Final Project Security Awareness

Terri Y. Hudson

Southern New Hampshire University – IT 552

December 20, 2016

Agency-wide security awareness Program Proposal

Introduction

For the organization to comply with the current PCT DSS requirement version 12,6, a security awareness program must be in place. The CISCO of the organization has an immediate requirement of creating an agency-wide security awareness program. As a means of implementing security awareness program the organization has conducted a security gap analysis which is one of the component of security awareness program which showed the 10 security findings. As one of the means of conducting the program, I will submit awareness program proposal.

Objective

This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested for the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set a security awareness program which shows ten major key security findings. The document will also include a risk assessment of the current security awareness practices, processes and practices. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in maintaining and establishing an information-security awareness program (United States, 2000).

Background

The mission of the organization is to provide efficient IT services with the best security program in place with an aim of protecting organizations assets.

1. Technical infrastructure

The organization is engaged in short-term effort aiming at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements, installation of firewalls and high end network systems for an improved communication. The senior information officer is the one who is responsible top oversee modernization effort. He has of late completed conducting a security awareness program and deployment of the organization’s LAN (Local area Network). The hardware being used is of CISCO products.

2. Computing Environment

The organization’s desktop computers are of Windows 2007/ 98 and 95. The servers are of Pentium with over 1 GB RAM. The current NOS (Network operating system) are window based.

3. Security Posture of the Organization

The organization has a basic network structure with only one router which acts as a firewall. It has several working stations and switches to this working stations. In addition the organization has installed Kasperky’s antivirus in of their desktop machines with a motive of reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The organization physical security in server rooms has rocks, network closets and the network cabinet is rocked always. The organization has a worry on its current security plan this is because of hackers, spammers and cybercrimes. Also the security plan of the organization has not proved to have the best controls after the current security gap analysis that was conducted.

Security Gaps Findings

From the findings one of the largest organization’s risks is not the weakness in the IT infrastructure but the action and reaction of the employees. This has happen through disclosure of sensitive information by the workers and social engineering attacks. After the gap analysis report, the organization found that confidential customer data and the some of the IT assets were at risk. From the gap analysis findings it is evident that loss of customer confidential information was very high. The risks in Information technology assets were classified as moderate. The top ten security findings were internet; this has become one of the greatest avenues for hackers. Others are data breaches, ransom ware, browser plug-ins, virus, worms, spyware, key loggers, rogue security software and pharming. Lastly some of the organization factors are contributing to unhealthy of IT assets. Example a poor plan by the organization CEO of the best IT personnel, identification of the critical assets of the organization, wrong mapping of the existing cyber security capabilities across the organization so as to identify organizational risks, poor assessment of the organization’s security maturity level and poor identification of the potential cyber security threats (Roper, 2006).

The best practices in the organizational security program

Assemble all the security awareness team. The team will be mandated in ensuring development, maintenance and delivery of the security awareness. The recommendation is for the team to be well-staffed. In addition to this all the employee dough to be trained on the ten securities gas findings. The security awareness program ought to have reference materials such as ISO 27002:2013 which outlines the code practices of the information security control, the NIST (National Institute of Standards and Technology) and COBIT 5 (Desman, 2002).

Tasks

Some of the roles to be performed include performing a general description of the security posture of the organization and a risk analysis, drafting security deliverable of the organization and outlining responsibilities of each and every member in the organization in ensuring the security of organizational assets.

Personnel

It is highly recommended that security training includes how social engineering happens and what are the consequences to the organization IT assets. One of the ways hackers are using social engineering is to acquire user’s credentials. The program should tailor this awareness to reflect the types of attacks that the organization is encountering and what the organization can encounter in long-run. As one of the findings from the security gap is confidentiality of customers’ data, it is highly recommended that different ways of how to safeguard customers’ information to be covered at the basic level for all the personnel. Example is protecting data in electronic and non-electronic form. Others that need to be included in the awareness program is organization’s security awareness policy, the impact of unauthorized access and the awareness of the CHD security requirements (Gardner, 2014).

Conclusion

This SOW document has highlighted the objective of SOW. The document has addressed four critical elements which must be addressed in the security program, these are; the security posture of the organization and the major findings from the security gap analysis, the human factors which undermine the security of the organization IT assets and organization factors that contribute to unhealthy of the organization. Lastly I have included what need to be done in the security awareness program.

Introduction

Information security involves keeping corporate records secured. Policies are used to address the necessities to protect data from unauthorized access, disclosure, loss, interferences and corruption and are appropriate to information in both physical and electronic formats. A security policy refers to a well-documented strategy with the purpose of protecting and maintaining accessibility to a person network and its resources. Enough security in an organization is the responsibility of the management. At this era that there is high risk of data threat, almost all organizations have taken the initiative to implement security policies in their companies. This paper will address the ten available security policies, and their importance, which are: access control policies, addressing remote access, encryption and hashing, auditing network accounts, configuration change management, segregation of duties, mandatory vacation, information breaches, media protection, and social engineering (Bowden, February 18, 2003).

1. Access control policies

Access control is concentrates in determining the authorized activities of rightful users, mediating each trial by a user to get entry to a resource in the system. In several systems, total access is given upon a successful verification of the user, although many systems need more complicated and compound control. Additionally, to the verification method like a password, access control concentrates with how verifications are designed. In several scenarios, authorization might reflect the organization’s structure, while in others it might rely on the sensitivity degree of a range of documents and the clearance degree of the user contacting those documents.

Organizations thinking of access control system implementation should look at three abstractions which are: access control policy, mechanisms and models. Access control policies mean high-level requirements that state how access is managed and the person who has the authority to access information and also under what circumstances. For example, policies might be appropriate to resource utilization in or over units of an organization or might be based on need-to-know, authority, competence, conflict-of-interest, or obligation factors. In a high level, access control policies are implemented over a mechanism that translate request of a user, regularly in terms of design that a system offers (NIST, May 6, 2015).

2. Addressing remote access

The importance of this policy is to describe rules and requirements for connecting to a company’s network from any host. The reason these rules and requirements are designed is to increase the likelihood exposure to the company from damages which may be brought from unlawful use of the resources of the company. Damages consist of loss of sensitive or confidential data of the company, intellectual property, damage to critical internal systems of the company, damage to public image, and fines or other financial liabilities acquired from those losses.

Remote access policy applies to company’s staffs, contractors, vendors and agents company owned or personally-owned workstation or computer used to link to the network of the company. It applies to remote access links used to carry out tasks on behalf of the company, including sending or reading email and screening intranet web resources. Remote access policy covers each and all technical executions of remote access used to connect company’s networks. It is the duty of company staffs, contractors, vendors and agents with remote access rights to corporate network of a company to make sure that their remote access link is offered equal consideration as the user’s on-site link to the company (SANS Institute, 2014).

3. Encryption and hashing (to control data flow)

The main goal of encryption is to change data so as to keep it secret from others in order to control data flow. For example, sending somebody a secret letter, which only them that can be in a position to read or securely sending password in the internet. Instead of concentrating on usability, the objective is to make sure the data cannot be consumed by somebody else apart from the intended recipient. Encryption changes data into a different format in a way that only particular person can undo the transformation. It applies a key, which is kept secret, in combination with the plaintext and the algorithm, so as to carry out the encryption activity. Ciphertext, key, and algorithm are needed to undo to the plaintext.

Hashing acts the role of guaranteeing integrity that is, making it so that if something is transformed one will be able to know it. To be precise, hashing consumes arbitrary input and give a fixed-length string. It is implemented in combination with verification to give strong proof that a particular message has not been changed. This is achieved through taking a specific input, hashing it, and later signing the hash with the private key of the sender. Upon receiving the message, the recipient can confirm the signature of the hash with the public key of the sender, and later the hash the message itself and contrast it to the hash which the sender signed. If they are similar it is unchanged message, sent by the right person (Miessler, 1999-2016).

4. Auditing network accounts

Network auditing is the collective measure carried out to analyze, study, and collect data regarding a network with the aim of guaranteeing its health in line with the requirements of the organization or network. Primarily, network auditing offers insight into how helpful network practices and control are, that is, its fulfillment to internal and external network policies and regulations. When it comes to auditing network works it entails checking what user accounts and groups are on every machine and the shares are accessible and to whom.

Many auditing tools will deal more on the basic user account information that requires to be included in the audit. These main properties and settings are a good place to begin with the audit and will normally consist of the following properties: Workstations, LogonScript, last time password was set, password is needed, password expires, password time expires, account is disabled, and last logon time. From the fact that attacks are available through a user account that got one or several inaccurate and non-secured settings, it brings sense to concentrate on user account properties in time of audit. (Melber, August 4, 2005).

5. Configuration change management (to reduce unintentional threats)

Organizations have minimum visibility into the efficiency of their change management controls over their IT infrastructure. When there is no effective management and monitoring of change controls, the consequences of this can be distressing. At first, minimized availability over key corporate, customer, and financial systems can happen if unauthorized changes or updates of software are performed, even if their nature is non-malicious. These operations can impact main functionality, or a time brings breakdown the whole systems. As systems must later be taken offline to lessen a security problem or just withdraw the unauthorized change, this can result to dramatic revenue loss as capital expenditures are raised to resolve the problems, and clients are not able to access revenue-producing systems (Constellation Software Engineering, 2015).

6. Segregation of duties

Segregation of duties security policy manages conflict of interest, the manifestation of conflict of interest, and fraud. This policy is important since it makes sure that there is separation of various functions and explains authority and accountability over transactions. It is important to efficient internal control; it minimizes the danger of erroneous as well as inappropriate actions. This policy limits the power amount held by a person. It creates a boundary in place to keep away fraud, which might be committed by one person. There will still be occurrence of fraud when there is collusion. For one to be guaranteed that all segregation duties problems have been identified, one will first require to develop an information flow diagram for each function in each part of the organization.

Administrators who are responsible should consider the rule of segregation of duties when planning and describing job roles. They must use processes and control procedures that, to the degree practicable, segregate duties to the employees and that consist of effective oversight of operations and transactions. To the situation when it is not possible to separate these functions, for instance in small number of staffs, more reliance must be positioned on administrative scene (Lowa State University, 1995-2016).

7. Mandatory vacation (to mitigate intentional threats)

Mandatory vacation policy assists to detect when staffs get caught up in malicious action, like embezzlement or fraud. For embezzlement activity of any considerable size to be successful, a staff would require to be constantly available so as to stage-manage records and respond to various inquiries. Alternatively, if a staff is forced to be absent for a minimum of five consecutive workdays, the possibility of any illegal activity flourishing is minimized, because another person will be forced to respond to the queries in time of the staff’s absence.

This policy is not restricted to financial institutions only. Numerous organizations need same policies for administrators. For instance, an administrator might be the only individual needed to carry out sensitive actions like reviewing logs. An administrator who is malicious may overlook or cover up some actions revealed in the logs. But, a mandatory vacation policy would call for somebody else to carry out these activities and raise the likelihood of discovery (Darril, 2015).

8. Personally identifiable information breaches

Personally identifiable information (PII) means any data that could possible identify a particular person. Any information which can be used to differentiate an individual from the other can be applied for de-anonymizing anonymous data can be said as PII. PII can be grouped into two: sensitive and non-sensitive. Sensitive PII refers to that information, when exposed, could cause harm to the person whose privacy has been violated or breached.

Therefore, sensitive PII should be encrypted in transit and when data is at rest. Examples of such kind of information are: biometric information, personally identifiable financial information (PIFI), medical information, as well as unique identifiers like passport or Social Security numbers. Non-sensitive PII is information which can be sent in an unencrypted format without causing any harm to the person. It can also be gathered with ease from public records, corporate directories, and phonebooks (Rouse, January, 2014).

9. Information breaches

The importance of information breach procedure is to offer general guidance to employees who manage IT resources in an organization, to facilitate quick and effective recovery from security events; react in an orderly manner to events and perform all required steps to rightfully take on an event; minimize or prevent interference of critical computing services, as well as reduce theft or loss of sensitive or mission important information. The IT security breach notification also is used to breaches regarding all organization’s Health Insurance Portability and Accountability Act (HIPAA) and all organization’s business associates incorporated under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as their implementing regulations increase the privacy and security features of HIPAA.

10. Media protection and Social engineering

Information security media protection policy creates the enterprise media protection policy, for managing risks rooting from media access, media transport, media storage, as well as media protection by the establishment of an efficient media protection program. The media protection program assists an organization to implement security best practices in relation to enterprise media usage, storage, and clearance.

Social engineering simply means the act of manipulating people so as confidential information is given. The kind of information that criminals look upon may be different, though when peoples are aimed the criminals are normally attempting to trick the individual into giving them their passwords or information about their bank, or access a user’s computer to secretly install malicious software that will offer them access to user’s passwords and bank information and providing them control over one’s personal computer. Security entails identifying the person and what to trust. Knowing when and when not to take an individual at their word, when to rely the person one is talking to is actually the person one thinks he or she is talking with; when to rely on a website; when to trust that person on a phone; when giving information is or is not a good idea (Criddle, n.d.).

Introduction

Continuous monitoring is one of six stages in the Risk Management Framework portrayed in NIST Special Publication 800‐137. The motivation behind a Continuous monitoring project is to figure out whether the entire arrangement of planned, required, and conveyed security controls inside a data framework or acquired by the framework keep on being compelling after some time in light of the inescapable changes that might happen. Nonstop checking is a vital action in surveying the security impacts on a data framework coming about because of arranged and spontaneous changes to firmware, the programming, or environment of operation (Whitman & Mattord, 11 May 2016).

Overall security posture

To see any organizations' security pose, group significant discoveries were classes of digital security that is affected: security knowledge, application, information, business accomplices and outsourcing, and risk insight. These subjects serve as an extraordinary beginning stage for critical talks encompassing an association's security hone, with basic security address including: What is association's greatest security concern and is its security spends and ability legitimately apportioned to address that hazard? There's no specific business needs, business hazard, most important resources, and so on. Security pose that doesn't attach specifically to an organization goal can lead security vanity appeal, however, doesn't offer a genuine assessment of where an association stands (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

Human factors

Human elements that antagonistically influence the security atmosphere specifically, human qualities conduct impacts data security and at last related dangers. searching into employments constraint field investigation comprehends driving and limiting strengths of human issues and consider these powers as objectives and snags of data security. The examination will demonstrate the human variables while endeavoring to comprehend the present Information Security Management System circumstance of an association and its change considering perfect circumstance. It will give measures to interest in elements that satisfy the objectives of ISMS since the association is powerless against both unintentional and intentional security dangers.

Proposal

Setting and keeping up a safe processing environment is progressively more troublesome as systems turn out to be progressively interconnected and information streams perpetually openly. In the business world, the network is no more drawn out discretionary, and the conceivable dangers of availability don't exceed the advantages. Subsequently, it is imperative to empower systems to bolster security benefits that give satisfactory assurance to organizations that lead a business in a moderately open environment (Solms & Solms, 26 Nov. 2008). To give satisfactory security of system assets, the strategies, and advances that individual send needs to ensure three things:

Privacy: Providing classification of information ensures that exclusively approved clients can see delicate data.

Respectability: Providing uprightness of information ensures that exclusively approved clients can change touchy data and gives an approach to identify whether information has been messed with amid transmission; this may likewise ensure the credibility of information.

Accessibility of frameworks and information: System and information accessibility gives continuous access by approved clients to essential figuring assets and information.

The unintentional risk that the association is probably going to face is that the approved client may erase delicate information by oversight or unintentionally. The information may likewise be undermined or erased because of: the specialized disappointment of equipment, disappointment of some program running on the PC, the sudden breakdown of electric supply as well as viruses. The solutions for inadvertent danger actualized are: Backing up of information will be taken frequently. The reinforcement of information can be utilized to recoup the erased information. Most recent antivirus programming will be utilized to output all information coming into the PC (Sutton, 26 Nov. 2014).

While the Intentional threat, the unapproved (or approved) client may erase delicate information purposefully. The client might be an irate representative of an association or whatever another unapproved individual. For the most part, programmers can erase the delicate information. A programmer can break the security of the PC framework for erasing or changing information. He accesses information through PC network utilizing PC programming or devices or different procedures.

The solution for deliberate risk:

Just the approved staffs that have rights to get to information might be permitted to erase or adjust information subsequent to taking after a well-ordered process. An appropriate secret word assurance ought to be utilized. A log record ought to likewise be kept up to monitor every one of the exercises performed on the information/documents. Approved clients ought to change their passwords intermittently. Some solid encryption calculation ought to be utilized where useful information is encoded before its stockpiling or transmission over a system. On the off chance that anybody (unapproved individual) accesses the information; he will most likely be unable to comprehend it. PCs and all sponsorship stockpiling gadgets ought to be put in bolted rooms. Just approved clients ought to get to these assets (Solms & Solms, 26 Nov. 2008).

Work Settings

At the point when people feel that they can't act naturally at work, they won't connect with completely as a major aspect of the group or in allocated work. Hierarchical pioneers will assume an imperative part in setting the tone for the move towards expanded differing qualities and comprehensiveness in an association. An instructive approach can discredit many feelings of trepidation that individuals have with regards to tending to assorted qualities. Representatives need to realize that differing qualities and incorporation are best supported in an open working environment where errors can be utilized for learning not for humiliating or disgracing people.

Work Planning and Control

Upkeep work administration is the center of support administration. It's the place where the capability of administrators, organizers and specialists are illustrated, and where the achievement and cost-adequacy of an upkeep administration framework are resolved. A compelling work plan and control processor framework will recognize and approve all the support work to be done (both strategic and non-strategic), matches it with the required assets through legitimate arranging, plans when it will be done, distributes the undertakings to skilled people and guarantees that it is done effectively and hesitantly. At long last, the work points of interest and expenses will catch for reporting and examination purposes (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

Correspondence Plan

A corporate security mindfulness program means to make every one of the representatives comprehend and acknowledge not just the estimation of the organization's data security resources additionally the outcomes on the off chance that these advantages are traded off. In principle, the procedure is clear and easy.

Informing procedures

Interpersonal Communication

A standout amongst the most critical if not the most imperative types of correspondence a supervisor will take part in consistently is interpersonal correspondence. The benefit of Interpersonal Communication aptitudes is that:

Detailed data: When managing an unpredictable issue, email misses the mark. There's a lot forward and backward that can bring about mistaken assumptions and deficient trades that prompt to botches. Better to get up from your work area, talk face to face, and clear up points of interest.

Significant tasks: Working on real activities, coordinate correspondence can maintain a strategic distance from issues and underscore key focuses. For instance, amid discussions, extra issues may emerge, which can be specifically tended to. You complete the discussion sure you have a grip on new data.

Better understanding: Face-to-face communication permits you to watch non-verbal communication and how somebody responds sincerely to your thoughts. Since quite a bit of correspondence is nonverbal upwards one will pick up a full comprehension of collaborators' viewpoint and point of view, something you can't get from a PC screen or cell phone.

Persuading Stakeholders

The most imperative will be to distinguish and comprehend partners' level of intrigue; it permits one to enroll them as a feature of the exertion. Utilizing Interpersonal Communication aptitudes will build the odds for the accomplishment of security collaboration. For the majority of the above reasons, recognizing partners and reacting to their worries makes it significantly more probable that collaborations will have both the partners' bolster it needs and the suitable concentration to be viable (Sutton, 26 Nov. 2014). Interpersonal Communication techniques will likewise make space for a question and answer session since it's a one on one style of correspondence, making it easy clarify further and demonstrate partner the advantage of putting resources into the proposed innovation.

Conclusion

The blend of preventive and analyst observing controls is essential in building a successful constant checking program. The fruitful usage of continuous monitoring project will require normal duty through initiative support, approving authority authorization, and framework proprietor obligation. A very much outlined and actualized consistent checking project can enhance the nature of organization data security programs by giving administration present, significant data on the security stance of their IT resources (Alexander, Finch, Sutton, & Taylor, 18 Jun. 2013).

References:

United States. & United States. (2000). Summary statement of work. Washington:

National Commission on Air Quality.

Desman, M. B. (2002). Building an information security awareness program.

Boca Raton: Auerbach Publications.

Gardner, B., & Thomas, V. (2014). Building an information security awareness

program: Defending against social engineering and technical threats.

Waltham, Massachusetts: Syngress.

Roper, C. A., Grau, J. J., & Fischer, L. F. (2006). Security education, awareness, and

training: From theory to practice. Burlington, MA: Elsevier Butterworth-Heinemann.