Security Policy Paper Outline
sunhasSecurity Policy Document Project
Objectives |
The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation.
|
|
Detailed Requirements |
Project Deliverable #1 (Due Week 3)
· Using the GDI Case Study below, complete the Security Policy Document Outline.
· Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision.
· Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “Executive Summary” of the final deliverable.
Project Deliverable #2 (Due Week 7)
· Using the GDI Case Study, complete the Security Policy Document.
· Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce.
|
|
Guidelines |
· Using the GDI Case Study, create the security policy document.
· The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See "Writing Guideline" in WebTycho where you'll find help on writing for research projects.
· At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References."
· Appropriate citations are required. See the syllabus regarding plagiarism policies.
· This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity.
· The paper is due during Week 7 of this course.
|
|
Grading Rubrics |
Final Deliverable |
|||
Category |
Points |
% |
Description |
Documentation and Formatting |
10 |
10% |
Appropriate APA citations/referenced sources and formats of characters/content. |
Case Study Security Policy Analysis |
25 |
25% |
Accurate Completion of Security Policy. |
Real-time Security |
25 |
25 |
Real-time Security Protection against dynamically changing threats. |
Continuous Monitoring |
25 |
25 |
Continuous Monitoring for up-to-date Asset Management and Security Posture |
Executive Summary |
15 |
15% |
Provide an appropriate summary of the Security Policy Document. |
Total |
100 |
100% |
A quality paper will meet or exceed all of the above requirements. |
No Outline Submitted |
-10 |
|
If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade. |
Criteria |
Good |
Fair |
Poor |
Documentation and formatting |
7-10 points At least 3 Appropriate APA citations/referenced sources and formats of characters/ content.
|
3-6 points Included 3 references but incorrect formatting or referencing/ citation |
0-2 points Does not include at least 3 references |
Security Policy analysis |
17-25 points Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Analysis is supported with documentation and evidence.
|
8-16 points Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear. |
0-7 points Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions. |
Real-time Security |
17-25 points Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives. |
8-16 points Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives. |
0-7 points Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives. |
Continuous Monitoring |
17-25 points Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. |
8-16 points Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives. |
0-7 points Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives. |
Executive summary |
11-15 points Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions .
|
6-10 points Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear. |
0-5 points Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not include key information and details. |
Background
For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter.
Project Description
The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below.
You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables.
Suggested Approach
These are only recommendations on the general approach you might take for this project. This is your project to develop individually.
1. Determine the most important assets of the company, which must be protected
2. Determine a general security architecture for the company
3. Determine the real-time security measures that must be put in place
4. Determine the monitoring and preventative measures that must be put in place
5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy
6. Integrate and write up the final version of the Security Policy Document for submittal
The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy.
References
There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates.
http://www.sans.org/security-resources/policies/
Company Description
GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.
GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine.
The executive management team of GFI:
CEO
John Thompson
Vice Presidnet
Trey Elway
Executive
Assistant
Julie Anderson
Executive
Assistant
Kim Johnson
Executive
Assistant
Michelle Wang
CFO
Ron Johnson
COO
Mike Willy
CCO
Andy Murphy
Director of
Marketing
John King
Director of HR
Ted Young
Figure 1 GFI Management Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system.
You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team.
There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence.
There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns.
CORPORATE OFFICE NETWORK TOPOLOGY
Remote
Dial UpUsers
Trusted Computing Base Internal Network
Off-Site Office
Internet
Global Finance, Inc.
VPN
Gateway
VPN
Gateway
PBX
PSTN
Worstations
(x25)
Worstations
(x12)
Worstations
(x63)
Worstations
(x5)
Worstations
(x10)
Worstations
(x49)
Border (Core) Routers
Accounting
Loan Dept
Customer
Services
Mgmt
Credit Dept
Finance
Internal
DNS
Exchange
Distribution Routers
File and Print Server
Oracle DB
Server
Intranet Web
Server
Printers
(x7)
Printers
(x5)
Printers
(x3)
Printers
(x3)
Printers
(x3)
Printers
(x5)
Workstations
(x7)
SUS Server
Access
Layer
VLAN
Switch
10 Gbps
100Mbps
10Gbps
100Mbps
10 Gbps
OC193
10Gbps
RAS
10 Gbps
10 Gbps
10 Gbps
OC193
10Gbps
90
90
Wireless
Antenna
90
You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted.
A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
OTHER CONSIDERATIONS
1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information.
2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you.
3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited.
4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed.
5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents.
6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached.