IT 253 Project Two Security Plan

School: Southern New Hampshire University
Course: IT 253
Subject: Information Systems
Date: Dec 6, 2023
A proper security plan is typically made up of specific components tailored to a company's needs. These would also include an Acceptable Use Policy, an Authorized Access Policy, a Configuration Management Policy, and a Code of Ethics. We will expand on some of these topics below to give a better idea of what will be covered.

A. Roles and Responsibilities

We will identify and define specific roles, and the responsibilities for those roles, within our Security Plan.

Chief Information Officer [CIO]
- In charge of ensuring effective implementation of an organization-wide IT security program.
- Ensures that systems are safeguarded through the implementation of approved security plans.
- Allocates resources to safeguard the systems that support business operations and functions.

System Owner / Network Admin
- Focuses on improving user access to business systems.
- Ensures that we remain in compliance with all IT security requirements.
- In charge of developing and maintaining the company's system security plan.
- In charge of ensuring these specific systems are deployed and operated in accordance with the security controls in place.

System Security Engineer
- Involved in the creation and implementation of systems.
- Focuses on the process of upgrading legacy systems.
- Coordinates all security-related activities with the appropriate personnel.

System Administrator
- Installs, configures, and updates hardware and software.
- Creates and manages user accounts.
- Responsible for overseeing backup and recovery tasks for the company.
- Implements technical security controls for the company.

B. User Awareness Training

- We will require the standard new-hire training process, and, to increase employees' awareness of threats and vulnerabilities, additional information security training must be provided. This will include simulated phishing email tests, monthly security bulletins, and yearly refresher training. The company's monthly results will then be measured against Key Performance Indicators, and the training will be documented for auditing purposes.

C. Access Control

- Access control for the security plan is divided into two categories: physical access and systems access. Physical access will be controlled by employee badges using RFID technology, which will be created at the time of hire. Employees will initially have access to their primary work location regardless of the badge creation process. If an employee needs access to other controlled locations within the business, a Service Desk ticket will be created to initiate a workflow for approving the request. All approvals will be recorded in the company's Service Desk for audit purposes. Network and system access will be controlled similarly and treated like an employee's badge access: employees will be granted an AD account with the least number of privileges needed when hired. Supervisors will request any needed systems access through a Service Desk ticket; the Service Desk will create child tickets for each request to initiate a workflow to the user's supervisor and the individual system's owner. Again, all approvals will be recorded within the Service Desk for audit purposes.

D. Vulnerability Management

The Vulnerability Management Plan will be comprised of three key components, detailed below.

- The first component is Identify. The Identify component involves a comprehensive asset inventory as well as standardizing baseline configurations for the business. This includes changes to our default hardware configuration, such as company passwords, and the programs we are currently using.
- The second component is Evaluation. The Evaluation component involves the business reviewing our current Patch Management Plan and determining whether any new system patches are needed. We will then test each patch and create an implementation plan in order to continue to evaluate the threats identified in the first component.
- The third component is Treat. The Treat component involves treating, that is implementing, any necessary patches and fixes evaluated in the second component. These patches and fixes will then be reviewed during the Change Control Board's weekly meeting to determine any business impacts they may have as well as the timing for implementation. Each item will go through documented testing, with the results kept for impact analysis and future auditing. Remediation and mitigation processes for any identified threats will also be reviewed with urgency to reduce the window of opportunity for any possible threats to the business.

E. Backup and Recovery

Backup and Recovery will be handled by our Business Continuity Plan and our Disaster Recovery Plan. These will guide our Backup and Recovery to ensure we set a baseline tolerance that defines what is an acceptable downtime.

- The BCP [Business Continuity Plan] will outline operational procedures during an unplanned service disruption, including data backup plans, backup site locations, any equipment requirements, and contact information.
- The DR [Disaster Recovery] plan is an essential component of our Business Continuity Plan [BCP]. It outlines strategies for handling hardware disruptions, reestablishing office and enterprise software to meet business needs and expectations, and implementing manual operations that can be used until the systems are restored. We plan to implement a warm site backup facility to address business-critical needs, as it offers the company a middle ground among recovery options. This would allow the company to experience minimal data loss during any fallouts or failovers, as shown in the graphic below. The graphic also gives the information on why a warm site backup facility is the proper choice for this company moving forward.
- The company's backup strategy will include a weekly weekend full backup as well as a daily differential backup; this ensures that the only data backed up each day is the data that has changed since the most recent full backup.
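The weekly full plus daily differential schedule above, as an added example that is not part of the original plan: the script models which files each day's differential contains and shows that a restore needs only the full backup plus the latest differential, whereas an incremental scheme would need the whole chain. The file names and change history are constructed sample data.

```python
"""Added example (not part of the original plan): model the weekly full plus
daily differential schedule from section E and show what a restore needs.
File names and the change history below are constructed sample data."""

# Constructed history: entry 0 is the weekend full backup; each later entry
# lists the files modified that day (filename -> version written that day).
DAILY_CHANGES = [
    {"orders.db": "v1", "catalog.csv": "v1", "config.ini": "v1"},  # Sat: full
    {"orders.db": "v2"},                                          # Mon
    {"catalog.csv": "v2"},                                        # Tue
    {"orders.db": "v3", "config.ini": "v2"},                      # Wed
]

def differential_sets(history):
    """Entry 0 is the full backup; day n's differential holds every file changed
    since the full, at its newest version, so each set grows through the week."""
    sets = [dict(history[0])]
    changed_since_full = {}
    for day in history[1:]:
        changed_since_full.update(day)
        sets.append(dict(changed_since_full))
    return sets

def incremental_sets(history):
    """For comparison: an incremental holds only files changed since the
    previous backup, whether that was the full or another incremental."""
    return [dict(day) for day in history]

def restore_differential(sets, day):
    """Restoring to day N needs only the full backup plus day N's differential."""
    state = dict(sets[0])
    state.update(sets[day])
    return state

def restore_incremental(sets, day):
    """Restoring to day N must replay the full and every incremental up to N;
    a missing or corrupt link in that chain loses everything after it."""
    state = {}
    for s in sets[: day + 1]:
        state.update(s)
    return state

if __name__ == "__main__":
    diff = differential_sets(DAILY_CHANGES)
    for n, s in enumerate(diff):
        print(f"day {n}: differential contains {sorted(s)}")
    print("restore to day 3:", restore_differential(diff, 3))
```

The growing differential sets are the trade-off the plan accepts: more data copied each weekday in exchange for a two-piece restore.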
F. Internet-Facing Security

When it comes to our Internet-Facing Security, there are many different security measures that can be implemented. The first is a DMZ. To protect internet-facing equipment and systems, we will implement a demilitarized zone [DMZ] between two firewalls. The company's less restrictive outer firewall allows public access to the DMZ, so users can view and order products. Sensitive data such as credit card information is then passed through the more restrictive firewall that leads into the company's internal network. This layering gives the system more time to identify and stop threats before they can reach the internal network. Implementing a DMZ helps protect the company's internet-facing equipment and systems from the potential threats they face.

The second security measure we should implement is multi-factor authentication [MFA]. This ensures users are exactly who they say they are by requiring at least two identifying pieces of evidence to prove their identity. An example of MFA is texting a single-use security code to the user's device for them to enter. "Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack." (What is multi-factor authentication? [MFA])
Citations

Fulber-Garcia, V. (2023) Public DMZ Network Architecture, Baeldung on Computer Science. Available at: https://www.baeldung.com/cs/public-dmz-network-architecture (Accessed: 18 October 2023).

Disaster recovery sites comparison: Which one to choose? (2023) NAKIVO. Available at: https://www.nakivo.com/blog/overview-disaster-recovery-sites/ (Accessed: 18 October 2023).

Hewitt, N. (2023) How to discover your internet-facing assets, TrueFort. Available at: https://truefort.com/internet-facing-assets/ (Accessed: 18 October 2023).

What is multi-factor authentication (MFA)? (no date) OneLogin. Available at: https://www.onelogin.com/learn/what-is-mfa (Accessed: 18 October 2023).