computer network security policy and design policy
Running head: SECURITY POLICIES AND SECURITY DESIGN
Security Policies and Security Design
Group 3
Mogees Ahmed – Security Diagram and Security Policies (2)
Lazaro Chavez – Business Needs and Security Policy (1)
David Conrad – Security Design and Essay Writing
Bryan Dufresne – Security Design
Edward Guzinski – Security Policies (4)
Maximilian Laray – Role of Devices and Security Policy (1)
Parbat Parajuli – Security Policies (4)
UMUC
CMIT 495 7982 Current Trends and Projects in Computer Networks and Security (2172)
April 16, 2017
Dr. Sam Musa
I. Introduction
The World-Wide Trading Company (WWTC) is an international brokerage firm that conducts operations primarily online and is now looking to expand those operations by adding New York City as a new physical location to set up a regional office. WWTC has 9,000 employees spread across the world at different locations, including its headquarters in Hong Kong, and has recently leased the floor of a building on Wall Street, which will foster the continued success of its business. That location is adequate to support the network infrastructure they need since sufficient wiring and power are already in place. We have been contracted to implement a cutting-edge network by year's end that will initially support a staff of 100 employees while allowing for future growth as well. This paper identifies the security business needs for WWTC along with the security policies to meet those needs, and presents the security design, role of devices, and security diagram.
II. Business Needs
WWTC goals must be addressed to find a balance between security and business needs. This balance will be used to weigh what risk could be taken if fewer security measures were in place. The company needs to identify which expenses can be covered by its budget while also calculating the return on investment. This means choosing between state-of-the-art computer security equipment that is very expensive and less expensive equipment that is not as secure. The network needs to be available every day and must be able to handle the workload of day-to-day operations. The company must also ensure its data is safe. For instance, if an employee sends an email or any other type of data to another employee, the network should ensure the integrity of the data by preventing it from being tampered with. WWTC must conduct business analyses, calculate return on investment (ROI), and uphold the triad of confidentiality, integrity, and availability (CIA) to continue business operations with minimal disruption.
Business analyses will be needed to calculate what the expenses of security devices and configuration are going to be, along with whether the cost would be worth additional security or not. The return on investment will be calculated by using the following formula: ROI = (Gain from investment - cost of investment) / Cost of investment. This will cover all the expenses that will be used for network devices along with the configuration and maintenance of the network. WWTC will ensure confidentiality by providing access only to authorized personnel on a need to know basis. The controls that will be configured are the use of encryption, authentication, and access controls. Integrity will be provided through the use of authentication, non-repudiation, and accountability. The organization will have audit logs in case of security breaches, which will not only save time but revenue as well. High availability will be provided by having WWTC networks adopt the Cisco modular approach by having networks separated into modules, which will ease the congestion in the network and provide fault tolerance. Availability will also be needed to prevent degradation of business operations, resulting in a loss of revenue.
III. Security Policies
When designing a state of the art network, it is imperative to have policies in place to govern and guide security practices along with forming a baseline security posture. A high profile company is often a huge target for hackers and adversaries since they house a lot of sensitive data that can be sold for money. In addition, once the attack is announced on the news, the attackers may gain a lot of fame and notoriety, which is something they can leverage for their own personal gain in the future. Because of these threats, WWTC must implement strong security policies to protect their data and assets from being compromised. Otherwise, WWTC may find themselves in the same situation as the South Carolina Department of Revenue, where a data breach that happened to them was caused by the lack of a strong security policy (Smith, 2012, para. 2). Below are some security policies that define how data on the network will be protected and safeguarded from both external and internal threats. These are important to identify as it sets a standard for how users behave on the network and what constitutes a security violation.
1) Acceptable Use Policy
1. Overview
The WWTC unclassified network contains sensitive data that must not be exposed to unauthorized entities. The Acceptable Use Policy (AUP) is designed to inform users of the unclassified network of their responsibilities in safeguarding access to the information and resources contained on this network, while adhering to the principles that WWTC considers its core guiding beliefs. WWTC is dedicated to ensuring that its employees have the access that they need to perform their functions to the highest level possible, promoting the availability of information while protecting its integrity and authenticity.
This AUP applies to all unclassified local network related systems and devices, including but not limited to network devices, computing systems, personal mobile devices, storage devices, and email accounts. Any device that contains WWTC company data at rest, as well as any device that facilitates the transmission of data in motion falls under the domain of this AUP.
It is imperative that all WWTC employees understand that by using any of the described company assets, they are acknowledging an agreement to adhere to the rules set forth by the AUP, and must perform their activities in accordance with the mandated guidelines.
2. Purpose
The purpose of this AUP is to identify and describe the acceptable use of all company resources pertaining to the WWTC unclassified network. In the event that any employee fails to adhere to these rules, they risk exposing WWTC to external attack or exploitation, loss of network functionality, and potential legal issues.
3. Scope
This AUP creates an umbrella that covers all devices related to the unclassified network, used to both store data at rest as well as facilitate the transfer of data in motion. Any and all devices used, whether owned by WWTC or by its employees, must only be used in accordance with the AUP.
4. Policy
4.1 General Use
4.1.1 WWTC confidential data either stored or in motion on any digital device is considered the property of WWTC. This information must be protected and controlled in accordance with the AUP.
4.1.2 The loss of any confidential data, whether through theft or destruction, must be reported to the Chief Technical Officer immediately.
4.1.3 Access to WWTC company data is limited to the extent that is required to completely perform employee job requirements.
4.1.4 The monitoring of any and all equipment connected to or used in conjunction with the unclassified network is possible at any time without notice.
4.1.5 WWTC has the right and ability to perform security audits on any networked devices at any time, without notice to employees.
4.2 Information Security
4.2.1 Any device used to connect to the unclassified network will be required to adhere to WWTC security policy.
4.2.2 Employee access to workstations and servers will be controlled using smartcards with 8 digit numerical PINs.
4.2.3 Electronic mail received from unknown sources is to be treated as untrusted at all times, and the opening of its attachments is strictly prohibited.
4.3 Unacceptable Use
4.3.1 The unauthorized copying or dissemination of any WWTC intellectual property is forbidden through any means, including but not limited to digital means and written word.
4.3.2 Unauthorized access to resources on the unclassified network that a user does not have permission to access is strictly forbidden.
4.3.3 Installation of any software or program on any unclassified network resource, computing system, mobile device, or networking appliance is prohibited.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
2) Classified Network Use Policy
1. Overview
This policy outlines classified network use for all the WWTC network employees, its administrators, and its higher management. This policy is not for imposing restrictions on its employees but to bring awareness about trust and integrity among the WWTC employees.
2. Purpose
This policy serves as a guideline for how to deal with the classified network, as inappropriate usage of the classified network will put the WWTC network at risk to multiple threat vectors.
3. Scope
This policy applies to all classified network usage to include access, communication, and storage.
4. Policy
4.1 Any communication that requires transport via the Internet must be encrypted.
4.2 WWTC audit team can audit the network at any time to enforce the compliance of this policy.
4.3 Only WWTC authorized administrators may conduct system configurations and network device management.
4.4 Employees must not open email from unknown senders since they may contain malware such as viruses, worms or Trojan horses.
4.5 Employees must keep their passwords secure and must not share them with others.
4.6 Employees must not download any software.
4.7 Employees must not provide information about WWTC or its employees to another agency.
4.8 Unauthorized access or copying of sensitive or classified information is strictly prohibited.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
3) Remote Access Policy
1. Overview
Remote access provides WWTC users with the flexibility and mobility to maintain and increase productivity. While this feature allows users to connect to the WWTC intranet from any remote host, untrusted host, or remote network, it still poses some serious threats. Standards must be designed to minimize the potential exposure of the WWTC internal network.
2. Purpose
The purpose of this policy is to identify how users will be able to remotely connect to the WWTC internal network. Rules and regulations must be designed to mitigate damages to the WWTC network or computer systems while preventing any form of compromise or loss of data.
3. Scope
The remote access policy applies to all users, employees, and vendors that intend to use the WWTC network. All devices, WWTC owned as well as personally owned, must comply with the policy in order to connect to the WWTC network remotely. This policy applies to all remote access connections, including the use of email services as well as WWTC resources.
4. Policy
4.1 General
4.1.1 To connect to WWTC remotely, all users must comply and acknowledge an agreement to adhere to the rules set forth by the remote access policy.
4.2 Requirements
4.2.1 Only authorized users shall be able to connect to WWTC remotely.
4.2.2 All devices remotely connected to the WWTC internal network must have up-to-date anti-virus software.
4.2.3 Personally owned devices must meet the WWTC device requirements in order to connect remotely.
4.2.4 Remote access connection must be secured via encryption.
4.2.5 While using remote access connection, users shall ensure that no other networks are connected to the device.
4.2.6 While connecting to the WWTC internal network, remote access users are strictly required to follow the WWTC policies at all times.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
4) Removable Media Policy
1. Overview
The potential for removable media to be used to cause damage to a network has increased drastically over the past several years. This is why it is imperative that a removable media policy be set.
2. Purpose
The purpose of this policy is to define what behaviors are acceptable when using removable media on WWTC systems. This is necessary to prevent harm to computer systems and to hinder the spread of leaked confidential data and viruses. If an employee fails to meet these policies due to grave negligence, they will be terminated immediately.
3. Scope
This policy applies to any type of removable media and any interaction it has with a WWTC computer system. This includes devices such as CDs, DVDs, Blu-rays, USB drives, External hard drives, etc. The policy will cover the types of approved removable media, where it can be used, who can use it, and how data stored on removable media must be treated and logged.
4. Policy
4.1 Approved Media
4.1.1 The following list contains all approved formats of removable media to be used on WWTC’s unclassified network only:
· Disc based media such as CDs, DVDs, and Blu rays (no RW formats)
· SD Cards
· External Hard Drives
· USB drives
4.1.2 All approved types of removable media must be owned by WWTC. Use of personally owned media is prohibited. Removable media is not permitted on classified networks under any circumstance.
4.2 Authorized Users of Removable Media
4.2.1 Not all employees will have authorization to use removable media at WWTC. If a user wishes to have the privilege of using removable media, they must apply for this through the WWTC security team. Once they have been vetted and approved, the user will have to read and sign a document stating that they have read and understand WWTC’s removable media policy and agree to abide by it. From this point, the user's accounts on the system will be granted the privilege to write to external media.
4.2.2 Authorized users of removable media are the only ones who are allowed to handle it. All transfers of data must be handled solely by the authorized individual.
4.3 Adding files to Removable Media
4.3.1 Before an authorized user can add files to removable media, they must get the transfer approved by the security team. The request will ask the individual for:
· The type of removable media that is being used
· The file that is being copied
· Where the file will be copied from
· Where the file will be copied to
· The user that is performing the move
· The serial number of the workstation where data is being copied from
· The serial number of the device where the data will reside
4.3.2 Once the request is approved, the user may proceed with the removable media transfer. Once the file is placed on removable media, the file must be virus scanned on a stand-alone virus scanning workstation. If no viruses are detected, the user must notify security so this can be placed in the data log. If a virus is detected, cease the transfer and notify security as soon as possible.
4.3.3 If using a disc based format, the disc must be finalized before transferring the media to the destination system.
4.4 Handling and Logging Data Transfers
4.4.1 The user authorized to handle the removable media must do so through every step of the process. Another individual, even if they are authorized to use removable media, must not handle a transfer they were not approved for. All removable media must be kept in a locked cabinet when not in use. Ideally, this will be a place where unauthorized individuals will not be able to access it, such as a personal desk drawer.
4.4.2 Once the transfer of removable media has been completed, the user that performed the transfer must keep a log of all the transfers that they have performed. The log verifies that the request made to security was correct and that nothing had changed along the way.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
5) User Education Policy
1. Overview
With many sophisticated vectors of attack being used today, it is important to train all WWTC employees on how to avoid these incidents and what to do if one occurs.
2. Purpose
The purpose of this policy is to identify the training that will be needed by employees in order to use WWTC computer networks in a safe manner. This is so employees know what is expected of them and measures they can take to keep the company’s assets safe.
3. Scope
This policy applies to all new employees and employees that have not had computer security training in the past year. The policy will discuss the type of training that will be covered, how long the training should last, when employees should take it, and what will happen if they do not comply.
4. Policy
4.1 Training Intervals
4.1.1 All new users are required to sign up for computer security training on their first day of employment. They can do this by registering for the course on the WWTC unclassified intranet. Once they have registered for the course, the user will be permitted to take an hour and a half to two hour course on computer security. If this course cannot be completed on the first day of employment, the employee must take it within three months from their starting date. If the three month deadline is not met, all of the employee’s computer accounts will be disabled until they agree to meet this requirement. Employees are expected to renew this training annually.
4.2 Training Topics
4.2.1 The below subjects are the material covered by the training and things all new employees at WWTC should be familiar with before using the organization’s computer systems:
· Safe Internet browsing techniques
· The definition of terms such as virus, malware, ransomware, botnets, etc.
· How to identify phishing and other malicious emails
· How to identify malicious email attachments
· How to protect confidential company data
· How to recognize physical and virtual attempts at social engineering
· What constitutes a computer security violation
· How a computer security violation should be reported
4.2.2 Once the training has been completed, the employee must acknowledge that they have completed it and that they understand what their responsibilities are in safeguarding the network.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
6) VPN Security Policy
1. Overview
A virtual private network (VPN) allows personally owned computers or workstations to connect to the WWTC internal network while off the building site. A VPN connection will also be configured as a point-to-point connection to Hong Kong and will run IPSec over Generic Routing Encapsulation (GRE). The VPN provides secure access using encryption and tunneling to connect users to branch offices.
2. Purpose
This virtual private network policy outlines guidelines for remote access connection to the WWTC internal network.
3. Scope
The virtual private network policy applies to all users, employees, and vendors that intend to use the WWTC network remotely. All personally owned devices must comply with the policy in order to connect to the WWTC network remotely and securely. This policy applies to all remote access connections, including the use of email services as well as WWTC resources from a remote location.
4. Policy
4.1 General
4.1.1 In order to remotely connect to WWTC networks, all users must comply and acknowledge an agreement to adhere to the rules set forth by the virtual private network policy.
4.2 Requirements
4.2.1 VPN privileges strictly apply to all WWTC employees, users, and vendors. Unauthorized users shall not have access to the WWTC internal network.
4.2.2 Strong user authentication such as PKI will be enforced.
4.2.3 While on VPN connection, VPN tunneling will be used to segregate all traffic coming from the remote host to the internal network, from all other types of traffic, such as those on the Internet.
4.2.4 Dual split tunneling is prohibited. Only one connection is allowed at a given time from an authorized remote user.
4.2.5 VPN users will be automatically disconnected after 45 minutes of inactivity.
4.2.6 Personally owned computers and devices that are using VPN connection must comply with the WWTC VPN and remote access policies.
5. Policy Compliance
The WWTC Information Security department closely monitors all activities conducted on WWTC networks. Any user found in violation of this policy will be subject to immediate disciplinary action, including possible termination or legal action.
7) Device Security Baseline Policy
1. Overview
With any computer device having the potential to be exploited, it is important to have minimum security standards for these devices. The following policy details the minimum security configurations that must be applied to WWTC devices.
2. Purpose
The purpose of this policy is to identify security measures that should be implemented on WWTC computer systems that will provide the first boundary of defense to protect against security breaches. This is a must to provide a basic defense against network attacks. All applicable computer devices must meet this policy in order to be connected to WWTC systems, unless an exception is made by the security team.
3. Scope
This policy applies to all network devices that are connected to WWTC systems. This includes devices such as desktops, laptops, switches, routers, firewalls, servers and other computer devices.
4. Policy
4.1 General Guidance
4.1.1 Before any new device can be added to a WWTC network, even if the same type of device is already running on the network, it must be vetted by the WWTC security team. During the vetting process, the security team will determine:
· The purpose of the device
· Who will use the device
· The capabilities the device has
· Any major exploits for the device that exist in its present state
· If there are exploits, what can be done to correct them
4.1.2 If the device has exploits of some sort in its present state, they must be remediated before they can connect to the WWTC network. If no remediation is available, the device will not be allowed to connect to the network. Exceptions may be granted for certain devices, but only if the device is essential for business operations and no other device can replace it.
4.2 User Endpoint Security
4.2.1 The following security requirements must be implemented on all user endpoint devices before they can be connected to any WWTC network. These include desktops, laptops, tablets, cellular devices, and other such mediums operated by the end user:
· Full hard disk encryption
· All sessions with servers will be encrypted
· Users must be authenticated via Active Directory and PKI via smart cards
· Vendor specific hardening guidelines are followed
· Antivirus must be installed and running on device
· Email filters must be enabled to scan for viruses and block dangerous file extensions
4.3 Server Security
4.3.1 The following must be implemented on WWTC servers before they can be installed on the network. The guidance listed under User Endpoint Security also applies here:
· Some sort of firewall or IPS application must be implemented
· Logs must be kept for all server activity extending back 5 years
· Servers facing the public Internet must be located in the DMZ
· No additional features may be enabled on a server other than the functions that are absolutely necessary
4.4 Network Infrastructure Security
4.4.1 The following must be implemented on network devices being installed on the WWTC network. This includes switches, firewalls, Wi-Fi access points, and other such devices:
· All WAN connections must be secured via a VPN
· All switches and routers must have ACLs configured and enabled to provide the access layer with a solid layer of defense before moving to higher layers
· All switch ports that connect to end devices will have port security enabled to allow two MAC addresses at a time (aside from WAPs) on the unclassified network. The classified network will only allow for one MAC at a time. If port security is tripped, that switch port will shut down and will need to be re-enabled by a network admin. Trunking will also be disabled on these ports
· VLANs will be configured on each switch as needed. Routing will only occur between VLANs that are absolutely necessary
· Hardening guides for each system must be implemented
· Firewalls must be implemented to protect the WWTC networks from any external threats
· Intrusion Prevention Systems will be used to supplement the firewalls and provide another layer of security
· Wi-Fi access points will be secured with WPA2 encryption and will require user credentials via RADIUS to use. Guests will be issued credentials to log in with as well
4.5 Physical Security for Network Devices
4.5.1 The following physical security measures must be implemented for all network devices that reside in a network closet:
· All network closets should be locked when not in use
· Once unlocked, network closets for the Demarcation and Unclassified equipment will require employees to swipe their badge and enter their PIN before gaining entry
· Entry to classified network closets requires a fingerprint scan in addition to a badge and PIN
5. Policy Compliance
Designated members of the WWTC IT team will quality check device configurations prior to connecting them to the production network. Additionally, production devices will be spot checked monthly to ensure continued compliance.
8) Router & Switch Security Policy
1. Overview
This policy outlines minimum configuration standards for all routers and switches connected to WWTC networks.
2. Purpose
This policy serves to provide a list of services and features which must be disabled or utilized per industry standards.
3. Scope
This policy applies to all configurations for routers and switches connected to WWTC networks.
4. Policy
4.1 RADIUS will provide authentication for user accounts.
· Local accounts should be configured with a standard credential set, and only utilized in the event of RADIUS failure.
4.2 Disable unnecessary services on the routers to reserve resources and to avoid potential security breaches.
4.3 All devices must be configured for RADIUS authentication, authorization and accountability.
4.4 The enable secret command must be used to secure the passwords across the network.
4.5 Each device must have the following logon message for all the local and remote users:
· "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
4.6 Routers must shut down the following:
· TCP small services
· UDP small services
· IP directed broadcast
· All source routing
· Automatic configurations
5. Policy Compliance
Designated members of the WWTC IT team will quality check device configurations prior to connecting a router or switch to the production network. Additionally, production routers and switches will be spot checked monthly to ensure continued compliance.
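The quality check described above can be partly automated. The following is an added example, not part of the original paper: a small auditor that reads a Cisco IOS-style configuration and reports violations of sections 4.1 to 4.6 of this policy (prefixed RS) and of the port-security bullet in section 4.4.1 of the Device Security Baseline Policy (prefixed DSB). The sample configuration, the function names, the treatment of trunk ports as uplinks, and the mapping of "automatic configurations" to `service config` are assumptions made for the example.

```python
import re

BANNER_KEY = "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED"  # RS 4.5
PS = "switchport port-security"

# Constructed sample config with deliberate violations (not from a real device).
SAMPLE = """\
service tcp-small-servers
enable password EXAMPLE-ONLY
aaa new-model
aaa authentication login default group radius local
banner login ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
interface GigabitEthernet0/3
 switchport access vlan 20
interface GigabitEthernet0/24
 switchport mode trunk
interface Vlan10
 ip directed-broadcast
"""


def parse_ios(text):
    """Split an IOS-style config into global lines and per-interface blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line[0] == " ":
            if current is not None:
                current.append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text, max_macs=2):
    """Return findings; max_macs is 2 (unclassified) or 1 (classified)."""
    glob, ifaces = parse_ios(text)
    out = []
    def has(prefix):
        return any(l.startswith(prefix) for l in glob)
    if not has("aaa new-model"):
        out.append("RS 4.3: aaa new-model missing")
    logins = [l for l in glob if l.startswith("aaa authentication login ")]
    if not any(re.search(r"\bgroup radius\b.*\blocal\b", l) for l in logins):
        out.append("RS 4.1: login is not RADIUS-first with local fallback")
    if not has("enable secret "):
        out.append("RS 4.4: enable secret not set")
    if has("enable password "):
        out.append("RS 4.4: enable password present")
    banner = re.search(r"^banner (?:login|motd) (\S+)(.*?)\1", text, re.S | re.M)
    if not banner or BANNER_KEY not in banner.group(2):
        out.append("RS 4.5: required logon banner missing")
    # Enabled services appear as positive lines; "service config" is an assumed mapping.
    for svc in ("tcp-small-servers", "udp-small-servers", "config"):
        if has(f"service {svc}"):
            out.append(f"RS 4.6: service {svc} enabled")
    if not has("no ip source-route"):
        out.append("RS 4.6: no ip source-route missing")

    for name, lines in sorted(ifaces.items()):
        if any(l.startswith("ip directed-broadcast") for l in lines):
            out.append(f"RS 4.6: {name}: ip directed-broadcast enabled")
        sw = [l for l in lines if l.startswith("switchport")]
        if not sw or "switchport mode trunk" in sw:
            continue  # assumption: routed ports and uplink trunks are not end-device ports
        if "switchport mode access" not in sw:
            out.append(f"DSB 4.4.1: {name}: not forced to access mode")
        if PS not in sw:
            out.append(f"DSB 4.4.1: {name}: port security not enabled")
            continue
        nums = [int(l.split()[3]) for l in sw if l.startswith(PS + " maximum ")]
        limit = nums[-1] if nums else 1  # IOS default when no maximum is configured
        if limit > max_macs:
            out.append(f"DSB 4.4.1: {name}: allows {limit} MACs, limit is {max_macs}")
        # Shutdown is the IOS default, so only an explicit other mode is a finding.
        if any(l.startswith(PS + " violation ")
               and not l.endswith(" shutdown") for l in sw):
            out.append(f"DSB 4.4.1: {name}: violation action is not shutdown")
    return out


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against a saved configuration with `max_macs=1` for classified-network switches, where only one MAC address per port is allowed.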
9) Server Security Policy
1. Overview
Server security is a crucial part of any organizational network security. Almost all data is at risk of being compromised if servers are not properly configured, updated, and secured. Unsecured and vulnerable servers pose a serious threat, which can create a backdoor to the network.
2. Purpose
This server security policy outlines the guidelines for basic and minimum standards of WWTC server configuration.
3. Scope
This server security policy applies and addresses all of the servers that are connected to the WWTC network. This includes all of the servers operated by WWTC.
4. Policy
4.1 General
4.1.1 Before connecting a server to the WWTC domain, certain requirements must be met.
4.2 Management and Responsibilities
4.2.1 All the internal servers deployed at WWTC are the responsibility of the system administrator.
4.2.2 Prior to deployment, servers must be approved and meet basic configuration standards.
4.2.3 It is the responsibility of the system administrator to monitor server configuration in compliance with the network security policy.
4.3 Requirements
4.3.1 All server configurations must be pre-approved.
4.3.2 Servers should be located in a secured area that is only accessible to the system administrator along with members of IT.
4.3.3 All WWTC servers should be regularly patched and use the latest software updates.
4.3.4 Servers should have host-based anti-malware installed, updated regularly, and implemented properly, such as ensuring that real-time protection is turned on.
4.3.5 Only approved workstations and devices are allowed access to server resources.
4.3.6 System administrator shall manage and maintain backups up to 30 days.
4.3.7 All devices connected to WWTC are required to implement full disk encryption.
4.3.8 Session-based encryption between clients and servers will be implemented in the form of SSL authentication.
5. Policy Compliance
Designated members of the WWTC IT team will quality check device configurations prior to connecting a server to the production network. Additionally, production servers will be spot checked monthly to ensure continued compliance.
10) Information Sensitivity Policy
1. Overview
Information sensitivity policy helps determine and specify how information or data within the WWTC network should be classified.
2. Purpose
The information sensitivity policy outlines the guidelines for what type of information or data can be available or disclosed to the WWTC user, employees, and vendors.
3. Scope
This information sensitivity policy applies to all of the data and information that is stored on the WWTC domain. This policy also covers all of the internally and externally stored data that is owned by WWTC as well.
4. Policy
4.1 General
4.1.1 Information sensitivity policy shall determine the level of classification by severity of the damage.
4.2 Requirements
4.2.1 Role-based access control must be implemented.
4.2.2 Network admins should be assigned minimal access based on the needs of the users in order to perform their jobs.
4.3 Levels of Classification
4.3.1 Unclassified
· Access: Accessible to all WWTC users, employees, and vendors
· Encryption: Full Disk Encryption
· Electronic Distribution: Only approved electronic mail and file transmissions sent by authorized recipients under the WWTC domain
· Storage: Available and accessible to only authorized users that are part of the active directory
· Users and employees shall comply with individual access control
4.3.2 For Official Use Only (FOUO)
· Access: Accessible only to WWTC employees
· Encryption: Full Disk Encryption
· Electronic Distribution: Only approved electronic mail and file transmissions sent by authorized recipients under the WWTC domain.
· Storage: Available and accessible to only authorized users that are part of the active directory
· Users and employees shall comply with individual access control
4.3.3 Classified
· Access: Only to those with approved access
· Encryption: Full Disk Encryption
· Electronic Distribution: Only approved electronic mail sent by authorized recipients under the WWTC domain
· Storage: Available and accessible to only authorized users that are part of the active directory
· Users and employees shall comply with individual access control
5. Policy Compliance
WWTC reserves the right to verify compliance with this policy using various methods, including inspection, video monitoring, and internal and external audits. Any user found to have violated this policy may be subject to disciplinary action.
11) Incident Response Handling Policy
1. Overview
This policy outlines how WWTC will handle any security incidents that may occur.
2. Purpose
This policy serves as a reference for the WWTC incident response team to follow.
3. Scope
This policy applies to all actions taken when an incident requires a response.
4. Policy
4.1 Incident reporting
4.1.1 Incident reporting would be conducted when there is a breach in the network or any other security-related incident. For example, an employee receives an email that appears to be from a co-worker, clicks on the link, and an automatic drive-by download occurs.
4.2 Escalation
4.2.1 Escalation of an incident would be determined by the severity of the breach. This would involve the IT managers and the supervisor of the department in determining the level of the breach.
4.3 Mitigation and Containment
4.3.1 Mitigation will be performed by the system, network, or security administrator who notices an intruder attempting to access the network. Once the intruder has been discovered, the affected system will be placed on a separate network isolated from any WWTC network.
4.4 Eradication and Restoration
4.4.1 The damage that was done to the affected systems will be determined and appropriate measures will be taken. A plan will be drafted and passed along to the appropriate parties. For example, when an attack was caused by an employee clicking on a link from an email, the corrective measure would be to block the sender of the email and educate the employee on phishing emails.
4.5 Information Dissemination
4.5.1 This concerns releasing information about computer-related incidents. Before any information is released, it must go through the CIO and the security director.
4.6 Ongoing Reporting
4.6.1 After the incidents are reported and filed, depending on the severity of the incident (insider threat, compromised DNS, data theft, etc.), the written report shall be passed on to the CIO, IT manager, and commissioners.
5. Policy Compliance
WWTC reserves the right to verify compliance with this policy using various methods, including inspection, video monitoring, and internal and external audits. Any user found to have violated this policy may be subject to disciplinary action.
12) Privacy Policy
1. Overview
When employees use the corporate networks, they must be familiar with how their data may be used on the network. This is vital so employees know the rights they have as a user and what they can expect from the organization regarding auditing activities and how their data is protected.
2. Purpose
The purpose of this policy is to identify how user data on the WWTC networks will be handled and treated. It identifies what rights WWTC has regarding the data that is transmitted and stored on their network, along with the rights users have to the data that is created, transmitted, or received by them. The measures that are taken to protect user data as well as areas where user information may be vulnerable are identified. The policy also details what users consent to by using WWTC’s networks and how their activities will be monitored and tracked. Details are also outlined on what responsibilities WWTC has if a user’s data is lost or stolen.
3. Scope
This policy applies to all individuals with a user account on either the unclassified or classified WWTC networks. All activities conducted by users on these networks are governed by this policy as well as the data that is affected as a result of their actions.
4. Policy
4.1 General Requirements
4.1.1 By logging into any systems that are owned or operated by WWTC, users consent to having all of their activities monitored and logged on the network. This includes but is not limited to:
· File creation, modification, or deletion
· Email messages sent by WWTC employees, including any responses that are received
· Websites that are attempted to be visited or visited by WWTC employees or users
· Any actions performed using a user account, including access to devices by the account, logon attempts (both successes and failures), and modifications made to any computer equipment settings or configurations
4.2 Security Protection
4.2.1 All data that is present on WWTC’s networks is protected using WWTC’s network infrastructure. All best attempts are made to protect all data from being tampered with, damaged, lost, or stolen. However, these measures are in place to protect the interests of WWTC, not the interest of the user. WWTC is not responsible for the loss or damage of any information that is of a personal nature to a user or another entity. If corporate data or assets are affected, a user must report this to the WWTC computer security team immediately so a report can be created regarding the incident.
4.3 Auditing and Ownership of Data
4.3.1 When using WWTC networks, all data that is generated or residing on network infrastructure belongs to WWTC. At any time, WWTC has the right to inspect data on the network to look for signs of malicious intent by users, improper use of the network, and for any other purpose that ensures the protection of WWTC assets. These audits may come without warning to the user and could result in disciplinary action for the employee if anything is found that breaks the terms of use for the network.
5. Policy Compliance
WWTC reserves the right to verify compliance with this policy using various methods, including inspection, video monitoring, and internal and external audits. Any user found to have violated this policy may be subject to disciplinary action.
IV. Security Design
The security design for WWTC’s network implementation will be the foundation established to prevent the network, along with the data stored and transmitted on it, from being compromised. To accomplish this, the security design will focus on the confidentiality, integrity, and availability of information on the network. According to Rouse (2014), confidentiality is limiting information access to authorized individuals only, such as by using encryption or multiple-factor authentication; integrity is assuring the trustworthiness or accuracy of information, such as through file permissions, access controls, or checksums; and availability is guaranteeing that authorized individuals can access information reliably, such as by ensuring adequate bandwidth, avoiding bottlenecks, using redundancy, or having a disaster recovery plan (para. 2). Some of these methods, along with additional ones, will be implemented in this security design, which will be broken up into the security control categories of physical, logical, and administrative.
The physical security control category is the implementation of measures to control physical access to areas where networked devices are located along with physical access to the hardware device itself as well. First, every employee will be issued a smart card, which will be used as picture identification along with also having radio-frequency identification (RFID) capabilities and the ability to hold employee digital certificates. Second, closed-circuit surveillance cameras will be strategically located throughout WWTC’s office space and they will be monitored by security personnel located in the Security office. Third, picture identification will be verified at the Reception areas by security personnel, allowing authorized WWTC employees to enter their office spaces and enforcing that authorized guests be escorted the entire time while in company areas. Authorized guests will be logged when entering and exiting company areas along with being issued a visitor badge that specifies a WWTC employee escort is required at all times. A key thing to note as well is that all traffic in and out of WWTC’s office spaces will go through one of the four Reception areas. The following diagram is the New York City office layout for WWTC, which shows how the office space is segregated along with also showing the location of the Security office in the lower right quadrant:
Fourth, every door within WWTC’s office spaces will be locked and will only open to authorized individuals using the RFID portion of their issued employee smart card. Controlling access in this way will also allow WWTC to track and maintain a history of all access to and from the areas within WWTC’s office spaces, which will not only be beneficial to detect suspicious activity, but to support investigations as well. Most doors only require an authorized RFID to unlock, but some more sensitive areas require two and three-factor authentication to access. For instance, locked doors to the Demarcation and Unclassified LAN closets require two-factor authentication, such as a keypad entry, which is something you know, and RFID in an issued employee smart card, which is something you have. However, the locked doors to the Classified LAN closet and Security office require three-factor authentication, such as a biometric fingerprint scan, which is something you are, a keypad entry, which is something you know, and RFID in an issued employee smart card, which is something you have. Access to any location within WWTC’s office spaces will be authorized based on an individual’s job and on the least required access in order to do their job.
Fifth, the classified computers located in the President, VPs, and Department head offices will be physically locked up in their desks when not in use. Two-factor authentication will be required to unlock the desk and remove the classified computer, such as a biometric fingerprint scan and a keypad entry. Additional authentication factors are also required in addition to company-issued RFID-capable smart cards. These cards allow all personnel access to the areas within the WWTC workspace, whereas only executive personnel that have offices will be authorized to access their office. Additionally, those personnel will also be issued the classified network access card along with an individualized personal identification number (PIN), which is needed to log onto the classified computer. These classified network access cards will only be issued to authorized individuals, such as the President, VPs, Department heads, and network administrators. Sixth and finally, the equipment racks in the Demarcation, Unclassified LAN, and Classified LAN closets will be physically locked and unlocked using keys, which only authorized individuals, such as network administrators, will have access to. These keys will not be allowed to leave WWTC’s office spaces and will be locked up in the security office where they will be guarded by security personnel when not in use.
The logical security control category is the implementation of measures to control access on the network by technical means. First, full disk encryption will be mandatory for all WWTC computers and servers. Group policy will be configured to establish BitLocker on all workstations and servers in the domain using on-board Trusted Platform Modules (TPM). By leveraging the TPM, the disk will be decrypted during power-on, removing the need for members to handle keys for decryption manually. BitLocker will also be used on servers in the same fashion, meaning if a drive were to be removed from a server and utilized in a different machine, it would be inaccessible. By configuring full disk encryption, the integrity and confidentiality of the data is preserved, while only minimally affecting availability of the machines during power on and power off sequences. Session-based encryption between clients and servers will be implemented in the form of SSL authentication. All servers within WWTC will be configured to use SSL and all SSL capable apps will be configured to only use SSL as well.
Second, the Virtual Private Network (VPN) connection will be configured as a point-to-point connection to Hong Kong and will run IPSec over Generic Routing Encapsulation (GRE). A GRE tunnel will be established, creating a “direct” virtual tunnel to Hong Kong, which will only be a single hop away from the internal side. The GRE tunnel will be configured with IPSec AES 256-bit encryption. This method requires that the VPN router in Hong Kong and the VPN router in New York must mutually authenticate in order to receive traffic from one another. In the event that the connection is compromised by means of Man-in-the-Middle (MITM), the mutual authentication will be interrupted, hash values will change, and the tunnel will drop, causing traffic flow to cease. By employing this method of encryption, additional security features such as Access Control Lists (ACLs) will be implemented in order to only allow GRE traffic in and out of the specific port. This would require an adversary to have functional knowledge of the network to spoof correctly. Since this is a complex, yet simple solution, it would be difficult to emulate and take advantage of this system.
Third, the classified network will be physically separated from the unclassified network to ensure there is no crossover of data classifications. The classified network will utilize the unclassified network as a transport layer. Prior to entering the transport layer, the data will go through the core classified router where it will be encapsulated using GRE as well as IPSec and forwarded. Once it is forwarded, it will go through a bulk IP encryption hardware device and transported over the unclassified VPN connection to Hong Kong. Once at Hong Kong, it will go through the bulk IP encryption hardware device to be decrypted. Then the IPSec protection will be removed and de-encapsulated from GRE so it can be processed. The classified network equipment and data will be centrally located in the classified LAN closet. It will also be protected by three-factor authentication as mentioned previously in the physical security section. The purpose of the classified network is only for secure e-mail communications between the executives in New York City and the headquarters in Hong Kong. The communications will consist of sensitive business matters and trade secrets, which is why it must be protected against accidental or intentional reproduction. To prevent said reproduction, safeguards must be put into place to protect the classified data. Firstly, classified processing devices are only accessible by the Information Owner (IO) and will be locked up when not being used. Secondly, all recording, storage, or photographic devices including, but not limited to: cell phones, cameras, voice recorders, flash drives, removable hard drives, CDs, DVDs, printers, papers, and pens or pencils must be removed during classified data processing.
Fourth, the wireless network will be protected by leveraging WPA2-Enterprise with 802.1x. With this solution, wireless clients must connect to the Wireless Access Point (WAP) using authorized credentials. This authorization will be configured by implementing RADIUS to check credentials, such as a user’s smart card, against Active Directory to authenticate and authorize users to connect to the wireless network. Additionally, guest network access will be configured to authenticate guest usernames and passwords, which will be documented and given out at the reception areas. Each guest will sign for the username and password along with being required to sign an Acceptable Use Policy agreement in order to receive guest credentials.
Fifth, smart cards will be employed for two-factor authentication and will be equipped with owner photo, RFID chip associated with card serial number and owner’s name, and certificates issued by the CA, which will also be associated with card serial number and owner’s name. By leveraging smart cards, these will be configured to grant physical access to offices, serve as security badges, and provide logical access to computers, network resources, and e-mails.
Sixth, Active Directory (AD) will be the method used to authenticate users to network resources. Each user account will be created and associated with a smart card. Each smart card will hold 2 certificates which will be signed by WWTC’s Certification Authority. These certificates will be the identity certificate and private encryption certificate. The user will be authenticated to AD with the identity certificate, and will use the private certificate on their card to decrypt e-mails addressed to them. Accompanying every private certificate is a “matching” public certificate, which will be published to the Global Address List upon creation of a user’s account. This public certificate will enable users to send encrypted e-mail to one another as well as send digitally signed e-mails to ensure message integrity and nonrepudiation. With the Public Key Infrastructure (PKI) implemented, User A would use User B’s public certificate to encrypt an e-mail and send it to User B. User B would be the only person capable of decrypting this e-mail by using their private encryption certificate. This ensures confidentiality and integrity by only allowing the authorized receiver the capability to decrypt the e-mail as well as ensuring that the e-mail was not modified in transit. If the e-mail was modified before it was decrypted, then the decryption would not work correctly and the e-mail would not be readable.
Seventh, Access Control Lists (ACL) will be established at various levels in the core and distribution layers of the network to prevent unauthorized traffic. ACLs will be configured not only on routing devices, but also within the firewalls to prevent unauthorized traffic. One such ACL will be allowing only port 443 for SSL traffic inbound to web servers in the DMZ. Another ACL preventing ICMP traffic will be configured at the core routers to prevent reconnaissance in the form of enumeration of devices within the network. Another ACL will prevent remote desktop traffic into servers from any subnet other than IT. Additionally, SSH traffic will be blocked from all non-IT IP addresses.
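The ACL rules listed above depend on rule order, which can be checked before deployment. The following Python model is an added example, not configuration from this paper; the subnets, addresses, and the final catch-all permit are constructed assumptions. It evaluates rules first-match with an implicit deny and reports any rule that can never match because an earlier, broader rule shadows it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption; the paper does not give subnets).
ANY = ipaddress.ip_network("0.0.0.0/0")
IT_SUBNET = ipaddress.ip_network("10.10.50.0/24")
SERVER_SUBNET = ipaddress.ip_network("10.10.60.0/24")
DMZ_WEB = ipaddress.ip_network("192.0.2.0/28")


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        return self.dport is None or self.dport == dport


# The four ACLs from the paragraph above, modelled as one ordered list.
ACL = [
    Rule("deny", "icmp", ANY, ANY),                        # no ICMP enumeration
    Rule("permit", "tcp", ANY, DMZ_WEB, 443),              # only 443 into DMZ web servers
    Rule("deny", "ip", ANY, DMZ_WEB),
    Rule("permit", "tcp", IT_SUBNET, SERVER_SUBNET, 3389), # RDP to servers from IT only
    Rule("deny", "tcp", ANY, SERVER_SUBNET, 3389),
    Rule("permit", "tcp", IT_SUBNET, ANY, 22),             # SSH from IT only
    Rule("deny", "tcp", ANY, ANY, 22),
    Rule("permit", "ip", ANY, ANY),                        # assumed catch-all for other traffic
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching rule; no match means deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


def covers(earlier, later):
    """True when every packet matching `later` already matches `earlier`."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return (proto_ok and port_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def shadowed(acl):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# Same rules with the RDP deny placed before the IT permit: IT loses RDP access.
MISORDERED = ACL[:3] + [ACL[4], ACL[3]] + ACL[5:]

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "10.10.50.7", "10.10.60.5", 3389))
    print(evaluate(MISORDERED, "tcp", "10.10.50.7", "10.10.60.5", 3389))
    print(shadowed(MISORDERED))
```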
Eighth, port security will be configured at each access switch for all access ports. The method of port security will be MAC sticky, which will maintain a preset number of MAC addresses per port. For the unclassified network, MAC sticky will be implemented with two MACs, which allows only two devices to be connected to a port. Once a third MAC is learned on the port, the port will be configured to be shut down in error disable mode. This will require IT to reset the port and verify only authorized devices are connected. By setting the limit to two, this ensures all ports will allow a phone and workstation to be connected. One potential issue with this configuration is that desk moves will require IT intervention to ensure MAC sticky is cleared. However, for the classified network, MAC sticky will be implemented with one MAC, which allows only one device to be connected to a port. All user ports on both networks will also be configured with switchport mode access, switchport access vlan ##, and switchport voice vlan ##. By configuring these options, the ports are configured only as access ports and are unable to have 802.1q trunking configured.
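The port security settings described above can be verified during the configuration checks WWTC performs. The following Python auditor is an added example, not part of the paper's design; the sample configuration is constructed, VLAN IDs 10 and 20 stand in for the "##" placeholders, and the exempted uplink name is hypothetical. It relies on the IOS defaults of a maximum of one MAC address and a shutdown violation mode, and on the fact that the limits have no effect unless the bare switchport port-security command is present.

```python
import re

# Constructed IOS-style configuration for illustration only. VLAN IDs 10 and 20
# stand in for the "##" placeholders used in the text.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description compliant phone and workstation port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/2
 description limits typed in, feature never switched on
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/3
 description limit too high, violation does not shut the port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/4
 description unused, administratively disabled
 shutdown
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def audit_port(cmds, max_macs):
    """List the ways one port departs from the port security requirements."""
    if "shutdown" in cmds:
        return []  # a disabled port cannot learn any MAC address
    findings = []
    if "switchport mode access" not in cmds:
        findings.append("not forced to access mode")
    if "switchport port-security" not in cmds:
        # Without the bare command the maximum/sticky lines are inert.
        findings.append("port security not enabled")
        return findings
    maximum, violation = 1, "shutdown"  # IOS defaults when not configured
    for cmd in cmds:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
        if m:
            maximum = int(m.group(1))
        m = re.fullmatch(r"switchport port-security violation (\S+)", cmd)
        if m:
            violation = m.group(1)
    if maximum > max_macs:
        findings.append(f"maximum {maximum} exceeds limit {max_macs}")
    if "switchport port-security mac-address sticky" not in cmds:
        findings.append("sticky learning not configured")
    if violation != "shutdown":
        findings.append(f"violation mode is {violation}, not shutdown")
    return findings


def audit(config, max_macs=2, uplinks=()):
    """Return {interface: findings} for every non-compliant, non-exempt port."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if name in uplinks:
            continue
        findings = audit_port(cmds, max_macs)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG, 2, {"GigabitEthernet1/0/48"}).items():
        print(port, problems)
```

Calling audit with max_macs=1 applies the classified-network limit, under which the first sample port is also reported.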
Ninth, the VLANs within the network have been divided by role and responsibility within the company. Management and Executives have been placed in their own VLAN. Similarly, Brokers, Staff, Reception, Printers, Servers, Wireless clients, and Device Management have their own respective VLANs to isolate broadcast domains and prevent sensitive but unclassified data from traversing network segments to users that do not have the need to know.
Tenth, network device hardening will occur in compliance with WWTC policy as well as industry best practices. Telnet will be disabled on all devices and only SSH will be configured. Network device authentication will occur via Active Directory by use of RADIUS. Default local logon and enable passwords will be changed and configured uniformly throughout the network. The local credentials will be stored in a classified storage container in the classified network closet and will be changed quarterly.
Eleventh, host-based anti-malware will be implemented on every networked computer and device. Since new malware is created every day for malicious purposes that can compromise the confidentiality, integrity, and availability of networks along with the data that resides on them, WWTC will have host-based anti-malware updated regularly and implemented properly, such as ensuring that real-time protection is turned on. Email filtering will also be implemented, which will scan for viruses and prevent files with certain extensions, such as .exe, .bat, .ps1 or .scr, from being transmitted or received. This will help prevent malware from accidentally being installed by a user opening an attachment from their email. Additionally, host-based intrusion detection systems will be implemented on all servers to monitor and analyze all traffic to and from the internal servers to identify any malicious behavior or attack.
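An extension filter such as the one described above only works if file names are normalized before comparison. The following Python check is an added example, not WWTC's or any product's filter; it goes beyond the text by also looking inside ZIP attachments, and the nesting and size limits are assumptions. It handles mixed case, double extensions, trailing dots and spaces (which Win32 path handling strips), and blocked files wrapped in an archive.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = {".exe", ".bat", ".ps1", ".scr"}  # the extensions named in the text
MAX_DEPTH = 3                          # assumed limit on nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # assumed limit on one unpacked member


def normalized_extension(filename):
    """Return the final extension, lower-cased, as the operating system would see it."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.strip().rstrip(". ").lower()   # "setup.exe. " is still setup.exe
    dot = base.rfind(".")
    return base[dot:] if dot != -1 else ""


def verdict(filename, data=b"", depth=0):
    """Return ("allow" | "block", reason) for one attachment."""
    ext = normalized_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{filename}: extension {ext} is blocked"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "allow", ""
    if depth >= MAX_DEPTH:
        return "block", f"{filename}: archive nesting exceeds {MAX_DEPTH}"
    with zipfile.ZipFile(buf) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted members cannot be inspected, so fail closed.
                return "block", f"{filename}: encrypted member {info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                return "block", f"{filename}: member {info.filename} is too large"
            inner = verdict(info.filename, archive.read(info), depth + 1)
            if inner[0] == "block":
                return inner
    return "allow", ""


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("report.pdf", b""),
        ("invoice.pdf.exe", b""),
        ("PHOTO.SCR", b""),
        ("setup.exe. ", b""),
        ("notes.zip", make_zip({"docs/run.BAT": b"echo hi"})),
    ]
    for name, payload in samples:
        print(repr(name), verdict(name, payload))
```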
Twelfth, firewalls and intrusion prevention systems (IPS) are provided by the Cisco Adaptive Security Appliance (ASA). Two firewalls will be implemented in order to provide a perimeter defense for the unclassified network and one will be implemented for the classified network. Firewalls are used to prevent attackers or any other type of unauthorized communications from entering the internal network and to only allow those specific types of communications through that are required to conduct operations. No matter what, all external communications will go through a firewall, which will ensure that nothing bypasses the security measures that are put in place. IPSs will be implemented in order to automatically prevent unauthorized intrusions, such as denial of service (DoS) attacks, without any interaction required from a network administrator. It is also recommended to use a DoS protection service since those companies will have more resources available to protect against DoS attacks.
Thirteenth and finally, a demilitarized zone (DMZ) will be established to allow public users to access the public servers from the Internet while also isolating them from WWTC’s internal network in case a public server is ever compromised. A firewall is the barrier between the DMZ and the internal network, which will allow users on the internal network access to the public servers as well, but will prevent communications coming from anyone else from going through to the internal network. In addition to the firewall, public users will connect to the public servers in a secure manner, such as requiring the use of robust passwords that are ten characters long and requiring the use of HTTPS for all server communications, along with implementing web application hardening by removing vulnerabilities and limiting user input to avoid buffer overflow attacks. It is also recommended that a honeypot be implemented to lure in would-be attackers so their actions can be logged and tracked. Doing this will allow WWTC to learn how attackers attempt to break in so new security measures can be implemented, along with gathering forensic evidence to prosecute attackers.
The administrative security control category is the implementation of administrative measures to maintain security. This includes the development and compliance with local policies, industry best practices, and federal laws. Since WWTC is a trade company, many guidelines set forth by the Federal Trade Commission (FTC) will be followed, to include the Payment Card Industry Data Security Standard (PCI DSS). First, in dealing with customer transactions, WWTC must be compliant with the PCI DSS. In order to be compliant, the criteria in the table below must be met, which was taken directly from the PCI DSS document (PCI Security Standards Council, 2016):
In addition to the table criteria, quarterly PCI scans must be accomplished to ensure continued PCI compliance. Currently, it is estimated that WWTC will process between 20,000 and 1 million transactions annually. If this holds true, WWTC will be a level 3 company, however, if WWTC processes between 1 million and 6 million transactions annually, it will be a level 2 company. There is no change in requirements for PCI compliance between level 3 and level 2, as they are both required to conduct yearly risk assessments while utilizing a Self-Assessment Questionnaire.
Second, twelve security policies, as mentioned previously above, are written to provide guidelines on how WWTC plans to protect their information technology network and assets. They are strategic-level documents that are sponsored by executive-level management at WWTC and provide formal guidance on the execution as well as coordination of information security activities for WWTC. Third, user education, which is covered in the User Education policy above, is to educate WWTC users on mitigating social engineering attacks, on proper network etiquette, and on established security policies, to name just a few. This will ensure that all users at WWTC are well informed on the security practices that need to be followed in order to effectively protect WWTC’s network. Human error and lack of knowledge are weak points in security and user education aims to mitigate that vulnerability. Users will be required to undergo user security awareness training periodically. During their orientation they will be walked through the current standing policies, as well as participate in basic information protection and information assurance training in order to be made aware of the security practices and reporting procedures in the event of a potential security breach. Additionally, users will be required to pass a yearly information assurance awareness test to validate they know and understand what is required of them.
Fourth, disaster preparedness and recovery plans will be established in order to effectively recover from disasters and resume operations as quickly as possible with little to no data loss in the process. All data will be backed up daily and also checked on a periodic basis to validate the integrity of the data. Additionally, scheduled exercises will be conducted at least once a year to evaluate and validate the procedures in place to recover from a disaster as well as to ensure network administrators are trained in those procedures in order to improve efficiency. It is recommended that WWTC consider offsite backups and an alternate location or cold site in case any disaster is severe enough to prevent them from recovering at their primary location.
Fifth, personnel registration and accounting procedures will be established to ensure all employee information will be officially documented and tracked. User accounts and access are based on that information, which includes job titles and responsibilities. Since it is very important that the information is correct in order to ensure all access is granted to authorized individuals only, audits will be conducted on a quarterly basis to validate all employee information. Additionally, personnel separation procedures will be established to remove access, delete all accounts, and retrieve any employee issued material, including smart cards. Conducting those procedures will be required immediately once an employee is separated to ensure their access, accounts, or employee issued material can no longer be used. This will prevent ex-employee credentials from being used to gain unauthorized access to WWTC’s physical offices and network resources.
Sixth and final, configuration management will be established to track configurations of networking equipment and an approval process will be implemented for any configuration changes that need to be made. Not only will this help maintain network performance and availability, but it will also maintain security measures that are put in place to protect WWTC’s network resources. As previously mentioned, human errors occur and are weak points in security, such as when the wrong configurations are implemented due to a lack of knowledge or when security measures are removed to assist in troubleshooting a network issue. While the approval process may require more time to make configuration changes, including more people in the situation will help ensure that any configuration changes being made are correct and will not adversely affect anything else on the network.
Lastly, this security design will mitigate four primary network attack categories: reconnaissance, access, and DoS attacks, along with malware. Reconnaissance attacks, previously mentioned in the ACL section above, will be denied by preventing enumeration through the use of ACLs to block ICMP. Access attacks can be perpetrated by methods of social engineering, privilege escalation, and password attacks. These threat vectors will be safeguarded by means of user education about dealing with IT personnel and protecting smart cards or other credentials along with implementing the principle of least privilege, enforcing complex passwords, and encrypting the Active Directory database. DoS attacks, previously mentioned in the firewalls and intrusion prevention systems section above, will be denied by preventing them through the use of the IPS in the Cisco ASA or the recommended DoS protection service. Malware, previously mentioned in the host-based anti-malware section above, will be prevented by implementing host-based anti-malware on every computer and device. An up-to-date and properly implemented host-based anti-malware will prevent malware, such as worms, viruses, and Trojan horses, from compromising WWTC’s networks and devices.
V. Role of Devices
This section of the document covers the role that each of the separate devices plays in providing security regarding the separate layers of the Open Systems Interconnection (OSI) model, as well as those devices that provide physical security. By installing multiple layers of security devices, WWTC will achieve better security through defense in depth.
In relation to the OSI model, the physical layer is concerned with threats in the real world to the actual devices that provide the ability for the network to function. The physical connectors and power that are required to maintain the network are at risk and as such, the role of physical security devices is two-fold: restricting access and ensuring continued operation. Through the use of access restricting devices like door locks, smart card readers, keypads, biometric fingerprint scanners, security cameras and human measures like security guards, WWTC will decrease the chances of any unauthorized access from occurring that could result in physical damage to networking equipment or provide easier access through direct communication with a router or switch. Better accountability is also provided as these security devices provide a better measure of tracking who has access to specific devices or areas and when they actually access them. In addition to these roles, physical security will also be the first step in preventing a common form of attack against the network known as Address Resolution Protocol (ARP) cache poisoning, where an unauthorized device is physically connected to the network by spoofing an authorized device’s media access control (MAC) address.
The environment that the networking equipment is physically located within is also very important. Too much humidity, temperature, or lack of proper air flow can have disastrous consequences. Because of this, a proper heating, ventilation, and air conditioning (HVAC) system will play the key role WWTC needs to mitigate any sort of damage of this type from occurring to networking devices. By installing battery backups as well as onsite emergency generators, WWTC can be assured that in the event of a power loss their network will continue to function properly. Surge protection and other insulation from electrical damage are critical, and those roles are filled by those types of devices.
At the datalink layer, a switch will act as a juncture between the network and physical layer. This extremely important function will be performed by a layer 2 switch made by Cisco. The configuration of the switch is what will provide data link layer security. The role that the switch plays in security will mainly consist of restricting unauthorized access to the network through the actual network itself. These switches will be configured to improve security and performance on the network.
Through the creation of multiple subnets using a best practices design of network hierarchy, WWTC can improve the performance of the network by reducing network broadcasts. It will also allow for more efficient scaling or modification of specific departments that are assigned to individual subnets. These subnets can be assigned to multiple VLANs, allowing improved security as well through restricting access and communications between them in the network layer.
If the WWTC network remains around the current number of users, then the layer 2 switches can also play a role in preventing unauthorized MAC addresses from connecting. Unused ports on the switches will be disabled as well, which will prevent unauthorized devices from connecting to an empty port. As previously mentioned, physical security will reduce the opportunity for an unauthorized device to be added to the network. However, in the event that it does happen, configuring static rather than dynamic ARP cache entries on layer 2 switches will prevent ARP cache poisoning.
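The two switch-port controls described above (a MAC restriction on active ports, and unused ports disabled) can be checked automatically against a saved configuration. The following is an added example, not part of the WWTC design documents; the sample configuration is constructed, and marking spare ports with `description UNUSED` is an assumed naming convention.

```python
import re

# Constructed sample of an IOS-style layer 2 switch configuration; the
# port numbers, VLAN and MAC address are made up for this example.
# Assumption: spare ports are labelled "description UNUSED".
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description UNUSED
 shutdown
!
interface FastEthernet0/4
 description UNUSED
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_ports(config):
    """Flag ports that break the two layer 2 controls described above."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # administratively disabled: nothing can attach
        if any(c.lower() == "description unused" for c in cmds):
            findings[name] = "unused port is not shut down"
        elif "switchport port-security" not in cmds:
            findings[name] = "active port has no MAC restriction"
    return findings
```

Running `audit_ports(SAMPLE_CONFIG)` reports FastEthernet0/2 and FastEthernet0/4, the two ports where one of the controls is missing.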
The routers and routing protocols that make up the network layer will play a crucial role in controlling which devices are able to communicate and with whom they are able to communicate. This role is achieved through several steps that limit access to the router configurations, control IP address assignment, and implement strict access control lists (ACLs) to restrict network resources to the proper users. By first securing and limiting virtual access to the router through its telnet port, the configuration of the router itself can be controlled. A strong password will play the role of preventing any unauthorized access. If this is not implemented, an attacker could simply brute force their way past and have total control over changing any aspect of the router’s configuration to suit their needs. With the proper configuration of ACLs, WWTC can restrict the access of different departments or users to specific objects, networks, and devices. This is a critical role to be filled, as it allows very strict controls to be put in place and a very finely tuned design to be implemented. Specific subnets and VLANs can be targeted to disallow or allow access to any resource.
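Because router ACLs are evaluated top-down with the first match deciding and an implicit deny at the end, rule order determines whether the department restrictions described above actually hold. The following is an added example, not part of the WWTC design; the subnets and department roles are constructed, and the rule format is a simplification that matches on source and destination network only.

```python
import ipaddress

# Constructed rule set; the subnets and department roles are made up.
# Each rule is (action, source network, destination network). As on a
# router ACL, rules are checked top-down and the first match wins.
ACL = [
    ("permit", "10.1.10.0/24", "10.1.30.0/24"),  # Finance -> finance servers
    ("deny",   "10.1.0.0/16",  "10.1.30.0/24"),  # everyone else is kept out
    ("permit", "10.1.20.0/24", "10.1.30.0/24"),  # Sales: unreachable rule
    ("permit", "10.1.0.0/16",  "10.1.40.0/24"),  # all staff -> print servers
]

def decide(acl, src, dst):
    """Return (action, rule number) for one src -> dst flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, src_net, dst_net) in enumerate(acl, start=1):
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)):
            return action, number
    return "deny", None  # implicit deny: nothing matched

def shadowed_rules(acl):
    """Return numbers of rules that an earlier, broader rule always pre-empts."""
    shadowed = []
    for i, (_, src_net, dst_net) in enumerate(acl):
        src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
        for _, earlier_src, earlier_dst in acl[:i]:
            if (src.subnet_of(ipaddress.ip_network(earlier_src))
                    and dst.subnet_of(ipaddress.ip_network(earlier_dst))):
                shadowed.append(i + 1)
                break
    return shadowed
```

Rule 3 can never take effect because rule 2 already covers it, which `shadowed_rules(ACL)` reports; a review of a real ACL would look for the same ordering mistake.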
While the configuration of the layer 3 routers will be imperative to filling the role of protecting and controlling internal network access, another device will be needed to provide more protection to external access from the Internet. Both a firewall and an IPS will be needed, and both roles will be completed by a Cisco ASA. The firewall will perform the function of preventing unauthorized external sources from reaching internal resources. Additionally, it will provide secure access to external resources and allow secure communication from devices that need to send data across the wide area network (WAN). The IPS will increase both the security and efficiency of the network by automatically preventing attacks that could interrupt or compromise network resources.
VI. Security Diagram
The network architecture for WWTC is taking the defense in depth strategy when it comes to security, which was previously mentioned in the Security Design section above. The following is the security diagram for WWTC’s New York office:
VII. Conclusion
In conclusion, this paper identified WWTC’s security business needs along with the security policies to support those needs, and presented the security design, role of devices, and security diagram. WWTC requires a highly secure network infrastructure to ensure the confidentiality, integrity, and availability of all data that resides on or transits their network, so that business operations can be conducted freely without compromise. This network implementation will provide WWTC with the secure foundation they need while at the same time instilling public confidence that customer information will be protected, which will enable the success of their business for many years to come.
References
PCI Security Standards Council (2016, April). Payment Card Industry (PCI) data security standard - Requirements and security assessment procedures. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
Rouse, M. (2014, November). What is confidentiality, integrity, and availability (CIA triad)? Retrieved from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
Smith, T. (2012, November 14). Lack of security policy cited in S.C. breach. Retrieved April 14, 2017, from https://www.usatoday.com/story/news/nation/2012/11/14/lack-computer-security-policy-sc-hacking/1704529/