
CALLUM ENTERPRISES

Security Plan
Creating a Security Department
Johnny C. Wachter December 13, 2011

SECURITY PLAN

Table of Contents
The Need for Security .......................................... 3
Creating the Security Department ............................... 4
    Role ....................................................... 4
    Responsibilities ........................................... 4
Protecting Information Assets .................................. 6
    Asset Definitions .......................................... 6
    Impact Definitions ......................................... 7
    Critical Information Matrix ................................ 7
    Solution Through a Security Department ..................... 8
Organizational Chart ........................................... 9
Creating Order and Combating Opposition ........................ 12
Expected Results ............................................... 12
Appendix A ..................................................... 14


The Need for Security


The development and implementation of a security department is crucial to this organization's survival. Being a large corporation in today's market and a leader in the industry has brought a great deal of visibility to the organization, but this has not come without its struggles. Such visibility, both nationwide and internationally, has made the organization a clear target for attackers. We can see the harm that attackers are able to cause when security is not made a priority. A recently unsealed indictment describes attacks on the point-of-sale (POS) systems of multiple organizations. Along with 50 other companies, Subway was a victim of this attack, and all of them lost sensitive customer data, including credit and debit card information. The attack was led by four Romanian "hackers," who used very simple techniques to find vulnerable POS systems connected to the internet, which they could later exploit to steal customer data. This breach occurred because of a lack of security, and it was completely avoidable. It is time to take a step forward and assess our own security posture. We have seen from recent events that our infrastructure is vulnerable and that our intellectual property can be taken by a determined attacker. We have lost sensitive organizational plans, we have fears of corporate espionage, and most importantly, we have lost the trust of our customers whose personal data was stolen. It is our responsibility to regain that trust and to restructure the organization with security awareness in mind. By implementing a good security plan, we will be able to:
- Improve our security posture;
- Help prevent corporate espionage;
- Ensure that our data, and our customers' private information, is secure;
- Identify future attacks and stop them; and
- Have a plan in place for mitigating any future incidents.


Creating the Security Department


Understanding that there is a need for security is not enough. The organization must create a department whose sole purpose is to manage the security of the infrastructure and to enforce good security policies and procedures; otherwise the successful prevention of future attacks is impossible.

Role

The role of the security department is to ensure that the organization is actively engaged in strengthening its security posture by following good security practices and meeting compliance with both national and international standards. This department will be created in order to manage all of the security needs of the organization, and to act as the decision maker for current and future security products that will be deployed on the network.

Responsibilities

The security department will be responsible for all aspects of organizational security, including the maintenance and updating of policies, procedures, and this security plan. Responsibilities will include:

Developing/Enforcing Security Policies: the security department will be responsible for creating policies that ensure the Confidentiality, Integrity, and Availability of the organization's resources, assets, and customer data.

Deploying Security Hardware/Software: the security department must maintain the security posture by deploying necessary security hardware/software on the network.

Ensure Compliance: as a publicly traded corporation, we must ensure that compliance is met with Sarbanes-Oxley, and since we take electronic payment from customers, we must ensure compliance with PCI DSS. It will be the responsibility of the security department to perform internal audits semi-annually and to schedule one annual third-party assessment in order to ensure that compliance with current InfoSec standards and regulations is met. It will also be the responsibility of the security department to ensure that any other form of compliance that becomes necessary due to business changes is implemented, and that this document is amended to include it.

Security Assessments: while our organization must perform assessments for compliance due to federal regulations, we cannot discount the value of non-required internal and external security assessments, and penetration testing. It will be the responsibility of the security department to perform quarterly internal penetration tests, and annual third party security assessments/penetration tests. This will be the best way of finding vulnerabilities in our network, and repairing them before another attack can occur.

Encryption: because of the large number of mobile employees, the organization must ensure that lost or stolen computers, especially during business trips, will not have a severe negative impact. Requiring hard disk encryption on every system will inevitably require proper management of this process, and that responsibility will fall on the security department.


Account Management: it will be the responsibility of the security department to ensure that user accounts are created with the proper permissions, and that accounts of terminated individuals are closed. All security aspects of the user accounts [i.e. password management] will be managed by the security department.

Security Awareness Training: the organization will hire a third party security awareness training company to visit once per year, but the security department will also hold semi-annual meetings with all company employees in order to discuss new threats, and forms of social engineering that attackers are using. This will ensure that the weakest link in the organization's security has been strengthened.

Protecting Information Assets


It is of utmost importance that the information assets which are most critical to the organization's existence and proper functioning be defined. Each of these assets will be given an impact value of High, Medium, or Low, pertaining to the risk its loss poses to the organization with respect to Confidentiality, Integrity, and Availability.

Asset Definitions

Customer Information: this refers to any information that can be used to identify the customer, or that could compromise the customer in any way if lost or stolen. This is the information which the customer has entrusted to the organization, and which they expect to be properly secured.

Internal Business Target Information: this refers to organizational plans, intellectual property, and research data crucial to the ongoing success of the organization.

Company Banking Information: this refers to any financial documentation which could bring a financial deficit to the organization if compromised.

Network Defense Information: this refers to all information pertaining to the network defenses which the organization is currently implementing, or that it plans to implement in the future. In the wrong hands, this information could lead to another successful attack on the organization.

Impact Definitions

High - Loss of funds in excess of $50,000; loss of reputation with a customer leading to the loss of a contract; or loss of customer information resulting in a compromise of that customer.

Medium - Loss of funds between $15,000 and $50,000; loss of reputation resulting in a strained relationship with a customer; loss of any customer information; or bad press.

Low - Any loss of funds less than $15,000, and any inconveniences.

Critical Information Matrix


Impact Attribute   | Customer Information | Company Banking Information | Internal Business Target Information | Network Defense Information | Final Results
-------------------|----------------------|-----------------------------|--------------------------------------|-----------------------------|--------------
Confidentiality    | H                    | H                           | H                                    | H                           | H
Integrity          | H                    | H                           | H                                    | H                           | H
Availability       | H                    | H                           | M                                    | M                           | H

(H = High, M = Medium. The Final Results column takes the highest impact rating found in that row across all four assets.)

Solution Through a Security Department

A security department would allow for the proper management of information and the assurance that organizational and customer information is kept safe. Each of the information assets listed above is crucial to the existence of the organization and its ongoing success. Through the enactment of its responsibilities [listed above], the security department will be able to ensure that proper security measures are deployed across the network, and that access to customer and organizational data is granted based on need. This will help drastically with the mitigation of potential corporate espionage and information leakage, because no single user will be granted access to all information on the network. Through proper monitoring of incoming, outgoing, and internal network traffic, the security department will be able to determine what information is accessed, how it is accessed, and who is accessing it. Monitoring of network traffic will also allow the security department to determine whether an attack is currently happening on the network, or whether someone is trying to gain unauthorized access; this will help prevent future attacks. In short, the security department would provide a single and direct solution for ensuring the security of the organization.


Organizational Chart
The chart below groups key members of the organization based upon the level of access that each group has to both organizational and customer information. Each level of access follows its own set of requirements. The level definitions are as follows:

Level 1 - This is the highest possible access to both network and customer information. Only members of senior management will have access to this level of information. Members with this level of access will be able to view and modify any and all organizational information, and all customer information. This level requires that all devices which are used for business, whether to store or access data, be encrypted with AES-256, and adhere to the following rules for password management:
o Password must be at least 25 characters long.
o Password must contain alphanumeric characters, upper and lower case letters, and special characters.
o Password will be changed quarterly.
o Password cannot be stored in plaintext on a computer or written on paper.

Level 2 - This level of access grants the user permission to view information belonging to the organization, and to view and modify customer information that is needed in order to perform daily business tasks. Users with this level of access will be granted access only to that information [organizational or customer] which is required for performing their tasks, and nothing more. If additional access to information is needed, these users must provide documentation for that need and request access from senior management. Upon receipt of senior management approval, the security department will grant the user access to the requested information. Encryption and password management requirements are the same as for users with Level 1 access.

Level 3 - This level of access allows users to view customer and organizational information which is necessary for performing daily tasks. Users will not have permission to make changes to the system. Users will only be granted access to information belonging to their particular department [i.e. financial, network layout, etc.]. If a user with this level of access has been issued a mobile device, then the user will adhere to the following credential requirements:
o Hard disk encryption on all mobile devices.
o Password: at least 15 characters long, containing alphanumeric characters, upper and lower case letters, and special characters.
o Password will be changed quarterly.
o Password may not be stored in plaintext or written down.

Level 4 - This level is the lowest level of access which can be granted. Users with this level of access will be able to view only that information which pertains to their daily tasks, and will be granted temporary access to the information, based upon the assignment which they are currently working on. Users with this level of access will not be permitted to take mobile devices off premises. Credential requirements will be the same as a Level 3.

[Organizational chart: groups arranged by access level, Level 1 through Level 4. Groups shown: CEO and Senior Mgmt.; VP of Business Operations; VP of Professional Services; Security Operations Department; IT Department; Contracting Managers; Interns and Lower Level Analysts; Interns and Support Desk; Contractors.]

The Security Operations department will have a further organizational breakdown that follows the ISO 27001 standard for Organization of Information Security [listed in Appendix A]. The requirements for each of the positions will be as follows:

Senior Security Engineers and Analysts:
o Minimum 10 years of experience in Information Security, and a master's degree in Information Assurance or a related field.

Security Analysts:
o Minimum 2 years of experience in Information Security or a related field, and a bachelor's degree in Network Security or a related field.


Creating Order and Combating Opposition


In its current standing, the organization has experienced some great losses, and has fears not only of outside threats and attacks, but of insiders willing to partake in corporate espionage. Through the proper implementation of this security plan, and the creation of a governing body [the security department] for all security measures which need to be taken, the organization will be able to restore order, rebuild trust with its clients, and prevent future incidents from occurring. The restoration process will not be easy, and will require a great deal of effort on everyone's part. Proper coordination and communication between departments will be necessary during the restructuring of the organization, and this will cause a lot of push-back from all parties involved. It is impossible to create and implement an organization-wide security plan without experiencing some opposition, so the best way to accomplish this will be with a top-down approach. Orders must be given by senior management to all subordinate parties in order to allow enforcement of this security plan. Dispersing responsibilities in a fashion that is different from what the organization has been doing will surely cause some confusion, so in order to combat this, proper training must be given to all departments. The training will involve defining the new responsibilities and communicating the newly implemented security practices and access restrictions.

Expected Results
Once the restructuring is complete and the organization is able to implement this security plan, it is expected that the security posture will be strong and trust in the organization will be restored. The security department will be able to effectively defend all information that is on the network and successfully mitigate future attempts by attackers. Policies and procedures will be regularly updated in order to maintain or strengthen the security posture, and access to information on the network will be restricted, thereby preventing corporate espionage. The organization will be able to set an example for the industry with regard to security, and experience growth without the fear of information leakage.


Appendix A

Works Cited

Admin. (2011, December 08). Four Romanian nationals indicted for hacking Subway and 50 other merchants' POS systems. Retrieved from http://www.databreaches.net/?p=22065

ISO 27001. Formal ISMS specification. (2011, December 15). Retrieved from http://www.iso27001security.com/
