...setup. f. Restrict access for users to only applications, data and systems needed to perform their job. g. Monitor and track employee behavior and their use of IT infrastructure during off hours. 2. Workstation Domain a. Systems where most users connect to the IT infrastructure. i. Workstations can be any desktop, laptop, or other device that connects to an organization's network. b. Password protection on all workstations. c. Auto screen lockout for inactive times. d. Strict access control procedures, standards, policies, and guidelines. e. All CD, DVD, and USB ports will be disabled. f. Automated antivirus solution that updates and scans each workstation automatically. g. Vulnerability policies for workstation operating systems and application software. 3. LAN Domain a. LAN domain includes both logical configuration and physical network components. b. Wiring closets, data centers, and computer rooms need to be secured. c. Strict access control procedures, standards,...
Words: 779 - Pages: 4
...u09d1 Project Plan Draft Julian G. Romero II IT 4990 Integrated Action Learning Project 8430 Favero Cove Converse, TX 78109 210-310-2397 Instructor: Joe Johnson Table of Contents Work in progress… Executive Summary 2econd2n0ne.com is a newly developed motorcycle parts and apparel store created by my good friend Mr. Brockton Gardner. Mr. Gardner is a motorcycle enthusiast, and is in tune with the motorcycle industry with a great number of people who are also enthusiasts that he’s networked with; qualities that can spell success for his website as soon as it goes live. There are many factors to consider before going live with one of those factors being security. My project proposal is a security plan that will protect Mr. Gardner, and his website, from the variety of Internet and physical security threats. This security plan is not a complete overhaul of current systems and methods used, but a plan to harden current security measures. An environmental scan conducted on the website, and Mr. Gardner, has shown that although security measures are being taken there can be some improvements to further protect his investment, and reduce the chances of a malicious attack. Internet threats aren’t the only concerns. Physical security must be considered because mobile devices, to include laptops, are lost and stolen on a daily basis. Most mobile devices carry considerable amounts of sensitive or private information giving all the more reason...
Words: 2765 - Pages: 12
...Security Requirements and Risks Paper Security Requirements and Risks Paper There are a lot of businesses such as Huffman Trucking that complete risk reviews to determine the quantity of threats that may affect their company, and discover ways of dealing with them before a huge tragedy takes place. Risks include hypothetical efficiency of loss of impact, security measures, vulnerabilities and threats that are widespread in today's world. Huffman Trucking sticks to procedures and guidelines that are overseen by dealings by which the organization assesses and handles its contact to risk. Nearly all businesses cope with some risk or possible risk that could possibly trigger a giant blow to their business. These threats and risks typically come from outside or within any organization. In order to get ready for the worst that may occur, corporations should direct their attention on how to consider distinctive types of risk so they could shield themselves from the damage caused by them. The first security risk that needs to be looked into is the usernames and passwords that are assigned to each user. Listed are some cons of password security: Do not choose a password that has to do with family, name, or any personal information that anyone could figure out easily. Writing passwords down is giving others easy access to your personal information. If needed, write it down and put it in a safe place where no one is able to find it. Some pros of password security...
Words: 763 - Pages: 4
...DoS/DDoS Prevention This document details guidelines that can be implemented at the school to prevent the recent DDoS attack the school experienced. These guidelines are by no means any requirement; however, each will grant an additional layer of security for the current networks and services in production. Implement Policies and Procedures An Acceptable Use Policy is a policy that defines what type of actions are allowed to be performed on the systems and network to which the policy applies. For the school, an Acceptable Use Policy may state that users of the computers and network must be performing functions related to the school such as homework, administration, research, etc. In addition to defining what is allowed, the Acceptable Use Policy should also specify what actions will be taken when a user or individual violates the policy. The Acceptable Use Policy should be made accessible to every user. One method to do this would be to display the policy when a user logs in or direct them to where they can read the document (Glenn, 2003). Develop Incident Response Procedures The incident response procedures should identify the following: ← Define who the respondents are and what each individual's responsibility is ← Specify what data is to be collected and what actions are expected ◦ This would include gathering information on the attacker and a clearly defined resolution path for the team to return systems to a pre-attack state ...
Words: 699 - Pages: 3
...Jonathan E. La Rosa July 22, 2014 NTC/411 Randal C. Shirley Security Solutions Firewalls have been around for years. In that time, they have protected various different organizations and corporations from possible hacker attacks. They play a critical part in protecting the internal network and making sure that packets are screened and checked before being provided access. Although firewalls are extremely powerful, especially in today's world, they cannot be the only source of protection that the network can have. Various other technologies need to be used in order to actually make sure that the data is secure and that information has not been tampered with. Intrusion Prevention Systems, or IPSs, as well as Intrusion Detection Systems, or IDSs, are great in making sure that the network is free of any attacker or unwanted individual. These different technologies working together can provide the best protection possible, although they do have to be monitored in order to make sure they are working in the best way possible. Firewall Protection Managing firewalls is a fundamental function in making sure a network is secure. Network security managers are the main individuals who have to make sure that the firewall is constantly working in the most effective and efficient way possible. The rules that are in place within this device can and will affect the network and how it responds. Firewalls need to be constantly upgraded and kept on the latest software in order to be effective...
Words: 948 - Pages: 4
...Legislation/Standards/Policies 6 Risk management 6 Identification of risk 7 Analysis of risk 8 Risk Category 9 Review of Matrix 9 Action plan 9 Testing Procedures 11 Maintenance 11 Scheduling 11 Implementation 12 Training 12 Milestones 12 Monitoring and review 13 Definition 13 Authorisation 14 Reference 15 Executive summary A Security Risk Management Plan (SRMP) helps CBS by providing specific guidelines and rules to ensure risk management is considered and included. It provides guidelines for its implementation that can minimise the threats by planning, policies, processes and procedures that can help your business get everything back to normal as soon as possible. This SRMP was designed as the guideline for the implementation of risk management in CBS and in its operations in order to ensure the security and safety of its staff and assets. Throughout this SRMP it identifies threats, procedures, policies, responsible persons, etc., which will provide you and your staff the information to prepare you for the worst disaster event. Every business these days has an SRMP in case of any events which may occur; this is essential for every business to provide a base of guidelines and security risk controls. Project purpose The purpose of this Security Risk Management Plan is to provide a guideline of risk management in CBS and its operation. It also analyses risks and provides information on implementation of risk controls to ensure security. Scope...
Words: 2028 - Pages: 9
...customers and employees, guidelines, laws, and policies have been established to ensure the privacy of such information is secure. Only those authorized to view, change, or remove such data must be fully authenticated through proper procedures. In addition, established protocols and encryption methods must be used to access database information via the Internet. This section of the report will address these and other challenges related to IT privacy and security. PCI DSS (Payment Card Industry Data Security Standard) is an information security standard that was created from a joint effort of major credit card companies in 2004. Its purpose is to create controls that would reduce credit card fraud. This standard is built around 6 principles and 12 requirements. It is assumed that Beachside Bytes intends to accept credit cards as a form of payment and must therefore comply with the following principles set forth. The first principle, "Build and Maintain a Secure Network", is enforced through 2 requirements: (1) Install and maintain a firewall, and (2) do not use defaults (i.e., passwords). Firewalls create a single point of defense between two networks. Since the Internet is a web of networks, it is important that firewalls are installed in every Beachside Bytes local area network location. Since the company has 3 major locations in Miami, San Diego, and Honolulu, a minimum of 1 firewall at each location is required. If a website is maintained, 2 firewalls and a DMZ (demilitarized...
Words: 1244 - Pages: 5
...Richman Investments Security Outline Welcome to Richman Investments (RI) where we strive to bring you the most secure, reliable, and available resources that we can offer. We know that work needs to be done and that most of you aren't aware of the security procedures taking place behind the scenes. We have devised a summary of the seven domains of the company and its security model. Please take the time to read this over and understand the implications of not following company guidelines, procedures, and policies. The user domain contains the users and/or employees that will be accessing resources within the organization's information system. A user can access systems, applications and data within the rights and privileges defined by the AUP (acceptable use policy). The AUP must be followed or the user may be dismissed or have their contracts terminated. With the user domain being one of the most vulnerable aspects of any organization, there are a wide variety of user-related threats ranging from lack of awareness to blackmail and extortion. Employees are responsible for their own actions when using company assets and the HR department will be doing background checks on all employees within the company to ensure integrity within the workforce. Enforcement of the user level domain will include the use of RFID badges and PINs for all areas of the facility and rooms that require special access. The workstation domain is where most users connect to the organization's infrastructure...
Words: 1016 - Pages: 5
...State of North Carolina Statewide Information Security Manual Prepared by the Enterprise Security and Risk Management Office Publication Date: April 20, 2012 INTRODUCTION FOR STATEWIDE INFORMATION SECURITY MANUAL 1 GUIDANCE FOR AGENCIES 1 CHAPTER 1 – CLASSIFYING INFORMATION AND DATA 2 CHAPTER 2 – CONTROLLING ACCESS TO INFORMATION AND SYSTEMS 7 CHAPTER 3 – PROCESSING INFORMATION AND DOCUMENTS 32 CHAPTER 4 – PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE 107 CHAPTER 5 – SECURING HARDWARE, PERIPHERALS AND OTHER EQUIPMENT 122 CHAPTER 6 – COMBATING CYBER CRIME 146 CHAPTER 7 – CONTROLLING E-COMMERCE INFORMATION SECURITY 153 CHAPTER 9 – DEALING WITH PREMISES RELATED CONSIDERATIONS 173 CHAPTER 10 – ADDRESSING PERSONNEL ISSUES RELATING TO SECURITY 185 CHAPTER 11 – DELIVERING TRAINING AND STAFF AWARENESS 192 CHAPTER 12 – COMPLYING WITH LEGAL AND POLICY REQUIREMENTS ...
Words: 65255 - Pages: 262
...Riordan Manufacturing is an international manufacturer of plastics and is currently making its mark on the industry as an industry leader. Currently Riordan Manufacturing has four locations that all serve different purposes in the company. Riordan Manufacturing has locations in Albany, Georgia, Pontiac, Michigan, Hangzhou, China and the corporate headquarters in San Jose, California. Riordan Manufacturing uses a Wide Area Network (WAN) that allows the three locations to be connected to the corporate headquarters in San Jose, California. Along with the Wide Area Network to connect the locations to the Corporate Headquarters of Riordan Manufacturing, each location has its own Local Area Network (LAN). Network Architecture. The topology of the networks varies from site to site. The network of the Corporate Headquarters and the location in China both use a bus topology; in both networks there is a single 100BaseT line that is either connected to a server or an interface device. The other two sites, Albany, Georgia and Pontiac, Michigan, both use what seems to be a partial mesh topology or a hybrid topology. The servers on these networks are all connected together, the interface devices are connected to the server, and the clients and printers are then connected to only the interface devices. All of the locations have their own local area network which is connected to the Corporate Headquarters through a point to point connection which is a star topology. The China location has a point...
Words: 2198 - Pages: 9
...User Domain Risk, Threat, or Vulnerability Lack of user awareness • Conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send e-mail reminders to employees. User apathy toward policies • Conduct annual security awareness training, implement acceptable use policy, update staff manual and handbook, discuss during performance reviews. Workstation Domain Risk, Threat, or Vulnerability Unauthorized access to workstation • Enable password protection on workstations for access. Enable auto screen lockout for inactive time. Unauthorized access to systems, applications, and data • Define strict access control policies, standards, procedures, and guidelines. Implement a second-level test to verify a user's right to gain access. Account Policies | Password, lockout, and Kerberos settings. | Local Policies | Audit, user rights, and security options. ("Security Options" consist primarily of security-relevant registry values.) | Event Log | Settings for system, application, security and directory service logs. | Restricted Groups | Policy regarding group membership. | System Services | Startup modes and access control for system services. | Registry | Access control for registry keys. | File System | Access control for folders and files. | LAN Multilayer Security * Coverage considerations for wireless LAN (WLAN) users in a branch office * Distance considerations from the closet to the...
Words: 726 - Pages: 3
...Internet DMZ Equipment Policy 1.0 Purpose The purpose of this policy is to define standards to be met by all equipment owned and/or operated by Richman Investments located outside Richman Investment's corporate Internet firewalls. These standards are designed to minimize the potential exposure to Richman Investment from the loss of sensitive or company confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of Richman Investment resources. Devices that are Internet facing and outside the Richman Investment firewall are considered part of the "de-militarized zone" (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls. The policy defines the following standards: * Ownership responsibility * Secure configuration requirements * Operational requirements * Change control requirement 2.0 Scope All equipment or devices deployed in a DMZ owned and/or operated by Richman Investment (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by Richman Investment, must follow this policy. This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the "RichmanInvestment.com" domain or appears to be owned by Richman Investment. All new...
Words: 1219 - Pages: 5
...Central Medical Services, L. L. C. Security Plan To meet HIPAA security requirements within this network the following hardware, software, procedures and guidelines will be met: System security accreditation will be supported by reviewing the system set in place to include its management, operational and technical controls. This is the formal authorization for system operation and explicit acceptance of risk. Periodic reaccreditation will follow to formally reexamine the system from a broader perspective to address the high-level security, management concerns and the implementation of the security. A certification process will be established to demonstrate and document that all computer systems and network devices meet HIPAA criteria to consider risks identified during the risk assessment process. The following hardware and devices will be tested thoroughly to prevent intrusion and meet HIPAA Security regulations for systems certification and accreditation to prevent unauthorized access: Routers will be placed along the perimeter of the network and properly configured to route all packets through the network, drop traffic to unknown destinations and block all local broadcasts. Security filtering will be set by the use of an Access Control List (ACL) to allow or deny traffic throughout the network based upon IP addresses, packet header information, protocols or port numbers. The router will be set so that ports not in use are closed. Assessment of router security will...
Words: 987 - Pages: 4
...would you want a policy? • Regulatory compliance • Due care; due diligence • Assign responsibility • Assign authority, e.g., incident response • Publicize to members of organization • Create framework for development of standards, procedures, baselines, and guidelines. • Proclaim priorities; values • Specific issues need to be addressed formally by organization as a whole Mission Statements: per Paul Drucker, a MS has to be operational, otherwise, it's just good intentions. A policy statement is a way of operationalizing your entity's mission statement. Measure of policy: SMART • Specific • Measurable • Achievable • Realistic • Time-based Policy Taxonomy • Policy: what and why-objective • Standards: measures of compliance. DOD, FIPS. E.g., level of software or hardware. • Baselines: minimum standards • Guidelines: not mandatory, not compulsory, several solutions may be satisfactory. • Procedures: explicit actions, sometimes in explicit order at a specific time (e.g., prior to production/operation). Mandatory. Procedures employ standards. Policies Standards Guidelines Procedures Different types of policies: issue vs. system policies 1 • Passwords • Acceptable use • Email • Copyright • Firewalls • Mobile Devices • Email servers • Copiers Policy Structure • Purpose: the why; problem is defined, objectives, reason for policy • Background: historical or current rationale • Cancellation/expiration: supersedes existing policy •...
Words: 376 - Pages: 2
...Phase Three With the network topology and employee workstations configured as requested, network functionality and security are a necessity for enterprise protection. Phase three takes into consideration both network and data security. This data security is a combination of both network resources in addition to personnel training. While these objectives have separate outcomes, they work in tandem with each other to provide holistic network security. Firewalls, Antivirus, and Intrusion Detection/Prevention In the simplest form, firewalls provide a go/no-go gate for passing traffic from the internal network to the internet. By setting up appropriate rulesets, the network administrators restrict and allow different data packages which users and peripheral...
Words: 1641 - Pages: 7