SlideShare a Scribd company logo

Security Policy Document Project Objectives The purpose .docx

Download as DOCX, PDF
K
kenjordan97598

Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines  Using the GDI Case Study, create the security policy document.  The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12- point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects.  At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References."  Appropriate citations are required. See the syllabus regarding plagiarism policies.  This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity.  The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Re.

Education
1 of 41
Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary”
of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines document. conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12- point font. See "Writing Guideline" in WebTycho where you'll
find help on writing for research projects. (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." plagiarism policies. ity of paper information, use of citations, grammar and sentence structure, and creativity. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous
Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or
referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the 0-7 points Describes the security policy in a manner that
is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs
real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives.
Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate
any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security 0-5 points Describes the security policy analysis in a
manner that is unclear and/or insufficient. Summary is difficult to follow or does not management to understand the organizational security requirements but not enough to make appropriate decisions . requirements but not enough to make appropriate decisions. Key information is left out or not made clear. include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the
help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables.
Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However,
one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI: Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system.
You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network
Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting
Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3)
Printers (x3) Printers (x3) Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps 100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps
10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to
these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. 3 CMIT320 Security Policy Paper Week 3
Table of Contents Introduction: GDI background and given problem……………………………………… 1 Important Assets………………………………………………………………… ………. 2 Security Architecture for GDI…………………………………………………………… 3 Twenty Possible Security Policies………………………………………………………. 4 Details and Rationale of the Twenty Security Policies………………………………….. 5 Twelve Security Policies that should be Applied to GDI……………………………….. 6 Conclusion…………………………………………………………… ………………..… 7 References…………………………………………………………… ………………….. 8
Outline I. Introduction a. Briefly discuss the background of GDI. b. Also, discuss about the given problem of the IT security, infrastructure, cost, etc. II. Discuss the important assets of the company that need protection a. Asset identification: “Identity and quantify the company’s assets” (Meyers, 2009, p. 215) i. Important assets include: 1. Computer network equipment (Meyers, 2009, p. 215) 2. Data (Meyers, 2009, p. 215) 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. b. Access control methods: sensitivity, integrity, availability (Meyers, 2009, p. 157). c. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” (Meyers, 2009, p. 215). d. Identify solutions and countermeasures: “Identify a cost- effective solution to protect assets” (Meyers, 2009, p. 215). III. Security architecture for the company
a. “The IT department should always have current diagrams of your overall network architecture on hand” (Meyers, 2009, p. 381). IV. A list of 20 or more policies that could be applied to this situation a. User Account Policy (Meyers, 2009, p. 170) b. Audit Security Policy (SANS) c. Email Security Policy (SANS) d. Internet Security Policy (SANS) e. Server Security Policy (SANS) f. Wireless Security Policy (SANS) g. Network Security Policy (SANS) h. Physical Security Policy (SANS) i. Remote Access Security Policy j. Ethics Policy (SANS) k. Privacy Policy (Meyers, 2009, p. 369) l. Incident Response Policy (Meyers, 2009, p. 371) m. Access Control Policy (Meyers, 2009, p. 372) n. Separation of Duties Policy (Meyers, 2009, p. 372) o. Password Policy (Meyers, 2009, p. 374) p. Data Retention Policy (Meyers, 2009, p. 375) q. Hardware Disposal and Data Destruction Policy (Meyers, 2009, p. 375) r. Documentation policy (Meyers, 2009, p. 378) s. Termination Policy (Meyers, 2009, p. 377) t. Acceptable Use Policy (Meyers, 2009, p. 367) V. Specific details and rationale of each policy from above a. Ethics Policy – “User Education and Awareness Training” (Meyers, 2009, p. 384) b. Documentation policy- “Standards and Guidelines for Documentation, Data Classification, document retention and storage, document destruction, system architecture, logs inventory, change management and control documentation (Meyers, 2009, p. 378-383). c. Network Security Policy- risk and threat assessment, vulnerabilities, threats, risk, impact, probabilities, natural
disasters, equipment malfunction, intruders, malicious hackers, potential loss, and threat profiles (Meyers, 2009, p. 216-218). It also includes firewall, intrusion detection system, audits, etc. d. Wireless Security Policy- Access point security, encryption protocols, MAC address filtering, VPN, etc. (Meyers, 2009, p. 144-147). e. Physical Security Policy- physical barriers, video surveillance and monitoring, lighting, locks, access logs, ID badges, man-trap (Meyers, 2009, p. 200-204). VI. Review the policies and select 12 important policies that can be applied to GDI a. Network Security Policy b. Internet Security Policy c. Physical Security Policy d. Ethics Policy e. Remote Access Security Policy f. Incident Response Policy g. Hardware Disposal and Data Destruction Policy h. Wireless Security Policy i. Password Security Policy j. Separation of Duties Policy k. Privacy Policy l. Server Security Policy VII. Conclusion a. Conclude discussion and proposal of the security policy document.
References Include any references here with full citations. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) · Using the GDI Case Study below, complete the Security Policy Document Outline. · Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. · Ungraded but instructor will provide feedback to make sure
students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) · Using the GDI Case Study, complete the Security Policy Document. · Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines · Using the GDI Case Study, create the security policy document. · The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. · At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References."
· Appropriate citations are required. See the syllabus regarding plagiarism policies. · This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity. · The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and
Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will
allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real- time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points
Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions . 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear. 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or
does not include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your
own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates.
http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI: CEO John Thompson Vice Presidnet Trey Elway Executive Assistant Julie Anderson Executive Assistant Kim Johnson Executive Assistant
Michelle Wang CFO Ron Johnson COO Mike Willy CCO Andy Murphy Director of Marketing John King Director of HR Ted Young Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been
to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic
capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer
Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3) Printers (x3) Printers (x3) Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps
100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna 90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the
corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. _1430024514.vsd

Recommended

ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
vrickens
 
Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2
Security Executive Council
 
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxRubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
SUBHI7
 
Cis 550-week-10-term-paper
Cis 550-week-10-term-paperCis 550-week-10-term-paper
Cis 550-week-10-term-paper
shyaminfo18
 
IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx
ShiraPrater50
 
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxCIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
AASTHA76
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
Throughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxThroughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docx
herthalearmont
 

Recommended

ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docxITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
ITS 834 Emerging Threats and CountermeasuresTotal points - 100.docx
vrickens
 
Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2Insight into Security Leader Success Part 2
Insight into Security Leader Success Part 2
Security Executive Council
 
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docxRubric Name Project 7 Organization Enterprise Plan and Security P.docx
Rubric Name Project 7 Organization Enterprise Plan and Security P.docx
SUBHI7
 
Cis 550-week-10-term-paper
Cis 550-week-10-term-paperCis 550-week-10-term-paper
Cis 550-week-10-term-paper
shyaminfo18
 
IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx IT 552 Milestone One Guidelines and Rubric The fina.docx
IT 552 Milestone One Guidelines and Rubric The fina.docx
ShiraPrater50
 
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docxCIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
CIS333 – Assignments and Rubrics © 2017 Strayer Unive.docx
AASTHA76
 
Build an Information Security Strategy
Build an Information Security StrategyBuild an Information Security Strategy
Build an Information Security Strategy
Andrew Byers
 
Throughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docxThroughout this course you will be working on several aspects of s.docx
Throughout this course you will be working on several aspects of s.docx
herthalearmont
 
Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
Michael Ball
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
christiandean12115
 
2022-security-plan-template.pptx
2022-security-plan-template.pptx2022-security-plan-template.pptx
2022-security-plan-template.pptx
Eng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
aryan532920
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
aryan532920
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
AASTHA76
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
Info-Tech Research Group
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
tangyechloe
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
Ken M. Shaurette
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
Vincent Toms
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
Fahmi Albaheth
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
Marie Peters
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity program
AASTHA76
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities Research
IDG
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
Kaloyan Krastev
 
Five steps to achieve success with application security
Five steps to achieve success with application securityFive steps to achieve success with application security
Five steps to achieve success with application security
IBM Security
 
You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docx
kenjordan97598
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docx
kenjordan97598
 

More Related Content

Similar to Security Policy Document Project Objectives The purpose .docx

Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
Michael Ball
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
christiandean12115
 
2022-security-plan-template.pptx
2022-security-plan-template.pptx2022-security-plan-template.pptx
2022-security-plan-template.pptx
Eng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
Gary Hayslip CISSP, CISA, CRISC, CCSK
 
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
aryan532920
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
aryan532920
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
AASTHA76
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
Info-Tech Research Group
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
tangyechloe
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
Ken M. Shaurette
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
Vincent Toms
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
Fahmi Albaheth
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
Marie Peters
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity program
AASTHA76
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities Research
IDG
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
Kaloyan Krastev
 
Five steps to achieve success with application security
Five steps to achieve success with application securityFive steps to achieve success with application security
Five steps to achieve success with application security
IBM Security
 

Similar to Security Policy Document Project Objectives The purpose .docx (20)

Role of the virtual ciso
Role of the virtual cisoRole of the virtual ciso
Role of the virtual ciso
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docxIT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
 
2022-security-plan-template.pptx
2022-security-plan-template.pptx2022-security-plan-template.pptx
2022-security-plan-template.pptx
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
ISE 510 Final Project Milestone Two Guidelines and Rubric .docx
 
Security of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We NeedSecurity of the future - Adapting Approaches to What We Need
Security of the future - Adapting Approaches to What We Need
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
 
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docxCIS333 – Networking Security Fundamentals © 2017 Stray.docx
CIS333 – Networking Security Fundamentals © 2017 Stray.docx
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docxTerm Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
 
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docxBest Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
Best Coding PracticesLaDonne White, Manager, Webtrain Inc. e.docx
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Linked in misti_rs_1.0
Linked in misti_rs_1.0Linked in misti_rs_1.0
Linked in misti_rs_1.0
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and woerm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
 
10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)10-things-you-ought-to-know-before-you-benchmark(1)
10-things-you-ought-to-know-before-you-benchmark(1)
 
As a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity programAs a recent graduate of the umgc masters in cybersecurity program
As a recent graduate of the umgc masters in cybersecurity program
 
IDG 2020 Security Priorities Research
IDG 2020 Security Priorities ResearchIDG 2020 Security Priorities Research
IDG 2020 Security Priorities Research
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
Five steps to achieve success with application security
Five steps to achieve success with application securityFive steps to achieve success with application security
Five steps to achieve success with application security
 

More from kenjordan97598

You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docx
kenjordan97598
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docx
kenjordan97598
 
You are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docxYou are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docx
kenjordan97598
 
You are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docxYou are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docx
kenjordan97598
 
You are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docxYou are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docx
kenjordan97598
 
You are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docxYou are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docx
kenjordan97598
 
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docxYou are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
kenjordan97598
 
You are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docxYou are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docx
kenjordan97598
 
You are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docxYou are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docx
kenjordan97598
 
You are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docxYou are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docx
kenjordan97598
 
You are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docxYou are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docx
kenjordan97598
 
You are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docxYou are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docx
kenjordan97598
 
You are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docxYou are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docx
kenjordan97598
 
You are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docxYou are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docx
kenjordan97598
 
You are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docxYou are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docx
kenjordan97598
 
You are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docxYou are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docx
kenjordan97598
 
You are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docxYou are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docx
kenjordan97598
 
You are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docxYou are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docx
kenjordan97598
 
You are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docxYou are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docx
kenjordan97598
 
You are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docxYou are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docx
kenjordan97598
 

More from kenjordan97598 (20)

You are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docxYou are the Nursing Director for the medical-surgical area of a .docx
You are the Nursing Director for the medical-surgical area of a .docx
 
You are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docxYou are the newly appointed director of the Agile County Airport.docx
You are the newly appointed director of the Agile County Airport.docx
 
You are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docxYou are working on an address book database with a table called Cont.docx
You are working on an address book database with a table called Cont.docx
 
You are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docxYou are the new Security Manager for a small bank in Iowa. They are .docx
You are the new Security Manager for a small bank in Iowa. They are .docx
 
You are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docxYou are working in a rural Family Planning Health clinic and a 16 y.docx
You are working in a rural Family Planning Health clinic and a 16 y.docx
 
You are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docxYou are working in a family practice when your newly diagnosed T.docx
You are working in a family practice when your newly diagnosed T.docx
 
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docxYou are working for the Chief of Staff (CoS) for a newly elected Gov.docx
You are working for the Chief of Staff (CoS) for a newly elected Gov.docx
 
You are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docxYou are working at Johnson and Cohen law firm and have recently .docx
You are working at Johnson and Cohen law firm and have recently .docx
 
You are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docxYou are working for a community counseling agency, and you are taske.docx
You are working for a community counseling agency, and you are taske.docx
 
You are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docxYou are working as the software tester for a big enterprise comp.docx
You are working as the software tester for a big enterprise comp.docx
 
You are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docxYou are working as HelpDesk Support for an organization where your u.docx
You are working as HelpDesk Support for an organization where your u.docx
 
You are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docxYou are working as an APRN in your local primary care office. Th.docx
You are working as an APRN in your local primary care office. Th.docx
 
You are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docxYou are the new Public Information Officer (PIO) assigned by the.docx
You are the new Public Information Officer (PIO) assigned by the.docx
 
You are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docxYou are welcome to go to the San Diego Zoo any time you would li.docx
You are welcome to go to the San Diego Zoo any time you would li.docx
 
You are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docxYou are visiting one of your organization’s plants in a poor nation..docx
You are visiting one of your organization’s plants in a poor nation..docx
 
You are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docxYou are to write a four-page (typed, double-spaced) essay addressing.docx
You are to write a four-page (typed, double-spaced) essay addressing.docx
 
You are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docxYou are to write a 7-page Biographical Research Paper of St Franci.docx
You are to write a 7-page Biographical Research Paper of St Franci.docx
 
You are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docxYou are to write a 1050 to 1750 word literature review (in a.docx
You are to write a 1050 to 1750 word literature review (in a.docx
 
You are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docxYou are to take the uploaded assignment and edit it. The title shoul.docx
You are to take the uploaded assignment and edit it. The title shoul.docx
 
You are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docxYou are to use a topic for the question you chose.WORD REQUIRE.docx
You are to use a topic for the question you chose.WORD REQUIRE.docx
 

Recently uploaded

MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025
khuleseema60
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
EduSkills OECD
 
Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.
IsmaelVazquez38
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
Steve Thomason
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
siemaillard
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
National Information Standards Organization (NISO)
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
JomonJoseph58
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray (9)Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
indexPub
 
skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)
Mohammad Al-Dhahabi
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
Nguyen Thanh Tu Collection
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
David Douglas School District
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
giancarloi8888
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
GeorgeMilliken2
 
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptxRESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
zuzanka
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
RamseyBerglund
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
PsychoTech Services
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
Iris Thiele Isip-Tan
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Denish Jangid
 

Recently uploaded (20)

MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025MDP on air pollution of class 8 year 2024-2025
MDP on air pollution of class 8 year 2024-2025
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.Bossa N’ Roll Records by Ismael Vazquez.
Bossa N’ Roll Records by Ismael Vazquez.
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
 
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
Jemison, MacLaughlin, and Majumder "Broadening Pathways for Editors and Authors"
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray (9)Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
 
skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)skeleton System.pdf (skeleton system wow)
skeleton System.pdf (skeleton system wow)
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
 
Juneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School DistrictJuneteenth Freedom Day 2024 David Douglas School District
Juneteenth Freedom Day 2024 David Douglas School District
 
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdfREASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
REASIGNACION 2024 UGEL CHUPACA 2024 UGEL CHUPACA.pdf
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
 
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptxRESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
RESULTS OF THE EVALUATION QUESTIONNAIRE.pptx
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
 
Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 

Security Policy Document Project Objectives The purpose .docx

  • 1. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) o Using the GDI Case Study below, complete the Security Policy Document Outline. o Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. o Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary”
  • 2. of the final deliverable. Project Deliverable #2 (Due Week 7) o Using the GDI Case Study, complete the Security Policy Document. o Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines document. conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12- point font. See "Writing Guideline" in WebTycho where you'll
  • 3. find help on writing for research projects. (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." plagiarism policies. ity of paper information, use of citations, grammar and sentence structure, and creativity. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous
  • 4. Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or
  • 5. referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the 0-7 points Describes the security policy in a manner that
  • 6. is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs
  • 7. real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives.
  • 8. Continuous Monitoring 17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate
  • 9. any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security 0-5 points Describes the security policy analysis in a
  • 10. manner that is unclear and/or insufficient. Summary is difficult to follow or does not management to understand the organizational security requirements but not enough to make appropriate decisions . requirements but not enough to make appropriate decisions. Key information is left out or not made clear. include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the
  • 11. help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables.
  • 12. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However,
  • 13. one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI: Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system.
  • 14. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
  • 15. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network
  • 16. Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting
  • 17. Loan Dept Customer Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3)
  • 19. 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
  • 20. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to
  • 21. these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. 3 CMIT320 Security Policy Paper Week 3
  • 22. Table of Contents Introduction: GDI background and given problem……………………………………… 1 Important Assets………………………………………………………………… ………. 2 Security Architecture for GDI…………………………………………………………… 3 Twenty Possible Security Policies………………………………………………………. 4 Details and Rationale of the Twenty Security Policies………………………………….. 5 Twelve Security Policies that should be Applied to GDI……………………………….. 6 Conclusion…………………………………………………………… ………………..… 7 References…………………………………………………………… ………………….. 8
  • 23. Outline I. Introduction a. Briefly discuss the background of GDI. b. Also, discuss about the given problem of the IT security, infrastructure, cost, etc. II. Discuss the important assets of the company that need protection a. Asset identification: “Identity and quantify the company’s assets” (Meyers, 2009, p. 215) i. Important assets include: 1. Computer network equipment (Meyers, 2009, p. 215) 2. Data (Meyers, 2009, p. 215) 3. Servers, printers 4. Routers, firewalls, switches, wireless devices, etc. b. Access control methods: sensitivity, integrity, availability (Meyers, 2009, p. 157). c. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” (Meyers, 2009, p. 215). d. Identify solutions and countermeasures: “Identify a cost- effective solution to protect assets” (Meyers, 2009, p. 215). III. Security architecture for the company
  • 24. a. “The IT department should always have current diagrams of your overall network architecture on hand” (Meyers, 2009, p. 381). IV. A list of 20 or more policies that could be applied to this situation a. User Account Policy (Meyers, 2009, p. 170) b. Audit Security Policy (SANS) c. Email Security Policy (SANS) d. Internet Security Policy (SANS) e. Server Security Policy (SANS) f. Wireless Security Policy (SANS) g. Network Security Policy (SANS) h. Physical Security Policy (SANS) i. Remote Access Security Policy j. Ethics Policy (SANS) k. Privacy Policy (Meyers, 2009, p. 369) l. Incident Response Policy (Meyers, 2009, p. 371) m. Access Control Policy (Meyers, 2009, p. 372) n. Separation of Duties Policy (Meyers, 2009, p. 372) o. Password Policy (Meyers, 2009, p. 374) p. Data Retention Policy (Meyers, 2009, p. 375) q. Hardware Disposal and Data Destruction Policy (Meyers, 2009, p. 375) r. Documentation policy (Meyers, 2009, p. 378) s. Termination Policy (Meyers, 2009, p. 377) t. Acceptable Use Policy (Meyers, 2009, p. 367) V. Specific details and rationale of each policy from above a. Ethics Policy – “User Education and Awareness Training” (Meyers, 2009, p. 384) b. Documentation policy- “Standards and Guidelines for Documentation, Data Classification, document retention and storage, document destruction, system architecture, logs inventory, change management and control documentation (Meyers, 2009, p. 378-383). c. Network Security Policy- risk and threat assessment, vulnerabilities, threats, risk, impact, probabilities, natural
  • 25. disasters, equipment malfunction, intruders, malicious hackers, potential loss, and threat profiles (Meyers, 2009, p. 216-218). It also includes firewall, intrusion detection system, audits, etc. d. Wireless Security Policy- Access point security, encryption protocols, MAC address filtering, VPN, etc. (Meyers, 2009, p. 144-147). e. Physical Security Policy- physical barriers, video surveillance and monitoring, lighting, locks, access logs, ID badges, man-trap (Meyers, 2009, p. 200-204). VI. Review the policies and select 12 important policies that can be applied to GDI a. Network Security Policy b. Internet Security Policy c. Physical Security Policy d. Ethics Policy e. Remote Access Security Policy f. Incident Response Policy g. Hardware Disposal and Data Destruction Policy h. Wireless Security Policy i. Password Security Policy j. Separation of Duties Policy k. Privacy Policy l. Server Security Policy VII. Conclusion a. Conclude discussion and proposal of the security policy document.
  • 26. References Include any references here with full citations. Security Policy Document Project Objectives The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable #1 (Due Week 3) · Using the GDI Case Study below, complete the Security Policy Document Outline. · Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision. · Ungraded but instructor will provide feedback to make sure
  • 27. students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable. Project Deliverable #2 (Due Week 7) · Using the GDI Case Study, complete the Security Policy Document. · Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines · Using the GDI Case Study, create the security policy document. · The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects. · At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References."
  • 28. · Appropriate citations are required. See the syllabus regarding plagiarism policies. · This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity. · The paper is due during Week 7 of this course. Grading Rubrics Final Deliverable Category Points % Description Documentation and Formatting 10 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25 25% Accurate Completion of Security Policy. Real-time Security 25 25 Real-time Security Protection against dynamically changing threats. Continuous Monitoring 25 25 Continuous Monitoring for up-to-date Asset Management and
  • 29. Security Posture Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document. Total 100 100% A quality paper will meet or exceed all of the above requirements. No Outline Submitted -10 If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. Criteria Good Fair Poor Documentation and formatting 7-10 points At least 3 Appropriate APA citations/referenced sources and formats of characters/ content. 3-6 points Included 3 references but incorrect formatting or referencing/ citation 0-2 points Does not include at least 3 references Security Policy analysis 17-25 points Effectively describes the security policy in a manner that will
  • 30. allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence. 8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. 0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions. Real-time Security 17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real- time threats; also lacks efficiency to meet the organization’s objectives. Continuous Monitoring 17-25 points
  • 31. Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. 8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. 0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. Executive summary 11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions . 6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear. 0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or
  • 32. does not include key information and details. Background For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter. Project Description The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below. You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your
  • 33. own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates.
  • 34. http://www.sans.org/security-resources/policies/ Company Description GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine. The executive management team of GFI: CEO John Thompson Vice Presidnet Trey Elway Executive Assistant Julie Anderson Executive Assistant Kim Johnson Executive Assistant
  • 35. Michelle Wang CFO Ron Johnson COO Mike Willy CCO Andy Murphy Director of Marketing John King Director of HR Ted Young Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system. You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been
  • 36. to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence. There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic
  • 37. capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Remote Dial UpUsers Trusted Computing Base Internal Network Off-Site Office Internet Global Finance, Inc. VPN Gateway VPN Gateway PBX PSTN Worstations (x25) Worstations (x12) Worstations (x63) Worstations (x5) Worstations (x10) Worstations (x49) Border (Core) Routers Accounting Loan Dept Customer
  • 38. Services Mgmt Credit Dept Finance Internal DNS Exchange E-mail Distribution Routers File and Print Server Oracle DB Server Intranet Web Server Printers (x7) Printers (x5) Printers (x3) Printers (x3) Printers (x3) Printers (x5) Workstations (x7) SUS Server Access Layer VLAN Switch 10 Gbps 100Mbps 10Gbps
  • 39. 100Mbps 10 Gbps OC193 10Gbps RAS 10 Gbps 10 Gbps 10 Gbps OC193 10Gbps 90 90 Wireless Antenna 90 You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted. A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
  • 40. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. 2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. 4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed. 5. Employees enjoy the flexibility of getting access to the
  • 41. corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. 6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached. _1430024514.vsd