...and Existing IT Security Policy Framework Richman Investments Remote Access Standards
Purpose: This document defines the standards for connecting remotely to Richman Investments’ network from outside the company’s direct network connection. The standards defined here are designed to mitigate exposure to potential damage to Richman Investments’ network resulting from the unauthorized use of network resources.
Scope: All Richman Investments agents, vendors, contractors, and employees who use either Richman Investments company property or their own personal property to connect to the Richman Investments network are governed by this policy. The scope of this policy covers remote connections used to access or do work on behalf of Richman Investments, including, but not limited to, the viewing or sending of e-mail and the viewing of intranet resources.
Policy: Richman Investments agents, vendors, contractors, and employees with remote access privileges to Richman Investments’ corporate network are responsible for ensuring that they adhere to these standards, whether using company-owned or personal equipment for data access, and that they follow the same guidelines that would be followed for on-site connections to the Richman Investments network. General access to the Internet by household members via the Richman Investments network will be permitted, and should be used responsibly, such that all Richman Investments standards and...
Words: 474 - Pages: 2
...Richman Investment Remote Access Control Policy Document 01/14/14
Contents
1 Policy Statement
2 Purpose
3 Scope
4 Definition
5 Risks
6 Applying the Policy - Passwords
6.1 Choosing Passwords
6.1.1 Weak and strong passwords
6.2 Protecting Passwords
6.3 Changing Passwords
6.4 System Administration Standards
7 Applying the Policy – Employee Access
7.1 User Access Management
7.2 User Registration
7.3 User Responsibilities
7.4 Network Access Control
7.5 User Authentication for External Connections
7.6 Supplier’s Remote Access to the Council Network
7.7 Operating System Access Control
7.8 Application and Information Access
8 Policy Compliance
9 Policy Governance
10 Review and Revision
11 References
12 Key Messages
13 Appendix 1
Policy Statement
Richman Investments will establish specific requirements for protecting information and information systems against unauthorised access. Richman Investments will effectively communicate the need for information and information system access control.
Purpose
Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Richman Investments which must be managed with care. All information has a value to the Council. However, not all of this information has an equal...
Words: 2211 - Pages: 9
...Richman Investments has decided to expand their business. We have been given their new growth projections of 10,000 employees in 20 countries, with 5,000 located within the U.S. Richman have also established eight branch offices located throughout the U.S. and have designated Phoenix, AZ as the main headquarters. With this scenario, I intend to design a remote access control policy for all systems, applications and data access within Richman Investments. With so many different modes of Access Control to choose from, it is my assessment that choosing only one model would not be appropriate for Richman Investments. My recommendation would be a combination of multiple Access Control Models that overlap to provide maximum coverage and overall security. Here are my suggestions for access controls. Role Based Access Control, or RBAC: this will work well with the Non-Discretionary Access Control model, which will be detailed in the next paragraph. RBAC is defined as setting permissions or granting access to a group of people with the same job roles or responsibilities. With many different locations along with many different users, it is important to identify the different users and different workstations within this network. Every effort should be dedicated towards preventing users from accessing information they should not have access to. Non-Discretionary Access Control is defined as controls that are monitored by a security administrator. While RBAC identifies those with permissions...
Words: 548 - Pages: 3
...Authorization- Richman Investment has to define specific rules to dedicate who has access to which of the computers and its resources. The suggestion that I suggest is that Richman Investments implements a group policy. A group policy would allow an administrator the privilege to assign different access controls to different group users. The administrator could then assign different individuals to one or multiple groups. The permissions of the user are dictated by the administrator.
Identification- Richman Investments must assign a unique identifier that compliments each user. This way they can keep track of who has access to what systems and data; the most commonly used is a user identification number and password.
Authentication- “In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification.” (Technology, 2014) The best way for this company is to use a knowledge based system that includes PIN, pass phrase, or password along with an ownership authentication which includes but is not limited to a key, badge, token, or smart card. Using a combination of will provide the most adequate form of security.
Accountability- Richman Investments has to hold all users responsible for what they do or do not do on their systems. They must make sure log systems can detect, prevent, and/or monitor the system due to all the laws that have...
Words: 282 - Pages: 2
...NT2580 Ishmael Burch III Project Part 2 Student SSCP Domain Research Paper
Remote Access Domain is a domain involving Portable devices that use static IP address like Smart phones, Laptop computers, PDAs, Remote E-mail usage, Wireless access to cloud resources. Remote access policies are configured using the RRAS console. They are contained within the Remote Access Policies container under the server node in the console tree. There is a default remote access policy created when the RRAS is installed on a computer. Allow or deny remote access depending on the time or day of the week, the group membership of the remote user, the type of connection (VPN or dial-up), and so on. Administrators can configure remote access settings to specify authentication protocols and encryption schemes used by clients, maximum duration of a remote access session, etc. A wireless link is likely to be limited in bandwidth, and error rates on a wireless link are much higher than those of a wired link. Different types of communication paths are involved, one of which is the radio link, particularly vulnerable to attack. Location privacy: any leakage of specific signaling information on the network can lead an eavesdropper to approximately “locate” the position of a subscriber, thus hindering the subscriber’s privacy.
Securing Internet Communication by using S-HTTP and SSL
Secure Socket Layer (SSL) protocol is a protocol that uses public key encryption to secure a channel over the public Internet. A Secure Hypertext...
Words: 769 - Pages: 4
...Ken Schmid Unit 3 Assignment 1 Remote Access Control Policy for Richman Investments
Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the user’s permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires.
Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN.
Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge...
Words: 312 - Pages: 2
...Appropriate Access Controls for Systems, Applications, and Data Access
Learning Objective
Explain the role of access controls in implementing security policy.
Key Concepts
* The authorization policies applying access control to systems, application, and data
* The role of identification in granting access to information systems
* The role of authentication in granting access to information systems
* The authentication factor types and the need for two- or three-factor authentication
* The pros and cons of the formal models used for access controls
Reading
Kim and Solomon, Chapter 5: Access Controls.
Keywords
Use the following keywords to search for additional materials to support your work:
* Biometrics
* Content Dependent Access Control
* Decentralized Access Control
* Discretionary Access Control
* Kerberos
* Mandatory Access Control
* Remote Authentication Dial In User Service (Radius)
* Role-Based Access Control
* Security Controls
* Secure European System for Applications in a Multi-Vendor Environment (SESAME)
* Single Sign-on
* Terminal Access Controller Access-Control System (TACACS)
Week 3
Discussion
* Access Control Models
* Unit 3 Access Control Models (lT255.U3.TS2)
Lab
* Enable Windows Active Directory and User Access Controls
Assignment
* Remote Access Control Policy Definition ...
Words: 542 - Pages: 3
...information that belongs to Richman Investments. As part of the general security plan of the organization the IT department puts together a proposal to provide multi-layered security strategies that can be applied at every level of the IT structure. The plan will lay out the importance of improving and safeguarding the levels of each domain and the process of protecting the information of the organization. User Domain At Richman Investments the personnel is accountable for the appropriate use of IT assets. Therefore, it is in the best interest of the organization to ensure employees handle security procedures with integrity. It is essential to create a strong AUP (Acceptable Use Policy) procedure and as part of the process, require employees sign an agreement to guarantee they understand and conform to implemented rules and regulations. In addition, the company will conduct security awareness training, annual security exercises, notices about securing information, and constant reminders security is everyone’s responsibility. Workstation Domain The plan to secure the workstation domain enforces a strong password policy on each workstation and also enables screen lockout protection for inactive times. Keeping all workstations with an up to date antivirus is essential. Furthermore, content filtering features will arrange access of specific domain names according to AUP definitions. In addition, workstations will have up-to-date application software and security patches conferring...
Words: 779 - Pages: 4
...Acceptable Use Policy (AUP) for use of WAN/LAN owned and maintained by Richman Investments
Statement of Policy: The following Information Technology Acceptable Use Policies and Procedures are to be followed by ALL employees, contractors, vendors, and other authorized individuals who are granted access to any Local Area Network and/or Wide Area Network or other service maintained and provided by Richman Investments or its subsidiaries. It is expected that all departments will enforce these policies. ANY USER FOUND VIOLATING THESE POLICIES OR PROCEDURES WILL FACE PUNISHMENT WHICH MAY INCLUDE DISCIPLINARY ACTION, SERVICE ACCESS TERMINATION, AND/OR LEGAL ACTION. Users of any Local Area Network and/or Wide Area Network owned and maintained by Richman Investments understand they are subject to monitoring by the Information Technology department in order to maintain systems security and prevent unauthorized access and usage of equipment. Richman Investments assumes no responsibility for actions performed by users which violate any laws, foreign or domestic. If discovered, these users will be reported to the proper authorities for prosecution.
Prohibited Use of Equipment or System:
* No peer-to-peer file sharing or externally reachable file transfer protocol (FTP) servers
* No exporting internal software or technical material in violation of export control laws
* No accessing unauthorized internal resources or information from external sources
* No port...
Words: 339 - Pages: 2
...strategic assets of Richman Investments and must be treated and managed as valuable resources. Richman Investments provides various computer resources to its employees for the purpose of assisting them in the performance of their job-related duties. State law permits incidental access to state resources for personal use. This policy clearly documents expectations for appropriate use of Richman Investments assets. This Acceptable Use Policy in conjunction with the corresponding standards is established to achieve the following:
1. To establish appropriate and acceptable practices regarding the use of information resources.
2. To ensure compliance with applicable State law and other rules and regulations regarding the management of information resources.
3. To educate individuals who may use information resources with respect to their responsibilities associated with computer resource use.
This Acceptable Use Policy contains four policy directives: Part I – Acceptable Use Management, Part II – Ownership, Part III – Acceptable Use, and Part IV – Incidental Use. Together, these directives form the foundation of the Richman Investments Acceptable Use Program.
Section 2 – Roles & Responsibilities
1. Richman Investments management will establish a periodic reporting requirement to measure the compliance and effectiveness of this policy.
2. Richman Investments management is responsible for implementing the requirements of this policy, or documenting non-compliance...
Words: 1330 - Pages: 6
...IT-255 Part 1 Multi-Layer Security Outline
Task at hand: Richman Investments Network Division has been handed the task of creating a general solutions outline for safety of data and information that belongs to their organization. This following outline will cover the security solutions of the seven domains that the IT infrastructure is made of.
| User Domain | The User Domain being the weakest link of the seven layers. This is from lack of users not aware of security policies and procedures. | To secure this link to its fullest. The employees should be trained and updated with security policies and procedures. The system should have firewall and antivirus software installed as well. |
| Workstation Domain | The Workstation Domain can be made up of desktops, laptops, iPods and or personal assisting tools like Smartphone’s. | The common threat to the Workstation is the unauthorized access to the system. The solution would be to enable password protection and automatic lockout during time of inactivity. |
| LAN Domain | LAN being a collection of computers connected to each other. The links can use several tools direct connected with a switch and wireless with a router being the most common. | Unauthorized access can tap into and work its way into workstations, data centers (servers). To put a block and set-up counter measures a Firewall and OS Security Software installed and monitored. |
| LAN-TO-WAN Domain | LAN-to-WAN is where the IT infrastructure links to a wide...
Words: 779 - Pages: 4
...Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the user’s permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires.
Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN.
Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge, or token. Using a combination of ownership authentication and knowledge authentication...
Words: 298 - Pages: 2
...Remote access control policy definition Richman Investments firm Remote access control policy
The following is the firm remote access control policy. The policy will be listing the appropriate access controls for systems, applications and data access. We will be providing a description on each type of access. It is our mission to preserve and protect the Confidentiality, Availability and Integrity of our Firm’s Information System.
1. Systems Access Control.
A. Users are required to use a user ID with password and smart card for accessibility.
B. Remote Users are required to use a user ID with password and software token for accessibility.
C. All users must change user password every 30 days.
D. Users will only have access to their branch office.
E. Users’ logins will be recorded.
F. Only authorized users will be allowed access to their respected system.
G. Management users will have access to their own branch office and also to Headquarters office.
H. Desktop, mobile and wireless devices must be loaded with up to date firmware, OS software and patches.
2. Application Access Control.
A. Users will be assigned rights to use individual application.
B. Users will have to use first and second layer of authentication to gain access to their application.
C. Users will be recorded using application.
D. IT Administration is responsible for running monthly application test.
E. Applications will be tested for security...
Words: 383 - Pages: 2
...Internet DMZ Equipment Policy
1.0 Purpose
The purpose of this policy is to define standards to be met by all equipment owned and/or operated by Richman Investments located outside Richman Investment's corporate Internet firewalls. These standards are designed to minimize the potential exposure to Richman Investment from the loss of sensitive or company confidential data, intellectual property, damage to public image etc., which may follow from unauthorized use of Richman Investment resources. Devices that are Internet facing and outside the Richman Investment firewall are considered part of the "de-militarized zone" (DMZ) and are subject to this policy. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls. The policy defines the following standards:
* Ownership responsibility
* Secure configuration requirements
* Operational requirements
* Change control requirement
2.0 Scope
All equipment or devices deployed in a DMZ owned and/or operated by Richman Investment (including hosts, routers, switches, etc.) and/or registered in any Domain Name System (DNS) domain owned by Richman Investment, must follow this policy. This policy also covers any host device outsourced or hosted at external/third-party service providers, if that equipment resides in the "RichmanInvestment.com" domain or appears to be owned by Richman Investment. All new equipment...
Words: 1219 - Pages: 5
...Fundamentals of Information Systems Security - Jones & Bartlett Learning, LLC. 40 - Tall Pine Drive Sudbury, MA 01776 – Copyright 2012
Multi Layered Security Plan: Richman Investments
1.) General
This Multi-layered Security Plan will give a brief overview of the security strategies that will be implemented at each level of the Information Technology (IT) infrastructure.
2.) User Domain
a. Security awareness training will be implemented to instruct employees of Richman Investments security policies.
b. Structured auditing of all user activity.
3.) Workstation Domain
c. The installation of antivirus and anti-malware programs on all user computers.
d. Strict access privileges to corporate data files and important company documents.
e. Media ports to be deactivated.
4.) LAN Domain
f. Utilizing the correct network switches per each domain.
g. WPA 2 encryption policies to wireless access points.
h. Securing server rooms from unauthorized access.
5.) LAN to WAN Domain
i. Deactivating and closing off unused ports per the firewall to reduce the chance of unwanted network access.
j. Monitor inbound IP traffic, more specifically looking for inbound transmissions that show signs of malicious intent.
k. All networking hardware is to have up to date security patches, and operating systems.
6.) WAN Domain
l. Enforce encryption, and VPN tunneling for remote connections.
m. Configure...
Words: 316 - Pages: 2