1. STATE RFP RESPONSE
A COMPREHENSIVE PROJECT
SUBMITTED TO THE
INFORMATION SYSTEMS SECURITY PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR’S DEGREE
By Robert D. Williams
2. EXECUTIVE SUMMARY
• Layered Security Solution
• Organizations need to develop a multilayered security strategy that focuses on
the confidentiality, integrity and availability of the information being protected.
A multi-layered approach to security ensures that if one layer fails or is
compromised, other layers will compensate and maintain the security of that
information. In turn, each of these layers should have multiple controls deployed
to preserve the confidentiality, integrity and availability of the information. Some
of these more critical controls include system configuration hardening, file
integrity monitoring, and log management.
3. REVIEW OF FIRM’S
QUALIFICATIONS
• Must be in business for at least the last five consecutive years: Aperture Security has
been in business now for eleven years.
• Report annual gross sales of at least one million U.S. dollars: Our annual gross sales
are currently $2.6 million.
• Present at least three references of previous engagements, within the last three
years, that are materially similar to the requirements contained in this document:
Aperture Security has won four major contracts in the last four years for vulnerability
assessments and penetration tests.
• Our team of twenty-two employees holds certifications in the areas requested. Of the
eight employees who work on the new prospective products and services, five hold
Certified Information Systems Security Professional (CISSP) certifications, four hold
Certified Information Security Manager (CISM), four hold Global Information
Assurance Certification (GIAC) Security Essentials Certification (GSEC) and six hold
other GIAC certifications.
4. RFP TECHNICAL REQUIREMENTS
Gap Analysis: current gaps
• Application Control
• User Privilege Control
• Operating System Access Controls
• Use of Shared Technology Resources
• Personnel Background Investigation
• Segregation of Duties
Data Privacy Legal Requirements
• Compliance with Legal Requirements
• Applicable Legislation
• Agencies must be in compliance with all legislation passed by the state
government.
• Data Breach and Disclosure
5. SECURITY ASSESSMENT PROJECT
PLAN DEFINITION
Workstation Domain
• Secure data deletion: group policies to delete recycle bin contents securely by
overwriting the data with zeros (overwriting is only reliable on magnetic disks; for
SSDs use the drive's built-in secure-erase command instead).
• Secure disposal: personnel to remove drives and RAM from computers that will
be considered inactive.
• Malicious software protection: anti-malware and anti-virus software at the
enterprise level.
• Upgrade to Microsoft Windows 7
System/Application Domain
• Patching: a WSUS server to control which patches are installed on
organizational hardware.
• E-mail server software to actively scan incoming and outgoing e-mails for
malicious software and hidden data.
• Database servers need controls in place (parameterized queries and
least-privilege database accounts) to block SQL injection attacks.
• Web servers need controls in place (input validation and output encoding) to
block SQL injection attacks and cross-site scripting attacks.
• Upgrade to Microsoft Windows Server 2012 for systems running Windows Server
2008 R2 or earlier
6. RISK ASSESSMENT PROJECT PLAN
DEFINITION
• Segmentation and Layered Security
• Developers implement layered security technologies and configurations based on
role, risk, sensitivity, and access control rules.
• Media Handling and Security
• Auditing and enforcement to ensure that only licensed software is installed on
systems.
• User Access Management
• Management and employees to handle procedures such as new account creation,
account transfer, job profile changes, account termination, and/or account
deletion.
• Network Access Control
• Network designers to design a network that provides the ability to segregate and
control traffic between systems, connected devices, and third parties based on role,
risk, and sensitivity. Network staff to keep the network running.
7. RISK PRIORITIZATION AND MITIGATION
PROJECT PLAN DEFINITION
• User Identification and Authorization
• A system in place that requires the use of a user ID and password that uniquely
identifies the user before providing access to protected information resources.
• User Password Management
• Guidelines developed that require users to create and maintain passwords to
protect against unauthorized access.
• Segregation in Networks
• Design a network that at a minimum has separate public, demilitarized, and
private security zones based on risk.
• Data Protection and Privacy
• Systems in place to ensure all personal information is protected from
unauthorized use, modification, or disclosure.
8. RISK MITIGATION ACTIONS BASED ON
QUALITATIVE RISK ASSESSMENT’S RISK
PRIORITIZATION
• Acquire the Symantec software and install it on each workstation while that
workstation's Internet access is temporarily disconnected at the network level
• Update the workstation OS to Microsoft Windows 7 Enterprise
• Upgrade server O/S and other software to meet PCI
DSS and HIPAA compliance
9. COMPLIANCE PROJECT PLAN
DEFINITION
• Data Breach and Disclosure
• Workers trained to provide notices of disclosure to those individuals affected.
• Data Protection and Privacy
• Policy writers to create standard operating procedures for acceptable use of
personal information, protecting it from unauthorized use, modification, or disclosure.
Auditors and managers to ensure policies are being followed/enforced.
• Compliance with Legal Requirements
• Lawyers and legislation subject matter experts to review legislation. Auditors and
managers to ensure regulatory requirements are being followed/enforced.
• Compliance with Regulatory Requirements
• Lawyers and regulatory requirement subject matter experts to review requirements.
Auditors and managers to ensure regulatory requirements are being
followed/enforced.
10. DISASTER RECOVERY PLAN
• The need to ensure that all employees fully understand their duties in
implementing such a plan
• The need to ensure that operational policies are adhered to within all
planned activities
• The need to ensure that proposed contingency arrangements are cost-
effective
• The need to consider implications on other company sites
• Disaster recovery capabilities as applicable to key customers, vendors and
others
11. EMERGENCY RESPONSE
• Key trigger issues at headquarters that would lead to activation of the DRP
are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building
12. ACTIVATION OF EMERGENCY
RESPONSE TEAM
• Respond immediately to a potential disaster and call emergency services;
• Assess the extent of the disaster and its impact on the business, data center,
etc.;
• Decide which elements of the DR Plan should be activated;
• Establish and manage disaster recovery team to maintain vital services and
return to normal operation;
• Ensure employees are notified and allocate responsibilities and activities as
required.
13. DISASTER RECOVERY TEAM
• The team will be contacted and assembled by the ERT. The team's
responsibilities include:
• Establish facilities for an emergency level of service within 2.0 business hours;
• Restore key services within 4.0 business hours of the incident;
• Recover to business as usual within 8.0 to 24.0 hours after the incident;
• Coordinate activities with disaster recovery team, first responders, etc.
• Report to the emergency response team.
14. BUSINESS CONTINUITY PLAN
• Our company’s policy is to respond to a Significant Business
Disruption (SBD) by safeguarding employees’ lives and
company property, making a financial and operational
assessment, quickly recovering and resuming operations,
protecting all of the company’s books and records, and
allowing our customers to transact business. In the event
that we determine we are unable to continue our business,
we will assure customers prompt access to their funds and
securities.