isstategovtproposal


Upload: dale-white

Post on 14-Aug-2015


Inception Securities

History

• Began in 2002 providing database performance tuning and security for database applications

• By 2006, routinely provided complete security services (assessments, penetration tests, policy creation, and regulatory compliance assistance)

Clients in the Past

Our clients include organizations of different sizes. Most are state and federal government agencies that must demonstrate compliance with specific security-related regulations.

Current

• New “In-State” Headquarters

• 22 full-time employees, including 4 who will focus on providing services and products for this new opportunity, should we be awarded the contract

Resources

• All five team members hold Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), GIAC Security Essentials Certification (GSEC), and other Global Information Assurance Certification (GIAC) certifications

The Cast

• Project Manager – Dale White

• Network Administrator – Julie Newton

• Database Security – Stephen Davis

• Risk Management – Will Lopez

• Procurement/Compliance – Tara Ramchi

Accomplishments

• Won four major contracts in the last four years for vulnerability assessments and penetration tests.

Network Administration

Julie Newton

User Domain

• Bi-monthly training on security (what to look out for, what is allowed, password security, etc.)

• Employees will be working with trainers certified through Inception Securities

• Background checks for employees

• Access badges assigned to each employee

Workstation Domain

• Nightly virus scans performed by Symantec

• Nightly malware scans performed by Malwarebytes

• Monthly checks for updates and patches

• All laptops will be encrypted by Symantec

• Physical security by disabling USB ports

LAN Domain

• Proxy settings to filter content based on departmental needs

• Account-based access

• Once-a-day port scanning performed by Nessus to identify unauthorized open ports

• Departments sub-netted to separate them for easier security control

LAN-WAN Domain

• Constant monitoring of the packet flow by OmniPeek to maintain optimal network functionality

• Once a day port scanning performed by Nmap to identify unauthorized open ports

• Access control list (ACL) limiting the access per department
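The LAN and LAN-WAN bullets above both call for a daily port scan (Nessus, Nmap) to identify unauthorized open ports. The following added example, which is not Inception Securities' tooling, shows one way to turn that scan into a finding: parse Nmap's grepable (-oG) output and compare each host against an allow-list of authorized ports. The host addresses, allowed ports, scan lines and allow-list format are constructed assumptions.

```python
# Added example (not Inception Securities' tooling): compare a daily
# "nmap -oG" (grepable) scan against a per-host allow-list and report open
# TCP ports that are not authorized. Hosts, ports, scan lines and the
# allow-list format are constructed for this illustration.
import re

# Constructed baseline: authorized open TCP ports per host.
ALLOWED_PORTS = {
    "10.0.1.5": {22, 80},   # web server: ssh + http only
    "10.0.1.20": {3306},    # database server: mysql only
}

# Constructed sample of nmap -oG output (fields are tab-separated).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.1.20 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)
Host: 10.0.1.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
"""

# port/state/protocol prefix of each entry in the "Ports:" field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: set of TCP ports reported open}."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and status lines carry no ports
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        open_ports[host] = {
            int(port)
            for port, state, proto in PORT_RE.findall(fields.get("Ports", ""))
            if state == "open" and proto == "tcp"
        }
    return open_ports


def unauthorized_ports(scan_text, allowed):
    """Return {host: sorted open ports missing from the baseline}.
    A host absent from the baseline has no authorized ports, so every
    open port on it is flagged (e.g. a rogue host on the subnet)."""
    findings = {}
    for host, ports in parse_grepable(scan_text).items():
        extra = ports - allowed.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings
```

Running `unauthorized_ports(SAMPLE_SCAN, ALLOWED_PORTS)` on the sample flags RDP (3389) on the web server and SMB (445) on a host that is not in the baseline at all.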

WAN Domain

• Blacklist and whitelist for the DMZ: the blacklist details sites that are blocked and the whitelist details the sites that are approved

• ACL detailing what individual people are allowed to access based on job code

Remote Domain

• Organizational units in Active Directory providing access to only those who need to use it

• Virtual Private Network (VPN) client to ensure data security

• Password requirements will be implemented

Application Domain

• Updates to be applied by the Application team as they are approved and released

• Patches to be applied by the System Administrator as they are approved and released

• Physical security for the server room: security code and badge

Database Administration

Stephen Davis

Physical Security

• Data Integrity is the single most important part of the network.

• All data will be under physical security (i.e. lock and key) with only specific personnel having access.

• Notices on the Network closets will have disclaimers about unauthorized access.

Active Directory

• All employees will have a unique username and password (90-day expiration on passwords)

• Password complexity will require at least seven characters, one uppercase letter and one number, and a new password cannot match any of your seven previous passwords

• Employees will have access to only job-specific tasks.

• Access to shared folders will need to be approved by the employee's manager.

• Provide generic accounts with tight Group Policy
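As an added illustration (not the proposal's own code), the password rules listed above written as a check an in-house application could run when it stores its own credentials instead of relying on the domain policy: minimum seven characters, one uppercase letter, one number, no reuse of the last seven passwords, and 90-day expiry. The PBKDF2 hashing scheme and the sample values are assumptions.

```python
# Added example (not Inception Securities' code): enforce the stated
# password rules (>= 7 characters, one uppercase letter, one digit, not one
# of the last 7 passwords, 90-day expiry). History is kept as salted
# PBKDF2 hashes so old passwords are never stored in clear; the hash
# parameters are our own choice, not the proposal's.
import hashlib
import os
from datetime import date, timedelta

HISTORY_DEPTH = 7              # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)   # expiration stated in the proposal
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if password matches any stored (salt, digest) pair."""
    return any(hash_password(password, salt)[1] == digest for salt, digest in history)


def check_new_password(candidate, history):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(candidate) < 7:
        problems.append("fewer than seven characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if in_history(candidate, history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last seven passwords")
    return problems


def password_expired(last_changed, today=None):
    """True once the 90-day expiration has passed (dates as ISO strings)."""
    today_d = date.fromisoformat(today) if today else date.today()
    return today_d - date.fromisoformat(last_changed) > MAX_AGE


def rotate_password(candidate, history):
    """Append the new password's hash if policy allows it, else raise."""
    problems = check_new_password(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(candidate))
    return history
```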

Workstations

• All workstations will be part of a domain and will need to be added manually with administrative privileges.

• All downloads will be conducted by the Help Desk.

• All patches will be conducted by the Desktop System Administrator.

• All administrative rights to local machines will need permission from the CIO.

• Laptops will have full disk encryption and will need someone to register the user for first-time use.

Servers

• All servers will be virtualized and have a RAID 5 setup for redundancy

• Data Center will be in a central location of the building in a fire rated room.

• Security cameras will be installed to monitor movement

Software

• All software will be tested in a controlled environment and approved before being put into the live environment.

• All software installations will be installed from a shared network and not the internet.

User Training

• All new employees will need to review the user agreement policy and sign before actually starting work.

• Mandatory annual IT security training (social networking, phishing emails, etc.)

• Proper user training could strengthen data integrity.

Risk Management

Will Lopez

Identify Threats

• What is considered a threat?

1. External hacking threats

2. Personnel

3. Outdated policies

How often is this threat occurring?

• How often the threat occurs will determine the action to be taken.

• Review how the security was bypassed and what new process can be used to stop the threat from happening again.

• Reviewing the past year's information helps determine the trend and which action can be taken next.

What to do with your assets

Cold site – Will be used to handle issues such as unforeseen network hiccups, but planned:

1. Network updates

2. Hardware failure

Warm Sites – For sections of the company that might go down.

Hot Sites – For events far beyond human control.

What are your assets

• Departmental heads from each department are considered important to the business continuity

• Managers that help assist with the incident

• Core documents and materials to maintain business continuity.

Procurement and Compliance

Tara Ramchi

What is procurement?

• “Procurement” is the overarching function that describes the activities and processes to acquire goods and services.

• Procurement involves the activities involved in establishing fundamental requirements, sourcing activities such as market research and vendor evaluation and negotiation of contracts.

• Procurement differs from purchasing. The term “Purchasing” refers to the process of ordering and receiving goods and services. It is a subset of the wider procurement process.

Procurement Process

• Involves 5 steps

1. Define Business Need – Capture business requirements. Obtain full stakeholder buy-in to any resulting plans and timelines.

2. Develop Procurement Strategy – Agree procurement approach and timescale. Evaluate current environment and decide on the procurement process.

3. Supplier Evaluation & Selection – Select the right suppliers and value proposition to be taken forward to final negotiation.

Procurement Process (Cont.)

4. Negotiation and Award of Contract – Complete negotiations and select the best supplier. Award the contract.

5. Induction & Integration – Ensure that the supplier is fully prepared to deliver all aspects of the contract. Ensure that all parties are familiar with the agreed P2P policies and procedures. Initiate the relevant performance measures and reporting.

Vendors

• Tiger Direct

• Newegg

• Lenovo

• Cisco

• Symantec

Compliancy

• Legislation and regulations are always changing. Keeping on top of new developments can be a challenge.

• Our project team:

– Conducts mock regulatory inspections.

– Performs compliance reviews.

– Runs risk mapping projects.

– Updates policies and procedures.

– Advises on the compliance issues surrounding new products and new businesses.

– Conducts training sessions on important compliance topics.

– Researches and reports on a variety of regulatory issues across many jurisdictions.

Compliancy (Cont.)

– Accelerates licensing and compliance.

– Results in significant savings for your organization.

– Enables your organization to focus on business-critical tasks.

– Smoothes out volatility in resource demands.

– Protects your organization from penalties/fines associated with compliance mistakes.

– We have an in-depth understanding of the security industry and thorough knowledge of the regulations that impact your business.

– Our services are aligned with state and local regulations to ensure complete compliance for your organization.

Importance of Compliancy

• What is compliancy?

– Compliance refers to the company obeying all of the laws and regulations that govern how it manages the business, its staff, and its treatment of its consumers. The concept of compliance is to make sure that corporations act responsibly.

• Benefits

– Avoidance of criminal charges and penalties

– Building a positive reputation

– Higher productivity in the company

Compliance Policy

• All State of Florida agencies must be compliant with this security policy document

• Compliance with Legal Requirements (11.1)

– All State of Florida agencies must be compliant with any State or Federal regulatory requirements which supersede this policy document.

• Applicable Legislation (11.1.1)

– All State of Florida agencies must be compliant with any legislation enacted by the State of Florida in regards to the management of information resources on behalf of the State.

Compliance Policy (Cont.)

• Data Protection and Privacy (11.1.2)

– All State of Florida agency data custodians must ensure that all “Personal Information” data assets, as defined by applicable State and/or Federal law and regulations, are protected from unauthorized use, modification or disclosure.

• Data Breach and Disclosure (11.1.3)

– Any State of Florida agency that discovers a breach of the information security controls set forth in this document which results in disclosure of unencrypted “personal information” about persons to unauthorized third parties shall provide notice of the disclosure in accordance with TCA 47-18-2107(3)(A).

Closing

Presented by Dale White

Equipment cost

• $357,794.52 – Includes:

• Desktops by Lenovo

• ThinkPads

• Routers and switches

• Color laser printers

• Anti-virus

• Servers

Budget

• The presented budget for the 2014 fiscal year is $4 million.

Cost

• Project Manager – $200,000

• Risk Management – $150,000

• Database Security – $200,000

• Network Administrator – $120,000

• Procurement/Compliance – $160,000

Total – $730,000

$4m - $730k = $3,999,270,000

Closing

• It would be advantageous for the State Government and the Department of Finance and Administration to make sure that the information in the databases is safe and above other State Governments’ level of security. By applying the analysis of the NIST framework and of COBIT, all layers of security shall be thoroughly inspected to ensure the client’s satisfaction with the services provided by Inception Securities.

Closing (cont.)

• Proven specialists in penetration testing, vulnerability assessments, risk management/mitigation analysis, network systems and software hardening, and compliance/regulation analysis

• We will ensure that the State Government and the Department of Finance and Administration do not suffer any unforeseen penalty due to noncompliance.