Comprehensive Security Management Plan, Essay Example
Hypothetical Organization and Security Requirements
Despite increased network and data center security built on the most up-to-date and technologically advanced security products, a security breach remains possible and poses a threat to the network. Criminals and others with malicious cyber intent are continually devising new ways to bypass or defeat security software in order to gain access to sensitive material such as banking information, personal data, a competitor's intellectual property, or any other information that may give the criminal an advantage or gain. This information is obtained by taking advantage of weaknesses in the security systems, whether through physical or opportunistic methods. Such losses could mean the loss of business-critical information or of a competitive advantage, both of which could harm the company as a whole. Information, therefore, is vital to organizations, and they need to protect their data from competitors, hackers, cyber criminals and many others (Calder, 2008). This paper outlines a proposal for an ISO 27001 compliant information security management system (ISMS) for the chain of Em's bakeries, in order to implement a standard that ensures the confidentiality, integrity and availability of data.
The scope of an ISMS is defined in ISO 27001 terms as follows: "An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks" (Calder, 2008). An ISMS is part of a larger management system and can be implemented in one or more departments.

Several issues have been identified relating to the mismanagement of network, data, asset and database security. Data is synchronized daily from each Em's bakery outlet to the file server. The sales server is the most crucial system for both clients and the organization, as it holds all financial data relating to daily sales, products sold and so on. The outlets are connected to the head office over a virtual private network (VPN). Coordination of all employees, whether internal staff or sales outlet staff, is conducted by email relayed through the email server located at the head office (Calder, 2009). The ISMS applies to the head office servers in order to ensure data security: both the organization and its clients access information from these servers, so any threat or breach triggered there affects both. The current scope does not protect the overall network. Moreover, the servers are exposed because nothing separates them from the workstations and the wireless network. To protect these servers from threats and vulnerabilities, a firewall must be deployed between these network segments.
Business Requirements
- If the sales server stops responding or suffers a hardware or software failure, the Em's bakery sales outlets will be unable to send sales data to the server. The sales process will halt, as the system will not process any data from the outlets, and customers connected to the Wi-Fi will be unable to access services related to Em's bakery sales. As there is no backup of the sales server, this server is critical.
- Any employee can currently gain access to the sales server and amend the sales figures of any particular outlet. This is possible because no firewall rules are defined and no per-employee access controls are in place. Furthermore, a hacker may intrude into the sales server and extract all of Em's bakery's sales figures, then sell this information to competitors, who would be delighted to learn which products sell best. This is the most critical issue, as data leakage is not acceptable at any level.
- An employee can amend sales figures before they are sent to the sales server, resulting in a revenue loss for the bakery. A hacker may also disrupt the transmission of data from the sales outlets to the sales server at the head office. The transmission risk is under control, because traffic between the sales outlets and the head office is encrypted by the VPN. The VPN does not, however, stop an employee from altering figures at the outlet before they are sent; that exposure must be closed by access control and segregation of duties.
The security policy enables Em's Bakeries Ltd. to follow a defined set of controls that gives a broad picture of how the organization should function on a daily basis. Once the rules are implemented, they must be reviewed periodically to keep up with the latest threats and vulnerabilities. The following guidelines control the organization's security policy (Commerce, 2007):
1) All data must be classified, confidential by default, and managed through access rights.
2) Any unauthorized software found on a system will be removed immediately.
3) Internet access will be granted only to selected, authorized personnel.
4) Access to specific ports and to the proxy will be granted only to named, authorized individuals, so that the responsible person can be identified if any damage or illegal activity is detected.
5) Each employee's password must be between 8 and 15 characters long and contain at least one capital letter, one special character and one number.
6) Passwords expire after 3 months, and previous passwords may not be reused.
7) All workstations must have anti-virus software and a firewall installed and operational.
8) Workstations will have write protection enabled and will not allow any executable to run except the approved software.
9) A blacklist must be maintained of external IP addresses, which are logged and blocked when found scanning, probing or exploiting the network.
10) All installation and maintenance of workstations must be performed by the system administrator only.
11) Any problem encountered in the network, workstations or servers must be recorded, and the risk treatment plan appropriate to that problem must be started.
12) All removable media must be disabled to prevent unwanted software (viruses, spyware) from being installed on a local system and jeopardizing the security of the entire network.
13) The open wireless bridge must be closely monitored to stop malicious activity and prevent risk to the organization's network.
14) Every member of staff must be acquainted with the Security Policy and must understand that any inappropriate activity will lead to severe penalties.
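Guideline 9 above requires that external addresses found scanning the network are logged and blocked. The following is an added example, not part of the original essay, of how that detection could be run over firewall log lines: it parses iptables-style LOG records, ignores sources inside the bakery's internal ranges, flags an external source that probes many ports on one host or sweeps one port across many hosts, and renders blocklist entries. The sample log lines are constructed for the example, and the internal address ranges, the thresholds and the nftables set name "blocklist" are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Internal address ranges of the bakery network (an assumption for this example).
# The policy concerns *external* sources, so these are never blacklisted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields of an iptables/nftables-style LOG line that the detector needs.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)")

# Constructed sample log (not real traffic). 203.0.113.5 probes six ports on one
# host, 198.51.100.7 sweeps port 443 across three hosts, 10.0.5.20 is an internal
# workstation, and 203.0.113.99 makes a single ordinary connection attempt.
SAMPLE_LOG = """\
Aug 25 10:01:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40100 DPT=22 SYN
Aug 25 10:01:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40101 DPT=23 SYN
Aug 25 10:01:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40102 DPT=80 SYN
Aug 25 10:01:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40103 DPT=443 SYN
Aug 25 10:01:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40104 DPT=445 SYN
Aug 25 10:01:04 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40105 DPT=3389 SYN
Aug 25 10:01:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Aug 25 10:01:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=443 SYN
Aug 25 10:01:11 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=443 SYN
Aug 25 10:01:20 fw kernel: FW-DROP IN=eth1 OUT= SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=22 SYN
Aug 25 10:01:20 fw kernel: FW-DROP IN=eth1 OUT= SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=80 SYN
Aug 25 10:01:21 fw kernel: FW-DROP IN=eth1 OUT= SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=443 SYN
Aug 25 10:01:21 fw kernel: FW-DROP IN=eth1 OUT= SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=445 SYN
Aug 25 10:01:22 fw kernel: FW-DROP IN=eth1 OUT= SRC=10.0.5.20 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=3389 SYN
Aug 25 10:01:30 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443 SYN
Aug 25 10:02:00 fw sshd[1234]: Accepted publickey for admin from 10.0.1.5 port 50222 ssh2
"""


def parse_log(text):
    """Return a list of (src, dst, dport) tuples; lines without a firewall record are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def is_internal(ip):
    """True if the address lies in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_scanners(events, port_threshold=5, host_threshold=3):
    """Flag an external source as a scanner if it touched at least port_threshold
    distinct destination ports (vertical scan) or at least host_threshold distinct
    hosts (horizontal sweep). Returns {src_ip: reason}."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for src, dst, dport in events:
        if is_internal(src):
            continue  # internal hosts are handled by the workstation policy, not the blacklist
        ports[src].add(dport)
        hosts[src].add(dst)
    flagged = {}
    for src in ports:
        if len(ports[src]) >= port_threshold:
            flagged[src] = f"{len(ports[src])} distinct ports on {len(hosts[src])} host(s)"
        elif len(hosts[src]) >= host_threshold:
            flagged[src] = f"port sweep across {len(hosts[src])} hosts"
    return flagged


def blocklist_rules(flagged):
    """Render nft commands that add each flagged address to a set named 'blocklist'.
    The table and set name are assumptions; the set must already exist in the ruleset."""
    return [f"nft add element inet filter blocklist {{ {ip} }}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_scanners(parse_log(SAMPLE_LOG))
    for ip, why in hits.items():
        print(f"{ip}: {why}")
    print("\n".join(blocklist_rules(hits)))
```

The thresholds are deliberately conservative so that a single misdirected connection attempt (203.0.113.99 above) is logged but not blocked; in production the counts would be kept per time window rather than over the whole file, and the generated rules would be reviewed before they are applied.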
Security Business Requirements
The basic requirements for the business's security have been outlined in the previous section. In order to achieve these objectives, it must first be fully understood where the company's current security sits in terms of maturity level. The Capability Maturity Model Integration (CMMI) uses a process improvement method to iteratively increase the maturity of specific functions or systems within an organization. The CMMI follows a stair-step approach with five individual and distinct levels of maturity (CMUSEI, 2011): initial, managed, defined, quantitatively managed and optimized. Each level has distinct goals and objectives that must be met before reaching the next, ultimately pushing the system into the optimized position for future process improvement. An organization can be appraised against the CMMI, and the appraisal awards a maturity rating from 1 to 5. The lowest possible level is the initial phase, in which processes are unpredictable and each section has little, if any, control over the process. Another key aspect of the initial phase is that all of the precautions and solutions generated by the company are reactive and become "fire drills" to quickly mitigate the issue at hand. While a CMMI appraisal does not guarantee solutions to the issues, it does provide a framework within which solutions can be created. Specific process areas are associated with the type of CMMI being applied (Zimmie, 2004); these are the areas covered by the organization's processes.
For Em's Bakery to achieve the next level of CMMI it must possess a specific level of maturity in multiple process areas. Of those, the process area most important to the security requirements is project monitoring and control (PMC). Under the PMC process area, the business can establish a project management methodology for delivering the multiple projects it will need to complete the outlined business requirements. That methodology will help ensure the successful implementation of the security requirements while also pushing the business into a more rigorous and structured operating model (PMI, 2008). The PMC area ensures that progress is monitored and schedules are adhered to throughout the project lifecycle. Transforming a company from CMMI level 1 to level 2 requires the structure and standard operating procedures of a best-practice framework (Chrissis, Konrad and Shrum, 2011). PMC has both generic and specific goals. The generic goals include building the organizational framework and business processes that promote and accept the process changes, and building an institutionalized vision of how the corporation will look and behave after the implementation. These actions include defining processes, identifying the stakeholders, assigning accountable and responsible parties, and implementing evaluation techniques for the process.
The specific goals include monitoring actual progress against the plan. This boils down to project management: project risks, schedule, performance, stakeholder analysis, performance reviews and project status. The specific goals for implementation also include building the ability to take corrective action and to manage that action through to completion. For the security requirements implementation, PMC's generic and specific goals give the project management controls the means to evaluate the project's progress, correct its course where necessary, and deliver the project successfully.
Security Policy
The first step in creating and maintaining a security policy is to ensure that it is in line with current business requirements and processes. The policy must also be structured so that it can be enforced, with appropriate repercussions for violating it. This establishes the framework on which the policy sits and ensures that what is produced can actually be used for its intended purpose. This security policy is developed from the requirements gathered from the multiple business units; in essence, gathering and using those requirements creates a bond between the end users, leadership and the project team. The role of the policy is to influence people's actions and to guide them so that certain goals and objectives are achieved. That influence derives from management's support and from the end users' buy-in during requirements gathering. The business requirements are processed and formed into what we can use as a security policy.
The three business requirements are repeated below, and each is decomposed into a series of policies and guidelines.
- If the sales server stops responding or suffers a hardware or software failure, the Em's bakery sales outlets will be unable to send sales data to the server. The sales process will halt, as the system will not process any data from the outlets, and customers connected to the Wi-Fi will be unable to access services related to Em's bakery sales. As there is no backup of the sales server, this server is critical.
This requirement addresses the need to keep the shops running and avoid downtime due to server failure. It has two parts. The first is to ensure that the server does not fail and thereby stop the sales process; the second is the availability of data to customers. The policies derived from this requirement show how to maintain the flow of data for the sales process as well as for customers. The policy statement for the first part would be: "Develop a system in which a failover server that mirrors the current server is available, so that disruption to data is mitigated." The second would be: "Data shall be backed up at a defined frequency and stored in a separate location from the rest of the data." Going further into this requirement, other areas would need to be addressed, such as disaster recovery of data and a separate policy on information integrity and dependability.
- Any employee can currently gain access to the sales server and amend the sales figures of any particular outlet. This is possible because no firewall rules are defined and no per-employee access controls are in place. Furthermore, a hacker may intrude into the sales server and extract all of Em's bakery's sales figures, then sell this information to competitors, who would be delighted to learn which products sell best. This is the most critical issue, as data leakage is not acceptable at any level.
This requirement goes straight to role-based access control and segregation of duties. Since the system was initially built without established roles and responsibilities, a policy is required that sets out the exact functions each position within the company can perform. Alongside the access controls there will be firewall restrictions based on location and entry point. Data protection is the critical factor in the security plan. The policy statement would be: "Each individual will be assigned specific roles within the corporation governing access to specific actions and data. Each role will be developed to contain only the functions necessary to conduct the business of that role." The policy on role-based access control and segregation of duties must also cover the provisioning and maintenance of access, to ensure that the policy is not inadvertently or maliciously undermined by a lack of control over how access is granted and reviewed.
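As an added example (not part of the original essay) of the role-based access control and segregation-of-duties policy described above, the following code models roles for the sales server, rejects at provisioning time any user whose combined roles would let one person both change and approve a sales figure (or both report figures from an outlet and later amend them), and scopes outlet staff to their own outlet. The role names, permissions, conflict pairs and users are assumptions made for the example, not the bakery's actual roles.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Perm(str, Enum):
    SUBMIT_SALES = "sales:submit"        # outlet uploads its daily sales file
    READ_SALES = "sales:read"
    AMEND_SALES = "sales:amend"          # correct a figure already on the server
    APPROVE_AMENDMENT = "sales:approve"  # sign off an amendment made by someone else
    ADMIN_SERVER = "server:admin"        # patch/maintain the host; carries no data rights


# Role definitions (an assumption for this example): each role carries only the
# functions needed to do that job, as the policy statement requires.
ROLES = {
    "outlet_staff":    {Perm.SUBMIT_SALES},
    "finance_clerk":   {Perm.READ_SALES, Perm.AMEND_SALES},
    "finance_manager": {Perm.READ_SALES, Perm.APPROVE_AMENDMENT},
    "sysadmin":        {Perm.ADMIN_SERVER},
}

# Segregation-of-duties conflicts: no single person may hold both halves of a pair.
SOD_CONFLICTS = [
    frozenset({Perm.AMEND_SALES, Perm.APPROVE_AMENDMENT}),  # make and approve a change
    frozenset({Perm.SUBMIT_SALES, Perm.AMEND_SALES}),       # report figures and later alter them
    frozenset({Perm.ADMIN_SERVER, Perm.AMEND_SALES}),       # administer the host and edit its data
]

# Permissions that only apply to the user's own outlet.
OUTLET_SCOPED = {Perm.SUBMIT_SALES}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    outlet: Optional[str] = None  # set for outlet staff; None for head-office users


def permissions_for(user):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLES[role]
    return perms


def sod_violations(user):
    """Conflict pairs that the user's combined permissions would fully satisfy."""
    perms = permissions_for(user)
    return [conflict for conflict in SOD_CONFLICTS if conflict <= perms]


def create_user(name, roles, outlet=None):
    """Provisioning check: unknown roles and SoD conflicts are rejected up front,
    so a later role change cannot silently grant a conflicting combination."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise ValueError(f"unknown role(s) for {name}: {sorted(unknown)}")
    user = User(name, frozenset(roles), outlet)
    violations = sod_violations(user)
    if violations:
        raise ValueError(f"segregation-of-duties conflict for {name}: {violations}")
    return user


def is_allowed(user, perm, outlet=None):
    """Access decision for one action; anything not explicitly granted is denied."""
    if perm not in permissions_for(user):
        return False
    if perm in OUTLET_SCOPED and outlet != user.outlet:
        return False  # outlet staff may only submit figures for their own outlet
    return True


if __name__ == "__main__":
    alice = create_user("alice", {"outlet_staff"}, outlet="Leeds")
    bob = create_user("bob", {"finance_clerk"})
    print("alice submits for Leeds:", is_allowed(alice, Perm.SUBMIT_SALES, "Leeds"))
    print("alice submits for York:", is_allowed(alice, Perm.SUBMIT_SALES, "York"))
    print("bob approves own amendments:", is_allowed(bob, Perm.APPROVE_AMENDMENT))
    try:
        create_user("carol", {"finance_clerk", "finance_manager"})
    except ValueError as exc:
        print("rejected:", exc)
```

Checking conflicts when access is provisioned, rather than only at the moment of use, is what turns the policy's "maintenance and provisioning" clause into a control: a finance clerk who is later also given the manager role is refused, and a periodic re-run of sod_violations over the user directory catches combinations that accumulate over time.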
- An employee can amend sales figures before they are sent to the sales server, resulting in a revenue loss for the bakery. A hacker may also disrupt the transmission of data from the sales outlets to the sales server at the head office. The transmission risk is under control, because traffic between the sales outlets and the head office is encrypted by the VPN. The VPN does not, however, stop an employee from altering figures at the outlet before they are sent; that exposure must be closed by access control and segregation of duties.
This requirement is based on the need for secure transmission of data to the servers. Because the VPN already addresses the transmission itself, the requirement understates the wider problem of disruption of service, which remains larger than the requirement suggests. An entire policy on "Contingency Operations" needs to be established to work in conjunction with the Security Policy. The requirement can be expressed as: "There is a necessity for operations to continue, even in a degraded state, during times of malicious or unintended service outages. This plan and policy will work to build a stronger business operation during times of less than perfect circumstances."
The security policy can be derived from the business requirements, but it must also work in conjunction with the business operations as a whole. Security of data, segregation of duties, role-based access control, data maintenance and availability, risk mitigation and contingency operations are all vital to the business and therefore vital to the security policy.
References
Carnegie Mellon University Software Engineering Institute, 2011. CMMI for development, version 1.3. Retrieved from http://www.sei.cmu.edu/library/abstracts/reports/10tr033.cfm
Calder, A., 2009. Implementing information security based on ISO 27001/ISO 27002 (best practice). Van Haren Publishing.
Calder, A., 2008. ISO27001/ISO27002: A pocket guide. IT Governance Publishing.
Chrissis, M., Konrad, M. and Shrum, S., 2011. CMMI: guidelines for process integration and product improvement. Addison-Wesley Professional.
Office of Government Commerce, 2007. Service design. The Stationery Office.
Start with security policies, n.d. Retrieved 25 August 2012 from http://www.altiusit.com/files/blog/StartWithSecurityPolicies.htm
Project Management Institute, 2008. A guide to the project management body of knowledge. 4th ed. Newtown Square: Project Management Institute.
Zimmie, K., 2004. Secure and mature: combining CMMI SCAMPI with an ISO/IEC 21827 (SSE-CMM) appraisal. Retrieved from http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf