week 4 security management
Running head: Security Solutions 1
Solutions 2
Security Solutions IP3
Lindsey Miller
March 3, 2019
Professor: Patrick Laverty
Colorado Technical University
Table of Contents Project Outline (Week 1) 3 Security Requirements (Week 1) 4 Matrix Table Security Solutions 5 Security Business Requirement (Week 2) 6 CMMI 6 Process Areas 8 Security Policy (Week 3) 10 Overview 10 Policies 10 Procedures 12 System Design Principles (Week 4) 13 The Training Module (Week 5) 14 References 15
Project Outline (Week 1)
Security solutions is in beautiful Monument, Colorado in a small town that is growing. It’s a small company of about 100 employees.
Security Solutions is a business that will help customers protect their identities, from getting stolen and to keep confidential information, stored in a protected cloud to keep information secure. Our team will have 24/7 monitoring to make sure there isn’t any type of suspicious activities going on in our system. Using access controls which, is a fundamental component of security compliance programs that ensures security technology and access control policies are in place to protect confidential information. By having a chief security manager, will make sure the team are making the right decisions and providing feedback of how to go about if there are vulnerabilities to go about acting.
Security Requirements (Week 1)
The document provided below shows high level requirements. This will allow our team to understand, the process of how to develop our security system, to protect confidential information such as credit cards, social security numbers, birth certificates, mobile devices and much more. The steps and requirements such as policies and procedures to take if there were such cyber-attacks. Shilpa, (2017). 4 Simple steps to create Requirement Traceability Matrix (RTM). Retrieved from https://www.opencodez.com
Security module: this would allow the user to act, security solutions would already be able to help the customer act, so we can start right away to help the customer, recover from the incident. Placing an intrusion detection system in place, such as a firewall. Encryption is important to have in place to keep passwords protected by violators.
Recovery module: this would be action that security solutions would immediately take to backtrack to find who took the customers identity and be able to help customer without them being affected more than what they already are.
Privacy and Policy module: this will allow us to take the necessary steps to act.
Training Employee module: this requirement is suited specifically to train new and current employees, making sure everyone is up to date and understand their position. Making sure the team has all current certification updated.
Matrix Table Security Solutions
|
Physical Controls |
Administrative Controls |
Technical Controls |
|
Preventive: back up files, security guards, locks and keys, backup power, biometric access control |
Preventive: security awareness and technical training. Procedures for recruiting and terminating employees, security policies and procedures. |
Preventive: Access control software. |
|
Detective: |
Recovery Plan and contingency plan |
Anti- Virus software |
|
24/7 monitoring |
Computer access |
Passwords |
|
|
Detective: |
Encryption |
|
|
Security reviews and audits |
Detective: |
|
|
24/7 monitoring and rotation shifts |
Intrusion-detection expert systems. |
|
|
Performance evaluations |
|
Killmeyer, J. (2006) Information Security Architecture. Published by Taylor and Francis Group.
Security Business Requirement (Week 2)
CMMI
CMMI is a maturity model integration process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development. CMMI is part of (DOD) Department of Defense. U.S. government helps develop CMMI, which is a specific requirement for government software development contracts.
CMMI starts with an appraisal process that evaluates three specific areas: process and service development, service establishment and management and product and service acquisition. This is to help performance by providing businesses, with everything you need to consistently develop better products and services. CMMI helps with logistics of improving performance to develop measurable benchmarks. By using benchmarks, it shows milestones when specific dates, requirements, what process or techniques or tools used, and when the product will be finished. CMMI is a software to help my organization to make it easier for my team to understand the model and it’s cost-effective an easier way to integrate or deploy. By using this software for Security Solutions, it will help by focusing on quality and quantity for vendors and suppliers. This will help minimizing mitigation and issues.
The first step of using this software is SCAMPI, this is the official way of using the appraisal method. It has three parts class a, class b and class c. A: is most useful used in multiple processes have been implemented. Benchmark is indicated for the steps in levels for an official rating. It’s important to have a certified appraiser during this step. Class B: this finds the maturity level for CMMI. This part of the process gives Security Solutions a better understanding of where we are in the maturity process. Class C: this appraisal method is shorter and less expensive. This method is designed to access my business to establish practices and how it will integrate or align with CMMI practices.
CMMI follows five Maturity levels:
Initial: This part of the process is viewed, generally there is a delay and is over budget. This stage is unpredictable environment and increases more risk and it’s inefficient.
Managed: Projects are “planned, performed, measure and controlled.” Generally, there is a lot of issues that need to be addressed.
Defined: business is more proactive and reactive. This stage is guidance across projects to help with improvements.
Quantitatively Managed: this step is more measured and controlled. This helps with stakeholders to determine predictable process and quantitatively data.
Optimizing: this is final stage for the organization of improving any changes or other opportunities to help keep agility and innovation.
What is CMMI? A model for optimizing developing process. (2019), Retrieved from cio.com
The best place to implement CMMI into my business, would be with the technical controls, with the other software and access controls. This would further help with protecting the software in the system, with vulnerabilities that could come up, that is more concise and easier to monitor. To help with verification and validation to measure the best results. By following the correct steps for each process and following all CMMI requirements. It will help make sure the performance of my business developing is spot on before allowing anyone to use it.
Process Areas
Security Solutions whole goal is to keep customers information confidential, so hackers can’t get to their information. By implementing data encryption this is how it supports making information unreadable while it is being communicated. This would be part of my business, that specifically needs a process area for: project management concepts, this consists of project planning, project monitoring and control and risk management, quality assurance, configuration management. Being able to monitor control and risk management would be the most important area to integrate this into the system. Having a 24/7 rotating schedule for my teams. This would monitor and check for vulnerabilities and threats. By having this system, the quality assurance team would run test to making sure all confidential information, such as social security numbers, bank accounts, mobile devices, credit cards etc. All are tracked, making sure no one is trying to get into our customers information as well as getting into our system. Different Process Area in CMMI-CMMI, (2016). [Software Testing]. Retrieved from www.careerride.com
Configuration baselines in the system can contain predefined configuration items optionally, other configuration baselines. After creating the baseline, you can deploy it to a collection so devices in that collection download the configuration baseline and assess their compliance with it. By using baseline configuration in system security will allow my business database to be updated periodically. It’s important to limit each configuration baseline to no more than 1000 software updates. This would help Security Solutions, for the reason it would be more protected and easier to monitor. Another thing to have are certain passwords for those employees for certain positions, that would be able to access only certain parts of the network. To implement biometrics, tokens to authenticate the user’s passwords. By having embedded terminal or port to describe the actions taken when that limit is exceeded. Describe any policies that provide for bypassing user authentication requirements. Implementing firewalls to detect viruses. Security Solutions specifically implements all these technical controls for keeping our client’s information confidential.
Create configuration baselines in system center configuration manager. (2018) Retrieved from docs.microsoft.com
Security Policy (Week 3)
Overview
Security Solutions is a business that helps keep client’s personal information confidential. Our job is to keep unauthorize users from getting to the client’s data by having system administrators that are responsible for keeping all the networks in our business protected. System administrators must also implement adequate security for requirements of any Data Trustees, who resides in the system. Part of the administrator’s job is to consider sensitivity of correspondence, security proposals, as well as operational requirements. I’ll be talking further into internet policies, scope of security policies, internet use policy, email policy, production policy and password and wireless policy.
Policies
Security Policy- is a definition that means to secure a system, organization or other entity. Security policy addresses the constraints on functions and flow among them. Constraints can be accessed by external systems, including programs and data to be accessed by the user. Security Policy, Retrieved from Wikipedia. This policy will fit in with my organization to keep our networks and system secure from threats and vulnerabilities.
Internet Policy- used for employees to use company internet for the following reasons:
Complete job duties seek information to improve their work, to have a certain time limited to get on social media, during breaks. To use the internet at their own leisure, if they are staying productive at work.
Protection Policy: any use of our network must follow the confidentially and data.
Employees should:
Always keep passwords a secret.
Log into their corporate accounts on safe devices.
Use strong passwords to log in, so that it would be hard to get into.
Employees are responsible for our devices and equipment, such as laptops, software, phones etc.
Email: Employees can use their corporate email accounts for both work-related and personal purposes if they don’t violate the policies rules.
Should not use email to register illegal or unsafe website or services.
Solicitation Emails.
Signup with a competitor’s services unless authorized.
Security Solutions has the right to monitor corporate emails, as well with website’s employees visit.
Scope: The employee internet usage policy applies to all employees including contractors, volunteers and partners whoever access our network and computers.
Employees must be advised to be careful when downloading and opening/executing files and software. Always, ask your manager or IT manager if your unsure of opening a file, that could corrupt the system. Security Solutions will install anti-virus and disk encryption software to keep suspicious activity away. Employees may not deactivate or configure settings and firewalls without the chief security manager permission.
Wireless Security Policy- allows to secure and protect the information assets owned by Security Solutions. The wireless infrastructure devices that meet the standard and being approved by Security Solutions. Employee Internet Usage Policy, (2019). Retrieved from resources.workable.com
Procedures
Security Solutions will have a process of creating a plan to manage our company. Risk through security technologies is auditable work processes. It’s important to well document policies and procedures. It’s important that we have procedures for access control standards such as NIST’s and implementation guides. For examples user access, network access controls and operating system. Complexity of corporate passwords. Security Solutions is essential for keeping employees up to date on any IT and cybersecurity procedure changes. By employees knowing exactly what we are looking for, and following our policy and procedures, employees will know what we expect. It’s important that everyone in the company reads the procedures and policies and fully understand and initial each line after the employees finish reading each procedure and policy.
System Design Principles (Week 4)
The Training Module (Week 5)
References
Create configuration baselines in system center configuration manager. (2018)
Retrieved from docs.microsoft.com
Different Process Area in CMMI-CMMI, (2016). [Software Testing].
Retrieved from www.careerride.com
Employee Internet Usage Policy, (2019).
Retrieved from resources.workable.com
Killmeyer, J. (2006) Information Security Architecture. Published by Taylor and Francis Group.
Security Policy
Retrieved from Wikipedia
Shilpa, (2017). 4 Simple steps to create Requirement Traceability Matrix (RTM).
Retrieved from https://www.opencodez.com
What is CMMI? A model for optimizing developing process. (2019).
Retrieved from cio.com