or not made clear. include key information and details.
Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below.
You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal
The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI:
Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s
act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to
your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5)
Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web
Server Printers (x7) Printers (x5) Printers (x3) Printers (x3) Printers (x3) Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps
100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted.
A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure
services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached.
SOCIAL POLICY PAPER 1 SOCIAL SECURITY PAPER 1 CMIT320 Security Policy Paper Week 3 Table of Contents Introduction: GDI background and given problem……………………………….…………………… 1 Important Assets for GDI…..……………………………………………………………. 2 Security Architecture for GDI…………………………………………………………… 3 Ten Possible Security Policies………………………………………………………. 4 Details and Rationale of the Ten Security Policies………………………………….. 5
Ten Security Policies that should be Applied to GDI……………………………….. 6 Conclusion…………………………………………………………… ………………..… 7 References…………………………………………………………… ………………….. 8 Outline of the paper I. Introduction a. Briefly discuss the background of GDI in depth. b. A discussion about the given problem of the IT security, infrastructure, cost, among items. II. Discuss the important assets of GDI that need to be fully protected i. Asset identification: “Identity and quantify the company’s
assets” ii. Important assets include: 1. Computer network equipment 2. Data 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. b. Access control methods: sensitivity, integrity, availability c. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” d. Identify solutions and countermeasures: “Identify a cost- effective solution to protect assets” III. Security architecture for the company a. “The IT department should always have current diagrams of your overall network architecture on hand” IV. A list of 20 or more policies that could be applied to this situation a. User Account Policy b. Audit Security Policy (SANS) c. Email Security Policy (SANS) d. Internet Security Policy (SANS) e. Server Security Policy (SANS) f. Wireless Security Policy (SANS) g. Network Security Policy (SANS) h. Physical Security Policy (SANS) i. Remote Access Security Policy j. Ethics Policy (SANS) k. Privacy Policy l. Incident Response Policy m. Access Control Policy n. Separation of Duties Policy o. Password Policy p. Data Retention Policy q. Hardware Disposal and Data Destruction Policy r. Documentation policy V. Specific details and rationale of each policy from above a. Ethics Policy – “User Education and Awareness Training”
b. Documentation policy- “Standards and Guidelines for Documentation, Data Classification, document retention and storage, document destruction, system architecture, logs inventory, change management and control documentation Network Security Policy- risk and threat assessment, vulnerabilities, threats, risk, impact, probabilities, natural disasters, equipment malfunction, intruders, malicious hackers, potential loss, and threat profiles c. It also includes firewall, intrusion detection system, audits, etc. d. Wireless Security Policy- Access point security, encryption protocols, MAC address filtering, VPN, etc. e. Physical Security Policy- physical barriers, video surveillance and monitoring, lighting, locks, access logs, ID badges, man-trap VI. Review the policies and select 12 important policies that can be applied to GDI a. Network Security Policy b. Internet Security Policy c. Physical Security Policy d. Ethics Policy e. Remote Access Security Policy f. Incident Response Policy g. Hardware Disposal and Data Destruction Policy h. Wireless Security Policy i. Password Security Policy j. Separation of Duties Policy k. Privacy Policy l. Server Security Policy VII. Conclusion a. Conclude discussion and proposal of the security policy document. This will be a conclusion based on the real aspects as discussed in the ouline
References Include any references here with full citations. The references will be stated in the case of the final project. This will show all the sources of information that has been used in making the detailed research. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation.
Detailed Requirements Project Deliverable #1 (Due Week 3) · Using the GDI Case Study below, complete the Security Policy Document Outline. · Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. · Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) · Using the GDI Case Study, complete the Security Policy Document. · Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines · Using the GDI Case Study, create the security policy document.
· The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. · At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." · Appropriate citations are required. See the syllabus regarding plagiarism policies. · This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity. · The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis
25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and
formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives.
8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real- time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions
. 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear. 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a
maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real
life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI:
CEO John Thompson Vice Presidnet Trey Elway Executive Assistant Julie Anderson Executive Assistant Kim Johnson Executive Assistant Michelle Wang CFO Ron Johnson COO Mike Willy CCO Andy Murphy Director of Marketing John King Director of HR Ted Young Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff
of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for
their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12)
Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3) Printers (x3) Printers (x3)
Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps 100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna 90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal
databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle
database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. _1430024514.vsd

Recommended

ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxvrickens
 
Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Security Executive Council
 
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxRubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxSUBHI7
 
IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docxShiraPrater50
 
Cis 550-week-10-term-paper
Cis 550-week-10-term-paperCis 550-week-10-term-paper
Cis 550-week-10-term-papershyaminfo18
 
2022-security-plan-template.pptx
2022-security-plan-template.pptx2022-security-plan-template.pptx
2022-security-plan-template.pptxEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxCIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxAASTHA76
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 

Recommended

ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxvrickens
 
Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Security Executive Council
 
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxRubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxSUBHI7
 
IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docxShiraPrater50
 
Cis 550-week-10-term-paper
Cis 550-week-10-term-paperCis 550-week-10-term-paper
Cis 550-week-10-term-papershyaminfo18
 
2022-security-plan-template.pptx
2022-security-plan-template.pptx2022-security-plan-template.pptx
2022-security-plan-template.pptxEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxCIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxAASTHA76
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security StrategyAndrew Byers
 
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docxaryan532920
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual cisoMichael Ball
 
Throughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxThroughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxherthalearmont
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Needsimplyme12345
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxtangyechloe
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxchristiandean12115
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAASTHA76
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxmanningchassidy
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0Vincent Toms
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)Marie Peters
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security StrategyInfo-Tech Research Group
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolioKaloyan Krastev
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woeleanorabarrington
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxaryan532920
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxAASTHA76
 
ISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryKevin Landale
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxkenjordan97598
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxkenjordan97598
 

More Related Content

Similar to Security Policy Document Project Objectives The purpos.docx

ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docxaryan532920
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual cisoMichael Ball
 
Throughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxThroughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxherthalearmont
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Needsimplyme12345
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxtangyechloe
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxchristiandean12115
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAASTHA76
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxmanningchassidy
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0Vincent Toms
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)Marie Peters
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolioKaloyan Krastev
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woeleanorabarrington
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxaryan532920
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxAASTHA76
 
ISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryKevin Landale
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 

Similar to Security Policy Document Project Objectives The purpos.docx (20)

ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
 
Throughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxThroughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docx
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity program
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
 
ISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryISM and its impact on Government Project Delivery
ISM and its impact on Government Project Delivery
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities Research
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 

More from kenjordan97598

You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxkenjordan97598
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxkenjordan97598
 
You are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docxYou are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docxkenjordan97598
 
You are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docxYou are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docxkenjordan97598
 
You are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docxYou are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docxkenjordan97598
 
You are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docxYou are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docxkenjordan97598
 
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docxYou are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docxkenjordan97598
 
You are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docxYou are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docxkenjordan97598
 
You are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docxYou are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docxkenjordan97598
 
You are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docxYou are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docxkenjordan97598
 
You are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docxYou are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docxkenjordan97598
 
You are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docxYou are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docxkenjordan97598
 
You are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docxYou are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docxkenjordan97598
 
You are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docxYou are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docxkenjordan97598
 
You are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docxYou are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docxkenjordan97598
 
You are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docxYou are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docxkenjordan97598
 
You are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docxYou are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docxkenjordan97598
 
You are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docxYou are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docxkenjordan97598
 
You are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docxYou are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docxkenjordan97598
 
You are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docxYou are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docxkenjordan97598
 

More from kenjordan97598 (20)

You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docx
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docx
 
You are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docxYou are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docx
 
You are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docxYou are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docx
 
You are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docxYou are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docx
 
You are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docxYou are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docx
 
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docxYou are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
 
You are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docxYou are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docx
 
You are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docxYou are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docx
 
You are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docxYou are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docx
 
You are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docxYou are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docx
 
You are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docxYou are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docx
 
You are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docxYou are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docx
 
You are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docxYou are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docx
 
You are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docxYou are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docx
 
You are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docxYou are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docx
 
You are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docxYou are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docx
 
You are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docxYou are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docx
 
You are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docxYou are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docx
 
You are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docxYou are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docx
 

Recently uploaded

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxmarlenawright1
 
Major project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategiesMajor project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategiesAmanpreetKaur157993
 
UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024Borja Sotomayor
 
male presentation...pdf.................
male presentation...pdf.................male presentation...pdf.................
male presentation...pdf.................MirzaAbrarBaig5
 
Rich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdfRich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdfJerry Chew
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjMohammed Sikander
 
8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital ManagementMBA Assignment Experts
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSean M. Fox
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...EADTU
 
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...MysoreMuleSoftMeetup
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....Ritu480198
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptNishitharanjan Rout
 
Pharmaceutical Biotechnology VI semester.pdf
Pharmaceutical Biotechnology VI semester.pdfPharmaceutical Biotechnology VI semester.pdf
Pharmaceutical Biotechnology VI semester.pdfBALASUNDARESAN M
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...EduSkills OECD
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111GangaMaiya1
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...Gary Wood
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...Nguyen Thanh Tu Collection
 

Recently uploaded (20)

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
Major project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategiesMajor project report on Tata Motors and its marketing strategies
Major project report on Tata Motors and its marketing strategies
 
UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024UChicago CMSC 23320 - The Best Commit Messages of 2024
UChicago CMSC 23320 - The Best Commit Messages of 2024
 
male presentation...pdf.................
male presentation...pdf.................male presentation...pdf.................
male presentation...pdf.................
 
Rich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdfRich Dad Poor Dad ( PDFDrive.com )--.pdf
Rich Dad Poor Dad ( PDFDrive.com )--.pdf
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
 
8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
ESSENTIAL of (CS/IT/IS) class 07 (Networks)
ESSENTIAL of (CS/IT/IS) class 07 (Networks)ESSENTIAL of (CS/IT/IS) class 07 (Networks)
ESSENTIAL of (CS/IT/IS) class 07 (Networks)
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
MuleSoft Integration with AWS Textract | Calling AWS Textract API |AWS - Clou...
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Pharmaceutical Biotechnology VI semester.pdf
Pharmaceutical Biotechnology VI semester.pdfPharmaceutical Biotechnology VI semester.pdf
Pharmaceutical Biotechnology VI semester.pdf
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
TỔNG HỢP HƠN 100 ĐỀ THI THỬ TỐT NGHIỆP THPT TOÁN 2024 - TỪ CÁC TRƯỜNG, TRƯỜNG...
 

Security Policy Document Project Objectives The purpos.docx

  • 1. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track.
  • 2. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines document. conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-
  • 3. point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." plagiarism policies. ity of paper information, use of citations, grammar and sentence structure, and creativity. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis
  • 4. 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points
  • 5. At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements 8-16 points Describes the security policy in a manner that
  • 6. allows the Senior Management to understand the organizational security requirements but not enough to make the 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. and evidence. Senior
  • 7. management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points
  • 8. Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent
  • 9. future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior 6-10 points
  • 10. Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not management to understand the organizational security requirements but not enough to make appropriate decisions . requirements but not enough to make appropriate decisions. Key information is left out or not made clear. include key information and details.
  • 11. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below.
  • 12. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal
  • 13. The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI:
  • 14. Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s
  • 15. act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to
  • 16. your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5)
  • 17. Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web
  • 19. 100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted.
  • 20. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure
  • 21. services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached.
  • 22. SOCIAL POLICY PAPER 1 SOCIAL SECURITY PAPER 1 CMIT320 Security Policy Paper Week 3 Table of Contents Introduction: GDI background and given problem……………………………….…………………… 1 Important Assets for GDI…..……………………………………………………………. 2 Security Architecture for GDI…………………………………………………………… 3 Ten Possible Security Policies………………………………………………………. 4 Details and Rationale of the Ten Security Policies………………………………….. 5
  • 23. Ten Security Policies that should be Applied to GDI……………………………….. 6 Conclusion…………………………………………………………… ………………..… 7 References…………………………………………………………… ………………….. 8 Outline of the paper I. Introduction a. Briefly discuss the background of GDI in depth. b. A discussion about the given problem of the IT security, infrastructure, cost, among items. II. Discuss the important assets of GDI that need to be fully protected i. Asset identification: “Identity and quantify the company’s
  • 24. assets” ii. Important assets include: 1. Computer network equipment 2. Data 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. b. Access control methods: sensitivity, integrity, availability c. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” d. Identify solutions and countermeasures: “Identify a cost- effective solution to protect assets” III. Security architecture for the company a. “The IT department should always have current diagrams of your overall network architecture on hand” IV. A list of 20 or more policies that could be applied to this situation a. User Account Policy b. Audit Security Policy (SANS) c. Email Security Policy (SANS) d. Internet Security Policy (SANS) e. Server Security Policy (SANS) f. Wireless Security Policy (SANS) g. Network Security Policy (SANS) h. Physical Security Policy (SANS) i. Remote Access Security Policy j. Ethics Policy (SANS) k. Privacy Policy l. Incident Response Policy m. Access Control Policy n. Separation of Duties Policy o. Password Policy p. Data Retention Policy q. Hardware Disposal and Data Destruction Policy r. Documentation policy V. Specific details and rationale of each policy from above a. Ethics Policy – “User Education and Awareness Training”
  • 25. b. Documentation policy- “Standards and Guidelines for Documentation, Data Classification, document retention and storage, document destruction, system architecture, logs inventory, change management and control documentation Network Security Policy- risk and threat assessment, vulnerabilities, threats, risk, impact, probabilities, natural disasters, equipment malfunction, intruders, malicious hackers, potential loss, and threat profiles c. It also includes firewall, intrusion detection system, audits, etc. d. Wireless Security Policy- Access point security, encryption protocols, MAC address filtering, VPN, etc. e. Physical Security Policy- physical barriers, video surveillance and monitoring, lighting, locks, access logs, ID badges, man-trap VI. Review the policies and select 12 important policies that can be applied to GDI a. Network Security Policy b. Internet Security Policy c. Physical Security Policy d. Ethics Policy e. Remote Access Security Policy f. Incident Response Policy g. Hardware Disposal and Data Destruction Policy h. Wireless Security Policy i. Password Security Policy j. Separation of Duties Policy k. Privacy Policy l. Server Security Policy VII. Conclusion a. Conclude discussion and proposal of the security policy document. This will be a conclusion based on the real aspects as discussed in the ouline
  • 26. References Include any references here with full citations. The references will be stated in the case of the final project. This will show all the sources of information that has been used in making the detailed research. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation.
  • 27. Detailed Requirements Project Deliverable #1 (Due Week 3) · Using the GDI Case Study below, complete the Security Policy Document Outline. · Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. · Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) · Using the GDI Case Study, complete the Security Policy Document. · Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines · Using the GDI Case Study, create the security policy document.
  • 28. · The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. · At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." · Appropriate citations are required. See the syllabus regarding plagiarism policies. · This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity. · The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis
  • 29. 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and
  • 30. formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives.
  • 31. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real- time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions
  • 32. . 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear. 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a
  • 33. maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real
  • 34. life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI:
  • 35. CEO John Thompson Vice Presidnet Trey Elway Executive Assistant Julie Anderson Executive Assistant Kim Johnson Executive Assistant Michelle Wang CFO Ron Johnson COO Mike Willy CCO Andy Murphy Director of Marketing John King Director of HR Ted Young Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff
  • 36. of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for
  • 37. their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12)
  • 38. Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3) Printers (x3) Printers (x3)
  • 39. Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps 100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna 90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal
  • 40. databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle
  • 41. database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. _1430024514.vsd