STATE RFP RESPONSE
A COMPREHENSIVE PROJECT
SUBMITTED TO THE
INFORMATION SYSTEMS SECURITY PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR’S DEGREE
By Robert D. Williams
EXECUTIVE SUMMARY
• Layered Security Solution
• Organizations need to develop a multi-layered security strategy that focuses on
the confidentiality, integrity and availability of the information being protected.
A multi-layered approach to security ensures that if one layer fails or is
compromised, other layers will compensate and maintain the security of that
information. In turn, each of these layers should have multiple controls deployed
to preserve the confidentiality, integrity and availability of the information. Some
of the more critical controls include system configuration hardening, file
integrity monitoring, and log management.
REVIEW OF FIRM’S QUALIFICATIONS
• Must be in business for at least the last five consecutive years: Aperture Security has
been in business now for eleven years.
• Report annual gross sales of at least one million U.S. dollars: Our annual gross sales
are currently $2.6 million.
• Present at least three references of previous engagements, within the last three
years, that are materially similar to the requirements contained in this document:
Aperture Security has won four major contracts in the last four years for vulnerability
assessments and penetration tests.
• Our team of twenty-two employees holds certifications in the areas asked. Of the
eight employees that work on the new prospective products and services, five hold
Certified Information Systems Security Professional (CISSP) certifications, four hold
Certified Information Security Manager (CISM), four hold Global Information
Assurance Certification (GIAC) Security Essentials Certification (GSEC) and six hold
other GIAC certifications.
RFP TECHNICAL REQUIREMENTS
Gap Analysis: current gaps
• Application Control
• User Privilege Control
• Operating System Access Controls
• Use of Shared Technology Resources
• Personnel Background Investigation
• Segregation of Duties
Data Privacy Legal Requirements
• Compliance with Legal Requirements
• Applicable Legislation
• Agencies must be in compliance with all legislation passed by the state government.
• Data Breach and Disclosure
SECURITY ASSESSMENT PROJECT PLAN DEFINITION
Workstation Domain
• Secure data deletion: group policies to delete recycle bin contents securely by
overwriting the data with zeros.
• Secure disposal: personnel to remove drives and RAM from computers that
will be considered inactive.
• Malicious software protection: anti-malware and anti-virus software at the
enterprise level.
• Upgrade to Microsoft Windows 7
System/Application Domain
• Patching: WSUS server to control what patches are installed on organizational
hardware.
• E-mail server software to actively scan incoming and outgoing e-mails for malicious
software and hidden data.
• Database servers need to have controls in place to block SQL injection attacks and
cross-site scripting attacks.
• Web servers need to have controls in place to block SQL injection attacks and
cross-site scripting attacks.
• Upgrade to Microsoft Server 2012 for systems running 2008 R2
RISK ASSESSMENT PROJECT PLAN DEFINITION
• Segmentation and Layered Security
• Developers to implement layered security technologies and configurations based on
role, risk, sensitivity, and access control rules.
• Media Handling and Security
• Auditing and enforcement to ensure that only licensed software is installed on
systems.
• User Access Management
• Management and employees to handle procedures such as new account creation,
account transfer, job profile changes, account termination, and/or account
deletion.
• Network Access Control
• Network designers to design a network that provides the ability to segregate and
control traffic between systems, connected devices, and third parties based on role,
risk, and sensitivity. Employees to keep the network running.
RISK PRIORITIZATION AND MITIGATION PROJECT PLAN DEFINITION
• User Identification and Authorization
• System in place that requires the use of a user ID and password that uniquely
identifies the user before providing access to protected information resources.
• User Password Management
• Guidelines developed which require users to create and maintain passwords to
protect against unauthorized access.
• Segregation in Networks
• Design a network that at a minimum has separate public, demilitarized, and
private security zones based on risk.
• Data Protection and Privacy
• Systems in place to ensure all personal information is protected from
unauthorized use, modification, or disclosure.
RISK MITIGATION ACTIONS BASED ON QUALITATIVE RISK ASSESSMENT’S RISK PRIORITIZATION
• Acquire the software from Symantec to install on each workstation while the
network’s Internet connection is temporarily disconnected
• Update the workstations’ OS to Microsoft Windows 7 Enterprise
• Upgrade server OS and other software to meet PCI DSS and HIPAA compliance
COMPLIANCE PROJECT PLAN DEFINITION
• Data Breach and Disclosure
• Workers trained to provide notices of disclosure to those individuals affected.
• Data Protection and Privacy
• Policy writers to create standard operating procedures for acceptable use of
personal information, protecting it from unauthorized use, modification, or disclosure.
Auditors and managers to ensure policies are being followed/enforced.
• Compliance with Legal Requirements
• Lawyers and legislation subject matter experts to review legislation. Auditors and
managers to ensure regulatory requirements are being followed/enforced.
• Compliance with Legal Requirements
• Lawyers and regulatory requirement subject matter experts to review requirements.
Auditors and managers to ensure regulatory requirements are being
followed/enforced.
DISASTER RECOVERY PLAN
• The need to ensure that all employees fully understand their duties in
implementing such a plan
• The need to ensure that operational policies are adhered to within all
planned activities
• The need to ensure that proposed contingency arrangements are cost-effective
• The need to consider implications on other company sites
• Disaster recovery capabilities as applicable to key customers, vendors and
others
EMERGENCY RESPONSE
• Key trigger issues at headquarters that would lead to activation of the DRP
are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building
ACTIVATION OF EMERGENCY RESPONSE TEAM
• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data center,
etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage the disaster recovery team to maintain vital services and
return to normal operation;
• Ensure employees are notified and allocate responsibilities and activities as
required.
DISASTER RECOVERY TEAM
• The team will be contacted and assembled by the ERT. The team's
responsibilities include:
• Establish facilities for an emergency level of service within 2.0 business hours;
• Restore key services within 4.0 business hours of the incident;
• Recover to business as usual within 8.0 to 24.0 hours after the incident;
• Coordinate activities with disaster recovery team, first responders, etc.
• Report to the emergency response team.
BUSINESS CONTINUITY PLAN
• Our company’s policy is to respond to a Significant Business
Disruption (SBD) by safeguarding employees’ lives and
company property, making a financial and operational
assessment, quickly recovering and resuming operations,
protecting all of the company’s books and records, and
allowing our customers to transact business. In the event
that we determine we are unable to continue our business,
we will assure customers prompt access to their funds and
securities.
THANK YOU FROM APERTURE SECURITY
By Robert Williams

Robert Williams Final Project