Fluent Essays

Purpose This course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies. Learning Objectives and Outcomes Successful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following: § Evaluate compliance laws relevant to the U.S. Department of Defense. § Assess policy frameworks appropriate for an organization in a given scenario. § Evaluate security controls and standards for the seven domains of a typical IT infrastructure. § Develop DoD-compliant policies for an organization’s IT infrastructure. Required Source Information and Tools Web References: Links to Web references in this document and related materials are subject to change without prior notice. These links were last verified on August 26, 2020. The following tools and resources will be needed to complete this project: § Course textbook § Internet access § DoD instructions or directives https://www.esd.whs.mil/dd/ § Risk Management Framework (RMF) for DoD Information Technology (IT) https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-26-101520-300  § U.S. Department of Defense (DoD) Chief Information Office Library https://dodcio.defense.gov/Library/  § Department of Defense Information Security Program https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol1.pdf?ver=2020-08-04-092500-203  § Department of Defense Internet Services and Internet-Based Capabilities https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/817001p.pdf  You may consult other relevant sources, if needed. If so, include citations for those sources in the final deliverable for this report.  This project is divided into several parts, each with a deliverable. The first three parts are research drafts, which should include organized lists and notes gathered during research, sources, and in some cases policy drafts. These documents should be organized and readable, but are not polished reports.      Item Deliverables   Project Part 1 U.S. Compliance Laws   Research Create a draft of your   research of DOD-specific requirements for an organization’s IT infrastructure   and U.S. compliance laws that may affect the firm. This will be due Friday   night   Project Part 2 Infrastructure Research A Create a draft of (1) which   policy framework(s) will be followed for the project and (2) DoD-compliant   policies, standards, and controls that affect the User, Workstation, LAN, and   LAN-to-WAN Domains.   Project Part 3 Infrastructure Research B Create a list of   DoD-compliant policies, standards, and controls that affect the WAN, Remote   Access, and System/Application Domains.   Project Part 4 Final Report Submit the final report of   your class project. On Sunday you will present the result of your paper    You are a security professional for Blue Stripe Tech, an IT services provider with approximately 400 employees. Blue Stripe Tech partners with industry leaders to provide storage, networking, virtualization, and cybersecurity to clients. Blue Stripe Tech recently won a large DoD contract, which will add 30 percent to the revenue of the organization. It is a high-priority, high-visibility project. Blue Stripe Tech will be allowed to make its own budget, project timeline, and tollgate decisions. As a security professional for Blue Stripe Tech, you are responsible for developing security policies for this project. These policies are required to meet DoD standards for delivery of IT technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency.  To do this, you must develop DoD-approved policies, standards, and control descriptions for your IT infrastructure (see the “Tasks” section in this document). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies, standards, or controls in place.    § 12 servers running the latest edition of Microsoft Server, providing the following: o Active Directory (AD) o Domain Name System (DNS) o Dynamic Host Configuration Protocol (DHCP) o Enterprise resource planning (ERP) application (Oracle) o A research and development (R&D) engineering network segment for testing, separate from the production environment o Microsoft Exchange Server for email o Email filter o Cloud-based secure web gateway (web security, data loss protection, next-generation firewall, cloud application security, advanced threat protection)  § Two Linux servers running Apache Server to host your website § 400 PCs/laptops running Microsoft Windows 10, Microsoft 365 office applications, and other productivity tools Tasks § Develop a list of compliance laws required for DoD contracts. § Determine which policy framework(s) will be used for this project. § List controls placed on domains in the IT infrastructure. § List required standards for common devices, categorized by IT domain. § Develop DoD-compliant policies for the organization’s IT infrastructure. § Describe the policies, standards, and controls that would make the organization DoD compliant. § Develop a high-level deployment plan for implementation of these polices, standards, and controls. § Write a professional report that includes all of the above content-related items and citations for all sources. Submission Requirements Format: Microsoft Word (or compatible) Font: Arial, size 12, double-space Citation style: Your school’s preferred style      guide Length of draft research documents: 2–4 pages Length of final report: 14–18 pages Self-Assessment Checklist for Final Report § We developed a list of compliance laws required for DoD contracts. § We listed controls placed on domains in typical IT infrastructure. § We  listed required standards for common devices, categorized by IT domain. § We  developed DoD-compliant policies and standards for the organization’s IT infrastructure § We described the policies, standards, and controls that would make my organization DoD compliant. § We  listed all applicable DoD frameworks in the final report. § We developed a high-level deployment plan for implementation of these polices, standards, and controls. § We created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation. § We included citations for all sources used in the report. § We followed the submission guidelines. Project: Department of Defense (DoD) Ready Purpose This course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies. Learning Objectives and Outcomes Successful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following: Evaluate compliance laws relevant to the U.S. Department of Defense. Assess policy frameworks appropriate for an organization in a given scenario. Evaluate security controls and standards for the seven domains of a typical IT infrastructure. Develop DoD-compliant policies for an organization’s IT infrastructure. Required Source Information and Tools Web References: Links to Web references in this document and related materials are subject to change without prior notice. These links were last verified on August 26, 2020. The following tools and resources will be needed to complete this project: · Course textbook Internet access DoD instructions or directives https://www.esd.whs.mil/dd/ Risk Management Framework (RMF) for DoD Information Technology (IT) https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-26-101520-300 U.S. Department of Defense (DoD) Chief Information Office Library https://dodcio.defense.gov/Library/ Department of Defense Information Security Program https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol1.pdf?ver=2020-08-04-092500-203 Department of Defense Internet Services and Internet-Based Capabilities https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/817001p.pdf You may consult other relevant sources, if needed. If so, include citations for those sources in the final deliverable for this report. Deliverables This project is divided into several parts, each with a deliverable. The first three parts are research drafts, which should include organized lists and notes gathered during research, sources, and in some cases policy drafts. These documents should be organized and readable, but are not polished reports. Item Deliverables Project Part 1 U.S. Compliance Laws Research Create a draft of your research of DOD-specific requirements for an organization’s IT infrastructure and U.S. compliance laws that may affect the firm. This will be due Friday night Project Part 2 Infrastructure Research A Create a draft of (1) which policy framework(s) will be followed for the project and (2) DoD-compliant policies, standards, and controls that affect the User, Workstation, LAN, and LAN-to-WAN Domains. Project Part 3 Infrastructure Research B Create a list of DoD-compliant policies, standards, and controls that affect the WAN, Remote Access, and System/Application Domains. Project Part 4 Final Report Submit the final report of your class project. On Sunday you will present the result of your paper Note: Your instructor will require that this project be completed in groups. If so, select a team leader and conduct the research. Scenario You are a security professional for Blue Stripe Tech, an IT services provider with approximately 400 employees. Blue Stripe Tech partners with industry leaders to provide storage, networking, virtualization, and cybersecurity to clients. Blue Stripe Tech recently won a large DoD contract, which will add 30 percent to the revenue of the organization. It is a high-priority, high-visibility project. Blue Stripe Tech will be allowed to make its own budget, project timeline, and tollgate decisions. As a security professional for Blue Stripe Tech, you are responsible for developing security policies for this project. These policies are required to meet DoD standards for delivery of IT technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency. To do this, you must develop DoD-approved policies, standards, and control descriptions for your IT infrastructure (see the “Tasks” section in this document). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies, standards, or controls in place. Blue Stripe Techs computing environment includes the following: 12 servers running the latest edition of Microsoft Server, providing the following: Active Directory (AD) Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) Enterprise resource planning (ERP) application (Oracle) A research and development (R&D) engineering network segment for testing, separate from the production environment Microsoft Exchange Server for email Email filter Cloud-based secure web gateway (web security, data loss protection, next-generation firewall, cloud application security, advanced threat protection) Two Linux servers running Apache Server to host your website 400 PCs/laptops running Microsoft Windows 10, Microsoft 365 office applications, and other productivity tools Tasks Develop a list of compliance laws required for DoD contracts. Determine which policy framework(s) will be used for this project. List controls placed on domains in the IT infrastructure. List required standards for common devices, categorized by IT domain. Develop DoD-compliant policies for the organization’s IT infrastructure. Describe the policies, standards, and controls that would make the organization DoD compliant. Develop a high-level deployment plan for implementation of these polices, standards, and controls. Write a professional report that includes all of the above content-related items and citations for all sources. Submission Requirements · Format: Microsoft Word (or compatible) · Font: Arial, size 12, double-space · Citation style: Your school’s preferred style guide · Length of draft research documents: 2–4 pages · Length of final report: 14–18 pages Self-Assessment Checklist for Final Report We developed a list of compliance laws required for DoD contracts. We listed controls placed on domains in typical IT infrastructure. We listed required standards for common devices, categorized by IT domain. We developed DoD-compliant policies and standards for the organization’s IT infrastructure We described the policies, standards, and controls that would make my organization DoD compliant. We listed all applicable DoD frameworks in the final report. We developed a high-level deployment plan for implementation of these polices, standards, and controls. We created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation. We included citations for all sources used in the report. We followed the submission guidelines. © 2022 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Page 1 CHAPTER 6 IT Security Policy Frameworks Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Learning Objective(s) and Key Concepts Describe issues related to information systems security (ISS) policy implementation and enforcement. Building blocks of a security policy framework Types of documents for a security policy framework Information systems security (ISS) and information assurance considerations Considerations for creating a security policy framework Learning Objective(s) Key Concepts Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com What Is an IT Policy Framework? Includes policies, standards, baselines, procedures, guidelines, and a taxonomy Many frameworks resemble a hierarchy or tree An organization’s security posture is often expressed in terms of risk appetite and risk tolerance Risk appetite Generally refers to how much risk an organization is willing to accept to achieve its goal Risk tolerance Relates to how much variance in the process an organization will accept Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com A Policy and Standards Library Framework FIGURE 6-1 A policy and standards library framework. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Charting Risk Appetite FIGURE 6-2 Charting risk appetite. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com What Is a Program Framework Policy or Charter? (1 of 2) Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com High-level policy defines: The program’s purpose and mission The program’s scope within the organization Assignment of responsibilities for program implementation Compliance management What Is a Program Framework Policy or Charter? (2 of 2) Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Purpose and Mission Scope Responsibilities Compliance States the purpose and mission of the program Specifies what the program covers States the responsibilities of personnel and departments related to the program Should address enforcement of the policy; for example, what happens if someone doesn’t comply with computer security policies? Industry-Standard Policy Frameworks Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com ISO/IEC 27002 (2015) ISO/IEC 30105 ISO 27007 NIST Special Publication (SP) 800-53 What Is a Policy? High-level statements, beliefs, goals, and objectives Helps protect an organization’s resources and guide employee behavior Provide the “what” and “why” of security measures Lack of information security policies and enforcement leaves an organization vulnerable to data breaches, business interruptions, and legal liabilities Policies describe: Details of how a program runs Who is responsible for day-to-day work How training and awareness are conducted How compliance is handled Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com What Are Standards? Formal documents that establish: Uniform criteria that you can evaluate and measure Methods to accomplish a goal Repeatable processes and practices for compliance with policies Issue-specific standard Focuses on an area of current relevance and concern to your company System-specific standard, or baseline standard Focuses on the secure configuration of a specific system, device, operating system, or application Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com What Are Procedures? Written instructions on how to comply with a standard A specific series of actions or operations that are executed in the same manner repeatedly Support the policy framework and associated standards by codifying the steps that are proven to yield compliant systems Examples: Incident reporting, server configuration, emergency evacuation Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Procedures should be: Clear and unambiguous Repeatable Up to date Tested Documented What Are Guidelines? Assist people in developing procedures or processes with best practices that other people have found useful Can clarify issues or problems that have arisen after the publication of a standard Provide the people who implement standards or baselines more detailed information and guidance (hints, tips, processes, etc.) to aid in compliance Are optional in a library but are often helpful May become a standard when their adoption is widely accepted and implemented Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Business Considerations for the Framework Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Cost Cost of implementing and maintaining the framework Impact Impact of the controls required by the framework on employees, customers, and business processes Roles for Policy and Standards Development and Compliance (1 of 2) Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com CISO Establishes and maintains security and risk management programs for information resources Information resources manager Maintains policies and procedures that provide for security and risk management of information resources Information resources security officer Directs policies and procedures designed to protect information resources, identifies vulnerabilities, and develops security awareness program Owners of information resources Responsible for carrying out the program that uses the resources; does not imply personal ownership Roles for Policy and Standards Development and Compliance (2 of 2) Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Custodians of information resources Provide technical facilities, data processing, and other support services to owners and users of information resources Technical managers Provide technical support for security of information resources Internal auditors Conduct periodic risk-based reviews to ensure the effectiveness of information resources security policies and procedures Control partners Ensure that security policies result in operational compliance with risk appetite and regulatory requirements Users Have access to information resources in accordance with the owner-defined controls and access rules Information Assurance Considerations Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Confidentiality Integrity Availability Best Practices for IT Security Policy Framework Creation When implementing policies, use various methods to spread the word throughout your organization, such as presentations, videos, panel discussions, road shows, and newsletters Introduce computer security policies in a manner that ensures that management’s support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures State core principles in the form of goals upfront. This defines “what” the framework must achieve Get buy-in on the “what,” and then get others to work together with you on the “how” Gain ownership from key user groups by offering them choices on how to achieve policy goals Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Case Studies and Examples (1 of 2) Alberta Health Services Established a policy development and document management framework Goes beyond policy creation and approval Has a whole section on policy implementation, and a section on how to review the policy and evaluate its efficacy University of Huddlesfield in England Published a policy development framework Describes a policy owner responsible for the development and dissemination of the policy as well as maintenance and review Suggests, when needed, consultation with subject matter expert A large section is devoted to approval of policies and policy changes Private Sector 1 Private Sector 2 Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Case Studies and Examples (2 of 2) State of Tennessee Used ISO/IEC 17799 (27002) Policies and frameworks covered all information asset owned, leased, or controlled by the State of Tennessee Control the practices of external parties that need access to the State of Tennessee’s information resources Target Corporation December 2013 point-of-sale (PoS) data breach 40 million credit card records stolen 70 million records containing PII Largest data breaches of its kind Serious weaknesses in the information security framework and related controls Public Sector Private Sector 3 Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Summary Building blocks of a security policy framework Types of documents for a security policy framework Information systems security (ISS) and information assurance considerations Considerations for creating a security policy framework Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com 10/10/2020 20 Guidelines for PPT Presentation How many slides? Your presentation should be 10 to 15 minutes in length. Each person in the group should participate and must be present. All presentations will be recorded. 10 20 30 Slideshow rule Its quite simple: a PowerPoint presentation should have 10 slides, last no more than 20 minutes, and contain no font smaller than 30 points. Good guideline, but not absolute https://www.slidegenius.com/blog/guy-kawasakis-10-20-30-rule-presentation APA formatting for slide shows · Include the same information on your title slide that you would have on a title page.  · Include in-text citations for any quote, paraphrase, image, graph, table, data, audio or video file that you use within your presentation. Please note that photographs are considered figures in APA style. See section 7.30 of the APA manual for more information about this. · The last slide will be your References List.  · “No citation, permission, or copyright attribution is necessary for clip art from programs like Microsoft Word or PowerPoint” (American Psychological Association [APA], 2020, p. 346). · Do not reproduce images without permission from the creator or owner of the image. See section 12.15 of the APA manual for more information about this. https://goodwin.libguides.com/c.php?g=29109&p=7298502 Group Project Final Paper Learning Objectives Successful completion of this project will ensure that you can develop draft IT security policies for an organization and apply learning constructs from the course. By the end of this project, you will be able to do the following: Evaluate compliance laws relevant to the U.S. Department of Defense. Assess policy frameworks appropriate for an organization in a given scenario. Evaluate security controls and standards for the seven domains of a typical IT infrastructure. Develop DoD-compliant policies for an organization’s IT infrastructure. Course textbook, Internet access DoD instructions or directives https://www.esd.whs.mil/dd/ Risk Management Framework (RMF) for DoD Information Technology (IT) https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-26-101520-300 U.S. Department of Defense (DoD) Chief Information Office Library https://dodcio.defense.gov/Library/ Department of Defense Information Security Program https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520001m_vol1.pdf?ver=2020-08-04-092500-203 Department of Defense Internet Services and Internet-Based Capabilities https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/817001p.pdf Required Resources and Tools Suggested Approach Item Deliverable Part 1 Research DOD-specific requirements for an organization’s IT infrastructure and U.S. compliance laws that may affect the firm. Part 2 (1) which policy framework(s) will be followed for the project and (2) DoD-compliant policies, standards, and controls that affect the User, Workstation, LAN, and LAN-to-WAN Domains. Part 3 list of DoD-compliant policies, standards, and controls that affect the WAN, Remote Access, and System/Application Domains. Part 4 Create a polished final paper that creates polices for this company You are a security professional for Blue Stripe Tech, an IT services provider with approximately 400 employees. Blue Stripe Tech partners with industry leaders to provide storage, networking, virtualization, and cybersecurity to clients. Blue Stripe Tech recently won a large DoD contract, which will add 30 percent to the revenue of the organization. It is a high-priority, high-visibility project. Blue Stripe Tech will be allowed to make its own budget, project timeline, and tollgate decisions. As a security professional for Blue Stripe Tech, you are responsible for developing security policies for this project. These policies are required to meet DoD standards for delivery of IT technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency. To do this, you must develop DoD-approved policies, standards, and control descriptions for your IT infrastructure (see the “Tasks” section in this document). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies, standards, or controls in place. Scenario 12 servers running the latest edition of Microsoft Server, providing the following: Active Directory (AD) Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) Enterprise resource planning (ERP) application (Oracle) A research and development (R&D) engineering network segment for testing, separate from the production environment Microsoft Exchange Server for email Email filter Cloud-based secure web gateway (web security, data loss protection, next-generation firewall, cloud application security, advanced threat protection) Two Linux servers running Apache Server to host your website 400 PCs/laptops running Microsoft Windows 10, Microsoft 365 office applications, and other productivity tools IT Infrastructure Develop a list of compliance laws required for DoD contracts. Determine which policy framework(s) will be used for this project. List controls placed on domains in the IT infrastructure. List required standards for common devices, categorized by IT domain. Develop DoD-compliant policies for the organization’s IT infrastructure. Describe the policies, standards, and controls that would make the organization DoD compliant. Develop a high-level deployment plan for implementation of these polices, standards, and controls. Write a professional report that includes all of the above content-related items and citations for all sources. Tasks