Security Plan
Creating a Security Department
Johnny C. Wachter December 13, 2011
SECURITY PLAN
Table of Contents
The Need for Security (page 3)
Creating the Security Department (page 4)
    Role (page 4)
    Responsibilities (page 4)
Protecting Information Assets (page 6)
    Asset Definitions (page 6)
    Impact Definitions (page 7)
    Critical Information Matrix (page 7)
    Solution Through a Security Department (page 8)
Organizational Chart (page 9)
Creating Order and Combating Opposition (page 12)
Expected Results (page 12)
Appendix A (page 14)
Deploying Security Hardware/Software: the security department must maintain the security posture by deploying necessary security hardware/software on the network.
Ensure Compliance: as a publicly traded corporation, we must ensure compliance with Sarbanes-Oxley, and since we take electronic payment from customers, we must ensure compliance with PCI DSS. It will be the responsibility of the security department to perform internal audits semi-annually and to schedule one annual third-party assessment in order to ensure that compliance with current InfoSec standards and regulations is met. It will also be the responsibility of the security department to ensure that any other form of compliance that becomes necessary due to business changes is implemented, and that this document is amended to include it.
Security Assessments: while our organization must perform assessments for compliance due to federal regulations, we cannot discount the value of non-required internal and external security assessments and penetration testing. It will be the responsibility of the security department to perform quarterly internal penetration tests and annual third-party security assessments/penetration tests. This will be the best way of finding vulnerabilities in our network and repairing them before another attack can occur.
Encryption: due to the large number of mobile employees, the organization must ensure that lost or stolen computers, especially during business trips, will not have a severe negative impact. Requiring hard disk encryption on every system will inevitably require proper management of this process, and that responsibility will fall on the security department.
Account Management: it will be the responsibility of the security department to ensure that user accounts are created with the proper permissions, and that accounts of terminated individuals are closed. All security aspects of the user accounts [i.e. password management] will be managed by the security department.
Security Awareness Training: the organization will hire a third-party security awareness training company to visit once per year, but the security department will also hold semi-annual meetings with all company employees in order to discuss new threats and the forms of social engineering that attackers are using. This will ensure that the weakest link in the organization's security has been strengthened.
Company Banking Information: this refers to any financial documentation which could bring a financial deficit to the organization if compromised.
Network Defense Information: this refers to all information pertaining to the network defenses which the organization is currently implementing, or that it plans to implement in the future. In the wrong hands, this information could lead to another successful attack on the organization.
Impact Definitions
High - Loss of funds in excess of $50,000; loss of reputation with a customer leading to the loss of a contract; and loss of customer information resulting in a compromise of that customer.
Medium - Loss of funds between $15,000 and $50,000; loss of reputation resulting in a strained relationship with a customer; loss of any customer information; and bad press.
Low - Any loss of funds less than $15,000, and any inconveniences.
A security department would allow for the proper management of information and the assurance that organizational and customer information is kept safe. Each of the information assets listed above is crucial to the existence of the organization and its ongoing success. Through the enactment of their responsibilities [listed above], the security department will be able to ensure that proper security measures are deployed across the network, and that access to customer and organizational data is granted based on need. This will help drastically with the mitigation of potential corporate espionage and information leakage, because no user will be granted access to all information on the network. Through proper monitoring of incoming, outgoing, and internal network traffic, the security department will be able to determine how information is accessed, what that information is, and who is accessing it. Monitoring of network traffic will also allow the security department to determine whether an attack is currently in progress on the network, or whether someone is trying to gain unauthorized access; this will help prevent future attacks. In short, the security department would provide a single and direct solution for ensuring the security of the organization.
Organizational Chart
The chart below groups key members of the organization based upon the level of access that each group has to both organizational and customer information. Each level of access will follow its own set of requirements. The level definitions are as follows:
Level 1 - this is the highest possible access to both network and customer information. Only members of senior management will have access to this level of information. Members with this level of access will be able to view and modify any and all organizational information, and all customer information. This level requires that all devices which are used for business, whether to store or access data, be encrypted with AES-256 bit encryption, and adhere to the following rules for password management:
o Password must be at least 25 characters long.
o Password must contain alpha-numeric characters, upper and lower cases, and special characters.
o Password will be changed quarterly.
o Password cannot be stored in plaintext on a computer or written on paper.
Level 2 - this level of access will grant the user permission to view information belonging to the organization, and to view and modify customer information that is needed in order to perform daily business tasks. Users with this level of access will be granted access only to that information [organizational or customer] which is required for performing their tasks, and nothing more. If additional access to information is needed, these users must provide documentation for that need, and request access from senior management. Upon receipt of senior management approval, the security department will grant the user access to the requested information. Required credentials for encryption and for password management will be the same as for users with Level 1 access.
Level 3 - This level of access will allow users to view customer and organizational information which is necessary for performing daily tasks. Users will not have permission to make changes to the system. Users will only be granted access to information belonging to their particular department [i.e. financial, network layout, etc]. If a user with this level of access has been issued a mobile device, then the user will adhere to the following credential requirements:
o Hard disk encryption on all mobile devices.
o Password: 15 character length. Alpha-numeric, upper and lower cases, and special characters. Password will be changed quarterly. Password may not be stored in plaintext, or written down.
Level 4 - This level is the lowest level of access which can be granted. Users with this level of access will be able to view only that information which pertains to their daily tasks, and will be granted temporary access to the information, based upon the assignment which they are currently working on. Users with this level of access will not be permitted to take mobile devices off premises. Credential requirements will be the same as for Level 3.
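As an added example, not part of the original plan, the following Python check encodes the credential rules for the four access levels above (25-character passwords for Levels 1 and 2, 15 for Levels 3 and 4, all character classes, quarterly rotation). The function names and the reading of "quarterly" as 90 days are assumptions.

```python
import re
from datetime import date

# Minimum password length per access level, as stated in the plan.
MIN_LENGTH = {1: 25, 2: 25, 3: 15, 4: 15}
# "Changed quarterly" is interpreted here as a 90-day maximum age (assumption).
MAX_AGE_DAYS = 90

# Every level requires alpha-numeric, upper and lower case, and special characters.
CHARACTER_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "digit": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def password_policy_violations(level, password, last_changed, today=None):
    """Return a list of violations for one credential; an empty list means compliant."""
    if level not in MIN_LENGTH:
        raise ValueError(f"unknown access level {level}")
    today = today or date.today()
    violations = []
    if len(password) < MIN_LENGTH[level]:
        violations.append(
            f"length {len(password)} is below the {MIN_LENGTH[level]} required for Level {level}")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            violations.append(f"missing {name}")
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        violations.append(f"password is {age} days old; quarterly rotation is overdue")
    return violations


def noncompliant_accounts(accounts, today):
    """Map each account name to its violations, keeping only accounts that fail.

    `accounts` is an iterable of (name, level, password, last_changed) tuples,
    e.g. a constructed roster exported from account management.
    """
    report = {}
    for name, level, password, last_changed in accounts:
        problems = password_policy_violations(level, password, last_changed, today)
        if problems:
            report[name] = problems
    return report
```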
[Organizational chart (figure): VP of Professional Services; IT Department; Contracting Managers; Contractors.]
The Security Operations department will have a further organizational breakdown, which will follow the ISO 27001 standard for Organization of Information Security [listed in Appendix A]. The requirements for each of the positions will be as follows:
Senior Security Engineers and Analysts:
o Minimum 10 years of experience in Information Security, and a Master's degree in Information Assurance or a related field.
Security Analysts:
o Minimum 2 years of experience in Information Security or a related field, and a Bachelor's degree in Network Security or a related field.
Expected Results
Once the restructuring is complete and the organization is able to implement this security plan, it is expected that the security posture will be strong and trust in the organization will be restored. The security department will be able to effectively defend all information that is on the network, and successfully mitigate any future attempts by attackers. Policies and procedures will be regularly updated in order to maintain or strengthen the security posture, and access to information on the network will be restricted, thereby preventing corporate espionage. The organization will be able to set an example for the industry with regard to security, and experience growth without the fear of information leakage.
Appendix A
Works Cited
Admin. (2011, December 08). Four Romanian nationals indicted for hacking Subway and 50 other merchants' POS systems. Retrieved from http://www.databreaches.net/?p=22065
ISO 27001. (2011, December 15). Formal ISMS specification. Retrieved from http://www.iso27001security.com/