Functional information assurance plan


Chaston Carter

05/30/17


Statement of Policy

Purpose: This policy outlines the incident response protocols, disaster response protocols, access control protocols and maintenance plan that will serve as controls and guidelines for addressing instances of unauthorized access to CFZ information, and as the response to disastrous events or conditions that might adversely impact operations at CFZ.

Incident Response Protocol

Incident response protocols have become an integral part of information technology; they are used for detecting and handling incidents, minimizing loss and destruction, mitigating weaknesses and restoring IT services (Cichonski et al., 2012). The incident response process has several phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity (Cichonski et al., 2012).

The preparation phase attempts to limit or prevent the number of security incidents that might occur by selecting controls such as regular risk assessments, host security, network security, malware prevention and user awareness training that effectively reduce the number of incidents (Cichonski et al., 2012).

The detection and analysis phase uses precursors and indicators to monitor and analyze attack vectors such as external media, attrition, web, email, impersonation, improper usage and unauthorized access that can be used to propagate attacks against an organization. Some of the precursors that have been put in place at CFZ include:

  • Intrusion detection and prevention systems to identify and log suspicious events, alert the response team and take automated mitigating actions;

  • Security information and event management (SIEM) products to generate alerts based on the analysis of log data;

  • Antivirus and anti-malware software to detect and prevent attacks from infecting the systems;

  • A file integrity checker to detect changes to important files during attack incidents; and

  • Awareness programs for both internal and external users to keep them abreast of the latest attack incidents and to create a reporting route once anomalies have been identified (Cichonski et al., 2012).
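The file integrity checker listed above works by recording a digest of every important file while the system is known-good and later comparing a fresh snapshot against that baseline. The following is an added example of that technique, written for this page rather than taken from CFZ's tooling or from Cichonski et al.; the directory tree, file names and the tampering it simulates are all constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example of a baseline-and-compare file integrity checker (not CFZ's
# own tool). A SHA-256 digest is recorded per file while the system is
# known-good; later snapshots are compared to surface changed, added and
# removed files, which is what an intruder's edits or dropped files look like.

CHUNK = 1 << 16  # read files in 64 KiB blocks so large files fit in memory


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, hashing it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or whose contents changed."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)  # taken while the tree is known-good

        # Simulated changes an integrity check should catch: an edited account
        # file, a new scheduled job dropped into place, and a deleted file.
        (root / "etc" / "passwd").write_text("root:x:0:0\nextra:x:0:0\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * /tmp/x\n")
        (root / "etc" / "hosts").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

In practice the baseline must be stored somewhere the monitored host cannot silently rewrite (a signed file or a separate system), otherwise whoever alters the files can alter the baseline too.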

The containment, eradication and recovery phase is used to manage incidents before they overwhelm the system and result in more serious damage, using predetermined procedures such as disabling system functions, shutting systems down or disconnecting them from the network to mitigate the effects of an attack (Cichonski et al., 2012).

Finally, the post-incident activity phase is used by the organization or response team to reflect on new threats and use lessons learned to improve the incident response plan (Cichonski et al., 2012). Within CFZ, the incident response plan will be used to respond to a variety of potential threats such as:

  • Unauthorized access or unauthorized privilege escalation and data breaches,

  • Denial or Distributed Denial of Service Attacks,

  • Firewall Breaches,

  • Viruses and malware outbreaks,

  • Theft or physical loss of equipment, and

  • Insider Threats (Rouse, 2014).

To mitigate these issues, the following recommended actions have been put in place at CFZ:

Incident Type | Kill Chain Stage | Priority Level | Recommended Action
--- | --- | --- | ---
Unauthorized Access | Exploitation & Installation | High | Detect, monitor and investigate unauthorized access attempts, with priority on systems that are mission critical or contain sensitive data.
Unauthorized Privilege Escalation | Exploitation & Installation | High | Critical systems are configured to record all privilege escalation events and raise alarms for unauthorized privilege escalation attempts.
Data Breach | System Compromise | High | During a data breach, all evidence is captured carefully and evidentiary data is collected. Alarms alert system administrators, and emergency system shutdown and data recovery steps are initiated. All critical documents and data are backed up on a separate system.
Denial or Distributed Denial of Service Attacks | Exploitation & Installation | High | An IPS is implemented to monitor, detect and automatically terminate traffic patterns that step outside the normal behavior of the system.
Viruses or Malware | Delivery & Attack | Low | Remediate any malware infection as quickly as possible. The rest of the network is scanned to ensure no further compromise is associated with the outbreak.
Insider Breach | System Compromise | High | User accounts are routinely monitored using system log events and security information and event management products that generate alerts based on the analysis of log files.
Theft or Physical Loss | System Compromise | High | Whole-disk encryption protects all laptops and mobile devices. Screen lockout or remote wiping is used to remove all critical data from lost or stolen equipment.
Firewall Breaches | System Compromise | High | Technology additions and updates are used to evaluate firewall settings and adjust them as needed to minimize the impact on business. Firewall rules are regularly reviewed and updated to protect against the latest security threats, and dedicated, ongoing monitoring is employed to maximize system uptime while actively defending the network and connected devices.
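Two rows of the table above rely on the same mechanism: systems record privilege escalation events and SIEM-style analysis of log events raises an alert when an account behaves outside its role. The following is an added example of that analysis, written for this page and not taken from CFZ's SIEM configuration. The syslog-style lines, host name, user names and addresses are constructed; the admin role membership, the failed-login threshold and the one-minute window are assumed values that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example of log-driven alerting for two incident types in the table:
# repeated unauthorized access attempts and unauthorized privilege escalation.
# Everything below is constructed for illustration; it is not CFZ's tooling.

LOG_LINES = """\
May 30 08:01:02 fs01 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
May 30 08:01:04 fs01 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
May 30 08:01:06 fs01 sshd[4011]: Failed password for root from 203.0.113.7 port 51004 ssh2
May 30 08:01:09 fs01 sshd[4011]: Failed password for root from 203.0.113.7 port 51006 ssh2
May 30 08:01:11 fs01 sshd[4011]: Failed password for root from 203.0.113.7 port 51008 ssh2
May 30 08:15:00 fs01 sshd[4020]: Accepted publickey for opsadmin from 192.0.2.10 port 40022 ssh2
May 30 08:15:30 fs01 sudo:  opsadmin : TTY=pts/0 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May 30 08:16:00 fs01 sudo:  jdoe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
May 30 09:40:00 fs01 sudo:  jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
""".splitlines()

ADMIN_ROLE = {"opsadmin"}          # assumed: the only role allowed to escalate
FAILED_LOGIN_THRESHOLD = 5         # assumed tuning values
WINDOW = timedelta(minutes=1)

TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : (.*)$")


def parse(line: str, year: int = 2017):
    """Split a syslog line into (timestamp, host, message); syslog omits the year."""
    m = TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def analyze(lines, admin_role=ADMIN_ROLE, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return alerts for login brute force and for escalation outside the admin role."""
    alerts = []
    attempts = defaultdict(list)   # source address -> recent failed-login times
    flagged = set()                # sources already alerted on, to avoid repeats
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        m = FAILED.search(msg)
        if m:
            _user, src = m.groups()
            hits = attempts[src]
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= window]   # sliding window
            if len(hits) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "host": host,
                               "source": src, "count": len(hits), "at": ts})
            continue
        m = SUDO.search(msg)
        if m:
            user, rest = m.groups()
            command = rest.split("COMMAND=")[-1] if "COMMAND=" in rest else ""
            base = {"host": host, "user": user, "command": command, "at": ts}
            if "NOT in sudoers" in rest:
                # the system refused it, but the attempt itself is worth an alarm
                alerts.append({"type": "escalation_denied", **base})
            elif user not in admin_role:
                # escalation succeeded for an account whose role does not permit it
                alerts.append({"type": "escalation_unauthorized", **base})
    return alerts


if __name__ == "__main__":
    for a in analyze(LOG_LINES):
        print(a)
```

Running it over the sample yields three alerts: one brute-force alert once the fifth failure from 203.0.113.7 lands inside the window, one for the refused sudo attempt by jdoe, and one for jdoe's later successful escalation, which is the case the "unauthorized privilege escalation" row is meant to catch.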


Justification of Incident Response protocol

Since it is difficult to predict the path an attacker will take to infiltrate the network, CFZ decided to structure its incident response plan around the cyber kill chain sequence (Malik, 2016). The cyber kill chain describes the stages an attacker must complete to successfully infiltrate a network and exfiltrate data from it. It involves the following stages:

  1. Reconnaissance and Probing - The stage at which the attacker probes the network for any vulnerability or opportunity that may be present in the system (Malik, 2016).

  2. Delivery and Attack – Once a vulnerability has been identified, a delivery mechanism (attack mechanism) is put in place to deliver the attack, or social engineering is employed to induce the target (Malik, 2016).

  3. Exploitation and Installation – After the attacker has found a vulnerability in the system, they exploit it to gain access; once access has been gained, they elevate their user privileges to broaden that access or install a persistence payload (Malik, 2016).

  4. System Compromise - At this stage, high-value data is exfiltrated as quickly as possible (Malik, 2016).

Designing an incident response plan around these stages allows CFZ to understand the threats faced in its network environment, the steps an attacker can use to exploit them, and the steps needed to adequately prevent or mitigate the effects of any such threat.



Disaster Response Protocol

Disaster response protocols are another critical component of computer security operations; they ensure the continuation of vital business processes in the event of a disaster (Martin, 2002). At CFZ, the disaster response and recovery protocols focus not only on physical infrastructure, backup and restoration systems but were expanded to include other critical components such as perimeter defenses, the IDS network, threat evaluation and assessment, virus protection, patches and host configurations, and vulnerability surveillance (Velliquette, 2005). Paying proper attention to all these aspects is critical to addressing computer security within disaster recovery planning and ensures the most efficient and successful recovery operations (Velliquette, 2005). The major components developed into the disaster response protocols at CFZ include:

Crisis Management Plan: This plan was designed to ensure the continuation of vital business processes in case of an emergency (Martin, 2002). It provides the information, procedures, responsibilities and checklists that support an organized and effective system for handling situations during a crisis (Martin, 2002).

Alternate Recovery Site: To ensure that IT service recovery time matches the business recovery time objective, CFZ implemented a backup site at an alternate location, where the data infrastructure is configured to run similar hardware and software applications so that regular operations can be restored in the shortest possible time after a disaster (Velliquette, 2005).

Regular Data Backup: CFZ also implemented scheduled hardware and software backups and periodically validates that critical systems, applications and data are accurately backed up on standard hardware, so that replacement hardware can be easily provisioned in the case of a disaster.

Perimeter Defenses: Perimeter defenses such as firewall and VPN management are important aspects of the CFZ disaster recovery plan because they assist in monitoring traffic during the recovery process and ensure a safe connection for users and clients to the alternate network, bringing operations back online and reducing downtime (Velliquette, 2005).

Intrusion Prevention and Protection: This component is built into the recovery plan to ensure that, during the recovery process, proper configuration is established to keep virus definition files current and to ensure new threats and vulnerabilities are detected and prevented, strengthening the fortification process in order to reduce system downtime and return the system to normal operations (Velliquette, 2005).

Justification of Disaster Response Protocol

The primary goal of CFZ is to get critical infrastructure, networks and systems back up and running as quickly as possible in order to minimize the potential long-term impact on the business. A crisis management plan is highly important for coordinating the recovery effort in a systematic way that enables the disaster response team to make quick and effective decisions that limit the impact of the disaster or crisis. Without this type of systematic plan, ineffective decisions may be made, which in turn increases disruption time and can be very detrimental not only to the business but also to customers, stakeholders and investors alike (Velliquette, 2005). An alternate recovery site, an emergency response location and backup data are instrumental to the strategic and tactical implementation of the recovery procedures, without which recovery is impossible. Implementing perimeter defenses, intrusion prevention and virus protection during the recovery process also ensures that new threats that could impede recovery do not arise and increase the magnitude of an already bad situation (Martin, 2005). The survivability of any organization after a disaster depends on successful contingency planning, which determines how effectively the organization responds to mitigate the business impacts of the disaster (Martin, 2005).

Access Control Protocols

Security challenges faced at CFZ due to data breaches led management to implement network access control protocols that provide endpoint assessment, authentication and authorization of entities trying to gain access to the network, while also limiting privileges to those of the user's assigned role. First, CFZ decided to implement smart cards for employees, each carrying a digital certificate and an underlying password associated with the individual user. The smart cards provide the authentication and authorization employees and users need to gain secure access to the organization's network (Boscolo, 2008). They also form the basis of accountability: users must ensure their smart cards are used in accordance with the organization's acceptable use policy and are not shared with any other user (Boscolo, 2008).

CFZ also implemented role-based access control lists, which grant permissions to roles rather than to individual users. Users inherit permissions and privileges only through the roles they have been assigned (Conklin & White, 2015). The least privilege approach was also implemented, granting only the minimum permissions and privileges that enable users to perform their daily tasks according to their assigned roles (Conklin & White, 2015).

Finally, the company also implemented separation of duties across the different departments. This concept breaks tasks down into several duties performed by different individuals, limiting the probability of an employee exploiting the organization's systems for personal gain (Conklin & White, 2015).
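The three controls just described, role-based permissions, least privilege and separation of duties, fit together in a small access-decision model. The following is an added example written for this page, not CFZ's implementation or the Conklin & White text: permissions attach only to roles, a user's effective rights are the union of their roles (default deny for anything else), and a pair of roles marked as conflicting can never be held by the same person. The roles, permissions and users are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Added example of role-based access control with least privilege and a
# separation-of-duties constraint. Not CFZ's code; roles and users are made up.


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one person conflicting duties."""


@dataclass
class AccessControl:
    role_permissions: dict = field(default_factory=dict)  # role -> {"action:resource"}
    user_roles: dict = field(default_factory=dict)        # user -> {role}
    exclusive_pairs: set = field(default_factory=set)     # {frozenset({role_a, role_b})}

    def define_role(self, role: str, permissions: set) -> None:
        """Permissions are granted to the role, never to a user directly."""
        self.role_permissions[role] = set(permissions)

    def forbid_together(self, role_a: str, role_b: str) -> None:
        """Separation of duties: these two roles may not be held by one user."""
        self.exclusive_pairs.add(frozenset({role_a, role_b}))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in self.exclusive_pairs:
                raise SeparationOfDutiesError(
                    f"{user} already holds {other!r}; {role!r} conflicts with it")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        """Revoking a role removes every permission that flowed from it."""
        self.user_roles.get(user, set()).discard(role)

    def effective_permissions(self, user: str) -> set:
        """Union of the permissions of every role the user currently holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def permitted(self, user: str, action: str, resource: str) -> bool:
        """Default deny: a right exists only if some assigned role carries it."""
        return f"{action}:{resource}" in self.effective_permissions(user)


def build_demo() -> AccessControl:
    """Constructed payroll scenario: the clerk who creates a payment may not approve it."""
    ac = AccessControl()
    ac.define_role("payroll_clerk", {"create:payment", "read:payroll"})
    ac.define_role("payroll_approver", {"approve:payment", "read:payroll"})
    ac.define_role("helpdesk", {"reset:password", "read:directory"})
    ac.forbid_together("payroll_clerk", "payroll_approver")
    ac.assign("alice", "payroll_clerk")
    ac.assign("bob", "payroll_approver")
    ac.assign("carol", "helpdesk")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(ac.effective_permissions(user)))
    try:
        ac.assign("alice", "payroll_approver")
    except SeparationOfDutiesError as e:
        print("refused:", e)
```

Because rights never attach to a user, revoking a role is the whole story for least privilege: once alice loses payroll_clerk she can no longer create payments, and only then may she be given the approver role, since the conflicting role is no longer held.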

Justification of Access Control Protocols

CFZ decided to use smart cards because they satisfy two-factor authentication, which is more secure than a single-factor authentication process such as passwords. Even though it costs more in infrastructure to support, two-factor authentication provides a two-step verification process that makes data breaches twice as hard for an external intruder: not only must they have physical control of the smart card, they also need the PIN associated with that card before they can be granted access to the organization's network (Conklin & White, 2015). The smart card also creates accountability, making the owner of the card responsible for its usage on the network. It also provides non-repudiation: a user cannot deny access to certain information as long as their digital signature was associated with the retrieval or access of that information. In other words, it allows easy tracking of user and employee activity across the network. Finally, it improves the integrity of information because users can use the embedded digital signatures / private keys to encrypt files and emails before transmission, and other members of the organization can easily decrypt such files or information using the corresponding public keys (Conklin & White, 2015).

CFZ also decided to use role-based access control lists because of the flexibility they create in granting and revoking user access based on specified roles within the organization. Users are granted permissions to objects according to the specific duties they must perform rather than according to a security classification attached to the individual objects (Rouse, 2012).

Finally, implementing separation of duties helps CFZ manage conflicts of interest and fraud by restricting the power held by any one individual. This provides checks and balances, limits the harm that can be caused by a single individual and reduces the organization's exposure to damage (Conklin & White, 2015).

Maintaining Information Assurance Plan

CFZ understands that maintaining this information assurance plan involves every member of the organization and requires day-to-day monitoring so that it stays effective and relevant in improving network security. Management therefore created the following critical steps and programs to enforce daily maintenance and continuous implementation of the plan.

Security Awareness Programs: CFZ management decided to hold monthly security meetings to discuss security policies, risks and the incident assessments performed for the organization. The awareness program serves as a monthly refresher on the daily security risks facing the organization and creates continuous awareness of relevant security incidents that have occurred within the organization or industry (Kadam, 2002).

Monitor and Review Security Performance: Since the implementation of an information assurance policy is not a one-time event, CFZ created controls to monitor and review the performance of the plan and ensure that it still serves the purpose for which it was created (Kadam, 2002).

Quarterly Audits: The CFZ IT department also set up quarterly audits with an external auditor to review the performance controls in place, gather performance results, document all non-conformities that require corrective action and identify new threats (Kadam, 2002).

Management Review: These review meetings are conducted to revisit issues, analyze audit reports and take decisive action on whether to keep the information assurance plan as is or to recommend improvements that accommodate newly identified threats (Kadam, 2002).


Justification of Maintenance Plan

The importance of these maintenance steps is that they help to periodically assess risks, identify new risks and measure the effectiveness of the program. Periodic audits are important because they serve as compliance controls that help the organization monitor compliance with the plan. They also help assess new risks, giving management the most up-to-date information on the risks facing the organization, and help determine the corrective actions to take so that the most adequate security controls are implemented.

Awareness training programs are also critical to keep users and employees abreast of the latest security information and to ensure conformance, or unanimous compliance, with the most up-to-date security controls (Garbars, 2002). When users are unaware of the latest threats, they cannot protect themselves or the organization from those threats and the damage that follows.

Monitoring the effectiveness of the information assurance plan is also critical to the safety and security of the organization. After the plan has been created and implemented, it is important to monitor and review its security performance in order to analyze its effectiveness in improving the security posture of the organization (Garbars, 2002).


References

Boscolo, C. (2008). How to Implement Network Access Control. Retrieved from http://www.computerweekly.com/opinion/How-to-implement-network-access-control

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. NIST Special Publication 800-61, Revision 2.

Conklin, W., & White, G. (2015). CompTIA Security+ All-in-One Exam Guide, Fourth Edition (Exam SY0-401). San Francisco: McGraw-Hill.

Garbars, K. (2002). Implementing an Effective IT Security Program. Retrieved from https://www.sans.org/reading-room/whitepapers/bestprac/implementing-effective-security-program-80

Kadam, A. (2002). Implementation Methodology for Information Security Management System. Retrieved from https://www.giac.org/paper/gsec/2693/implementation-methodology-information-security-management-system-to-comply-bs-7799-requi/104600

Martin, B. C. (2002). Disaster Recovery Plan Strategies and Processes. Retrieved from https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564

Rouse, M. (2012). Role-Based Access Control (RBAC). Retrieved from http://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC

Rouse, M. (2014). Incident Response Plan (IRP). Retrieved from http://searchsecurity.techtarget.com/definition/incident-response-plan-IRP

Velliquette, D. (2005). Computer Security Considerations in Disaster Recovery Planning. Retrieved from http://www.sans.org/reading-room/whitepapers/recovery/computer-security-considerations-disaster-recvery-planning-1512