Information System Project
Project Information
Company/Agency/Organization: ___________________________________ Date: _____________
Team Name: _______________________________ Project Lead: ___________________________
Chief Executive Officer (CEO): ______________________
Role(s): Define your role(s) for this policy
Chief Info Security Officer (CISO): ___________________
Role(s): Define your role(s) for this policy
Senior Security Engineer (SSE): _____________________
Role(s): Define your role(s) for this policy
SysSP Details:
1. Access Control list (ACL)
(see pg 189 Fig 4-3)
[Group name, Description, user account type: ADMIN, EMPLOYEE, CONTRACTOR, USER, GUEST]
| Group | Description | Account Type |
| Administrator | System and network administrators | Admin |
| Staff of company | Insurance brochures and customer services | Employee |
| Security tester | Members who analyze the security of the company | Contractor |
| Backup Operators | Members who restore the customer's information | User |
| Visitor/customer | Guest who has the company's default access | Guest |
2. Access Control matrix
(focus on user access)
[user account type, group, asset, control, time limits] Hint: one user per policy
| Account Type | Group | Asset | Control | Time limits |
| Admin | Administrator | Servers, switches, internet, system | Controls policies and protects information from disclosure to unauthorized employees or users | 24 hours |
| Employee | Staff of company | Employee's identification, mission-critical application | Control on customer's data and employee's information | Office hours |
| Contractor | Security tester | Hardware, software | Controls the company's reliability | Maintenance every month |
| User | Backup Operators | Confidential information | Controls every piece of information provided by customers | Office hours (every day) |
| Guest | Visitor/customer | Customer's data, network access | Controls its own assets against malicious software | Office hours |
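The ACL, access control matrix and capability table above all describe the same decision: an account type may perform certain operations on certain assets, and only inside a time window. The following Python is an added example, not part of the worksheet or any course material, showing that decision as a deny-by-default check over the matrix rows listed above. Office hours (09:00-17:00 on weekdays) and the contractor's monthly maintenance window (the first day of each month) are assumptions, since the policy names the windows but does not define them; the asset and operation names are constructed labels for the table cells.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, FrozenSet

# Assumption (not defined on the worksheet): office hours are 09:00-17:00.
OFFICE_START, OFFICE_END = time(9, 0), time(17, 0)


def office_hours(when: datetime, every_day: bool = False) -> bool:
    """True inside office hours; every_day=True drops the weekday restriction
    (the 'Office hours (every day)' cell of the User row)."""
    in_hours = OFFICE_START <= when.time() < OFFICE_END
    return in_hours if every_day else (in_hours and when.weekday() < 5)


def always(when: datetime) -> bool:          # '24 hours' cell of the Admin row
    return True


def monthly_maintenance(when: datetime) -> bool:
    """Assumption: the contractor's monthly maintenance window is the 1st of each month."""
    return when.day == 1


@dataclass(frozen=True)
class Entry:
    assets: FrozenSet[str]                    # Asset column
    rights: FrozenSet[str]                    # operations derived from the Control column
    window: Callable[[datetime], bool]        # Time limits column


# One row per account type, mirroring the access control matrix above.
MATRIX = {
    "Admin":      Entry(frozenset({"servers", "switches", "internet", "system"}),
                        frozenset({"read", "write", "configure"}), always),
    "Employee":   Entry(frozenset({"employee-id", "mission-critical-app"}),
                        frozenset({"read", "write"}), office_hours),
    "Contractor": Entry(frozenset({"hardware", "software"}),
                        frozenset({"test"}), monthly_maintenance),
    "User":       Entry(frozenset({"confidential-info"}),
                        frozenset({"read", "restore"}),
                        lambda w: office_hours(w, every_day=True)),
    "Guest":      Entry(frozenset({"customer-data", "network-access"}),
                        frozenset({"read"}), office_hours),
}


def check_access(account_type: str, asset: str, action: str, when: datetime):
    """Deny-by-default decision. Returns (allowed, reason) so a log line can
    record why a request was refused."""
    entry = MATRIX.get(account_type)
    if entry is None:
        return False, "unknown account type"
    if asset not in entry.assets:
        return False, f"{account_type} has no matrix entry for asset {asset!r}"
    if action not in entry.rights:
        return False, f"{action!r} is not granted on {asset!r}"
    if not entry.window(when):
        return False, "outside the permitted time window"
    return True, "permitted"


if __name__ == "__main__":
    saturday = datetime(2024, 1, 6, 10, 0)   # constructed timestamp (a Saturday)
    print(check_access("Employee", "mission-critical-app", "read", saturday))
    print(check_access("User", "confidential-info", "restore", saturday))
```

Each refusal returns the first failing check, which is the order a reviewer would want in an audit log: unknown principal, then asset, then operation, then time window.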
3. Capability table
(Focus on control capabilities: account office apps, system tools, network tools, policy that applies) (Policy control for the users and groups above)
| Group | Account Type | Capability tools | Policy that applies |
| Administrator | Admin | Handling data breaches | Fair and responsible use of systems in the company |
| Staff of company | Employee | Expertise in the security field | Responsible use of customer's information to handle data breaches |
| Security tester | Contractor | | Security testers must make sure that no kind of malicious code can intrude into the company's internet |
| Backup Operators | User | Restore systems and network | Backup operators must have restrictions on their access to information |
| Visitor/customer | Guest | Securing personal data | Providing correct information to the company so that it can make better changes |
4. Configuration rules
(focus on assets like servers) (server, port, protocol, access rule, time limits)
| Server | Port(s) | Protocol | Access Rule | Time limit |
| Web server | Port 80 | HTTP | | |
| Mail Server | Port 25 | SMTP | | |
| FTP server | Port 21 | | | |
| Real time communication server | | | | |
| Application server | | | | |
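A configuration-rules table is only useful if something checks the servers against it. The Python below is an added example, not part of the worksheet, that turns the filled-in rows above (web 80/HTTP, mail 25/SMTP, FTP 21) into an audit that parses `ss -ltn`-style listening-socket output and reports ports that are open but not permitted, and permitted services that are not listening. The protocol for port 21 is blank on the page and is filled in here as FTP by assumption; allowing SSH on port 22 everywhere for administration is likewise an assumption, and the socket listings are constructed samples.

```python
# Configuration rules from the table above: server -> {port: protocol}.
# Assumption: port 21 is FTP (the page leaves that cell blank).
RULES = {
    "Web server":  {80: "HTTP"},
    "Mail Server": {25: "SMTP"},
    "FTP server":  {21: "FTP"},
}

# Assumption: an administrative SSH listener is permitted on every server
# even though the table does not list it.
BASELINE = {22: "SSH"}


def parse_listeners(ss_output: str) -> set:
    """Extract listening TCP ports from `ss -ltn`-style text.

    Only lines whose state is LISTEN are counted; the local address is the
    fourth whitespace-separated field and the port follows the last colon,
    which also handles IPv6 forms such as [::]:80."""
    ports = set()
    for line in ss_output.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def audit(server: str, ss_output: str) -> dict:
    """Compare what a server is listening on against its configuration rule.

    'unexpected' ports are exposure the policy did not approve; 'missing'
    ports mean an approved service is down. Both lists are sorted so the
    report is stable from run to run."""
    allowed = set(BASELINE) | set(RULES[server])
    seen = parse_listeners(ss_output)
    return {
        "unexpected": sorted(seen - allowed),
        "missing": sorted(allowed - seen),
    }


# Constructed samples in the shape of `ss -ltn` output (not captured from real hosts).
WEB_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
"""

MAIL_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    print("Web server:", audit("Web server", WEB_SAMPLE))
    print("Mail Server:", audit("Mail Server", MAIL_SAMPLE))
```

Running the audit against the constructed samples flags port 23 on the web server as unexpected and reports the mail server's SMTP listener as missing; the same function can be fed real `ss -ltn` output collected from each server in the table.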
5. Technical Specifications SysSP
(Focus on hardware assets: network equipment, servers, and user PCs/laptops) (Make, model, type, quantity, cost)
| Asset Type | Make | Model | Qty | Cost |
| Laptop | | VGN-FW550F | 5 | $1599.00 |
| Router | | 192.168 | 10 | $309.99 |
| Modem | | DOCSIS | 14 | $120.00 |
| Ethernet | | | | |
References:
Page 2 of 2