Final Project Proposal Page 1
ITT TECHNICAL INSTITUTE
State Government
Department of Finance
and Administration
Request for Proposal for Information Security
Assessment Services (ISAS)
RFP Number: 427.04-107-08
Due: February 25, 2012
FINAL PROJECT PROPOSAL
The contents of this document include all requirements for Final Project Proposal for
RFP Number 427.04-107-08. Documentation submitted by PCMJ Security Services is
for the sole purpose of this proposal.
PCMJ Team members:
Pamela R. Gist
Mychal Dudley
Chris Warren
John Buchheim
B. Henebry, Instructor
Section A: Section “A” addresses the mandatory requirements of the proposer.
The certifications that are held by the employees of PCMJ include Certified
Information Systems Security Professional (CISSP), Certified Information Security
Manager (CISM), Security Essentials Specialist (GSEC) and GIAC Certified Project
Manager (GCPM). We are in good standing with our financial institution, have a positive
business relationship with Dell (our hardware vendor) and Microsoft (our software
vendor), and have a positive rating with all associated credit agencies. We currently
hold liability insurance in the amount of $1,500,000 which exceeds the minimum amount
required by the State. Within our organization we do not have any employees that are
currently employed by the State in any way, nor are there any contracts currently being
worked on for any State Government agencies. We have conducted vulnerability
assessments for other large entities including Procter & Gamble and Hewlett-Packard.
All documentation, certifications, and other forms of proof are available upon request by
the State.
Section B: Section “B” gives further details of the proposer’s current and historical
employee status.
PCMJ is a business partnership between four friends who have spent the
previous years working together on various projects. Our main office is located in
Indiana and our mailing address is as follows:
PCMJ
1234 Main St.
Indianapolis, IN 46202
The main point of contact for all questions or concerns is Pamela Gist. Our
company has not been involved in any sales, mergers, or acquisitions in the past ten
years, and there aren’t any current plans for any of these possibilities. The background
checks on all our employees will show that they are all free from any felony convictions,
guilty pleas, or no contest pleas. There are no current litigation hearings involving our
business and there haven’t been any in the past. We are not currently in, and have never
filed for, bankruptcy or any other means of financial rescue. We have never been the
target of any Securities Exchange Commission investigation in the past, and are not
currently involved in one now.
PCMJ was founded in 2002 and has been successful for 10 years. As of 2012, our
staff is comprised of 22 full-time employees. Currently our staff exceeds the RFP
minimum requirement of employing a Certified Information Systems Security
Professional (CISSP), Certified Information Security Manager (CISM), Security
Essentials Specialist (GSEC) and GIAC Certified Project Manager (GCPM). The team
that will work with the State consists of the following members and their title within the
company:
• Pamela R. Gist, Project Manager
• Chris Warren, IT Manager
• Mychal Dudley, Client Representative Manager
• John Buchheim, Security Manager
• Amy Potential, Human Resources Manager
• Joshua Great, Compliance Manager
• Theodore Ralls, Legal Representative
• Paul Johnston, Security Fulfillment Manager
If we require the assistance of any subcontractors the State will be approached for
approval, and will be given documentation on each person including contact
information, their title, and a description of what work they will be performing. We as a
company are dedicated to operating without prejudice towards race, sex, or any other
possible discriminatory factors. Our employees include men and women of different
ages, races, and religious beliefs.
As mentioned previously, we have had contracts with Procter & Gamble and
Hewlett-Packard. In addition to these two we have worked successfully with the ITT
Corporation, Duke Energy, Bank of America, and Citibank. The references from all of
these companies are on file and will be made available upon request. We have never
been under contract to any agency or office of the State in our ten years of existence.
Section C: Section “C” details the proposer’s understanding of the RFP. The remainder
of this proposal will be broken down by section and number for better clarity.
C.1 The State will require PCMJ to have an office in the state of Ohio with the
mandated licenses and insurance.
C.2 For any area of expertise in which the company has a deficiency, PCMJ shall, with
the approval of the State, hire a third-party vendor to accomplish that task.
C.3 Any third-party vendor relied on shall meet the same personnel quality
requirements as PCMJ, in that all personnel shall pass a State-approved background
check.
C.4 Vulnerability assessments shall be done in each of the 7 typical information
system domains. Each domain will be evaluated for operating system, software and
malware signature updates where applicable. Hardware including routers, IDS / IPS,
firewalls and managed switches will have their configurations reviewed.
C.5 Any vulnerability discovered through the assessment process will be prioritized
and a mitigation effort proposed. Documentation of any vulnerability or incident that has
been realized will be used to develop a standard procedure where one does not exist,
and delivered to the appropriate department manager for proper storage.
C.6 PCMJ is able to assess all current Operating systems, Databases, IDS/ IPS
settings, Router Firewall, and Switch settings as well as Access Control Lists.
C.7 The review of source code assembled by State contractors and personnel shall be
accomplished through a third-party vendor that we will contract on behalf of the State in
order to fulfill this Security Evaluation. The code review shall look specifically for
vulnerabilities such as format string mistakes, buffer overflows, memory leaks, input
validation/sanitization mistakes, weak passwords, administrative back doors,
unnecessary open ports, etc.
C.8 The approved outside vendor will report all findings in a document marked
“Source Code Evaluation” to the Software Development Team, Project Manager, the
IRT team and the Policy Review team headed by PCMJ so that mitigation efforts and
bug fixes can be developed and implemented.
C.9 The contractor we provide to perform the code review will have expert knowledge
in any language the State requires, including COBOL, Java, Perl, and the more
modern languages.
C.10 Anonymous example from the Scope of Services: “A port scan on the server located
at 192.160.128.10 shows port 3689 open and listening. This port is used for iTunes
communication and should not be in service unless specifically designed into
proprietary software developed by the State.”
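As an added illustration of the kind of check behind the C.10 finding (example code written for this edit, not part of PCMJ’s proposal or deliverables), the Python script below parses a constructed sample written in the style of nmap’s grepable (-oG) output and compares each host’s open ports against an approved-services baseline, reporting anything outside the baseline such as the iTunes port 3689. The sample scan text, the baseline dictionary and the host’s approved ports are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample in the style of nmap grepable (-oG) output; not real scan data.
# Port field layout in that format: port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.160.128.10 ()\tStatus: Up
Host: 192.160.128.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3689/open/tcp//rendezvous///\tIgnored State: closed (997)
"""

# Hypothetical approved-services baseline: host -> set of ports that should be listening.
APPROVED_PORTS = {"192.160.128.10": {22, 443}}


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for every port reported open."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                results.setdefault(host, []).append((port, proto, service))
    return results


def unexpected_open_ports(scan, baseline):
    """Open ports missing from the host's baseline; a host with no baseline entry allows nothing."""
    findings = []
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        for port, proto, service in ports:
            if port not in allowed:
                findings.append(Finding(host, port, proto, service))
    return findings


if __name__ == "__main__":
    for f in unexpected_open_ports(parse_grepable(SAMPLE_SCAN), APPROVED_PORTS):
        print(f"{f.host}: {f.port}/{f.proto} ({f.service}) is open but not in the approved baseline")
```

Keeping the baseline per host rather than as one global allowlist matters here: a port that is legitimate on a web server is still a finding on a file server, which is exactly the C.10 situation.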
C.11 All background checks will be performed with the state minimum requirements
with special attention on previous employment activities.
Section D: Section D discusses our approach to developing a Security Policy
Frameworks gap analysis.
D.1 Our approach is to protect the accounting department’s financial files and data on
the network using a layered security approach that hardens the network against any
unauthorized access attempts.
D.2 We will ensure that all personally identifiable information (PII) is fully encrypted,
that all remote access to the network containing PII travels over a VPN, and that unique
user IDs and passwords are put in place.
D.3 To comply with PCI DSS, all customer information will be encrypted using 3DES
and will travel over a secure transfer protocol when in transit.
D.4 We will ensure that PII and PHI information is on a separate server behind
layered defenses using both firewalls and routers.
D.5 All current group policies will be updated to allow only those persons with a
‘Principle of Least Privilege’ approach to access objects pertaining to customer and/or
financial information. The files that are subject to the ‘need to know’ access will have
special passwords as well as a biometric touchpad.
D.6 Banners will be in place on all workstations informing all users that they will not
have access to the public Internet while on the State’s network, and that we have the
right to, and will, monitor their logon sessions and review all sites that are visited and
attempted file access. The use of stateful inspection on packet headers and content will
continuously monitor the traffic into and out of the local area network.
D.7 We will further develop a policy for both internal and remote user access. This
policy is currently under development and we can help to ensure that it is created to
provide the necessary security as well as ease of access for those that require it. These
policies will target the mission critical areas (network, staff and data) first before moving
to the remote site.
D.8 Gaps in the VPN remote user’s policy include a scan of the remote equipment to
ensure that the OS and Firewall / Malware software is up to date. An evaluation of the
current patches and scan results must also be verified. The VPN software being used
now is sufficient to maintain confidentiality.
D.9 A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) go hand
in hand many times. So much so that there are often familiar faces on both teams. A
BCP team must prioritize those critical business elements that relate to the business’s
core function and be implemented when those functions are threatened or violated. A
disaster may or may not be declared at this point. If it were to be declared, the Disaster
Recovery Plan (DRP) would be activated and that team would determine how much of
its vastly more extensive plans would be necessary to put into place.
D.10 Currently the access and privilege control policy is also under development. We
will ensure that all users are part of the correct group to allow access with proper
privileges. All employees, regardless of position or title, will read and sign an
‘acceptable use policy’ that states what actions are unacceptable before being assigned
a workstation.
Section E: Section E relates to how we will review and assess current PHI and PII data
handling policies.
E.1 We will be using the best practices described in the National Institute of
Standards and Technology (NIST) Special Publication 800-122 titled Guide to
Protecting the Confidentiality of Personally Identifiable Information (PII) to determine
compliance.
E.2 HIPAA 5010 compliance laws in Ohio are on file and are generally covered by
the NIST SP 800-122 publication and the principle of least privilege.
E.3 The best practices described in the NIST 800 series guide us on what to look for
when evaluating your IT security policies. We will examine your current layered
approach inside and out and make any necessary recommendations.
E.4 The current Active Directory structure of group policies reveals how well the
principle of least privilege is implemented. We also have to look into server structure to
be sure that strong passwords, proper encryption standards and a narrow set of
administrative rights exist.
E.5 To identify any possible gaps in the control coverage protecting privacy data we
will first review your employee security training to make sure there is a section regarding
illegitimate access to privacy data. We will also look for a review of log files to see if
there is any indication of repeated failed attempts to access privacy data.
E.6 We will change local policy to allow read-only access for those departments that
need only to view files, and allow medical departments both read and write privileges, while
at the same time implementing the principle of least privilege on all file structures.
E.7 Privacy data is found in more areas than most companies think. It can be found
among email, internal notes, personal documents, the list goes on. This data can be
client data or employee data. Once it is on a system, it becomes the property of the
State. We will suggest making a Policy change in regards to the Security Training that
each employee takes based on the findings of our initial hunt for PII on your network. If
a corporate culture of saving potentially sensitive data is detected, it can be addressed
in the updated Security Training.
E.8 Any new policy developed in response to a deficiency will be distributed to each
employee for review. Each employee must then sign a document stating they have read
and will abide by the new policy.
Section F: Section F reviews how PCMJ will review each of the domains needed to
fulfill the scope of this RFP.
F.1 With the Critical Business Tasks identified we will devise a matrix that includes
the resources needed to accomplish and maintain those tasks. Those resources can
then be evaluated for threat vectors and vulnerabilities.
F.2 The established Policies and Controls can now be reviewed to assure that all
threat vectors and vulnerabilities are taken into consideration. Documentation of
changes and additions to the policies will be noted in an appendix.
F.3 There are many known risks and threats to every network infrastructure. They
typically start from the outward facing points of access like a company website and
remote access. With this in mind, we pay particular attention to buffer overflows, memory
leaks and man-in-the-middle attacks. Trusted vendors such as Symantec and McAfee make
available a newsletter and website devoted to current threat trends. We monitor these and
others such as the software vendors themselves to keep abreast of current risks, threats and
vulnerabilities.
F.4 IT Infrastructure components have a finite lifespan. Within this lifespan
configurations and software must be kept up to date. There comes a time when a
component must be replaced, not because it has failed, but because its lifespan has
reached a predictable failure rate or the technology has changed enough that new
hardware must be implemented to keep up with this new technology and or remain in
compliance with State or Federal rules.
F.5 Once the critical hardware has been identified in any IT infrastructure, the
operating systems and configuration software can be scanned and analyzed for known
bugs using software such as Nessus.
F.6 Each risk as it becomes known is put into a matrix that will determine the
criticality of the service affected, the likelihood that the risk will be exploited, the cost per
exploitation and the cost to implement a mitigation effort. Using this chart we can
prioritize a mitigation strategy.
F.7 These are now to be formed into a list by criticality based on a qualitative
analysis of the previous chart.
F.8 The Executive Summary for section F will state each of the security risks as we
have determined them in order of severity. Included will be a mitigation effort list for
each risk and a cost breakdown for those efforts. A schedule can then be developed to
implement each approved mitigation effort.
Section G: Section G is a qualitative analysis of the requirements needed to fulfill the
scope of this RFP.
G.1 The critical functions needed to carry out the State’s mission statement are
used to develop the top priorities in a risk assessment.
G.2 In the qualitative risk assessment of the IT Infrastructure all configuration files will
be reviewed as well as the age of the equipment.
G.3 Any equipment that has reached the manufacturer end-of-life status will be
recommended for replacement as soon as possible. Equipment that has reached its
predicted life cycle expectancy will be replaced based on its security function and how
much redundancy is built into the current security structure.
G.4 The core of our security structure is the system / application domain. This is
where the servers reside and is at the center of our layered security approach. Although
the impact of a breach here is high, the risk is smaller as we look deeper into the
“onion”. The risk of a breach on a workstation is considered high but the impact lower as
long as the breach is discovered quickly.
G.5 Severity is measured not only in downtime, but also in potential fines and loss of
customer confidence. We prioritize risk by the amount of money it will cost the company
or organization to recover from a breach.
G.6 Every proposed response to a potential risk is based on the likelihood it will be
realized, the cost per incident, and the annual rate of incidents. If a risk is inexpensive to
mitigate and has a high cost per incident, this becomes our high priority risk mitigation
task. If it has a low cost per incident, does not affect customer confidence and has a low
annual rate of incident, it may never have a mitigation process implemented.
G.7 When possible, more than one mitigation response will be developed for each
qualitative risk identified.
G.8 From highest to lowest priority, each qualitative risk will be explained briefly and
a mitigation response(s) will be associated with it. Each mitigation response will have a
clear cost attached.
Section H: Section H is a qualitative analysis of the risk responses developed in
accordance to the RFP.
H.1 The qualitative risk assessment report will have identified those risks that are
most likely to be realized, the rate of occurrence and the costs associated with each
occurrence. Using this information and the input from the State we will devise a
mitigation effort calendar.
H.2 Our risk response report will be outlined in a Gantt chart associating prioritization
and resources needed to achieve our mitigation efforts.
H.3 Any risk that is determined to be “High” whose cost is also determined to be
“High” is deemed Critical and must be addressed ASAP. Any risk that has a high
rate of occurrence and a moderate cost is also one that needs to be addressed ASAP.
Any risk that affects a critical business function will also warrant a
response.
H.4 The best response to any item on the prioritized risk response report must have a
Return on Investment (ROI) considered. We must consider future functionality when
choosing a solution.
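To make the ranking rules in F.6, G.6, H.3 and H.4 concrete, here is an added Python example (written for this edit, not PCMJ’s own tooling) that scores a constructed list of risks: annualized loss from cost per incident and annual rate, the H.3 priority class, the G.6 “may never be mitigated” case, and the H.4 return on investment of each proposed response. The dollar thresholds for “High” and “Moderate” cost per incident, the Risk fields and the sample risks are all assumptions.

```python
from dataclasses import dataclass

PRIORITY_ORDER = {"Critical": 0, "ASAP": 1, "Respond": 2, "Schedule": 3, "Accept": 4}


@dataclass
class Risk:
    name: str
    likelihood: str            # qualitative: "High", "Moderate" or "Low"
    cost_per_incident: float   # dollars lost per realized incident
    annual_rate: float         # expected incidents per year before mitigation
    mitigation_cost: float     # one-time cost of the proposed response
    residual_rate: float       # expected incidents per year after mitigation
    critical_function: bool = False    # affects a critical business function
    customer_confidence: bool = False  # a realized incident would hurt customer confidence


def annual_loss(risk, rate=None):
    """Annualized loss expectancy: cost per incident times incidents per year."""
    return risk.cost_per_incident * (risk.annual_rate if rate is None else rate)


def cost_level(cost):
    """Map a dollar cost per incident to the qualitative levels; the thresholds are assumptions."""
    if cost >= 50_000:
        return "High"
    if cost >= 10_000:
        return "Moderate"
    return "Low"


def classify(risk):
    """Priority class following the H.3 rules, plus the G.6 case that may never be mitigated."""
    cost = cost_level(risk.cost_per_incident)
    if risk.likelihood == "High" and cost == "High":
        return "Critical"
    if risk.likelihood == "High" and cost == "Moderate":
        return "ASAP"
    if risk.critical_function:
        return "Respond"
    if cost == "Low" and risk.likelihood == "Low" and not risk.customer_confidence:
        return "Accept"
    return "Schedule"


def mitigation_roi(risk):
    """Reduction in annual loss net of the response's cost, per dollar spent (H.4)."""
    saved = annual_loss(risk) - annual_loss(risk, risk.residual_rate)
    return (saved - risk.mitigation_cost) / risk.mitigation_cost


def prioritize(risks):
    """Order by priority class first, then by best ROI within a class."""
    return sorted(risks, key=lambda r: (PRIORITY_ORDER[classify(r)], -mitigation_roi(r)))


# Constructed sample risks; names, figures and rates are illustrative only.
SAMPLE_RISKS = [
    Risk("Workstation adware from pop-ups", "Low", 2_000, 0.10, 3_000, 0.02),
    Risk("Backup tape drive past end-of-life", "Moderate", 30_000, 0.20, 12_000, 0.02, critical_function=True),
    Risk("Unpatched public web server", "High", 80_000, 0.50, 5_000, 0.05, critical_function=True, customer_confidence=True),
    Risk("Out-of-date anti-malware on VPN clients", "High", 20_000, 1.00, 8_000, 0.20),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{classify(r):9s} ALE ${annual_loss(r):>9,.0f} ROI {mitigation_roi(r):6.2f}  {r.name}")
```

A negative ROI does not remove a risk from the list: the tape drive in the sample still lands in the “Respond” class because it touches a critical function, which is the H.3 rule taking precedence over the cost arithmetic.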
H.5 A response that affects multiple domains creates a multilayered effect in the
overall security of a network infrastructure. This is what we look for in a proposed risk
mitigation approach.
H.6 Implementing these solutions should happen in a protected environment first so
we can foresee any potential complications. Once any needed corrections are
discovered and tested, we can implement our mitigation responses.
H.7 A formal risk response report will be compiled once the needed actions are taken
and implemented. This report will include final mitigation actions and resources
including the costs involved.
Section I: Section I deals with how the Business Impact Analysis, Business Continuity
Plan and Disaster Recovery Plan are designed to keep us going.
I.1 Ensuring operational continuity is a pivotal point of emphasis when looking at any
organization. Our approach revolves around the creation and implementation of policies
that will ensure that if and when there is an emergency, there are solid plans in place to
ensure continuity.
I.2 The first phase is to identify the applications and functions that are critical to keep
your organization running. We will identify the applications that support the key daily
operations, the hardware within the infrastructure that supports those applications and
houses key data, and also the personnel that are needed to continue operating.
I.3 The Business Impact Analysis (BIA) identifies critical functions and weighs the
production costs involved as each function goes down.
I.4 The more costly functions that the BIA identifies are elevated to a more critical
status. When a failure occurs we use this information to prioritize the functions we
restore first.
I.5 Once all the critical resources are identified, we will develop a business continuity
plan (BCP). The BCP is important because it provides the instructions on how to
recover from any type of emergency ranging from power outages to natural disasters. It
will contain steps for both long and short term emergencies and will include the
possibility of relocation if needed.
I.6 The cost of developing a BCP is related more to the staff and conference calls
involved to agree on recommendations. IT will have one set of priorities; HR will have
another and so on. The price is really in what it takes to incorporate all that is agreed
upon. For instance, in this proposal, the required office space needed for a Hot Site is
14,000 sq feet and that does not include furniture and computers.
I.7 The next step in the continuity plan is to develop a disaster recovery plan (DRP).
The DRP is your plan that contains the actual instructions for the recovery process. The
BCP and critical resource list are the basis for the DRP. It will identify the teams that
determine the type of disaster, give the go ahead to launch the DRP, and perform the
recovery itself. This is a step by step blueprint that contains the tasks, assignments and
required times to completely recover from various emergencies.
I.8 Once a disaster has been declared, the DRP team will evaluate the extent of the
damage and recommend what to do next. In the event of a full-blown disaster, under the
DRP we have to make accommodations to activate the hot site (minimally), move and
temporarily house the necessary teams at the hot site, and begin the BCP phase.
I.9 Creating the BCP and DRP is only part of the complete process. Having a plan
is good, but knowing that the plan actually works is what we are looking for. We will
coordinate with the State to test the recovery plans and their functionality once they
have been approved. We will have documentation of the different teams, the individuals on
each team, the responsibilities of the teams, and the contact information as well. We will
test the secondary site to ensure that it is operational and the data flows to the
datacenter as it is supposed to. There will be test runs so that all employees have some
familiarity with the plans and that the first time they see them isn’t in the event of an
emergency.
Section J: Section J covers the threat vectors for critical resources and data and the
security used to protect it.
J.1 To prevent loss of accounting data and customer information, PCMJ has come
up with a layered security solution that once in place will harden the current security in
place by implementing stronger passwords for all users, limiting access to only those
groups with a need to know, implementing another layer of firewall software for both the
network and the workstations, and complete shutdown of all unused ports to the
network.
J.2 Any resource that is determined to house PII, PHI, database information or
human resource data will be determined to be of a high enough
priority to require specific protection from attack or failure.
J.3 Access to these resources will be regulated on a “Principle of Least Privilege”
basis using the GPO function of Active Directory (AD). Furthermore, once identified, this
data will reside on fully encrypted drives and travel over secure channels.
J.4 We will check the sign-on logs and the sites that those users are trying to access,
deploy Wireshark to sniff for unwanted traffic, and deploy both IDS and IPS on the
network.
J.5 Since the user domain would more than likely be the weakest point, we will have
in place banners explaining the denial of any access to the public Internet; workstations
will have anti-malware, a pop-up blocker, and software firewalls on them; both the LAN and
LAN-to-WAN domains will sit behind proxy servers in the DMZ; firewalls and
another router will be added on the WAN domain; two layers of additional firewalls will sit
on the system/application domain; and access for remote users will be limited to business
hours only.
J.6 All sensitive data will be housed on fully encrypted drives in servers that
house only critical data. All sensitive resources will be housed in climate-controlled
locked cabinets within a locked, climate-controlled server room.
J.7 The effectiveness of these controls is monitored in log files that are kept on a
separate server so that any record of actions that have taken place cannot be easily
altered. Using a baseline of problems that have occurred, we can now determine if the
control actions have been effective.
J.8 There will be two levels of passwords and sign-on measures in place to ensure
that if they are not met, the system will lock the user out completely. Monthly vulnerability
tests using white hat techniques will test the strength of the layered security placed on the
seven domains. Audit logs will be created to monitor the logon attempts both within the
department and from the remote users onto the network, and IDS and IPS will be developed
to ensure that the layered security in place is meeting the requirements of the State.
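As an added example covering the log review described in E.5 and the audit-log monitoring in J.8 (example code written for this edit, not a PCMJ deliverable), the Python below runs a sliding-window detector over constructed audit lines: it alerts on repeated denied access to privacy-data paths and on repeated failed logons per user, and marks remote failures that fall outside business hours, which J.5 says should not occur at all. The audit line format, the privacy-data path prefixes, the 09:00 to 17:00 business-hours window, the threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format: "<ISO timestamp> <lan|remote> user=<id> event=<type> [path=<path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>lan|remote) user=(?P<user>\S+) event=(?P<event>\S+)(?: path=(?P<path>\S+))?$"
)
# Assumed locations of PII / PHI on the file servers.
PRIVACY_PREFIXES = ("/srv/hr/pii/", "/srv/medical/phi/")
BUSINESS_HOURS = range(9, 17)  # assumed 09:00 to 17:00 window for remote access (J.5)

# Constructed audit lines, not real logs, in chronological order.
SAMPLE_LOG = """\
2012-02-20T08:01:10 lan user=jdoe event=LOGON_OK
2012-02-20T08:02:05 lan user=jdoe event=ACCESS_DENIED path=/srv/hr/pii/payroll.xlsx
2012-02-20T08:02:40 lan user=jdoe event=ACCESS_DENIED path=/srv/hr/pii/benefits.xlsx
2012-02-20T08:03:15 lan user=jdoe event=ACCESS_DENIED path=/srv/medical/phi/claims.db
2012-02-20T08:05:00 lan user=asmith event=ACCESS_DENIED path=/srv/shared/memo.docx
2012-02-20T09:00:00 lan user=clee event=LOGON_FAIL
2012-02-20T15:00:00 lan user=clee event=LOGON_FAIL
2012-02-20T17:30:00 lan user=clee event=LOGON_FAIL
2012-02-20T22:10:00 remote user=bkim event=LOGON_FAIL
2012-02-20T22:10:30 remote user=bkim event=LOGON_FAIL
2012-02-20T22:11:00 remote user=bkim event=LOGON_FAIL
2012-02-20T22:11:20 remote user=bkim event=LOGON_FAIL
""".splitlines()


def classify_event(event, path):
    """Which failure counter a line feeds, or None if it is not a failure of interest."""
    if event == "LOGON_FAIL":
        return "logon_fail"
    if event == "ACCESS_DENIED" and path and path.startswith(PRIVACY_PREFIXES):
        return "privacy_access_denied"
    return None


def detect_repeated_failures(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert once per user and failure kind when `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # (user, kind) -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify_event(m["event"], m["path"])
        if kind is None:
            continue
        ts = datetime.fromisoformat(m["ts"])
        times = recent[(m["user"], kind)]
        times.append(ts)
        while ts - times[0] > window:   # drop failures older than the window
            times.popleft()
        if len(times) >= threshold:
            alerts.append({
                "user": m["user"], "kind": kind, "count": len(times), "source": m["src"],
                "last_seen": ts.isoformat(),
                # remote users are limited to business hours, so remote failures outside them stand out
                "off_hours": m["src"] == "remote" and ts.hour not in BUSINESS_HOURS,
            })
            times.clear()   # start a fresh window so one burst does not alert repeatedly
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_failures(SAMPLE_LOG):
        print(alert)
```

In the sample, the three spaced-out failures from clee never trip the detector because they are hours apart, while the three privacy-path denials from jdoe within two minutes and the burst of remote failures from bkim late in the evening each produce one alert. Because J.7 keeps the logs on a separate server, a detector like this should read from that copy rather than from the host that generated the events.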
J.9 If our Layered Security Solution invokes a response on each layer and that
response is met with some action then the security approach is working as intended. If
there are threats that make it past the current set of controls then they must be
addressed immediately and an evaluation as to why a control was not put in place
sooner must be determined. Such a new threat may be a user disregarding the AUP
repeatedly or a port being open by an administrator to play WoW during office hours.
Calculated Costs:
Initial Port Scan: $3,000.00
Formal Policy Review (based on 18 policies): $21,150.00
PII/PHI Data Scan and Recovery Strategy: $35,000.00
Analyze Physical Security and make recommendations: $3,950.00
Initial Network Audit: $3,200.00
Assess each domain for vulnerabilities: $5,600.00
Testing of Mitigation Efforts, Develop a Sandbox: $9,000.00
Test each mitigation effort (based on 20 mitigation efforts): $16,000.00
Development of a Hot Site, plus furniture for 500 employees: $12,000.00 + $50,000.00
Order and install Routers, Switches, Servers and Supporting Hardware: $70,000.00 + $34,000.00
14,000 sq. ft. office space lease agreement (annually): $182,000.00
Review GPO and make suggested repairs: $6,000.00
Develop Automated Procedures for everyday administrative tasks: $10,000.00
Employee Security Training review and redevelopment: $22,100.00
Review source code, report and recommend bug fixes and vulnerabilities (depends upon the number of files and length of code to be reviewed): ~$10,000.00
Total: $493,000.00

1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
hyacinthshackley2629
 

Similaire à Final Project (20)

2016 01-05 csr css non-confidential slide deck
2016 01-05 csr  css non-confidential slide deck2016 01-05 csr  css non-confidential slide deck
2016 01-05 csr css non-confidential slide deck
 
Comprehensive Data Leak Prevention
Comprehensive Data Leak PreventionComprehensive Data Leak Prevention
Comprehensive Data Leak Prevention
 
IS4799 Final Project (1)
IS4799 Final Project (1)IS4799 Final Project (1)
IS4799 Final Project (1)
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Cyber or Cleared Job Fair Job Seeker Handbook Feb 13, 2020 San Antonio
Cyber or Cleared Job Fair Job Seeker Handbook Feb 13, 2020 San AntonioCyber or Cleared Job Fair Job Seeker Handbook Feb 13, 2020 San Antonio
Cyber or Cleared Job Fair Job Seeker Handbook Feb 13, 2020 San Antonio
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
 
Cleared Job Fair Job Seeker Handbook May 24, 2018, BWI, MD
Cleared Job Fair Job Seeker Handbook May 24, 2018, BWI, MDCleared Job Fair Job Seeker Handbook May 24, 2018, BWI, MD
Cleared Job Fair Job Seeker Handbook May 24, 2018, BWI, MD
 
PCMJcapstone
PCMJcapstonePCMJcapstone
PCMJcapstone
 
Viscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) PresentationViscount Systems (OTCQB:VSYS) Presentation
Viscount Systems (OTCQB:VSYS) Presentation
 
LoanResolve Brief Presentation
LoanResolve Brief PresentationLoanResolve Brief Presentation
LoanResolve Brief Presentation
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance Audit
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudProxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Asif_QA Lead & Analyst_VirtusaPolaris
Asif_QA Lead & Analyst_VirtusaPolarisAsif_QA Lead & Analyst_VirtusaPolaris
Asif_QA Lead & Analyst_VirtusaPolaris
 
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
 
Cleared Job Fair Job Seeker Handbook March 7, BWI, MD
Cleared Job Fair Job Seeker Handbook March 7, BWI, MDCleared Job Fair Job Seeker Handbook March 7, BWI, MD
Cleared Job Fair Job Seeker Handbook March 7, BWI, MD
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
 
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
Tech Talk: Isn’t One Authentication Mechanism z Systems Enough?
 

Final Project

Final Project Proposal Page 2

Section A: Section “A” addresses the mandatory requirements of the proposer.

The certifications that are held by the employees of PCMJ include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Security Essentials Specialist (GSEC) and GIAC Certified Project Manager (GCPM). We are in good standing with our financial institution, have a positive business relationship with Dell (our hardware vendor) and Microsoft (our software vendor), and have a positive rating with all associated credit agencies. We currently hold liability insurance in the amount of $1,500,000, which exceeds the minimum amount required by the State. Within our organization we do not have any employees that are currently employed by the State in any way, nor are there any contracts currently being worked on for any State Government agencies. We have conducted vulnerability assessments for other large entities including Procter & Gamble and Hewlett-Packard. All documentation, certifications, and other forms of proof are available upon request by the State.

Section B: Section “B” gives further details of the proposer’s current and historical employee status.

PCMJ is a business partnership between four friends that have spent the previous years working together on various projects. Our main office is located in Indiana and our mailing address is as follows:

PCMJ
1234 Main St.
Indianapolis, IN 46202
Final Project Proposal Page 3

The main point of contact for all questions or concerns is Pamela Gist. Our company has not been involved in any sales, mergers, or acquisitions in the past ten years, and there aren’t any current plans for any of these possibilities. The background checks on all our employees will show that they are all free from any felony convictions, guilty pleas, or no contest pleas. There are no current litigation hearings involving our business and there haven’t been any in the past. We are not currently, and have never, filed for bankruptcy or any other means of financial rescue. We have never been the target of any Securities and Exchange Commission investigation in the past, and are not currently involved in one now.

PCMJ was founded in 2002 and has been successful for 10 years. As of 2012, our staff is comprised of 22 full-time employees. Currently our staff exceeds the RFP minimum requirement of employing a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Security Essentials Specialist (GSEC) and GIAC Certified Project Manager (GCPM). The team that will work with the State consists of the following members and their title within the company:

• Pamela R. Gist, Project Manager
• Chris Warren, IT Manager
• Mychal Dudley, Client Representative Manager
• John Buchheim, Security Manager
• Amy Potential, Human Resources Manager
• Joshua Great, Compliance Manager
• Theodore Ralls, Legal Representative
• Paul Johnston, Security Fulfillment Manager
Final Project Proposal Page 4

If we require the assistance of any subcontractors, the State will be approached for approval and will be given documentation on each person including contact information, their title, and a description of what work they will be performing. We as a company are dedicated to operating without prejudice towards race, sex, or any other possible discriminatory factors. Our employees include men and women of different ages, races, and religious beliefs.

As mentioned previously, we have had contracts with Procter & Gamble and Hewlett-Packard. In addition to these two we have worked successfully with the ITT Corporation, Duke Energy, Bank of America, and Citibank. The references from all of these companies are on file and will be made available upon request. We have never been under contract to any agency or office of the State in our ten years of existence.

Section C: Section “C” details the proposer’s understanding of the RFP. The remainder of this proposal will be broken down by section and number for better clarity.

C.1 The State will require PCMJ to have an office in the state of Ohio with the mandated licenses and insurance.

C.2 For any area of expertise in which the company has a deficiency, PCMJ shall, with the approval of the State, hire a third-party vendor to accomplish that task.

C.3 Any third-party vendor relied on shall meet the same personnel requirements as PCMJ, in that all personnel shall pass a State-approved background check.
Final Project Proposal Page 5

C.4 Vulnerability assessments shall be done in each of the 7 typical information system domains. Each domain will be evaluated for operating system, software and malware signature updates where applicable. Hardware including routers, IDS/IPS, firewalls and managed switches will have their configurations reviewed.

C.5 Any vulnerability discovered through the assessment process will be prioritized and a mitigation effort proposed. Documentation of any vulnerability or incident that has been realized will be used to develop a standard procedure where one does not exist, and will be delivered to the appropriate department manager for proper storage.

C.6 PCMJ is able to assess all current operating systems, databases, IDS/IPS settings, router, firewall, and switch settings, as well as Access Control Lists.

C.7 The review of source code assembled by State contractors and personnel shall be accomplished through a third-party vendor that we will contract on behalf of the State in order to fulfill this Security Evaluation. The code review shall look specifically for vulnerabilities such as format string mistakes, buffer overflows, memory leaks, input validation/sanitization mistakes, weak passwords, administrative back doors, unnecessary open ports, etc.

C.8 The approved outside vendor will report all findings in a document marked “Source Code Evaluation” to the Software Development Team, Project Manager, the IRT team and the Policy Review team headed by PCMJ so that mitigation efforts and bug fixes can be developed and implemented.
Final Project Proposal Page 6

C.9 The contractor we provide to perform the code review will have expert knowledge in any language the State requires, including COBOL, Java, Perl, and the more modern languages.

C.10 Anonymous example from the Scope of Services: “A port scan on the server located at 192.160.128.10 found an open port listening on port 3689. This port is used for iTunes communication and should not be in service unless specifically designed into proprietary software developed by the State.”

C.11 All background checks will be performed to the State minimum requirements, with special attention on previous employment activities.

Section D: Section D discusses our approach to developing a Security Policy Framework gap analysis.

D.1 Our approach is to protect the accounting department’s financial files and data on the network using a layered security approach to harden it against any unauthorized access attempts.

D.2 We will ensure that all personally identifiable information (PII) is fully encrypted, that all remote access to the network containing PII travels over a VPN, and that unique user IDs and passwords are put in place.

D.3 To comply with PCI DSS, all customer information will be encrypted using 3DES and will travel over a secure transfer protocol when in transit.
Final Project Proposal Page 7

D.4 We will ensure that PII and PHI information is on a separate server behind layered defenses using both firewalls and routers.

D.5 All current group policies will be updated on a ‘Principle of Least Privilege’ basis so that only those persons who need it can access objects pertaining to customer and/or financial information. The files that are subject to ‘need to know’ access will have special passwords as well as a biometric touchpad.

D.6 Banners will be in place on all workstations informing all users that they will not have access to the public Internet while on the State’s network, and that we have the right to, and will, monitor their logon sessions and review all sites that are visited and all attempted file access. The use of stateful inspection on packet headers and content will continuously monitor the traffic into and out of the local area network.

D.7 We will further develop a policy for both internal and remote user access. This policy is currently under development and we can help to ensure that it is created to provide the necessary security as well as ease of access for those that require it. These policies will target the mission-critical areas (network, staff and data) first before moving to the remote site.

D.8 Gaps in the VPN remote user’s policy include a scan of the remote equipment to ensure that the OS and firewall/malware software is up to date. An evaluation of the current patches and scan results must also be verified. The VPN software being used now is sufficient to maintain confidentiality.

D.9 A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) go hand in hand many times, so much so that there are often familiar faces on both teams. A
Final Project Proposal Page 8

BCP team must prioritize those critical business elements that relate to the business’s core function and be implemented when those functions are threatened or violated. A disaster may or may not be declared at this point. If it were to be declared, the Disaster Recovery Plan (DRP) would be activated and that team would determine how much of its vastly more extensive plans would be necessary to put into place.

D.10 Currently the access and privilege control policy is also under development. We will ensure that all users are part of the correct group to allow access with proper privileges. All employees, regardless of position or title, will read and sign an ‘acceptable use policy’ that states what actions are unacceptable before being assigned a workstation.

Section E: Section E relates to how we will review and assess current PHI and PII data handling policies.

E.1 We will be using the best practices described in the National Institute of Standards and Technology (NIST) Special Publication 800-122, titled Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), to determine compliance.

E.2 HIPAA 5010 compliance laws in Ohio are on file and are generally covered by the NIST 800-122 publication and the principle of least privilege.

E.3 The best practices described in the NIST 800 series guide us on what to look for when evaluating your IT security policies. We will examine your current layered approach inside and out and make any necessary recommendations.
Final Project Proposal Page 9

E.4 The current Active Directory structure of group policies reveals how well the principle of least privilege is implemented. We also have to look into the server structure to be sure that strong passwords, proper encryption standards and a narrow set of administrative rights exist.

E.5 To identify any possible gaps in the control coverage protecting privacy data, we will first review your employee security training to make sure there is a section regarding illegitimate access to privacy data. We will also review log files to see if there is any indication of repeated failed attempts to access privacy data.

E.6 We will change local policy to allow read-only access for those departments that need only to view files, and allow medical departments both read and write privileges, while at the same time implementing the principle of least privilege on all file structures.

E.7 Privacy data is found in more areas than most companies think. It can be found among email, internal notes, personal documents; the list goes on. This data can be client data or employee data. Once it is on a system, it becomes the property of the State. We will suggest making a policy change in regards to the security training that each employee takes, based on the findings of our initial hunt for PII on your network. If a corporate culture of saving potentially sensitive data is detected, it can be addressed in the updated security training.

E.8 Any new policy developed in response to a deficiency will be distributed to each employee for review. Each employee must then sign a document stating they have read and will abide by the new policy.
Final Project Proposal Page 10

Section F: Section F reviews how PCMJ will review each of the domains needed to fulfill the scope of this RFP.

F.1 With the critical business tasks identified, we will devise a matrix that includes the resources needed to accomplish and maintain those tasks. Those resources can then be evaluated for threat vectors and vulnerabilities.

F.2 The established policies and controls can now be reviewed to assure that all threat vectors and vulnerabilities are taken into consideration. Documentation of changes and additions to the policies will be noted in an appendix.

F.3 There are many known risks and threats to every network infrastructure. They typically start from the outward-facing points of access like a company website and remote access. With this in mind, we pay attention to buffer overflows, memory leaks, and man-in-the-middle attacks. Trusted vendors such as Symantec and McAfee make available a newsletter and website devoted to current threat trends. We monitor these and others, such as the software vendors themselves, to keep abreast of current risks, threats and vulnerabilities.

F.4 IT infrastructure components have a finite lifespan. Within this lifespan configurations and software must be kept up to date. There comes a time when a component must be replaced, not because it has failed, but because its lifespan has reached a predictable failure rate or the technology has changed enough that new hardware must be implemented to keep up with this new technology and/or remain in compliance with State or Federal rules.
Final Project Proposal Page 11

F.5 Once the critical hardware has been identified in any IT infrastructure, the operating systems and configuration software can be scanned and analyzed for known bugs using software such as Nessus.

F.6 Each risk, as it becomes known, is put into a matrix that will determine the criticality of the service affected, the likelihood that the risk will be exploited, the cost per exploitation and the cost to implement a mitigation effort. Using this chart we can prioritize a mitigation strategy.

F.7 These are then formed into a list by criticality based on a qualitative analysis of the previous chart.

F.8 The Executive Summary for Section F will state each of the security risks as we have determined them, in order of severity. Included will be a mitigation effort list for each risk and a cost breakdown for those efforts. A schedule can then be developed to implement each approved mitigation effort.

Section G: Section G is a qualitative analysis of the requirements needed to fulfill the scope of this RFP.

G.1 The critical functions needed to carry out the State’s mission statement are used to develop the top priorities in a risk assessment.

G.2 In the qualitative risk assessment of the IT infrastructure, all configuration files will be reviewed as well as the age of the equipment.
Final Project Proposal Page 12

G.3 Any equipment that has reached the manufacturer’s end-of-life status will be recommended for replacement as soon as possible. Equipment that has reached its predicted life cycle expectancy will be replaced based on its security function and how much redundancy is built into the current security structure.

G.4 The core of our security structure is the system/application domain. This is where the servers reside and is at the center of our layered security approach. Although the impact of a breach here is high, the risk is smaller as we look deeper into the “onion”. The risk of a breach on a workstation is considered high but the impact lower, as long as the breach is discovered quickly.

G.5 Severity is measured not only in downtime, but also in potential fines and loss of customer confidence. We prioritize risk by the amount of money it will cost the company or organization to recover from a breach.

G.6 Every proposed response to a potential risk is based on the likelihood it will be realized, the cost per incident, and the annual rate of incidents. If a risk is inexpensive to mitigate and has a high cost per incident, this becomes our high-priority risk mitigation task. If it has a low cost per incident, does not affect customer confidence and has a low annual rate of incidents, it may never have a mitigation process implemented.

G.7 When possible, more than one mitigation response will be developed for each qualitative risk identified.

G.8 From highest to lowest priority, each qualitative risk will be explained briefly and a mitigation response (or responses) will be associated with it. Each mitigation response will have a clear cost attached.
Final Project Proposal Page 13

Section H: Section H is a qualitative analysis of the risk responses developed in accordance with the RFP.

H.1 The qualitative risk assessment report will have identified those risks that are most likely to be realized, the rate of occurrence and the costs associated with each occurrence. Using this information and the input from the State, we will devise a mitigation effort calendar.

H.2 Our risk response report will be outlined in a Gantt chart associating prioritization and the resources needed to achieve our mitigation efforts.

H.3 Any risk that is determined to be “High” whose cost is also determined to be “High” is deemed Critical and must be addressed ASAP. Any risk that has a high rate of occurrence and a moderate cost is also one that needs to be addressed ASAP. Any risk that affects a critical business function will also warrant a response.

H.4 The best response to any item on the prioritized risk response report must have its Return on Investment (ROI) considered. We must consider future functionality when choosing a solution.

H.5 A response that affects multiple domains creates a multilayered effect in the overall security of a network infrastructure. This is what we look for in a proposed risk mitigation approach.
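The prioritization rules stated in F.6, G.6 and H.3 can be carried through as a worked example. The code below is added here and is not part of PCMJ's proposal; its thresholds, sample risks and dollar values are constructed assumptions, and ROI (H.4) is used only to order risks within a bucket.

```python
"""Risk prioritization worked example.

Applies the ordering rules the proposal states in F.6, G.6 and H.3 to a
constructed list of risks. Thresholds, sample risks and dollar figures are
assumptions made for this illustration, not figures from the proposal.
"""
from dataclasses import dataclass

# Assumed thresholds separating "High", "Moderate" and "Low" (constructed).
HIGH_COST = 50_000.0        # cost per incident at or above this is "High"
MODERATE_COST = 10_000.0    # cost per incident at or above this is "Moderate"
HIGH_RATE = 1.0             # at least one expected incident per year is "High"
LOW_RATE = 0.1              # at most one incident per ten years is "Low"
CHEAP_MITIGATION = 5_000.0  # one-time control cost considered inexpensive

# Buckets from highest to lowest priority (G.8 ordering).
BUCKET_ORDER = ["Critical (ASAP)", "High (ASAP)", "Warrants response",
                "Scheduled", "Accept (no mitigation planned)"]


@dataclass
class Risk:
    name: str
    cost_per_incident: float        # dollars lost per realized incident
    annual_rate: float              # expected incidents per year
    mitigation_cost: float          # one-time cost to implement the control
    affects_critical_function: bool = False
    hurts_customer_confidence: bool = False

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: G.6's cost per incident times annual rate."""
        return self.cost_per_incident * self.annual_rate


def classify(r: Risk) -> str:
    """Map one risk to a priority bucket using the H.3 and G.6 rules."""
    high_cost = r.cost_per_incident >= HIGH_COST
    moderate_cost = MODERATE_COST <= r.cost_per_incident < HIGH_COST
    high_rate = r.annual_rate >= HIGH_RATE
    # H.3: "High" likelihood with "High" cost is Critical.
    if high_rate and high_cost:
        return BUCKET_ORDER[0]
    # H.3: high rate with moderate cost; G.6: cheap to mitigate with high cost per incident.
    if (high_rate and moderate_cost) or (high_cost and r.mitigation_cost <= CHEAP_MITIGATION):
        return BUCKET_ORDER[1]
    # H.3: anything touching a critical business function still warrants a response.
    if r.affects_critical_function:
        return BUCKET_ORDER[2]
    # G.6: low cost, no customer-confidence impact and low annual rate may never be mitigated.
    if (r.cost_per_incident < MODERATE_COST and not r.hurts_customer_confidence
            and r.annual_rate <= LOW_RATE):
        return BUCKET_ORDER[4]
    return BUCKET_ORDER[3]


def roi(r: Risk) -> float:
    """H.4: annual loss avoided per dollar of one-time mitigation spend."""
    return r.ale / r.mitigation_cost


def prioritize(risks):
    """G.8: highest to lowest priority; within a bucket, better ROI first."""
    return sorted(risks, key=lambda r: (BUCKET_ORDER.index(classify(r)), -roi(r)))


# Constructed sample risks (not from the State's environment).
SAMPLE_RISKS = [
    Risk("Unpatched web server (remote access domain)", 80_000, 2.0, 4_000,
         affects_critical_function=True, hurts_customer_confidence=True),
    Risk("PII on unencrypted laptop", 120_000, 0.5, 3_000, hurts_customer_confidence=True),
    Risk("Stale AD group membership", 20_000, 1.5, 6_000),
    Risk("Printer firmware outdated", 2_000, 0.05, 1_500),
    Risk("Backup tape rotation gaps", 15_000, 0.3, 8_000, affects_critical_function=True),
]


def prioritized_report(risks=SAMPLE_RISKS):
    """Return [(name, bucket, ale)] in the order the report should list them."""
    return [(r.name, classify(r), r.ale) for r in prioritize(risks)]


if __name__ == "__main__":
    for name, bucket, ale in prioritized_report():
        print(f"{bucket:30} ALE ${ale:>10,.0f}  {name}")
```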
Final Project Proposal Page 14

H.6 Implementing these solutions should happen in a protected environment first so we can foresee any potential complications. Once any needed corrections are discovered and tested, we can implement our mitigation responses.

H.7 A formal risk response report will be compiled once the needed actions are taken and implemented. This report will include final mitigation actions and resources, including the costs involved.

Section I: Section I deals with how the Business Impact Analysis, Business Continuity Plan and Disaster Recovery Plan are designed to keep us going.

I.1 Ensuring operational continuity is a pivotal point of emphasis when looking at any organization. Our approach revolves around the creation and implementation of policies that will ensure that if and when there is an emergency, there are solid plans in place to ensure continuity.

I.2 The first phase is to identify the applications and functions that are critical to keep your organization running. We will identify the applications that support the key daily operations, the hardware within the infrastructure that supports those applications and houses key data, and also the personnel that are needed to continue operating.

I.3 The Business Impact Analysis (BIA) identifies critical functions and weighs the production costs involved as each function goes down.

I.4 The more costly functions that the BIA identifies are elevated to a more critical status. When a failure occurs we use this information to prioritize the functions we restore first.
Final Project Proposal Page 15

I.5 Once all the critical resources are identified, we will develop a business continuity plan (BCP). The BCP is important because it provides the instructions on how to recover from any type of emergency, ranging from power outages to natural disasters. It will contain steps for both long- and short-term emergencies and will include the possibility of relocation if needed.

I.6 The cost of developing a BCP is related more to the staff and conference calls involved in agreeing on recommendations. IT will have one set of priorities, HR will have another, and so on. The price is really in what it takes to incorporate all that is agreed upon. For instance, in this proposal, the required office space needed for a hot site is 14,000 sq. feet, and that does not include furniture and computers.

I.7 The next step in the continuity plan is to develop a disaster recovery plan (DRP). The DRP is your plan that contains the actual instructions for the recovery process. The BCP and critical resource list are the basis for the DRP. It will identify the teams that determine the type of disaster, give the go-ahead to launch the DRP, and perform the recovery itself. This is a step-by-step blueprint that contains the tasks, assignments and required times to completely recover from various emergencies.

I.8 Once a disaster has been declared, the DRP team will evaluate the extent of the damage and recommend what to do next. In the event of a full-blown disaster, the DRP makes accommodations to activate the hot site (minimal), move and temporarily house the necessary teams at the hot site, and begin the BRP phase.

I.9 Creating the BCP and DRP is only part of the complete process. Having a plan is good, but knowing that the plan actually works is what we are looking for. We will coordinate with the State to test the recovery plans and their functionality once they
Final Project Proposal Page 16

have approved. We will have documentation of the different teams, the individuals on each team, the responsibilities of the teams, and the contact information as well. We will test the secondary site to ensure that it is operational and that the data flows to the datacenter as it is supposed to. There will be test runs so that all employees have some familiarity with the plans and the first time they see them isn’t in the event of an emergency.

Section J: Section J covers the threat vectors for critical resources and data and the security used to protect them.

J.1 To prevent loss of accounting data and customer information, PCMJ has come up with a layered security solution that, once in place, will harden the current security by implementing stronger passwords for all users, limiting access to only those groups with a need to know, implementing another layer of firewall software for both the network and the workstations, and completely shutting down all unused ports to the network.

J.2 Any resource that is determined to house PII, PHI, database information or human resource data will be determined to be of a high enough priority to require specific protection from attack or failure.

J.3 Access to these resources will be regulated on a “Principle of Least Privilege” basis using the GPO function of Active Directory (AD). Furthermore, once identified, this data will reside on fully encrypted drives and travel over secure channels.
Final Project Proposal Page 17

J.4 Monitoring will include checking the sign-on logs and what sites those users are trying to access, deploying Wireshark to sniff for unwanted traffic, and deploying both IDS and IPS on the network.

J.5 Since the user domain would more than likely be the weakest point, we will have in place banners explaining the denial of any access to the public Internet; workstations will have anti-malware, a pop-up blocker, and software firewalls on them; both the LAN and the LAN-to-WAN domain will sit behind proxy servers in the DMZ; firewalls and another router will be added on the WAN domain; two layers of additional firewalls will sit on the system/application domain; and access for remote users will be limited to business hours only.

J.6 All sensitive data will be housed on fully encrypted drives in servers that house only critical data. All sensitive resources will be housed in climate-controlled locked cabinets within a locked, climate-controlled server room.

J.7 The effectiveness of these controls is monitored in log files that are kept on a separate server so that any record of actions that have taken place cannot be easily altered. Using a baseline of problems that have occurred, we can then determine if the control actions have been effective.

J.8 Two levels of passwords and sign-on measures will be in place so that, if they are not met, the system locks the user out completely. Monthly vulnerability tests using white-hat techniques will test the strength of the layered security placed on the seven domains. Audit logs will be created to monitor the logon attempts both within the department and from the remote users onto the network, and IDS and IPS will be developed to ensure that the layered security in place is meeting the requirements of the State.
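The log reviews described in E.5 (repeated failed attempts on privacy data), J.5 (remote access limited to business hours) and J.8 (audit logs of internal and remote logon attempts) can be expressed as detection logic over audit log lines. The script below is an added example, not PCMJ's tooling; its one-line log format, thresholds, business hours and sample log lines are constructed assumptions.

```python
"""Audit-log review for privacy data access.

Implements the three checks the proposal describes: E.5 (repeated failed
attempts to access privacy data), J.5 (remote access limited to business
hours) and J.8 (audit logs of logon attempts by internal and remote users).
The log format, thresholds and sample lines are constructed assumptions:
one event per line,
    <ISO timestamp> <user> <LAN|VPN> <action> <resource> <OK|DENIED>
where privacy-tagged resources carry a [PII] or [PHI] suffix (J.2).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVACY_TAGS = ("PII", "PHI")
FAILED_THRESHOLD = 3              # denials per user within WINDOW that trigger a finding
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (8, 18)          # 08:00 to 18:00 local time (assumed)

# Constructed sample log; users and paths are fictitious.
SAMPLE_LOG = """\
2012-02-20T09:01:05 jdoe LAN READ /finance/payroll[PII] OK
2012-02-20T09:02:10 mroe LAN READ /hr/benefits[PHI] DENIED
2012-02-20T09:03:11 mroe LAN READ /hr/benefits[PHI] DENIED
2012-02-20T09:04:12 mroe LAN READ /hr/benefits[PHI] DENIED
2012-02-20T09:30:00 mroe LAN READ /public/forms OK
2012-02-20T10:00:00 asmith VPN LOGON - DENIED
2012-02-20T10:00:20 asmith VPN LOGON - DENIED
2012-02-20T10:45:00 asmith VPN LOGON - DENIED
2012-02-20T11:00:00 bkim VPN LOGON - DENIED
2012-02-20T11:00:30 bkim VPN LOGON - DENIED
2012-02-20T11:01:00 bkim VPN LOGON - DENIED
2012-02-20T21:15:00 tralls VPN LOGON - OK
2012-02-20T21:16:30 tralls VPN READ /finance/ledger[PII] OK
"""


def parse(line):
    """Split one constructed log line into a dict; timestamps become datetimes."""
    ts, user, source, action, resource, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "source": source,
            "action": action, "resource": resource, "result": result}


def is_privacy_resource(resource):
    """True for resources tagged [PII] or [PHI]."""
    return any(f"[{tag}]" in resource for tag in PRIVACY_TAGS)


def _count_in_window(recent, key, ts):
    """Append ts to the per-key queue, drop entries older than WINDOW, return the count."""
    q = recent[key]
    q.append(ts)
    while ts - q[0] > WINDOW:
        q.popleft()
    return len(q)


def review(log_text):
    """Return findings as (rule, user, detail) tuples in log order, one per user/key."""
    findings, recent, alerted = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        ev = parse(line)
        denied = ev["result"] == "DENIED"

        # E.5: repeated denied access to a privacy-tagged resource by one user.
        if denied and is_privacy_resource(ev["resource"]):
            key = ("E.5", ev["user"], ev["resource"])
            n = _count_in_window(recent, key, ev["ts"])
            if n >= FAILED_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(("E.5 repeated failed privacy access", ev["user"],
                                 f"{n} denials on {ev['resource']} within {WINDOW}"))

        # J.8: repeated failed logons, internal or remote, within the window.
        # Failures spread wider than WINDOW (asmith in the sample) do not fire.
        if denied and ev["action"] == "LOGON":
            key = ("J.8", ev["user"], ev["source"])
            n = _count_in_window(recent, key, ev["ts"])
            if n >= FAILED_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(("J.8 repeated failed logon", ev["user"],
                                 f"{n} {ev['source']} logon failures within {WINDOW}"))

        # J.5: successful remote logon outside business hours.
        if ev["source"] == "VPN" and ev["action"] == "LOGON" and not denied:
            if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
                findings.append(("J.5 remote logon outside business hours",
                                 ev["user"], ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:40} {user:8} {detail}")
```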
Final Project Proposal Page 18

J.9 If our layered security solution invokes a response on each layer and that response is met with some action, then the security approach is working as intended. If there are threats that make it past the current set of controls, then they must be addressed immediately and an evaluation as to why a control was not put in place sooner must be made. Such a new threat may be a user disregarding the AUP repeatedly or a port being opened by an administrator to play WoW during office hours.

Calculated Costs:

Initial Port Scan: $3,000.00
Formal Policy Review (based on 18 policies): $21,150.00
PII/PHI Data Scan and Recovery Strategy: $35,000.00
Analyze Physical Security and make recommendations: $3,950.00
Initial Network Audit: $3,200.00
Assess each domain for vulnerabilities: $5,600.00
Testing of Mitigation Efforts, Develop a Sandbox: $9,000.00
Test each mitigation effort (based on 20 mitigation efforts): $16,000.00
Development of a Hot Site, plus Furniture for 500 employees: $12,000.00 + $50,000.00
Order and install Routers, Switches, Servers and Supporting Hardware: $70,000.00 + $34,000.00
14,000 sq. ft. office space lease agreement (annually): $182,000.00
Review GPO and make suggested repairs: $6,000.00
Develop Automated Procedures for everyday administrative tasks: $10,000.00
Employee Security Training review and redevelopment: $22,100.00
Review source code, report and recommend bug fixes and vulnerabilities (depends upon the number of files and length of code to be reviewed): ~$10,000.00
Total: $493,000.00