€¦ · web view · 2016-12-29agency-wide security awareness program proposal. ... the data...

Running Head: SECURITY AWARENESS

Final Project Security Awareness

Terri Y. Hudson

Southern New Hampshire University – IT 552

December 20, 2016

Security Awareness 2

Agency-wide security awareness Program Proposal

Introduction

For the organization to comply with the current PCT DSS requirement version 12,6, a

security awareness program must be in place. The CISCO of the organization has an immediate

requirement of creating an agency-wide security awareness program. As a means of

implementing security awareness program the organization has conducted a security gap analysis

which is one of the component of security awareness program which showed the 10 security

findings. As one of the means of conducting the program, I will submit awareness program

proposal.

Objective

This SOW (Statement of Work) is being done on behalf of the senior information officer.

He has requested for the creation of an agency-wide security awareness program by handing over

the security gap analysis which was done prior to this process. Hence the major aim of this

document is to set a security awareness program which shows ten major key security findings.

The document will also include a risk assessment of the current security awareness practices,

processes and practices. By having this document, the organization will be able to have a well-

organized maintenance plan. It is also important in maintaining and establishing an information-

security awareness program (United States, 2000).

Background

The mission of the organization is to provide efficient IT services with the best security

program in place with an aim of protecting organizations assets.


1. Technical infrastructure

The organization is engaged in short-term effort aiming at modernizing its information-

processing infrastructure. These efforts have incorporated software enhancements, installation of

firewalls and high end network systems for an improved communication. The senior information

officer is the one who is responsible top oversee modernization effort. He has of late completed

conducting a security awareness program and deployment of the organization’s LAN (Local area

Network). The hardware being used is of CISCO products.

2. Computing Environment

The organization’s desktop computers are of Windows 2007/ 98 and 95. The servers are

of Pentium with over 1 GB RAM. The current NOS (Network operating system) are window

based.

3. Security Posture of the Organization

The organization has a basic network structure with only one router which acts as a

firewall. It has several working stations and switches to this working stations. In addition the

organization has installed Kasperky’s antivirus in of their desktop machines with a motive of

reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The

organization physical security in server rooms has rocks, network closets and the network

cabinet is rocked always. The organization has a worry on its current security plan this is because

of hackers, spammers and cybercrimes. Also the security plan of the organization has not proved

to have the best controls after the current security gap analysis that was conducted.

Security Gaps Findings


From the findings one of the largest organization’s risks is not the weakness in the IT

infrastructure but the action and reaction of the employees. This has happen through disclosure

of sensitive information by the workers and social engineering attacks. After the gap analysis

report, the organization found that confidential customer data and the some of the IT assets were

at risk. From the gap analysis findings it is evident that loss of customer confidential information

was very high. The risks in Information technology assets were classified as moderate. The top

ten security findings were internet; this has become one of the greatest avenues for hackers.

Others are data breaches, ransom ware, browser plug-ins, virus, worms, spyware, key loggers,

rogue security software and pharming. Lastly some of the organization factors are contributing to

unhealthy of IT assets. Example a poor plan by the organization CEO of the best IT personnel,

identification of the critical assets of the organization, wrong mapping of the existing cyber

security capabilities across the organization so as to identify organizational risks, poor

assessment of the organization’s security maturity level and poor identification of the potential

cyber security threats (Roper, 2006).

The best practices in the organizational security program

Assemble all the security awareness team. The team will be mandated in ensuring

development, maintenance and delivery of the security awareness. The recommendation is for

the team to be well-staffed. In addition to this all the employee dough to be trained on the ten

securities gas findings. The security awareness program ought to have reference materials such

as ISO 27002:2013 which outlines the code practices of the information security control, the

NIST (National Institute of Standards and Technology) and COBIT 5 (Desman, 2002).


Tasks

Some of the roles to be performed include performing a general description of the

security posture of the organization and a risk analysis, drafting security deliverable of the

organization and outlining responsibilities of each and every member in the organization in

ensuring the security of organizational assets.

Personnel

It is highly recommended that security training includes how social engineering happens

and what are the consequences to the organization IT assets. One of the ways hackers are using

social engineering is to acquire user’s credentials. The program should tailor this awareness to

reflect the types of attacks that the organization is encountering and what the organization can

encounter in long-run. As one of the findings from the security gap is confidentiality of

customers’ data, it is highly recommended that different ways of how to safeguard customers’

information to be covered at the basic level for all the personnel. Example is protecting data in

electronic and non-electronic form. Others that need to be included in the awareness program is

organization’s security awareness policy, the impact of unauthorized access and the awareness of

the CHD security requirements (Gardner, 2014).

Conclusion

This SOW document has highlighted the objective of SOW. The document has addressed

four critical elements which must be addressed in the security program, these are; the security

posture of the organization and the major findings from the security gap analysis, the human

factors which undermine the security of the organization IT assets and organization factors that

contribute to unhealthy of the organization. Lastly I have included what need to be done in the

security awareness program.


Introduction

Information security involves keeping corporate records secured. Policies are used to

address the necessities to protect data from unauthorized access, disclosure, loss, interferences

and corruption and are appropriate to information in both physical and electronic formats. A

security policy refers to a well-documented strategy with the purpose of protecting and

maintaining accessibility to a person network and its resources. Enough security in an

organization is the responsibility of the management. At this era that there is high risk of data

threat, almost all organizations have taken the initiative to implement security policies in their

companies. This paper will address the ten available security policies, and their importance,

which are: access control policies, addressing remote access, encryption and hashing, auditing

network accounts, configuration change management, segregation of duties, mandatory vacation,

information breaches, media protection, and social engineering (Bowden, February 18, 2003).

1. Access control policies

Access control is concentrates in determining the authorized activities of rightful users,

mediating each trial by a user to get entry to a resource in the system. In several systems, total

access is given upon a successful verification of the user, although many systems need more

complicated and compound control. Additionally, to the verification method like a password,

access control concentrates with how verifications are designed. In several scenarios,

authorization might reflect the organization’s structure, while in others it might rely on the

sensitivity degree of a range of documents and the clearance degree of the user contacting those

documents.


Organizations thinking of access control system implementation should look at three

abstractions which are: access control policy, mechanisms and models. Access control policies

mean high-level requirements that state how access is managed and the person who has the

authority to access information and also under what circumstances. For example, policies might

be appropriate to resource utilization in or over units of an organization or might be based on

need-to-know, authority, competence, conflict-of-interest, or obligation factors. In a high level,

access control policies are implemented over a mechanism that translate request of a user,

regularly in terms of design that a system offers (NIST, May 6, 2015).

2. Addressing remote access

The importance of this policy is to describe rules and requirements for connecting to a

company’s network from any host. The reason these rules and requirements are designed is to

increase the likelihood exposure to the company from damages which may be brought from

unlawful use of the resources of the company. Damages consist of loss of sensitive or

confidential data of the company, intellectual property, damage to critical internal systems of the

company, damage to public image, and fines or other financial liabilities acquired from those

losses.

Remote access policy applies to company’s staffs, contractors, vendors and agents company

owned or personally-owned workstation or computer used to link to the network of the company.

It applies to remote access links used to carry out tasks on behalf of the company, including

sending or reading email and screening intranet web resources. Remote access policy covers

each and all technical executions of remote access used to connect company’s networks. It is the

duty of company staffs, contractors, vendors and agents with remote access rights to corporate


network of a company to make sure that their remote access link is offered equal consideration as

the user’s on-site link to the company (SANS Institute, 2014).

3. Encryption and hashing (to control data flow)

The main goal of encryption is to change data so as to keep it secret from others in order to

control data flow. For example, sending somebody a secret letter, which only them that can be in

a position to read or securely sending password in the internet. Instead of concentrating on

usability, the objective is to make sure the data cannot be consumed by somebody else apart

from the intended recipient. Encryption changes data into a different format in a way that only

particular person can undo the transformation. It applies a key, which is kept secret, in

combination with the plaintext and the algorithm, so as to carry out the encryption activity.

Ciphertext, key, and algorithm are needed to undo to the plaintext.

Hashing acts the role of guaranteeing integrity that is, making it so that if something is

transformed one will be able to know it. To be precise, hashing consumes arbitrary input and

give a fixed-length string. It is implemented in combination with verification to give strong proof

that a particular message has not been changed. This is achieved through taking a specific input,

hashing it, and later signing the hash with the private key of the sender. Upon receiving the

message, the recipient can confirm the signature of the hash with the public key of the sender,

and later the hash the message itself and contrast it to the hash which the sender signed. If they

are similar it is unchanged message, sent by the right person (Miessler, 1999-2016).

4. Auditing network accounts

Network auditing is the collective measure carried out to analyze, study, and collect data

regarding a network with the aim of guaranteeing its health in line with the requirements of the


organization or network. Primarily, network auditing offers insight into how helpful network

practices and control are, that is, its fulfillment to internal and external network policies and

regulations. When it comes to auditing network works it entails checking what user accounts and

groups are on every machine and the shares are accessible and to whom.

Many auditing tools will deal more on the basic user account information that requires to

be included in the audit. These main properties and settings are a good place to begin with the

audit and will normally consist of the following properties: Workstations, LogonScript, last time

password was set, password is needed, password expires, password time expires, account is

disabled, and last logon time. From the fact that attacks are available through a user account that

got one or several inaccurate and non-secured settings, it brings sense to concentrate on user

account properties in time of audit. (Melber, August 4, 2005).

5. Configuration change management (to reduce unintentional threats)

Organizations have minimum visibility into the efficiency of their change management

controls over their IT infrastructure. When there is no effective management and monitoring of

change controls, the consequences of this can be distressing. At first, minimized availability over

key corporate, customer, and financial systems can happen if unauthorized changes or updates of

software are performed, even if their nature is non-malicious. These operations can impact main

functionality, or a time brings breakdown the whole systems. As systems must later be taken

offline to lessen a security problem or just withdraw the unauthorized change, this can result to

dramatic revenue loss as capital expenditures are raised to resolve the problems, and clients are

not able to access revenue-producing systems (Constellation Software Engineering, 2015).

6. Segregation of duties


Segregation of duties security policy manages conflict of interest, the manifestation of

conflict of interest, and fraud. This policy is important since it makes sure that there is separation

of various functions and explains authority and accountability over transactions. It is important to

efficient internal control; it minimizes the danger of erroneous as well as inappropriate actions.

This policy limits the power amount held by a person. It creates a boundary in place to keep

away fraud, which might be committed by one person. There will still be occurrence of fraud

when there is collusion. For one to be guaranteed that all segregation duties problems have been

identified, one will first require to develop an information flow diagram for each function in each

part of the organization.

Administrators who are responsible should consider the rule of segregation of duties when

planning and describing job roles. They must use processes and control procedures that, to the

degree practicable, segregate duties to the employees and that consist of effective oversight of

operations and transactions. To the situation when it is not possible to separate these functions,

for instance in small number of staffs, more reliance must be positioned on administrative scene

(Lowa State University, 1995-2016).

7. Mandatory vacation (to mitigate intentional threats)

Mandatory vacation policy assists to detect when staffs get caught up in malicious action, like

embezzlement or fraud. For embezzlement activity of any considerable size to be successful, a

staff would require to be constantly available so as to stage-manage records and respond to

various inquiries. Alternatively, if a staff is forced to be absent for a minimum of five

consecutive workdays, the possibility of any illegal activity flourishing is minimized, because

another person will be forced to respond to the queries in time of the staff’s absence.


This policy is not restricted to financial institutions only. Numerous organizations need same

policies for administrators. For instance, an administrator might be the only individual needed to

carry out sensitive actions like reviewing logs. An administrator who is malicious may overlook

or cover up some actions revealed in the logs. But, a mandatory vacation policy would call for

somebody else to carry out these activities and raise the likelihood of discovery (Darril, 2015).

8. Personally identifiable information breaches

Personally identifiable information (PII) means any data that could possible identify a

particular person. Any information which can be used to differentiate an individual from the

other can be applied for de-anonymizing anonymous data can be said as PII. PII can be grouped

into two: sensitive and non-sensitive. Sensitive PII refers to that information, when exposed,

could cause harm to the person whose privacy has been violated or breached.

Therefore, sensitive PII should be encrypted in transit and when data is at rest. Examples of

such kind of information are: biometric information, personally identifiable financial information

(PIFI), medical information, as well as unique identifiers like passport or Social Security

numbers. Non-sensitive PII is information which can be sent in an unencrypted format without

causing any harm to the person. It can also be gathered with ease from public records, corporate

directories, and phonebooks (Rouse, January, 2014).

9. Information breaches

The importance of information breach procedure is to offer general guidance to employees who

manage IT resources in an organization, to facilitate quick and effective recovery from security

events; react in an orderly manner to events and perform all required steps to rightfully take on

an event; minimize or prevent interference of critical computing services, as well as reduce theft


or loss of sensitive or mission important information. The IT security breach notification also is

used to breaches regarding all organization’s Health Insurance Portability and Accountability

Act (HIPAA) and all organization’s business associates incorporated under HIPAA. The Health

Information Technology for Economic and Clinical Health (HITECH) Act, as well as their

implementing regulations increase the privacy and security features of HIPAA.

10. Media protection and Social engineering

Information security media protection policy creates the enterprise media protection

policy, for managing risks rooting from media access, media transport, media storage, as well as

media protection by the establishment of an efficient media protection program. The media

protection program assists an organization to implement security best practices in relation to

enterprise media usage, storage, and clearance.

Social engineering simply means the act of manipulating people so as confidential

information is given. The kind of information that criminals look upon may be different, though

when peoples are aimed the criminals are normally attempting to trick the individual into giving

them their passwords or information about their bank, or access a user’s computer to secretly

install malicious software that will offer them access to user’s passwords and bank information

and providing them control over one’s personal computer. Security entails identifying the person

and what to trust. Knowing when and when not to take an individual at their word, when to rely

the person one is talking to is actually the person one thinks he or she is talking with; when to

rely on a website; when to trust that person on a phone; when giving information is or is not a

good idea (Criddle, n.d.).


Introduction

Purpose

Continuous monitoring is one of six stages in the Risk Management Framework

portrayed in NIST Special Publication 800‐137. The motivation behind a Continuous monitoring

project is to figure out whether the entire arrangement of planned, required, and conveyed

security controls inside a data framework or acquired by the framework keep on being

compelling after some time in light of the inescapable changes that might happen. Nonstop

checking is a vital action in surveying the security impacts on a data framework coming about

because of arranged and spontaneous changes to firmware, the programming, or environment of

operation (Whitman & Mattord, 11 May 2016).

Overall security posture

To see any organizations' security pose, group significant discoveries were classes of

digital security that is affected: security knowledge, application, information, business

accomplices and outsourcing, and risk insight. These subjects serve as an extraordinary

beginning stage for critical talks encompassing an association's security hone, with basic security

address including: What is association's greatest security concern and is its security spends and

ability legitimately apportioned to address that hazard? There's no specific business needs,

business hazard, most important resources, and so on. Security pose that doesn't attach

specifically to an organization goal can lead security vanity appeal, however, doesn't offer a

genuine assessment of where an association stands (Alexander, Finch, Sutton, & Taylor, 18 Jun.

2013).


Human factors

Human elements that antagonistically influence the security atmosphere specifically,

human qualities conduct impacts data security and at last related dangers. searching into

employments constraint field investigation comprehends driving and limiting strengths of human

issues and consider these powers as objectives and snags of data security. The examination will

demonstrate the human variables while endeavoring to comprehend the present Information

Security Management System circumstance of an association and its change considering perfect

circumstance. It will give measures to interest in elements that satisfy the objectives of ISMS

since the association is powerless against both unintentional and intentional security dangers.

Proposal

Setting and keeping up a safe processing environment is progressively more troublesome

as systems turn out to be progressively interconnected and information streams perpetually

openly. In the business world, the network is no more drawn out discretionary, and the

conceivable dangers of availability don't exceed the advantages. Subsequently, it is imperative to

empower systems to bolster security benefits that give satisfactory assurance to organizations

that lead a business in a moderately open environment (Solms & Solms, 26 Nov. 2008). To give

satisfactory security of system assets, the strategies, and advances that individual send needs to

ensure three things:

Privacy: Providing classification of information ensures that exclusively approved clients can see

delicate data.

Respectability: Providing uprightness of information ensures that exclusively approved

clients can change touchy data and gives an approach to identify whether information has been

messed with amid transmission; this may likewise ensure the credibility of information.


Accessibility of frameworks and information: System and information accessibility gives

continuous access by approved clients to essential figuring assets and information.

The unintentional risk that the association is probably going to face is that the approved client

may erase delicate information by oversight or unintentionally. The information may likewise be

undermined or erased because of: the specialized disappointment of equipment, disappointment

of some program running on the PC, the sudden breakdown of electric supply as well as viruses.

The solutions for inadvertent danger actualized are: Backing up of information will be taken

frequently. The reinforcement of information can be utilized to recoup the erased information.

Most recent antivirus programming will be utilized to output all information coming into the PC

(Sutton, 26 Nov. 2014).

While the Intentional threat, the unapproved (or approved) client may erase delicate

information purposefully. The client might be an irate representative of an association or

whatever another unapproved individual. For the most part, programmers can erase the delicate

information. A programmer can break the security of the PC framework for erasing or changing

information. He accesses information through PC network utilizing PC programming or devices

or different procedures.

The solution for deliberate risk:

Just the approved staffs that have rights to get to information might be permitted to erase

or adjust information subsequent to taking after a well-ordered process. An appropriate secret

word assurance ought to be utilized. A log record ought to likewise be kept up to monitor every

one of the exercises performed on the information/documents. Approved clients ought to change

their passwords intermittently. Some solid encryption calculation ought to be utilized where

useful information is encoded before its stockpiling or transmission over a system. On the off


chance that anybody (unapproved individual) accesses the information; he will most likely be

unable to comprehend it. PCs and all sponsorship stockpiling gadgets ought to be put in bolted

rooms. Just approved clients ought to get to these assets (Solms & Solms, 26 Nov. 2008).

Work Settings

At the point when people feel that they can't act naturally at work, they won't connect

with completely as a major aspect of the group or in allocated work. Hierarchical pioneers will

assume an imperative part in setting the tone for the move towards expanded differing qualities

and comprehensiveness in an association. An instructive approach can discredit many feelings of

trepidation that individuals have with regards to tending to assorted qualities. Representatives

need to realize that differing qualities and incorporation are best supported in an open working

environment where errors can be utilized for learning not for humiliating or disgracing people.

Work Planning and Control

Upkeep work administration is the center of support administration. It's the place where

the capability of administrators, organizers and specialists are illustrated, and where the

achievement and cost-adequacy of an upkeep administration framework are resolved. A

compelling work plan and control processor framework will recognize and approve all the

support work to be done (both strategic and non-strategic), matches it with the required assets

through legitimate arranging, plans when it will be done, distributes the undertakings to skilled

people and guarantees that it is done effectively and hesitantly. At long last, the work points of

interest and expenses will catch for reporting and examination purposes (Alexander, Finch,

Sutton, & Taylor, 18 Jun. 2013).


Correspondence Plan

A corporate security mindfulness program means to make every one of the

representatives comprehend and acknowledge not just the estimation of the organization's data

security resources additionally the outcomes on the off chance that these advantages are traded

off. In principle, the procedure is clear and easy.

Informing procedures

Interpersonal Communication

A standout amongst the most critical if not the most imperative types of correspondence a

supervisor will take part in consistently is interpersonal correspondence. The benefit of

Interpersonal Communication aptitudes is that:

Detailed data: When managing an unpredictable issue, email misses the mark. There's a

lot forward and backward that can bring about mistaken assumptions and deficient trades that

prompt to botches. Better to get up from your work area, talk face to face, and clear up points of

interest.

Significant tasks: Working on real activities, coordinate correspondence can maintain a

strategic distance from issues and underscore key focuses. For instance, amid discussions, extra

issues may emerge, which can be specifically tended to. You complete the discussion sure you

have a grip on new data.

Better understanding: Face-to-face communication permits you to watch non-verbal

communication and how somebody responds sincerely to your thoughts. Since quite a bit of

correspondence is nonverbal upwards one will pick up a full comprehension of collaborators'

viewpoint and point of view, something you can't get from a PC screen or cell phone.


Persuading Stakeholders

The most imperative will be to distinguish and comprehend partners' level of intrigue; it

permits one to enroll them as a feature of the exertion. Utilizing Interpersonal Communication

aptitudes will build the odds for the accomplishment of security collaboration. For the majority

of the above reasons, recognizing partners and reacting to their worries makes it significantly

more probable that collaborations will have both the partners' bolster it needs and the suitable

concentration to be viable (Sutton, 26 Nov. 2014). Interpersonal Communication techniques will

likewise make space for a question and answer session since it's a one on one style of

correspondence, making it easy clarify further and demonstrate partner the advantage of putting

resources into the proposed innovation.

Conclusion

The blend of preventive and analyst observing controls is essential in building a

successful constant checking program. The fruitful usage of continuous monitoring project will

require normal duty through initiative support, approving authority authorization, and framework

proprietor obligation. A very much outlined and actualized consistent checking project can

enhance the nature of organization data security programs by giving administration present,

significant data on the security stance of their IT resources (Alexander, Finch, Sutton, & Taylor,

18 Jun. 2013).


References:

United States. & United States. (2000). Summary statement of work. Washington:

National Commission on Air Quality.

Desman, M. B. (2002). Building an information security awareness program.

Boca Raton: Auerbach Publications.

Gardner, B., & Thomas, V. (2014). Building an information security awareness

program: Defending against social engineering and technical threats.

Waltham, Massachusetts: Syngress.

Roper, C. A., Grau, J. J., & Fischer, L. F. (2006). Security education, awareness, and

training: From theory to practice. Burlington, MA: Elsevier Butterworth-Heinemann.

Bowden, J. S. (February 18, 2003). Security Policy: What it is and Why – The Basics. SANS

Institute InfoSec Reading Room. Retrieved from

https://www.sans.org/reading-room/whitepapers/policyissues/security-policy-basics-488

Constellation Software Engineering. (2015). Minimize Risk and Downtime With Change

Management Controls. CSE. Retrieved from https://www.cse-corp.com/cybersecurity-

change-management/

Criddle, L. (n.d.). What is Social Engineering? WEBROOT. Retrieved from

https://www.webroot.com/ie/en/home/resources/tips/online-shopping-banking/secure-

what-is-social-engineering

Darril. (2015). Mandatory Vacations. Get Certified Get Ahead. Retrieved from

http://blogs.getcertifiedgetahead.com/mandatory-vacations/


Lowa State University. (1995-2016). Segregation of Duties. Retrieved from

http://www.policy.iastate.edu/policy/duties

Melber, D. (August 4, 2005). Auditing User Accounts. Windows Security. Retrieved from

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/

Auditing-user-accounts.html

Miessler, D. (1999-2016). Encoding vs. Encryption vs. Hashing vs. Obfuscation. Retrieved from

https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/#gs.0kQuJwE

NIST. (May 6, 2015). Access Control Policy and Implementation Guides. Computer Security

Division Security Resource Center. National Institute of Standards and Technology.

Retrieved from http://csrc.nist.gov/projects/ac-policy-igs/index.html

Rouse, M. (January, 2014). Personally Identifiable Information (PII). TechTarget. Retrieved

from http://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-

information

SANS Institute. (2014). Remote Access Policy. Consensus Policy Resource Community. SANS.

Retrieved from https://www.sans.org/security-resources/policies/network-security/pdf/

remote-access-policy

Agarwal R. and Prasad J. 1998.A conceptual and operational definition of personal

innovativeness in the domain of Information Technology, Information Systems

Research,Vol. 9, no. 2:204-215.

Bandura, A. 1989 Social cognitive theory, In R. Vasta (Ed.), Annals of child development.Vol.6.

Six theories of child development (pp. 1-60). Greenwich, CT: JAI Press.


Garson, B. 2005. Work addiction in the age of information technology: An analysis. IIMB

Management Review, Vol. 15: 21

McCue, K. 2008. A comparison of employee benefits data from the MEPS-IC and form 5500.

Working Papers 08-32, Center for Economic Studies, U.S. Census Bureau.

Murray, B. 1991. Running corporate and national security awareness programmers. Proceedings

of the IFIP TC11 Seventh International Conference on IS security: 203-207.

€¦ · web view · 2016-12-29agency-wide security awareness program proposal. ... the data...

Documents