Info Security Plan
Information Security Plan Table of ContentsExecutive Summary 3SECURITY CONTROLS DETAILS 4Inventory of Asset Management 4Risk Management 4Identity and Access Management 4Protecting the Perimeter 5Opening up the Perimeter with VPN and Wireless 6Mobile Security 7Incident Response 7Business Continuity Management 8Change Management Controls 8Measuring Effectiveness 8DEFINITIONS 9REFERENCES 10Executive SummaryThe purpose of this security plan is to provide an overview of the security of XXXXX and describe the controls and critical elements in place or planned. This ISP follows guidance contained in the Time-Based Model of Security.The average time to exploitation on some networks for an unprotected computer is measured in minutes. Not all attacks are directed at an individual computer. Viruses, for example, are written and directed at the computing community in general. A virus’s purpose is most often not to damage or destroy data, but simply to replicate by attaching itself to files, infecting other computers.The foundational principles of information security are confidentiality, integrity and availability. Confidentiality is the assurance that only those who are authorized to access data can access it; integrity is the assurance that the data is accurate, and unaltered; and availability is the assurance that the data will be accessible when it is required. The goal of an information security program is insure these three principles.The risk and severity of a security breach must be identified, and quantified wherever possible. Then, appropriate steps must be taken to reduce the probability of an attack; controls identified to reduce the impact if one should occur; and plans developed to respond to, and recover from, the incident. This process of risk management begins by identifying and valuing the assets to be protected. Before any measures are considered.SECURITY CONTROLS DETAILS 1.0 Inventory of Asset ManagementProcedure for identifying assets (Intellectual property, financial information, privacy, regulations of customers partners, employees, etc)Assessing the risk and deciding how to respondClassification scheme (Teach employees how to recognize the classification categoriesAsset inventory and security impact analysis with data classificationProcess control informationWhat is and what is not public knowledge, info not intended to be on public domain and we need to protect and assign a value.KPI’sBeing able to locate assets, track, tag hardware properties, installed softwareContract and license information in a central locationVendor data, lease terms, warranties in a central locationIdentify compliance and security risks by listing all hardware, software, and the software associated with that hardware through a comprehensive, quick- to-retrieve repository2.0 Risk ManagementThreats: Intentional (sabotage) or unintentional (natural disasters) increase riskVulnerabilities: Software, bugs Increase riskExploits: Methods of attack, increase the riskControl: Reduce the riskPrioritize risk: Low, Medium, HighRisk assessment resultsSelect the risk response (COBIT APO12): Avoid, Reduce, Share, AcceptProcedures addressing security assessments Security assessment results” Residual risk is always > 0 COBIT: EDM03 and APO12KPI’sService-level agreementsRisk assessment results Risk assessment reviews 3.0 Identity and Access ManagementWho is accessing our system? We want to authenticateAuthentication enrollment, New Hire data access procedure Network diagrams that detail remote access Procedure for remote administration and accessPresent credentials: If match GRANT access if not DENIES access.Decide what credentials to use: Something you know=PasswordSomething you have=Card, TokenSomething about you= BiometricReview false rejection rate (real person gets rejected) False acceptance rate (Impersonator) Goal is to have both as low as possibleUse multiple credentials: Multifactor (i.e ATM card we have card and know something)Make sure that everybody in the system uniquely identifiedAllocated rights from privileges, need to perform job duties not everybody to be a super userLimited user credential/ admin super users privilegesAuthorizations controls prevent fraud. (segregate duties) the buyer should not be the controller.Best Practice is Role Base Access Control (RBAC)KPI’sPassword reset volume per monthAverage number of distinct credentials per userNumber of new accounts provisionedAverage time it takes to provision a userSeparation of duty violations4.0 Protecting the PerimeterLayers of defense to protect our network (Time-Based Model)Preventive measures, Detective measures, Reactive measures Most important preventive layer: Physical accessFirewalls, Intrusion Detection System, Intrusion Protection SystemsPerimeter protection devices filter traffic to block attacks. FirewallDont block, they filter IDS and IPS are an addition layer of protectionBoth IDs and IPS can identify that a scan is in progress Both IDS and IPS provide detailed mapping and scanning (tools like nmap or wireshark)TCP /IP Model (Seven layers)ApplicationPresentationSessionsTransportNetwork Data LinkPhysical Each layer has a variety of protocols, more important TCP and IPTCP breaks files into pieces and reassemble (use port numbers to specify application type)IP is what we route from one network to another across the internet (each device has IP address assigned)TCP and UDP ports permit multiple simultaneous connectionsNetwork protocols specify rules for normal behavior and effect on security violations of those rules may disrupt communicationsFor filtering to work:Set off IF THEN rules called access control List (ACLs)THEN part specifies what to do (only two options Permit or Deny)In addition filter outbound traffic (prevent exit of confidential information, stop attacks, control employee behavior avoid becoming accomplice to attacks (i.e part of botnet)Two basic filtering modelsPacket filter firewall: Inspect the information contained in packet headersApplication firewalls: inspect the data contained in the packets)Another function of firewalls : NAT Network Address TranslationAll our internal devices cannot route or cannot be reach directly from internet , mostly cost effective we only pay for one routable IP address. Reserve block only for internal use. Use Log analysisKPI’sProtect our network longer than take to detect that something is going on and respond to block it. Number of incident reportsNumber of attacksNumber of “3 way handshake” violations5.0 Opening up the Perimeter with VPN and WirelessVirtual Private networks (VPN) encrypt traffic on the internetTwo purposes of VPNTo connect two branch offices , in this case we use IPSec (built in authentication and encryption mechanisms) Remote access by individuals, working from home or traveling and connecting from hotel, Three Types of secure connections:IPSecSSL PortalSSL TunnelTerminating VPNTerminate VPN traffic at VPN terminator (decrypted)Integrate with firewall (Termination point is firewall)Terminate at DMZ (Demilitarized zone) terminator Scan and QuarantinePrevent remote storage & printing (Comply with HIPPA, SOX, etc)Need to configure VPN client to prevent leakage of confidential and private informationWireless access creates inherent threats, somebody could “piggy back” and cause interception of messages, modification of messages, interruption of Services (Dos)Mitigate with STRONG encryptionUse advance technology i.e 802.11iHide the signal (hiding does not eliminate encryption)Secure wireless access points Set up policiesRegular auditsLocate all wireless access points in DMZ.Secure wireless clients Secure laptopsRequire mutual authenticationRequire use of infrastructure modeProhibit ad hoc modeEncrypt all sensitive stored data.Wireless also needs IDS and IPS, best solution is two sets of access points,Dedicated access points for IDS/IPSOther access points for wireless trafficLog wireless: Who connected how many times> from where? etcKPI’sProtect our network longer than take to detect that something is going on and respond to block it. Number of incident reportsNumber of attacksNumber of “3 way handshake” violations6.0 Mobile SecuritySystem use policyProcedures addressing media usage restrictionsProcedures addressing access control for mobile device usage (including restrictions)Authorizations for mobile device connectionsInformation system audit recordsDocumentation of encryption mechanismsProcedures addressing media storageLogs of media transportKPI’sSuspicious activity Number of scans in progressUnauthorized changes (lower is better)Change success rate (higher is better)Number of delayed project (lower is better)Number of unplanned outages (lower is better)7.0 Incident ResponseA key piece of the Time-Based Model is an effective timely responseThe goal is Reduce time to respondThis requires training and planningDocument a plan, more importantly test the plan The response plan is not an IT plan, is a Response Team plan and includes all stakeholders for example HR, C-Suite, PR, Legal.How easy was the event? What was exposed? How can we make it harder to repeat Tape backup process KPI’sTime IT spend on unplanned changes (lower is better)Percent of changes that are ‘emergency” (lower is better)Server-admin Ratio (Higher is better)Unauthorized changes (lower is better)Change success rate (higher is better)Number of delayed project (lower is better)Number of unplanned outages (lower is better)8.0 Business Continuity ManagementDisaster Recovery Plan (DRP)Business Continuity Plan (BCP) Business Impact AnalysisBCP and DRP training The goal is resilience, But most plan for recoveryRecovery Time Objective (RTO) “how long can we afford to be down?”Recovery Point Objective (RPO) “how much data can we afford to lose?”Backup process:IncrementalDifferentialBack up media: Tape or disk?Back ups versus ArchivesKPI’sNumber of unplanned outages (lower is better)9.0 Change Management Controls Reduces time spent on unplanned work (BAI10)Increase success rateReduce unauthorized changesReduce Mean Time To Repair (MTTR) by standardizing configurationsKPI’sPercent of changes that are ‘emergency” (lower is better)Unauthorized changes (lower is better)Change success rate (higher is better)Number of unplanned outages (lower is better)10.0 Measuring EffectivenessAre we doing the right thing? Are we doing the right way?Are we getting them done well?Are we getting the cost benefit?Scorecards used to evaluatePeriodicSummarized/aggregateUsed to evaluate performanceCan be strategic or tactical levelDashboards used to monitorReal TimeDetailed, low level pictureUsed to monitor and intervene timelyTactical levelLagging Indicators (how we did in the past)Leading Indicators (predict future)Balance ScorecardMulti dimensionalMultiple measuresShow trendsFits on one page or slideWhen selecting 3rd party, request SOC-2, Type 2 ReportResource Responsibility, but not accountabilityKPI’sBalance ScorecardDEFINITIONSKPI’s – refers to metricsRBAC- Role Base Access Control (RBAC)IDS – Intrusion Detection System
Essay About Best Solution And Access Management
Essay, Pages 1 (1550 words)
Latest Update: July 11, 2021
//= get_the_date(); ?>
Views: 148
//= gt_get_post_view(); ?>
Best Solution And Access Management. (July 11, 2021). Retrieved from https://www.freeessays.education/best-solution-and-access-management-essay/