Katie Coleman_DoD Project_Final (docx, 17 pages)
School: University of West Alabama
Course: 511
Subject: Information Systems
Date: Dec 6, 2023
Project: Department of Defense (DoD) Ready
Katie Coleman
University of West Alabama
CY-511 – Cybersecurity Organization Policy/Management
Dr. Perez
Introduction

After winning a DoD contract, the organization must develop proper DoD security policies to meet the standards for delivery of technology services to the U.S. Air Force Cyber Security Center (AFCSC). The organization has established a cybersecurity framework that aligns with the DoD's cybersecurity standards and guidelines. This report includes policies that are DoD compliant, compliance laws, controls, standards for all devices, a deployment plan for the implementation of policies, standards, and controls, and DoD frameworks.

Policies that are DoD Compliant

The Department of Defense (DoD) has strict policies, standards, and controls to guarantee the security of its information systems. To stay in compliance with DoD requirements, the company must implement its own policies, standards, and controls. The organization should create DoD-compliant policies for its IT infrastructure.

Access Control Policy ensures that only authorized personnel have access to the organization's IT resources, information, and data. Under this policy, the company would implement strong authentication methods, such as multifactor authentication. The organization must implement role-based access control to grant permissions based on job roles and responsibilities, and must regularly review and update user access rights to ensure they remain current and relevant.

Network Security Policy safeguards the organization's network infrastructure from unauthorized access and cyber threats. Under this policy, the IT department would implement firewall rules to restrict inbound and outbound traffic and prevent unauthorized access. The IT department would need to regularly update and patch network devices to address known vulnerabilities, and would monitor network traffic for signs of unauthorized or malicious activity using intrusion detection and prevention systems.

Data Protection and Encryption Policy protects sensitive and classified data from unauthorized access and breaches. The organization must encrypt sensitive data at rest and in transit using approved encryption protocols. Data must be classified according to labeling standards that clearly identify the sensitivity level of the information. The organization needs to implement data loss prevention mechanisms to prevent unauthorized data leakage.

Patch Management Policy helps ensure that all systems and software are up to date with the latest security patches. Under this policy, the organization will establish a regular patch management schedule for servers, applications, and endpoints. The IT department needs to test patches in a controlled environment before deploying them to production systems. Through this policy, the organization will define procedures for emergency patching in response to critical vulnerabilities.

Endpoint Security Policy protects individual workstations and devices from malware and unauthorized access. Within this policy, the organization requires the use of up-to-date antivirus and antimalware software on all endpoints. The organization will implement host-based intrusion detection systems to monitor for suspicious activity. The policy will enforce secure configuration settings on endpoints to prevent unauthorized software installations.
Email and Web Security Policy ensures the security and proper use of email and web resources. Through this policy, email filtering and scanning will be implemented to detect and prevent phishing attacks and malware. The policy will address educating users about recognizing and reporting suspicious email communications. It will also implement web filtering solutions to block access to malicious or inappropriate websites.

Incident Response and Reporting Policy establishes procedures for responding to and reporting security incidents. It calls for the development of an incident response plan that outlines steps for containment, elimination, and recovery. The policy will establish clear communication channels for reporting security incidents to the appropriate personnel and authorities. It will outline post-incident analysis to identify lessons learned and areas for improvement.

Backup and Disaster Recovery Policy ensures the integrity of data and the availability of systems in the case of data loss or system failure. The policy will implement regular backups of critical data and testing of the restore process to verify data recovery. It calls for the development of disaster recovery plans for key systems and applications and will outline procedures for recovery and business continuity in the case of an event.

Physical Security Policy protects assets and the facilities housing the IT infrastructure. The policy will implement access controls, surveillance, and monitoring for data centers, server rooms, and networking equipment. It will restrict physical access to authorized personnel only and log all activities. It will define procedures for handling equipment disposal to prevent unauthorized data exposure.

User Training and Awareness Policy ensures the education of employees about cybersecurity best practices and threats. It will provide regular cybersecurity training to employees covering topics such as phishing, social engineering, and password security. It will implement and conduct simulated phishing exercises that test users' awareness and responses. The policy will encourage employees to report suspicious activities to the right personnel in a timely manner.

Compliance Laws

The organization is required to comply with various laws, regulations, and standards that pertain to national security, defense, and information assurance. Laws that an organization is required to follow when entering a DoD contract:

1. Federal Acquisition Regulation (FAR) outlines requirements for contracting, procurement, and acquisition processes.
2. Defense Federal Acquisition Regulation Supplement (DFARS) is tailored for DoD acquisition and includes additional clauses and requirements related to cybersecurity, safeguarding sensitive information, and other defense-specific concerns.
3. National Industrial Security Program Operating Manual (NISPOM) outlines security requirements and procedures for classified contracts and establishes standards for safeguarding classified information.
4. Export Control Regulations, which include the International Traffic in Arms Regulations and the Export Administration Regulations. These regulations control the export of defense-related articles, technology, and services.
5. Cybersecurity Maturity Model Certification (CMMC) assesses and certifies the cybersecurity practices and capabilities of organizations in the defense supply chain.
6. Defense Contract Audit Agency (DCAA) regulations; the DCAA provides audit and financial advisory services to the DoD and other federal entities.
7. DoD Information Assurance Certification and Accreditation Process (DIACAP) / Risk Management Framework (RMF), which defines the steps and controls required to achieve and maintain the authorization to operate for IT systems that process, store, or transmit DoD information.
8. DoD 8500 Series includes a set of guidelines and instructions related to information assurance, cybersecurity, and risk management for DoD systems and networks.
9. Defense Industrial Base (DIB) Cybersecurity Program, which aims to enhance the cybersecurity posture of organizations in the defense industrial base and the adoption of cybersecurity best practices.
10. Controlled Unclassified Information (CUI) regulations define the handling and protection requirements for sensitive but unclassified information that is shared with contractors and partners.
11. DoD Cloud Computing Security Requirements Guide provides security requirements for the use of cloud computing services within the DoD.
12. Anti-Trafficking in Persons (ATIP) regulations require organizations to take measures to prevent human trafficking and forced labor in their operations and supply chain.
Controls placed on domains in the IT infrastructure:

1. Authentication Controls
   a. Password Policies enforce strong password requirements such as complexity, length, expiration, and reuse restrictions.
   b. Multifactor Authentication requires additional authentication factors beyond passwords alone.
   c. Account Lockout automatically locks accounts after repeated failed login attempts to prevent brute-force attacks.
2. Access Controls
   a. Role-Based Access Control assigns permissions based on job roles and responsibilities.
   b. Group Policies apply specific settings, configurations, and permissions to groups of users or computers.
   c. Resource Permissions control access to shared folders, files, printers, and other network resources.
3. Network Security Controls
   a. Firewalls will restrict inbound and outbound traffic to and from the domain.
   b. Intrusion Detection/Prevention Systems will monitor for and prevent suspicious or unauthorized network activity.
   c. Network Segmentation will isolate different network segments, such as production and testing environments, for improved security.
4. Identity and User Management
   a. User provisioning and de-provisioning will automate the creation and removal of user accounts based on HR changes.
   b. Identity lifecycle management will help manage user identities from creation to termination.
   c. User Account Review will periodically review and validate user accounts and their access rights.
5. Auditing and Logging
   a. Event Logging records security-related events, including login attempts, file access, and system changes.
   b. Audit Policies will define which events to audit and set retention periods for logs.
   c. Log Analysis will include regular review and analysis of logs for signs of unauthorized or suspicious activity.
6. Password Management
   a. Password management will enforce regular password changes for users.
   b. Password history will prevent users from reusing previous passwords.
   c. Password recovery will implement secure methods for users to reset forgotten passwords.
7. Account Monitoring and Reporting
   a. Account Activity Monitoring will monitor user activities and track changes to user accounts.
   b. User Activity Reports will include generated reports on user logins, file access, and other activities.
   c. Account Lockout Reports will identify and investigate repeated account lockouts.
8. Security Patch Management
   a. Patch Deployment will regularly apply security patches and updates to the domain servers and systems.
   b. Testing and Verification will test patches in a controlled environment before deploying them to production.
9. Mobile Device Management
   a. Device Enrollment will control the enrollment and configuration of mobile devices in the domain.
   b. Device Policies will set security policies and restrictions for mobile devices accessing the domain.
10. Backup and Recovery
   a. System Backups will regularly back up domain controllers and critical systems to ensure data availability and recovery.
   b. Disaster Recovery Plans will define how domain services are restored in case of a major outage.
11. Compliance and Regulatory Controls
   a. Data Retention Policies will define retention periods for user data and logs to comply with legal and regulatory requirements.
   b. Audit Trails will ensure that audit trails and documentation are maintained for compliance audits.

List of DoD Standards for devices:
WAN Domain:
DoD Directive 8500.01: Cybersecurity
DoD Instruction 8500.02: Information Assurance (IA) Implementation
DoD 8510.01: Risk Management Framework (RMF) for DoD Information Technology
National Institute of Standards and Technology (NIST) Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-46: Guide to Enterprise Teleworker Services
Federal Information Processing Standards (FIPS) 140-2: Security Requirements for Cryptographic Modules
DoD Instruction 8140.01: Cybersecurity Workforce Management

Remote Access Domain:
DoD Directive 8100.04: Remote Access to DoD Information Systems
DoD Instruction 8100.08: Use of Commercial Cloud Services
NIST SP 800-146: Cloud Computing Synopsis and Recommendations
NIST SP 800-178: Guide to Secure Cloud Computing
NIST SP 800-187: Authenticator Assurance Level (AAL) Requirements for Remote Authentication

System/Application Domain:
DoD Directive 8500.01: Cybersecurity
DoD 8510.01: Risk Management Framework for DoD Information Technology
NIST SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP 800-64: Security Considerations in the System Development Life Cycle

Implementation Plan:

Developing a deployment plan for the implementation of policies, standards, and controls is critical to guarantee a smooth and effective transition while minimizing disruptions to the organization's operations. The plan allows for careful testing, training, and monitoring, which will guarantee successful compliance and strengthen security across the IT infrastructure. By following the deployment plan, the company can ensure a methodical and coherent implementation of its policies, standards, and controls.

The first step when developing a deployment plan is to clearly outline the goals, objectives, and scope of the plan. In this step, the company must identify which policies, standards, and controls will be implemented and their respective priorities. The second step is to assess the current state by conducting a comprehensive assessment of the organization's current IT infrastructure, policies, and security measures. Through the assessment, gaps and areas that require improvement to meet the intended compliance standards will be identified. The third step is to break down the implementation into smaller tasks and create a detailed plan with timelines, responsible individuals, and the resources needed for each task. After breaking down the implementation, tasks need to be prioritized based on criticality and dependencies. Next, roles and responsibilities for each task should be assigned, and the expectations and responsibilities should be clearly communicated to the team members.

To ensure that the policies, standards, and controls are effective and do not disrupt operations, pilot tests should be conducted in a controlled environment; gathering feedback from the pilot phases will help identify any necessary adjustments. The next step is to develop a communication plan that informs employees and shareholders about the upcoming changes. In this step, training sessions will educate employees about the new policies, standards, and controls and how they will impact their roles. Next, the deployment of the policies, standards, and controls will be phased in following the timelines established in the plan. The relevant teams will monitor the progress of each task, address challenges, and make certain that the implementation stays on track.

Throughout the implementation process, the policies and controls must be regularly verified to be functioning as intended, and testing must be performed to confirm that security measures are working effectively. To detect any issues, deviations, or non-compliance, the relevant teams must continuously monitor the implementation process and collect and analyze data to ensure that the controls are achieving the desired security outcomes. Periodic reviews will assess the effectiveness of the implemented policies, standards, and controls. After conducting reviews, the deployment plan must be updated based on lessons learned and changing security requirements. The next step is maintaining detailed documentation of the process, which
will include decisions, changes, and outcomes. In this step, it is necessary to prepare regular reports for management and stakeholders on the progress and results of the implementation. Next, preparing for compliance audits ensures that all documentation, evidence, and required reports are readily available so the organization can cooperate with auditors and demonstrate adherence to the implemented policies and controls. Post-implementation support is needed: providing ongoing support and assistance to employees adjusting to the new policies and controls, and addressing any issues, questions, or concerns that arise after implementation. Lastly, a process for continuous improvement should be established by gathering feedback, analyzing incidents, and updating policies and controls as needed.

DoD Frameworks:

1. Cybersecurity Maturity Model Certification (CMMC) is a framework that measures an organization's cybersecurity maturity and adherence to best practices, focusing on protecting controlled unclassified information and federal contract information.
2. NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations is a comprehensive set of controls and guidelines developed by NIST that is widely adopted by the federal government for information security.
3. NIST Cybersecurity Framework (CSF) is a risk-based framework that provides guidance for improving an organization's cybersecurity posture, including identifying, protecting, detecting, responding to, and recovering from cyber threats.
4. DoD Risk Management Framework (RMF) is a structured process for identifying and managing cybersecurity risks for DoD information systems, including steps for categorizing, selecting, implementing, assessing, authorizing, and monitoring security controls.
5. DoD Cloud Computing Security Requirements Guide (SRG) provides security guidelines and requirements for the use of cloud computing services within the DoD, including considerations for data protection and access control.
6. Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation that includes clauses and requirements for DoD acquisition, particularly related to cybersecurity and safeguarding Controlled Unclassified Information.
7. DoD Instruction 8500.01: Cybersecurity is a directive that establishes policy and responsibilities for DoD cybersecurity, outlining requirements for information assurance and risk management.
8. National Industrial Security Program Operating Manual (NISPOM) sets security requirements and procedures for classified contracts, including guidelines for safeguarding classified information.
9. DoD 8500 Series is a series of documents that provide guidance on information assurance and cybersecurity practices for DoD systems and networks.
10. Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) are configuration standards for DoD Information Assurance and IA-enabled devices/systems to ensure security compliance.
11. Defense Contract Audit Agency (DCAA) regulations relate to audits and financial advisory services for DoD contracts and ensure financial compliance.

Conclusion

The organization is committed to upholding the highest standards of cybersecurity and compliance in alignment with DoD requirements. It is important to protect sensitive information and contribute to national security efforts. It is critical for the organization to develop and follow an implementation process to deliver the policies, standards, and controls and to help the organization transition to them. The organization must continue monitoring, evaluating, and improving its policies, controls, and practices to ensure compliance and business success. The organization will actively engage with external audits and maintain continuous communication with DoD agencies to ensure ongoing compliance and readiness.