week 4 security management
Running head: CISCO SYSTEMS 1
CISCO SYSTEMS 2
CS654-Secuirty Management
Security Management Plan for Cisco Systems
Sneha Bantu
Date:03/06/2019
Table of Contents Introduction 5 Project Outline and Security Requirements 5 Initial Security Projects 6 Corporate Organizational Chart 6 WG Structure and Ties Added to Corporate Organizational Chart 6 Information Security Management Best Practices 7 Security Policy 8 Organizational Security 8 Asset Classification and Control 8 Personnel Security 8 Physical and Environmental security 8 Communications and Operations Management 8 Access Control 8 Systems Development and Maintenance 8 Business Continuity Management 8 Compliance 9 Communication Flows with Working Group 9 Security Management Plan 10 Security Business Requirements 10 Capability Maturity Model Integration (CMMI) 10 CMMI level 1, Initial 10 CMMI level 2, Managed 11 CMMI level 3, Defined 11 CMMI level 4, Quantitatively managed 11 CMMI level 5, Optimizing 11 CMMI Model with Basic level of Architecture for an Organization 12 Process Areas of CMMI 13 Project Management Category 14 Integrated project management (IPM) 14 Project monitoring and control (PMC) 14 Project planning (PP) 14 Quantitative project management (QPM) 14 Requirements Management (REQM) 14 Risk Management (RSKM) 14 Supplier Agreement Management (SAM) 14 Engineering Category 14 Product Integration (PI) 14 Requirements Development (RD) 15 Technical Solution (TS) 15 Validation (VAL) 15 Verification (VER) 15 Process Management Category 15 Organizational Performance Management (OPM) 15 Organizational Process Focus (OPF) 15 Organizational Process Performance (OPP) 15 Organizational Training (OT) 15 Organizational Process Definition (OPD) 16 Support Category 16 Causal Analysis and Resolution (CAR) 16 Configuration Management (CM) 16 Decision Analysis and Resolution (DAR) 16 Measurement and Analysis (MA) 16 Process and Product Quality Assurance (PPQA) 16 Security Management Plan 17 Security Policy 17 Business security requirements into policies 19 Equipment and computer services policy 19 Employee acceptance use policy (EAUP) 19 Account access request policy 19 Acquisition assessment policy 19 Audit policy 19 Information sensitivity policy 19 Password policy 19 Risk-assessment policy 20 Global web server policy 20 Email policies 20 Automatically forwarded email policy 20 Email policy 20 Remote access policies 20 Dial-in access policy 20 Remote-access policy 20 VPN security policy 20 Personal devices ad phone policies 20 Analog and ISDN line policy 21 Application policies 21 Acceptable encryption policy 21 Application service provider (ASP) policy 21 Database credentials coding policy 21 Inter process communications policy 21 Project security policy 21 Source code protection policy 21 Network policies 22 Extranet policy 22 Minimum requirements for network access policy 22 Network access standards 22 Router, firewalls and switch security policy 22 Server security policy 22 Document retention policies 22 Electronic communication retention policy 22 Financial retention policy 23 Employee records retention policy 23 Operation records retention policy 23 System Design Principles 24 The Training Module 25 References 26 Cisco Systems for the security management plan project
Introduction
I am selecting Cisco Systems for the security management plan project.
Cisco systems is an American multinational company headquarters located in San Jose, California. Cisco systems manufactures and sells networking hardware, telecommunications equipment and other high-technology services and products like cisco WebEx. I feel this is the best option for me to research and learn the security management plan.
Project Outline and Security Requirements
Cisco systems organization has many other locations across the all regions and its headquarters located in San Jose, California, USA. Employees count is around 74,200 members operated from different locations like USA, Canada, India and UK. Cisco system organization pioneered the concept of a local area network (LAN) to connect the geographically disparate computers over a multiprotocol router system. by year 1990 Cisco Systems had a market capitalization of $224 million and it continues to grow with $500 billion market capitalization by year 2000.
Initial Security Projects
Corporate Organizational Chart
Cisco systems has many departments in it including sales, marketing, HR, finance, IT ad line of business (product business applications). Below organizational chart shows the simple chart of its departments and business (Cisco, 2019).
Figure01 Organizational Chart
WG Structure and Ties Added to Corporate Organizational Chart
The Workgroup structure is one of the good structures in the security management. This is based on the realistic goal of the company like Cisco systems and it will help an organization to reach the maximum-security stabilization. CEO (Chief executive officer), board of directors, CFO (Chief financial officer), CIO (chief information officer), VP (vice president) and other few officials are part of the working group structure.
Information Security Management Best Practices
According to Germain (2005), In this section we will discuss about few information security best practices based on the ISO/IEC 17799. Security have become an integral part of daily life, and organizations need to ensure that they are adequately secured. In the below figure we have few security domains where the Cisco systems organization have to consider. These are the industry wide best practices adapted by the many organizations.
Figure -02 The ten domains as of ISO/IEC 17799
Security Policy – This will demonstrate management commitment to, and support for, information security in the organization.
Organizational Security – This will develop a management framework for the coordination in the organization. This will trigger the information security responsibility in an organization.
Asset Classification and Control – This will keep an appropriate level of protection for all critical assets.
Personnel Security – In any organization, employee must be trained well to reduce the risk of error. Personal security will help an organization from theft, fraud, or misuse of computer resources by promoting user training and awareness regarding risks, vulnerabilities and threats to information.
Physical and Environmental security – This will prevent unauthorized access to information processing facilities and prevent damage to information and to the organization's premises.
Communications and Operations Management – This is necessary to reduce the risk of failure
Access Control – Proper access controls (read, write, and delete) protects the information from unauthorized users/devices.
Systems Development and Maintenance – This will make sure the development of the security and maintenance of the security in safe hands with proper incident response team.
Business Continuity Management – This will make sure the operations to run during critical failures, incidents, natural disasters, or catastrophes.
Compliance – This will make sure the organization meets the requirement of all laws and regulations are respected and that existing policies comply with the security policy for the better security protection.
Communication Flows with Working Group
In an organization, the formal communication follows practices shaped by hierarchy, technology systems, and official policy. Formal communication involves documentation and training. Policy related formal communications are usually “one-way”, and these are initiated by management and received by employees.
In major organizations like cisco systems, the formal Communication content is perceived as authoritative because it originates from the highest levels of the company depends on their roles and responsibilities.
Security Management Plan
Security Business Requirements
A study by Acevedo (2019), Precisely securing the business from physical and data threats can help minimize risks from thefts or physical violence. Security business requirements in an organization includes, physical security, data security, document security and equipment security.
Capability Maturity Model Integration (CMMI)
Research by ( White, 2018) discusses, Security business requirements for an organization like Cisco Systems is very important. This will decide the CMMI level of an organization. The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.
In the current market scenario, the CMMI model breaks down organizational maturity into five levels. Many organizations are following these CMMI model to prove their standard and attract customers from the competitive market. All major organizations in the market embrace CMMI, the goal is to raise the organization up to CMMI Level 5, the “optimizing” maturity level. All CMMI level 5 companies are focus on maintenance and regular improvements.
Here are the CMMI’s five Maturity Levels, let’s discuss them in short:
CMMI level 1, Initial: Processes are viewed as unpredictable and reactive. For example, an organization’s “work gets completed but it’s often delayed and over budget.” This is the worst stage in the business and it shows the unpredictable environment that increases risk and inefficiency of an organization.
CMMI level 2, Managed: There’s a level of project management achieved. For example, in an organization, the projects are “planned, performed, measured and controlled” well, but there are still a lot of issues to address.
CMMI level 3, Defined: in this level, organizations are more proactive than reactive. There’s a set of “organization-wide standards” to “provide guidance across projects, programs and portfolios.” The organization’s businesses appreciate their shortcomings, how to address them and what the goal is for improvement.
CMMI level 4, Quantitatively managed: at this level it is more measured and controlled. The organization conducts the surveys and is working off quantitative data to determine predictable processes that align with stakeholder needs. At this level the risk assessments are advanced and the business is ahead of risks, with more data-driven insight into process deficiencies.
CMMI level 5, Optimizing: This is the best level among all levels. Here, an organization’s processes are stable and flexible. The organization always work towards improving and responding to changes or other opportunities with respect to the current trending of the market. All CMMI level organizations are stable, which allows for more “agility and innovation,” in a predictable environment.
CMMI Model with Basic level of Architecture for an Organization
A Study by ( Lee & Wang, 2007) Discusses, Capability Maturity Model Integration (CMMI) is combination of best practices that deliberate the development and maintenance of products on time with a quality and services covering the product life cycle from conception through delivery and maintenance. In any type of organization integration of these bodies of knowledge, which are essential for developing products, CMMI provides a comprehensive solution for developing and maintaining products and services. The process areas of the CMMI are divided into four categories, they are process management, project management, engineering, and support. Major organizations, like cisco systems follow this process areas for the casual analysis, better resolution and organizational performance management. Below picture has not covered all process areas but it has the minimum process areas for the CMMI level organization.
Figure -3 Architecture of the CMMI level company with few processes
Process Areas of CMMI
Research by (Delhi Quality Services, 2019) discusses above four categorizations. All these categories have the 22 process areas. An organization have to follow these 22 process areas in CMMI and each process area represents an activity needs to be followed to achieve a maturity level.
Cisco systems have to follow all these 22 process areas to maintain its CMMI level 5 standard, to get into details of the goal of these process areas are as below. All 22 process areas are divided into 4 categories.
Project Management Category
Integrated project management (IPM): This helps in establishing and managing the project in Cisco systems and the involvement of relevant stakeholders.
Project monitoring and control (PMC): Cisco systems organization monitors the project through reviews, meetings, milestone reviews, and status reporting with controlling issues.
Project planning (PP): Project Planning process area provides best practices to cisco systems in project estimation, project plan preparation including availability of resources in organization, resource planning, scheduling timelines of the project (Dev, testing, UAT and go-live), risk assessment etc. and taking commitment.
Quantitative project management (QPM): Using this process area, Cisco systems advance measurement and help in the quantitative control and improvement of the in the ongoing projects.
Requirements Management (REQM): As per this process area, cisco systems manage the user requirements. It also takes care of the alignment between project work and requirements.
Risk Management (RSKM): This process area helps the cisco systems to identify potential risks in the project, so that an organization can work to mitigate the risks.
Supplier Agreement Management (SAM): This process area helps the Cisco systems in the management of products and services required from the vendors.
Engineering Category
Product Integration (PI): Cisco system also has manufacturing unites where they manufacture and sells networking hardware, telecommunications equipment and other high technology services and products. The product integration area helps the cisco systems to assemble the products into a final product.
Requirements Development (RD): Cisco systems has many customers, requirement and development process area helps the collecting requirements from customers, analyzing them and then detailing them into different requirements like product, product support, defects and product component requirements.
Technical Solution (TS): This process area helps cisco systems in designing and implementing solutions to the project.
Validation (VAL): This process area helps the cisco systems in validating the product in desired environment.
Verification (VER): This process area helps the cisco systems ensuring the product meet the specified requirements by verifying them.
Process Management Category
Organizational Performance Management (OPM): Major organizations like cisco systems needs a proactive management and OPM process area helps to proactive management for the organization’s performance to meet its business objectives.
Organizational Process Focus (OPF): This process will help in planning, implementing, and deploying organizational process.
Organizational Process Performance (OPP): This helps in establishing and maintaining quantitative understanding of performance of selected processes towards achieving the organizational goals.
Organizational Training (OT): This process area helps in train the new Cisco systems employees for the required skills of an organization.
Organizational Process Definition (OPD): This will help the Cisco system to maintain the library of organizations assets, policies, rules and regulations.
Support Category
Causal Analysis and Resolution (CAR): This process helps Cisco systems to find out the root causes of the issues and then plan corrective and preventive actions.
Configuration Management (CM): This process helps the Cisco systems to identify configuration items of an organization and maintenance.
Decision Analysis and Resolution (DAR): This helps in selecting the best alternative with the evaluation technique.
Measurement and Analysis (MA): This process area helps the Cisco systems management in decision making capability for the senior management.
Process and Product Quality Assurance (PPQA): This process area helps the cisco systems quality of processes and products by using audits and quality assurance activities.
Organizations follow the above process area depends on the organization type, needs and their products.
Security Management Plan
Security Policy
Research by Godfrey (2017) discussed, There are 5 stages of security policy management. Cisco systems follow this approach for the smooth process of operations. It provides a structured and automated process for identifying and safely removing redundant rules as soon as applications are decommissioned, while verifying that their removal will not impact active applications or create compliance violations.
Figure-4 Security policy (Godfrey , 2017).
In the first stage the organization discover all the security related issues as per the integrity of the cisco organization. IT staff’s work must adhere to meet the all requirements as per the cisco systems organization standard.
In the plan and access stage, all access control policies will be planned and access controls are created for the staff. All security policy rules provide the access to the right people as per their job function.
Migrate and deploy stage involves applying security policies in the organization as per the leadership approvals. Deploying connectivity and security rules can be a labor-intensive and error-prone process. Security management process have to involve all types of groups in this process to make sure all security policies are accepted by the employees of an organization. Security firewalls have to be implanted to mitigate future risks.
Maintain stage involves the updates to the security policies on time as per the updated process and procedures. For example, most firewalls accumulate thousands of rules which become outdated or obsolete over the years. Maintain stage makes sure all firewalls are updated as per the implemented security policies.
Decommission stage involves end date of the policy. Every business application eventually reaches the end of its life. But when they are decommissioned, their security policies are often left in place, either by oversight or from fear that removing policies could negatively affect active business applications. Decommission stage also makes sure the new policies are placed on time to continue the operation and initiates a process to create a new policy.
Business security requirements into policies
Cisco systems organization policies will be created as per the business requirements and job functions. Cisco systems is a hardware manufacturing and software product company, due to this this organization has many policies. We will discuss them in below section.
Equipment and computer services policy
A study by Paquet (2013), Business requirement for the Equipment and computer services policy is mapped to the Employee acceptance use policy (EAUP), Account access request policy, Acquisition assessment policy, Audit policy, Information sensitivity policy, Password policy, Risk-assessment policy, and Global web server policy.
Employee acceptance use policy (EAUP): This policy is related to the acceptable use of equipment and computing services to protect the corporate resources and proprietary information. All employees have to accept this policy before they use device in the organization.
Account access request policy: This policy formalizes the account and access request process within the organization.
Acquisition assessment policy: This policy defines the procedure for the smooth process of responsibilities regarding corporate acquisitions.
Audit policy: This makes sure the conduct responsible parties are to do audits and risk assessments to ensure integrity of information and resources in the cisco systems organization
Information sensitivity policy: This policy takes care of the requirements for classifying and securing information as per its sensitivity level.
Password policy: This policy provides the standards for creating, protecting, and changing strong passwords in the organization.
Risk-assessment policy: This policy provides the authority for the information security team or security management team to identify, assess, and remediate risks.
Global web server policy: This policy describes the standards that are required by all web hosts.
Email policies
Business requirement for the email polices are mapped to automatically forwarded email policy, and Email policy.
Automatically forwarded email policy: This policy restricts the sensitive information inside the organization domain. To forward any sensitive document requires and approval from higher management.
Email policy: This policy takes care of standards to prevent tarnishing the public image of the organization.
Remote access policies
Business requirement for the Remote-access policies are mapped to Dial-in access policy, Remote-access policy, and VPN security policy.
Dial-in access policy: This policy defines to make sure only authorized users are dial in.
Remote-access policy: This will protect the information in the laptop while connecting to the organization network from other external network (home Wi-Fi network).
VPN security policy: Defines the requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the organization network.
Personal devices ad phone policies
Business requirement for the Personal device and phone policies are mapped to Analog and ISDN line policy, and Personal communication device policy
Analog and ISDN line policy: This policy provides the standards to use analog and ISDN lines for sending and receiving faxes and for connection to computers.
Personal communication device policy: This policy defines the information security’s requirements for personal communication devices, such as smartphones, voice mails, and etc.
Application policies
Business requirement for the Application policies are mapped to Acceptable encryption policy, Application service provider (ASP) policy, Database credentials coding policy, Interposes communications policy, Project security policy and Source code protection policy.
Acceptable encryption policy: This policy defines that the proper encryption is maintained during file transfer. Encryption using RSA (Rivest, Shamir, & Adleman) is used in cisco systems organization.
Application service provider (ASP) policy: This defines the minimum-security criteria for the servers.
Database credentials coding policy: This policy defines the securely storing and retrieving database usernames and passwords in the organization.
Inter process communications policy: This policy makes sure two parties are communicating with secure network sockets.
Project security policy: This policy defines for the project managers to review all projects for possible security requirements.
Source code protection policy: This policy protests the source code with minimum security restriction defines as per the process.
Network policies
Business requirement for the Network policies are mapped to extranet policy, Minimum requirements for network access policy, Network access standards, Router and switch security policy, and Server security policy.
Extranet policy: This policy defines the security restriction for the third-party organizations to communicate with cisco systems organization networks. Example, third party vendor has to accept this policy to integrate their system with cisco systems product.
Minimum requirements for network access policy: This policy defines the standards and requirements for any new device that requires connectivity to the cisco systems network.
Network access standards: This policy defines the secure port access to all wired and wire-less devices in the cisco systems organization.
Router, firewalls and switch security policy: This defines minimal security configuration standards for routers, firewalls and switches inside cisco systems production network.
Server security policy: This policy defines the minimal security configuration standards for servers inside cisco systems production network.
Document retention policies
Business requirement for the Document retention policy are mapped to Electronic communication retention policy, financial retention policy, Employee records retention policy, and Operation records retention policy
Electronic communication retention policy: This policy defines standards for the retention of email and messages with a specific time of period. In cisco systems it is 3 months and after 3 months all emails will be deleted, user can request to increase a retention period for his account.
Financial retention policy: This policy defines standards for the retention of bank statements, pay checkup records, and etc.
Employee records retention policy: This policy defines the standards for the retention of employee personal records in a secure location.
Operation records retention policy: This policy defines standards for the retention of past inventories information, suppliers lists, third party vendors and training manuals.
System Design Principles
TBD
The Training Module
TBD
References
Acevedo, L. (2019, Feburary 25). Business Security requirements. Retrieved from https://smallbusiness.chron.com/business-security-requirements-3370.html Cisco. (2019, Feburary). Cisco. Retrieved from https://www.cisco.com/c/en/us/products/security/sas-risk-compliance.html Delhi Quality Services. (2019, Feburary 25). Delhi Quality Services. Retrieved from https://dqsindia.com/cmmi/getting-started/ Germain, R. S. (2005, July/August). Setting Standards. Retrieved from https://pdfs.semanticscholar.org/a94d/b6ae3b0676a975ea094fe818c467350d2a7e.pdf Godfrey , J. (2017, September 06). Retrieved from https://www.algosec.com/blog/five-stages-security-policy-management/ Lee, C.-S., & Wang, M.-H. (2007, July 06). Springer. Retrieved from https://rd.springer.com/article/10.1007/s10489-007-0071-1 Paquet, C. (2013, Feburary 05). Cisco. Retrieved from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3 White, S. (2018, March 16). CIO from Dig. Retrieved from https://www.cio.com/article/2437864/developer/process-improvement-capability-maturity-model-integration-cmmi-definition-and-solutions.html