Outline for an Enterprise IT Security Policy
No Name
January 24, 2016
Running head: IT Security Policy Outline 1
Introduction
An IT security policy is a strategy developed by an organization or an enterprise to protect and maintain its network and resources (Bowden, 2003). It is very important that an organization create a well-written policy that is geared towards dealing with threats to availability, confidentiality and integrity. The United States Government has implemented a Cybersecurity Framework, which is geared towards improving the cybersecurity of critical infrastructure (NIST, 2014). “The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers” (NIST, 2014).

In addition, a proper outline for an IT security policy will not only address all applicable elements of the Framework Core and the protective technologies listed in the NIST Cybersecurity Framework, but also address relevant policies and controls from sources including the CIS Critical Security Controls. The CIS Controls are a recommended set of actions that help an organization defend its infrastructure; they are created by people who are highly skilled in dealing with attacks and how they work (CIS, 2015).

Analysis
The National Aeronautics and Space Administration (NASA) is a government-owned enterprise that is responsible for the civilian space program and continues to venture into new areas such as air transportation (NASA, 2015). Thus, information technology is a vital part of the organization's development, as NASA focuses on increasing the productivity of scientists, engineers and mission support personnel by responsively and efficiently delivering reliable, innovative and secure IT services (NASA, 2015). According to NASA's Information Technology Governance report (2013), “the Agency spends more than $1.5 billion annually on a portfolio of IT assets that includes approximately 550 information systems it uses to control spacecraft, collect and process scientific data, provide security for its IT infrastructure, and enable NASA personnel to collaborate with colleagues around the world.” In addition, the technical and scientific information generated by NASA research, science, engineering, technology, and exploration initiatives is one of its most valuable assets and should be protected under a solid IT security policy. NASA has a sophisticated information infrastructure, including DAEP, SN, DSN, and NEN, and supplies telecommunication services to customers across the globe.

In addition, NASA has had its share of cyber threats over the years and has since continued to develop a better IT security policy to safeguard against them. Following 5408 computer security incidents in 2010 and 2011, the organization implemented regulations such as securing laptops, iPads and smartphones and making all employees accountable for securing sensitive security information (NASA, 2012). Thus, since information technology continues to change, new threats continue to emerge, and it is the organization's responsibility to use the necessary resources, such as the NIST critical infrastructure framework, as tools to help develop strong IT security policies to deal with cyber threats.
Framework
On February 12, 2013, Executive Order 13636 was issued by President Obama; it focused on improving the resilience and security of cyber infrastructure (NIST, 2014). “The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes” (NIST, 2014).

In addition, NASA's Information Technology Governance report (2013) states that “centralization of the Agency's IT framework under a Headquarters-based CIO would improve NASA's overall management of IT, including planning, acquisition, and security, while increasing control over IT expenditures and accountability.” Before the framework was addressed, NASA's system was “overly complex and ineffective”. “We believe that both NASA's history and the experience of the other agencies supports a recommendation that NASA move to a more centralized approach to IT governance” (NASA, 2013). Therefore it is important for me to provide an outline of the 15 content areas of the IT security policy outline as they relate to NASA.
1. Access Control: “Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions” (NIST, 2014).
· Within the organization, all users should be provided distinct credentials, and any remote access device needs to be registered in advance.
· Network integrity must be protected, and network segregation needs to be included (Ashford, 2015).

2. Asset Management: “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy” (NIST, 2014).
· By referring to ISO 142242 from the International Organization for Standardization (ISO), it is important to establish and configure a physical asset hierarchy.
· Future changes to asset management need to be evaluated properly before implementation (IAM, 2015).

3. Application Development: design, develop, deploy, manage and maintain applications in accordance with security principles.
· Should define and describe data arrangements and application solutions for new systems.
· Need to build and create designs and prototypes (Ashford, 2015).

4. Communications: “Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies” (NIST, 2014).
· Public relations need to be managed properly, and recovery strategies must be kept up to date.
· Recovery activities are essential to creating secure communication between different management teams and internal stakeholders.

5. Compliance: all sectors of the organization must be in compliance with the regulations handed down.
· The compliance policy needs to support cybersecurity activities with regulatory, constitutional, and applicable privacy-law requirements.

6. Corporate Governance:
· The organization should govern and be actively involved in balancing the interests of a company's stakeholders, including shareholders, management groups, suppliers, customers, financiers, the community and the government.
· It should renew public confidence and trust in markets and corporations after the bankruptcy and accounting fraud of high-profile companies (Investopedia, 2015).

7. Customers: it is important to ensure the safety of customers as it relates to availability, integrity and confidentiality, thus developing ways to increase productivity.
· Customers have the ability to drive up costs and to have an enormous impact on revenue.
· All kinds of customer relationships with a company should be handled delicately (greatsampleresume, 2015).

8. Incident Management: the organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions (NIST, 2014).
· The organization should have a process in place to identify, categorize, prioritize and respond to risk.
· Roles and responsibilities during this process, such as incident response teams, should be indicated.

9. IT Operations: reports should be prepared, and optimal IT performance needs to be ensured.
· It should preserve customers' agreement records and maintain the company's service level.
· It should be designed to deliver efficient maintenance and response at the time of compliance and disaster recovery (greatsampleresume, 2015).

10. Outsourcing: third parties should be regulated to adhere to certain policies and guidelines as they relate to integrity, confidentiality and availability.
· It needs to be certain that a third-party supplier meets all of the compliance requirements that the company itself must abide by.
· It should consider the consequences of service delivery failure by the third party (LCE, 2015).

11. Physical/Environmental: the organization needs to ensure that it has suitable physical security equipment and that the environment is protected at all times.
· Any physical passage and access to assets should be managed and shielded.
· Policies and regulations regarding the physical operating environment should meet the organization's requirements (GREENWALD, 2013).

12. Policies & Procedures: the organization must adhere to policies and procedures and ensure that each employee is aware of them.
· Policies and procedures need to be defined and implemented so that employees can perform their cybersecurity duties.

13. It should be used to manage and protect information systems and assets and address potential cybersecurity events.

14. Privacy: a system development life cycle needs to be implemented carefully to manage the system.
· Cybersecurity and future risk assessments must consider privacy law.
· Privacy laws must support cybersecurity compliance activities with constitutional requirements and regulations (LCE, n.d.).

15. IT Security Program Implementation: monitoring and training employees consistently.
· Every user in the company should be given a security manual.
· A company needs to have an incident response and security team that handles all security matters and security breaches (Hammond, 2010).
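As an added example, not part of the paper, the following Python check ties the access-control point above (remote devices registered in advance) and the asset-management item to the CIS inventory-of-authorized-and-unauthorized-devices control discussed under Controls below: it reconciles the responders from an active ICMP/ARP sweep against the registered-device inventory and flags what the policy would want investigated. The inventory, the sweep output and every host name and address are constructed placeholders.

```python
import re

# Constructed "authorized devices" inventory (the CIS Control 1 register); hosts are hypothetical.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"host": "telemetry-gw", "ip": "10.0.5.10"},
    "00:1a:2b:3c:4d:02": {"host": "data-proc-1", "ip": "10.0.5.13"},
    "00:1a:2b:3c:4d:03": {"host": "jump-host", "ip": "10.0.5.12"},
}

# Constructed output of an active ICMP/ARP sweep of one segment, one "ip mac" line per responder.
# The fourth line is a second MAC answering for an address that data-proc-1 is also using.
SCAN_OUTPUT = """\
10.0.5.10 00:1a:2b:3c:4d:01
10.0.5.11 00:1a:2b:3c:4d:02
10.0.5.44 00:1a:2b:3c:4d:99
10.0.5.11 00:1a:2b:3c:4d:77
not-a-host-line
"""

LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*$", re.I)

def parse_scan(text):
    """Return {mac: ip} for each well-formed line; malformed lines and bad octets are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and all(int(octet) <= 255 for octet in m.group(1).split(".")):
            seen[m.group(2).lower()] = m.group(1)
    return seen

def reconcile(seen, authorized):
    """Classify each discovered device against the inventory and note registered devices the sweep missed."""
    findings = {"unauthorized": [], "ip_mismatch": [], "missing": [], "ip_collision": []}
    by_ip = {}
    for mac, ip in seen.items():
        by_ip.setdefault(ip, []).append(mac)
        entry = authorized.get(mac)
        if entry is None:
            findings["unauthorized"].append((ip, mac))  # not registered: investigate or quarantine
        elif entry["ip"] != ip:
            findings["ip_mismatch"].append((entry["host"], entry["ip"], ip))  # stale record or moved device
    findings["missing"] = [e["host"] for mac, e in authorized.items() if mac not in seen]  # offline or retired?
    findings["ip_collision"] = [(ip, sorted(macs)) for ip, macs in by_ip.items() if len(macs) > 1]  # one IP, two MACs
    return findings

def audit(scan_text=SCAN_OUTPUT, authorized=AUTHORIZED):
    """Run the sweep output through the inventory check and return the findings."""
    return reconcile(parse_scan(scan_text), authorized)
```

Each finding category maps to a different follow-up: an unregistered MAC goes to the incident process, a mismatch or missing host goes back to the asset owner to correct the register, and an IP collision is checked before anyone trusts the address in a log.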
Controls
There are several CIS controls that are appropriate protective technologies and solutions, which can be used to secure NASA. Since NASA has had web browser intrusions and other threats, it is very important that the organization implement data protection, malware defenses, wireless access control, email and web browsing protections, an inventory of authorized and unauthorized devices and software, and data recovery capability. According to CIS (2015), it is important to have an inventory of authorized and unauthorized devices because attackers can be located anywhere around the world. In addition, maintaining a current and accurate view of IT assets by actively scanning using tools such as ICMP is a plus (CIS, 2015). Bundling a firewall, antivirus, IDS and IPS is also good for monitoring software. Using vulnerability assessment tools is also essential to catch any unpatched systems (CIS, 2015). Controlling administrative privileges is also a great way to verify users. Overall, all of these tools are necessary in order to safeguard against common cyber threats. Once a solid IT security policy is implemented using the resources available, any organization will be secured from threats.

References
Ashford, W. (2015). Best practice in outsourcing security. Computer Weekly. Retrieved from http://www.computerweekly.com/feature/Best-practice-in-outsourcing-security

CIS. (2015). The CIS Critical Security Controls for Effective Cyber Defense. Retrieved from https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015

Great Sample Resume. (2016). IT Operations Manager Responsibilities and Duties. Retrieved from http://www.greatsampleresume.com/Job-Responsibilities/IT-Operations-Manager-Responsibilities.html

Greenwald, J. (2013). Cyber security framework welcomed. Business Insurance, 47(22), 46. Retrieved from http://connection.ebscohost.com/c/articles/91951516/cyber-security-framework-welcomed

Hammond, B. (2010). Presidential advisory panel recommends increased investment in cybersecurity R&D. Indianapolis: Indiana University. Retrieved from http://iucat-test.uits.iu.edu/iupui/articles/edsggo/edsgcl.260494931/?resultId=67&highlight=%22Administrative%20agencies%20--%20Investments%22

IAM. (2015). What is Asset Management? Retrieved from https://theiam.org/what-asset-management

Investopedia. (n.d.). Definition of 'Corporate Governance'. Retrieved from http://www.investopedia.com/terms/c/corporategovernance.asp

LCE. (2015). The Five Biggest Risks to Effective Asset Management. Retrieved from http://www.lce.com/the_five_biggest_risks_to_effective_asset_management_367-item.html

NASA. (2013). NASA Information Technology Governance Program Evaluation, Report No. IG-13-015 (Assignment No. A-12-018-00).

NASA. (2016). NASA TV. Networks. Retrieved from http://www.nasa.gov/directorates/heo/scan/services/networks/txt_sn.html

NASA. (2012). IT Talk. Protecting and safeguarding NASA information and systems. Retrieved from https://www.nasa.gov/pdf/666064main_ITTalk_JUL2012_final.pdf

NASA. (2004). Information Security Policy, dated April 07, 2004. Retrieved from http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPD&c=2810&s=1D

NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf