unit8finalproject

docx

School

Columbia Southern University *

*We aren’t endorsed by this school

Course

4303

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

9

Uploaded by briandjones127

Report
Running head: UNIT VIII FINAL PROJECT 1 Unit VIII Final Project Brian Jones Columbia Southern University
UNIT VIII FINAL PROJECT 2 Unit VIII Final Project The goal behind the institution of any security policy is to maintain the confidentiality, integrity and availability of the data used for day to day operations. Keeping the data confidential simply means that the data is viewed and interacted with only by those who are authorized to do so. Maintaining the integrity of the data ensures that the data is unaltered. Availability means that when the data is needed, it can be retrieved and used. These three areas, commonly known as the CIA triad, are the key elements that will be the focus of the security policy. In addition to the CIA triad, there are two other main aspects that will need to be addressed. The first of these two elements is the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The HIPAA regulations directly pertain to keeping an individual’s personal and health information secure. The second element is the Payment Card Industry Data Security Standard (PCI DSS). Since the facility will be collecting payments from individuals, the PCI DSS standards must be followed to keep payment information secure. Policy Overview The new security policy will align with the goals and guiding principals of the company. Following the policy hierarchy, the policies drafted will reflect the guiding principles. Standards will support the policy. To give further support and clarification, baselines, guidelines, and procedures will be added to the hierarchy (Santos, 2019). Having the policy broken down in this fashion will help to ensure that the policy is instituted properly and is easy to modify in the future should the need arise. Additionally, data will be classified using the labels Classified, Confidential, and Public. Access to the data by various users will be based upon which label the data is given and the level of access the user has. The goal of this step is to ensure that data meant only for upper
UNIT VIII FINAL PROJECT 3 management is not accidentally leaked to the public for example. The laws and standards of both HIPAA and PCI DSS will play prominently into how the data is classified. Application Development Security Should the need arise for applications to be developed to improve workflow or efficiency, there will be certain steps taken to ensure the security of the application’s development. 1. Security requirements will be defined and documented during the initiation phase. 2. Development will be done following compliance laws and best practices. 3. All code and information pertaining to the application should be encrypted. This step will help to ensure that should the application be attacked; it will be harder to decipher. 4. All code that is developed or modified will be tested and validated before being released. In addition to the above steps, it should be noted that use of open source development tools should be as limited as possible. Use of open source materials can leave vulnerabilities within the code that could be exploited (Armerding, 2019). Data Backup and Storage The backing up of data is an essential component of day to day operations. The frequency at which the data will need to be backed up will be determined by management and the IT team. Having a secure backup of data is critical for maintaining the availability of the data. This is especially critical for compliance with HIPAA regulations. Ideally, the data should be backed up and stored at a site that will keep the backups secure from theft, natural disasters, and also allow for a rapid recovery time (Santos, 2019). In addition to, or in place of, physical backups, the facility can utilize secure cloud storage as an option. The recovery time would be much faster than having to physically retrieve a copy from a remote location.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
UNIT VIII FINAL PROJECT 4 Physical Security As is the case with most facilities, physical attack or theft remains an issue that needs to be addressed. The following recommendations will help to ensure that the facility is secured from these events. Have the parking lot for employees separate from public parking areas with a separate employee entrance. This will decrease the instances of “tailgating”, where someone attempts to enter the building after an employee. Closed circuit television (CCTV) cameras should be used to cover all entrances and be monitored by a security guard. Entrance to the building should be limited to those who have an authorized key card for employee entrance, or those who come through the main entrance and sign in with reception. Fire exits should be alarmed and labelled as emergency exit only. In addition to the overall physical security recommendations, extra attention should be paid to the room(s) where servers will be stored. These rooms should only be accessed by authorized individuals who have key cards and biometric access. Network Device Installation and Configuration Before any devices are installed within the facility, a detailed plan of where each device will be located should be made. This plan should include the physical location, type of device, and installation date. In addition to the devices, a plan listing all of the cabling and other connections used should be included. Inevitably, the devices or connections will need to be updated at some point. When this occurs, the plan should be amended to reflect the changes.
UNIT VIII FINAL PROJECT 5 Configuration of the devices should follow industry best practices. The Security Technical Implementation Guides (STIGs) used by the Department of Defense (DoD) offer standards and recommendations on the configuration of hardware and software. The STIGs give in-depth insights into the benefits of proper configuration to increase data security. Data Handling Standards pertaining to data handling are implemented to tell users and custodians how to treat the data and interact with it. Santos (2019) states, “Handling standards generally include storage, transmission, communication, access, retention, destruction, and disposal, and may extend to incident management and breach notification.”. Furthermore, a key aspect of data handling relates to the labelling practices mentioned earlier. Adherence to the policies and rules pertaining to these labels will further dictate how the data is treated. An example of the data handling policy would pertain to faxes coming into the office from an outside source. Data labelled as Classified or Confidential should be directed to the nearest available fax machine and removed from the machine immediately. Conversely, outgoing faxes should have a cover sheet that clearly states that the contents of the fax is Classified or Confidential. Remote Access With more users working from home, or accessing the network remotely, it is critical to have policies in place that will keep the data and network safe. Remote access can prove to more difficult to keep safe since the data must flow through a domain that is beyond the control of the company. One such policy would require any individual who attempts to access the network remotely to use multifactor authentication. Examples would be passwords, pin codes, or other
UNIT VIII FINAL PROJECT 6 identifiers unique to that individual. By using more than one identifier, it makes attacks from a hacker more difficult than just cracking a password alone. Email Email has become one of the easiest ways to communicate for business or personal reasons. For this reason, more attacks are being used targeting emails to gain access to networks or devices. The primary attack is known as phishing. Phishing uses emails that look legitimate enough to be opened by a user but can contain malicious code or links to malicious websites. Filters and firewall setting coupled with strong antimalware are strongly encouraged to help prevent these attacks. Additionally, email sent within the internal office should be avoided if they are labelled classified or confidential. If email must be sent to an external source, and that email contains sensitive information, there are rules that must be followed. 1. No attachments of any kind. 2. Only text pertaining to business is allowed. 3. The subject line should clearly feature “Classified” or “Confidential”. 4. Encryption will be required. Internet and Web Access Web-based business operations have come to the forefront within the last several years. Employees use the Internet and web to communicate with clients and customers and vice versa. The downfall of this is that the Internet is a very unsecure environment to operate in. It is not difficult at all for an employee to accidently type in an incorrect web address and be taken to a malicious site. Likewise, an attacker may attempt to intercept transmission sent via the Internet to gain information or access to the network.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
UNIT VIII FINAL PROJECT 7 It would therefore be wise to severely limit Internet and web access to only trusted sites. General web browsing (social media, shopping, etc.) should be prohibited on any company owned device or personal device connected to the company network. Antivirus and antimalware should also be installed and updated frequently. Device Security Security of devices, and the data that they contain, should be taken very seriously. This is especially true of laptops that may be taken out of the facility for remote work. These devices should require strong passwords to access them and should have encryption enabled on all files. The worst-case scenario would be one of these devices being stolen and not having security measures in place. The thief/attacker would have very little standing between them and the sensitive data on the device. Should this scenario happen, the loss of the device should be reported as soon as possible. The IT team should then change the employee’s credentials to avoid an unauthorized user from accessing the company information. Additionally, no login information or passwords should be saved to the device. Saving of login information may save a few seconds of time, but it can make accessing the network or device far too easy. Communicating the Policies After the policies have been drafted and reviewed, it is important to get the information to those that the new policies will affect. This list includes employees, vendors, contractors, and all levels of management. The methods used to convey the information will need to be tailored to each category to ensure the information is understood properly. Starting with upper management, a general overview of the finer points of the newer policies should be presented. Upper management should have had at least some input on the
UNIT VIII FINAL PROJECT 8 policies. Therefore, they need to be assured that their input was taken into consideration. Since many members of upper management are extremely busy, a short presentation with an executive summary would be best. The presentation should include little technical jargon as some members of management may not be well versed in the aspects of IT. Middle management would be the next level to present the policies to. It is important for these individuals to understand the material so they can be a point of contact for the employees should the employees have questions. A PowerPoint presentation is an effective way to convey this information along with hard copies of the policies. The presentation should be given by at two members of the team that drafted the policies to make answering of questions go smoother. Employees are the next level to receive the information. Since these individuals comprise the bulk of the users, it is vital for them to understand the importance of the policies. An overview presentation should be given along with group training. If some employees are having a hard time grasping the material, one on one training can be arranged. Finally, the vendors and contractors will need to be made aware of the policies. These individuals may not access the network directly, but they do send and receive communications with the company. Therefore, the fax and email policies will apply to them. As a final note, all of the individuals in all of the above the categories should be given a hard copy version of the policies. This should be accompanied by a simple form that the individual must sign acknowledging that they have received the policies. Should changes or additions need to be made, the individuals will be notified by email and given the appropriate changes to be added to their copy.
UNIT VIII FINAL PROJECT 9 References Armerding, T. (2019, October 9). Best practices for secure application development. Retrieved from https://www.synopsys.com/blogs/software-security/secure-application- development-best-practices/ Santos, O. (2019). Developing cybersecurity programs and policies (3rd ed.). Upper Saddle River, NJ: Pearson
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help

Related Documents

unit 2 homework.docx
unit 5 homework.docx
unit 3 homework.docx
Untitled 2.pdf
ACC 531 Final Exam-8.docx
Unit3casestudy.docx
Unit4casestudy.docx
Unit7casestudy.docx
unit6research paper.docx
CSS110 Externship Journal 5.docx
CSS110 Externship Journal 2.docx
CSS110 Externship Journal 1.docx