Subject: Operation Security
Assignment: Create User Policy

Learning Objectives and Outcomes
▪ Create a report detailing user access policies based on research.
▪ Explain the details of user policy creation in organizations.

Scenario
You work for a large, private health care organization that has server, mainframe, and RSA user access. Your organization requires identification of the types of user access policies provided to its employees.
Sean, your manager, just came into your office at 6:00 p.m. on Friday and asks you to write a report detailing these user access policies. He needs you to research a generic template and use that as a starting point from which to move forward. He wants you to complete this task over the weekend, as he has just been given a boatload of tasks in the management meeting which ended a few minutes ago. He is counting on you to take some of the load off his shoulders. The report is due to senior management next week.

Assignment Requirements
Look for existing policy templates and examples from organizations of similar type. Write a report detailing these user access policies based on your research, and place them into a table with an introduction explaining the following: who, what, when, why. Be sure to add a conclusion with a rationale for your selection. Reference your research so Sean may add or refine this report before submission to senior management.

Required Resources
None

Submission Requirements
Format: Microsoft Word
Font: Arial, 12-Point, Double-Space
Citation Style: Your school’s preferred style guide -> APA
Length: 3–4 pages

Self-Assessment Checklist
▪ I created a professional report.
▪ I included a table listing policies for the given scenario.
▪ I used references.
▪ I used my school’s preferred style guide and formulated my report clearly.
▪ I provided a rationale and conclusion.

Reference textbook
Textbook: Security Policies and Implementation Issues, Author: Robert Johnson

Reading
Review the Required Readings assigned for this lesson from your textbook, Security Policies and Implementation Issues, 2nd edition:
Chapter 9: “User Domain Policies”
Chapter 10: “IT Infrastructure Security Policies”

Security Policies and Implementation Issues
Week 9 – Chapter 9
User Domain Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Key Concepts
▪ Reasons for governing users with policies
▪ Regular and privileged users
▪ Acceptable use policy (AUP) and privileged-level access agreement (PAA)
▪ Security awareness policy (SAP)
▪ Differences between public and private User Domain policies
The User as the Weakest Link in the Security Chain
People who use computers have different skill levels, and thus different perceptions of information security
Social engineering can occur at any time within any organization
Human mistakes occur often and can lead to security breaches
The User as the Weakest Link in the Security Chain
One of the most significant threats comes from within an organization, from an “insider”
Applications have weaknesses that are not known, and these weaknesses can be exploited by users either knowingly or unknowingly
Security awareness training can remove this weakest link in the security chain
Different Types of Users Within an Organization
▪ Employees
▪ Contractors
▪ System admins
▪ Security personnel
▪ Vendors
▪ Guests and general public
▪ Control partners
Contingent and System Accounts
Contingent Accounts
▪ Need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data
▪ Credentials are prime targets for hackers
▪ IDs are not assigned to individuals until a disaster recovery event is declared
System Accounts
▪ Need elevated privileges to start, stop, and manage system services
▪ Accounts can be interactive or non-interactive
▪ System accounts are also referred to as “service accounts”
User Access Requirements
▪ Users require different access
▪ Users require information from different systems
▪ Data has different security controls
Differences and Similarities in User Domain Policies
Similarities
• Private organizations may follow public compliance laws depending on their governance requirements
• Public organizations may be small in size and thus have similar control over their user populations
Differences and Similarities in User Domain Policies
Differences
• Public organizations must follow Sarbanes-Oxley Compliance (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
• Private organizations are often smaller and easier to control from a user standpoint
• Private organizations may not follow public compliance laws
Acceptable Use Policy (AUP)
▪ Attempts to protect an organization’s computers and network
▪ Addresses password management
▪ Addresses software licenses
▪ Addresses intellectual property management
▪ Describes e-mail etiquette
▪ Describes the level of privacy an individual should expect when using an organization’s computer or network
▪ Describes noncompliance consequences
Privileged-Level Access Agreement (PAA)
▪ Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
▪ Asks user to promise to use access only for approved organization business
▪ Asks user to promise not to attempt to “hack” or breach security
▪ Asks user to promise to protect any output from these credentials such as reports, logs, files, and downloads
Security Awareness Policy (SAP)
▪ Addresses:
• Basic principles of information security
• Awareness of risk and threats
• Dealing with unexpected risk
• Reporting suspicious activity, incidents, and breaches
• Building a culture that is security and risk aware
Roles and Responsibilities: Who Needs Training?
▪ All Users
▪ Executive Managers
▪ Program and Functional Managers
▪ IT Security Program Managers
▪ Auditors
▪ IT Function Management and Operations Personnel
Best Practices for User Domain Policies
▪ Attachments—Never open an e-mail attachment from a source that is not trusted or known
▪ Encryption—Always encrypt sensitive data that leaves the confines of a secure server
▪ Layered defense—Use an approach that establishes overlapping layers of security
▪ Least privilege—Individuals should only have the access necessary to perform their responsibilities
▪ Patch management—All network devices should have the latest security patches
▪ Unique identity—All users must use unique credentials
▪ Virus protection—Virus and malware prevention must be installed on every desktop and laptop computer
Least Access Privilege and Best Fit Access Privilege
Least Access Privileges: Customizes access to the individual
Best Fit Privileges: Customizes access to the group or class of users
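The slide states the two models in one line each; what it does not show is the trade-off between them. The following is an added example, not from the textbook or the assignment: it models a small health care staff with constructed users, roles and permission names, grants access once per individual (least access privilege) and once per role (best fit privilege), then audits the excess a credential would carry under each model. That excess is the exposure if the credential is breached or abused, which is the risk the PAA slide acknowledges.

```python
"""Least access privilege (per individual) vs best fit privilege (per group).

Added example; all users, roles and permission names below are constructed
sample data, not from the textbook.
"""
from typing import Dict, FrozenSet, Set

# Constructed sample: the permissions each person needs for their responsibilities.
NEEDS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"read_patient_record", "write_patient_record"}),
    "bob":   frozenset({"read_patient_record"}),
    "carol": frozenset({"read_patient_record", "write_patient_record", "sign_orders"}),
    "dave":  frozenset({"view_billing", "edit_billing"}),
    "erin":  frozenset({"view_billing"}),
}

# Constructed sample: the "group or class of users" each person belongs to.
ROLE_MEMBERS: Dict[str, FrozenSet[str]] = {
    "clinical": frozenset({"alice", "bob", "carol"}),
    "billing":  frozenset({"dave", "erin"}),
}


def least_privilege_grants(needs: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Least access privilege: each individual is granted exactly what they need."""
    return {user: set(perms) for user, perms in needs.items()}


def best_fit_grants(needs: Dict[str, FrozenSet[str]],
                    role_members: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Best fit privilege: one permission set per role, wide enough for every member.

    The role's permissions are the union of its members' needs, so the role
    "fits" everyone in it; each member then inherits the whole set.
    """
    role_perms: Dict[str, Set[str]] = {
        role: set().union(*(needs[m] for m in members))
        for role, members in role_members.items()
    }
    grants: Dict[str, Set[str]] = {}
    for role, members in role_members.items():
        for member in members:
            grants.setdefault(member, set()).update(role_perms[role])
    return grants


def is_permitted(grants: Dict[str, Set[str]], user: str, perm: str) -> bool:
    """Access decision: does this user's grant set contain the permission?"""
    return perm in grants.get(user, set())


def unmet_needs(grants: Dict[str, Set[str]],
                needs: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Permissions a user needs but was not granted (would break their job)."""
    gaps = {u: set(needs[u]) - grants.get(u, set()) for u in needs}
    return {u: g for u, g in gaps.items() if g}


def excess_privilege(grants: Dict[str, Set[str]],
                     needs: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Permissions a user holds but does not need: what an abused credential
    could reach beyond that person's responsibilities."""
    extra = {u: grants.get(u, set()) - set(needs[u]) for u in needs}
    return {u: e for u, e in extra.items() if e}


if __name__ == "__main__":
    for label, grants in (("least access privilege", least_privilege_grants(NEEDS)),
                          ("best fit privilege", best_fit_grants(NEEDS, ROLE_MEMBERS))):
        print(f"{label}: unmet needs={unmet_needs(grants, NEEDS)} "
              f"excess={excess_privilege(grants, NEEDS)}")
```

Both models leave no need unmet, so the difference is entirely in excess: under best fit, bob (who only reads records) inherits write and order-signing rights from the clinical role, and erin inherits billing edit rights. Least access privilege removes that excess at the cost of one grant set to maintain per person instead of per role, which is the administrative reason organizations often settle for best fit.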
Who Develops User Policies
▪ Chief financial officer (CFO)
▪ Chief operations officer (COO)
▪ Information security manager
▪ IT manager
▪ Marketing and sales manager
▪ Unit manager
▪ Materials manager
▪ Purchasing manager
▪ Inventory manager
Summary
▪ Different user types and user access requirements in an organization
▪ SAP, AUP, and PAA
▪ Roles and responsibilities associated with user policies
▪ User policies in public and private organizations
Security Policies and Implementation Issues
Week 9 – Chapter 10
IT Infrastructure Security Policies
Key Concepts
▪ Elements of an infrastructure security policy
▪ Policies associated with various domains of a typical IT infrastructure
▪ Best practices in creating and maintaining IT policies
Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
▪ The interaction of various layers of the network
▪ The placement of key controls
▪ The types of risks to be detected and guarded against
Three Ways to Organize Policies
Domain
Functional Area
Layers of Security
Seven Domains of a Typical IT Infrastructure
Policy Organization
▪ Requirements may cross domains
− Malware protection
− Password/Authentication requirements
▪ Requirements may conflict between domains
▪ Policies will vary among organizations
▪ Use standard document types to identify domain security control requirements
Creating Policy Documents
▪ Documents should
− Differentiate between core requirements and technological requirements
− Follow a standard format
− Remain relevant without constant modification
− Not contain duplicate content
Policy Documents
Control Standards
• Policy statements concerned with core requirements
Baseline Standards
• Minimum security requirements for specific technologies
Procedure Documents
• Implementation processes; each baseline standard needs a procedure
Guidelines
• Recommendations
Dictionary
• Used in the policies that define the scope and meaning of terms used
Workstation Domain
Workstation: end user devices (laptops, desktops, mobile devices); focus on physical and logical security
▪ Control Standards
− Device management
− User permissions
− Align with functional responsibilities
▪ Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
▪ Procedures
− Step-by-step configuration instructions
▪ Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
LAN Domain
LAN: local area network infrastructure (servers, network infrastructure); focus on connectivity and traffic management
▪ Control Standards
− Firewalls
− Denial of Service
− Align with functional responsibilities
▪ Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
▪ Procedures
− Step-by-step configuration
▪ Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
LAN-to-WAN Domain
LAN to WAN: connects the LAN to an outside network (e.g., the Internet); focus on securing resources that bridge internal and external networks
▪ Control Standards
− Access control to the Internet
− Traffic filtering
▪ Baseline Standards
− Specific technology requirements for perimeter devices
▪ Procedures
− Step-by-step configuration
▪ Guidelines
− DMZ, IDS/IPS, content filtering
WAN Domain
WAN: Wide Area Network (e.g., Internet) services and hardware; focus on WAN connection management, DNS
▪ Control Standards
− WAN management, Domain Name Services, router security, protocols, Web services
▪ Baseline Standards
− Review standards from vendors or organizations
▪ Procedures
− Step-by-step configuration of routers and firewalls
− Change management
▪ Guidelines
− When and how Web services may be used
− DNS management within the LAN and WAN environments
Remote Access Domain
Remote Access: end user remote connection technology; focus on authentication and connection
▪ Control Standards
− VPN connections
− Multi-factor authentication
▪ Baseline Standards
− VPN gateway options
− VPN client options
▪ Procedures
− Step-by-step VPN configuration and debugging
▪ Guidelines
− Description of threats
− Security of remote computing environments, such as working from home
System/Application Domain
System/Application: data processing and storage technology; focus on security issues associated with applications and data
▪ Control Standards
− Firewalls
− Denial of Service
− Align with functional responsibilities
▪ Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
▪ Procedures
− Step-by-step configuration
▪ Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
Telecommunications Policies
Telecommunications: technology, service, or system that provides transmission of electronic data and information
▪ Control Standards
− Protect with FIPS encryption
− Segregation of data and voice networks
▪ Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
▪ Procedures
− Step-by-step configuration
▪ Guidelines
− May include VoIP systems architecture and security guidelines
Best Practices for IT Infrastructure Security Policies
▪ Select a framework, such as ISO or COBIT
▪ Develop requirements and standards based on the framework
▪ Review and adapt
Best Practices for IT Infrastructure Security Policies (Continued)
▪ Make policies/standards available to all
▪ Keep content cohesive
▪ Keep content coherent
▪ Maintain the same “voice” throughout
Best Practices for IT Infrastructure Security Policies (Continued)
▪ Add only necessary information
▪ Stay on message
▪ Make your library searchable
▪ Federate ownership to where it best belongs
Roles and Responsibilities
▪ Information Security (IS) Manager
− Policy creation, application, and alignment with organizational goals
▪ IT Auditor
− Ensuring that controls are in place per policy
▪ System/Application Administrator
− Applying controls to Workstation, LAN, and LAN-to-WAN Domains
Lack of Controls
▪ With a lack of controls all of the following and more are possible:
• Workstations would have different configurations
• LANs would allow unauthorized traffic
• WANs would have vulnerabilities
• Network devices would not be configured the same
• Users would have access to data they are not directly working with
Summary
▪ Elements of an infrastructure security policy
▪ Policies associated with various domains of a typical IT infrastructure
▪ Best practices in creating and maintaining IT policies