...Remote Access Control Policy The Remote Access Control Policy for Richman Investments is designed to protect the confidentiality and integrity of our corporate and customer information. All remote sessions, including internal wireless access will utilize PKI certificates from a public trusted third party vendor using encrypted tunnels on the Internet. Site-to-Site data exchanges will be conducted using IPSec encrypted Tunnels. Customer Remote Access These Connections must allow the customer to securely exchange information with our Web Server applications. The Web Servers will be place on the Corporate DMZ and the Database Servers on the interior corporate LAN. Web to Database traffic will be encrypted. The Web Servers will have PKI certificates from a trusted third party vendor to eliminate spoofing. Data will be encrypted using SSL connections initiated on the customer’s Browser to maintain confidentiality. The customer will need to supply a username and password which the Web browser will pass to a RADIUS Server for Authentication, and Access permissions prior to granting access to protected areas of the Website. Employee Access All Employee Connections, internal and external, to the Internal LAN at all sites will utilize Two Party Authentication to minimize the risks of utilizing passwords as the primary access method. Employees will have a employees will have a onetime pass key generating token (Ex. RSA) and PIN in addition to their Username and Password to access...
Words: 510 - Pages: 3
...Remote access security policy involves the policies and conditions that are in place that allow users to connect to servers when out of the network. In the case of Richman industries, they are interested in maintaining connections with their users, and sharing app data that is on a server for their day to day operations. In their case, I would have access policy that is based on Explicit Allow policies. This means that the policy grants “Permission” to access the servers remotely if the connection attempt matches the policy conditions. Some of the requirements would include strict control enforced via one-time password authentication or public keys with strong pass-phrases. Also, anyone trying to gain access must not be connected to any other network at the same time, aside from personal home networks under the user's complete control. Further, employees with access must not use email accounts other than the company's standards, so that personal use won't be confused with business. Users must have approved virus control and spyware protection in place on all devices accessing the company network. Remote access will be limited in certain areas, while at least Applications will be approved for access (Shared application data is an important part of Richman’s network). Systems and system settings will not be accessible from remote, out of network connections, to protect from outside alterations of systems or system settings, and any Data access will be read only, with safeguards...
Words: 300 - Pages: 2
...Remote Access Control Policy Definition Introduction to Information Security Remote access is the ability to log onto a network from a distant location. Generally, this implies a computer, a modem, and some remote access software to connect to the network. Whereas remote control refers to taking control of another computer, remote access means that the remote computer actually becomes a full-fledged host on the network. The remote access software dials in directly to the network server. The only difference between a remote host and workstations connected directly to the network is slower data transfer speeds. The purpose of a remote access policy is to define the standard connection to the company’s network from any remote host, untrusted host and remote network, including untrusted hosts on the company’s intranet. These standards are designed to minimize the potential exposure to the company’s from damages, which may result from unauthorized use of the company’s resources. At the main location, a set switches and routers are interconnected to from a Wide Area Network. The switches can be connected in different topologies. All remote users must follow the security requirements set forth in the standard for the company’s remote host accessing Information Technology Resources prior to such access, as well as any guidelines, procedures or other requirements issued by the Information Technology Department. Within the virtual private network multiple Virtual Private Network routers...
Words: 660 - Pages: 3
...The following are types of Remote Access Control Policy I would like to put into place to make sure our company’s data is secure. We need to get the right security measures so the correct people can have access to the data they need to do their job. I would start by setting up a Remote Authentication Dial-In User Service (RADIUS), a VPN, Firewall, Local Biometrics, RSA – F.O.B. by using a security key carried by the employee or set it up on the local server. I would start in the Main office that is located in Phoenix, AZ by install a RADUIS, this is a client/server protocol that runs in the application layer and will connect all the employee and visitor to the server. In the main office, we need to set up a database with all username and passwords for the employees’. At all the satellite facilities, we need to set up the proper VPN, Firewall protection as well as setting up some type of biometric logon system or a random number generator where a user will be given a security key and they will need to input that when they log on to the system. We need to set up the password system to reset every 3 months and set up a password remembrance. For the mobile devices that the sales department will need, I would suggest to encrypt the local hard drives if stolen and set up biometric thumb scanner as well as a security key require to log on to their...
Words: 261 - Pages: 2
...Richman Investment Richman Investment Remote Access Control Policy Document Remote Access Control Policy Document 01/14/14 01/14/14 Contents 1 Policy Statement 4 2 Purpose 4 3 Scope 4 4 Definition 4 5 Risks 4 6 Applying the Policy - Passwords 5 6.1 Choosing Passwords 5 6.1.1 Weak and strong passwords 5 6.2 Protecting Passwords 5 6.3 Changing Passwords 5 6.4 System Administration Standards 6 7 Applying the Policy – Employee Access 6 7.1 User Access Management 6 7.2 User Registration 6 7.3 User Responsibilities 6 7.4 Network Access Control 7 7.5 User Authentication for External Connections 7 7.6 Supplier’s Remote Access to the Council Network 7 7.7 Operating System Access Control 7 7.8 Application and Information Access 8 8 Policy Compliance 8 9 Policy Governance 8 10 Review and Revision 9 11 References 9 12 Key Messages 9 13 Appendix 1 10 Policy Statement Richman Investments will establish specific requirements for protecting information and information systems against unauthorised access. Richman Investments will effectively communicate the need for information and information system access control. Purpose Information security is the protection of information against accidental or malicious disclosure, modification or destruction. Information is an important, valuable asset of Richman Investments which must be managed with care. All information has a value to the Council. However, not all of this information has an equal...
Words: 2211 - Pages: 9
...SHAUN PARE 4/9/12 ESSAY 2/ 500 WORD What is the OSI model the 7 layers The Open Systems Interconnection or (OSI model) “Is an architectural model that represents networking communication. It was introduced in 1978 by the International Organization for Standards to standardize the level of services and types of interactions for computers communicating over a network” (Emdad). The OSI is the standard that sets the path that data must travel through from one computer to another through a network. The OSI does this by the sending the through seven different layers almost like sending the data through checkpoints and at each checkpoint the data must be cleared so it is able to move on to the next stop. This is what the seven layers of OSI do. The data must go each layer, each layer performs a specific task in order to pass the data through to the next layer, and these layers also communicate to the layer above and below to make sure that everything in order. There are seven layers and each one has a specific function that prepares it for next layer the data must pass through all seven layers. The layers are separated into two sets the first is the application set • Application layer 7- This is the layer that provides the interface between the network protocol and the software running on the computer. This layer handles anything that communicates with the internet; this layer also handles any network related activity such as file transfers or reading and sending email. This...
Words: 606 - Pages: 3
...Authorization- Richman Investments must define rules as to who has access to which computer and network resources. My suggestion is that RI implements either a group membership policy or an authority-level policy to achieve this. Group policy would allow the administrator to assign different privileges to different groups. The admin would then assign different individual users to those different groups. So the users permissions would depend on the permissions of the group they were a member of. With authority-level policy the admin would assign different permissions to individual users based on their position and authority level within the company and what access that position requires. Identification- Richman Investments needs to assign a unique identifier to each user in order to have accurate records of who is accessing, or trying to access, what applications, which network resource, and what data. The most common ID is the username, account number, or PIN Authentication- In order to keep the remote access to Richman Investments secure, there must be proof that the person trying to gain access to the network remotely is the same person who has been granted access by identification. To do this RI can choose one of the following knowledge type authentications: PIN, password, or passphrase along with one of the following ownership type of authentication: smart card, key, badge, or token. Using a combination of ownership authentication and knowledge authentication...
Words: 298 - Pages: 2
...just incase something happens with the network Richman can know exactly when, where, and more details of how this incident transpired. Authorization- Richmann’s investments have to clarify and make known the rules as to who and what computers can gain access to the network resources. I would be best to create a group membership to help avoid accidents within the network. The administrator can assign different users to different group within the network ensuring that everything is place as he/she wants it. The users’ access would be based upon what group they are in that was put in place by the administrator of the network. Authentication- When a user try’s to get into the network system there must be proof in order to enter the network. Some people may think there is a lot of security to enter and access parts of the network but it is better to be safe as possible as a hacker taking or corrupting all the information causing a major or a possible critical problem. Accountability- Users will be held accountable and responsible for anything they do within the network system. I suggest using logs files that information is kept and users have to log in on a daily bases. Using a log book can help prevent, detect, or monitor access to the network...
Words: 261 - Pages: 2
...VPN access control model for a large scale company. * This policy will support remote access control for systems, applications, and data access. Remote access Defined Remote access for employees is deployed by using remote access VPN connections across the Internet based on the settings configured for the VPN Server, and the following additional settings. The following diagram shows the VPN server that provides remote access VPN connections. Domain/Network Config: For each employee that is allowed VPN access: * The network access permission on the dial-in properties of the user account is set to Control access through NPS Network Policy. * The user account is added to the VPN_Users group in Active Directory. To define the authentication and encryption settings for remote access VPN clients, the following remote access network policy is created in Network Policy Server (NPS): * Policy name: Remote Access VPN Clients * Conditions: * NAS Port Type is set to Virtual (VPN) * Windows Groups is set to VPN_Users * Calling Station ID is set to 207.209.68.1 * Permission is set to Grant access. NPS policy settings: * On the Constraints tab, under Authentication Methods, for EAP Types select Microsoft: Smart Card or other certificate. Also enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2). * Or SSTP, L2tp/IPsec, PPTP, IKEv2 Access control model/ policy: This model would support Role based access controls and allow mandatory access control to be...
Words: 339 - Pages: 2
...design a remote access control policy for all systems, applications and data access within Richman Investments. With so many different modes of Access Control to choose from it is my assessment that by choosing only one model would not be appropriate for Richman Investments. My recommendation would be a combination of multiple Access Control Models that overlap to provide maximum coverage and overall security. Here are my suggestions for access controls. Role Based Access Control or RBAC, this will work well with the Non-Discretionary Access Control model, which will be detailed in the next paragraph. RBAC is defined as setting permissions or granting access to a group of people with the same job roles or responsibilities. With many different locations along with many different users it is important to identify the different users and different workstations within this network. Every effort should be dedicated towards preventing user to access information they should not have access to. Non-Discretionary Access Control is defined as controls that are monitored by a security administrator. While RBAC identifies those with permissions, it is a security administrator that should further identify the level of access to each Role that is created. The security administrator should also designate certain users or workstations access to the information available within the network. VPN access control model for a large scale company. * This policy will support remote access control...
Words: 548 - Pages: 3
...Project: Access Control Proposal * Phase I: Risk mitigation plan to identify critical IT assets * Phase II: Policies and procedures for protecting the IT assets Contents I. Introduction 2 II. Diagram of the proposed solution 3 III. Phase I:Access Control Risk Mitigation 3 1. Identified Treats and vulnerabilities 3 2. IT assets 4 3. Treats and vulnerabilities per IT Domain 4 4. The System Security Team 5 5. Access Control Plan 5 IV. Phase II: Policies and procedures for protecting the IT assets 6 1) General Security Practices for VPN Remote Access 6 2. Protecting Cyber Assets: Secure Interactive Remote Access Concepts 7 2. How Employee Accesses the Corporate Network 9 3. How external Partners (Vendor) Access the Corporate Network 9 V. Conclusion 13 I. Introduction Access control mechanisms operate at a number of levels in a system, from applications down through the operating system to the hardware. Higher-level mechanisms can be more expressive, but also tend to be more vulnerable to attack, for a variety of reasons ranging from intrinsic complexity to implementer skill levels. Most attacks involve the opportunistic exploitation of bugs; and software that is very large, very widely used, or both (as with operating systems) is particularly likely to have security bugs found and publicized. Operating systems are also vulnerable to environmental changes that undermine the assumptions used in their design. The main function of access control...
Words: 2458 - Pages: 10
...Audit an Existing IT Security Policy Framework Definition Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure * Review existing IT security policies as part of a policy framework definition * Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy * Identify gaps in the IT security policy framework definition * Recommend other IT security policies that can help mitigate all known risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure Week 5 Lab Part 1: Assessment Worksheet (PART A) Sample IT Security Policy Framework Definition Overview Given the following IT security policy framework definition, specify which policy probably can cover the identified risk, threat, or vulnerability. If there is none, then identify that as a gap. Insert your recommendation for an IT security policy that can eliminate the gap. Risk – Threat – Vulnerability | IT Security Policy Definition | Unauthorized access from pubic Internet | Acceptable use policy | User destroys data in application and deletes all files | Backup Recovery Policy | Hacker penetrates your IT infrastructure and gains access to your internal network | Threat Assessment & Management Policy | Intra-office employee romance...
Words: 1625 - Pages: 7
...Assignment & Lab Unit 3. Assignment 1 - Remote Access Control Policy Definition There are three key parts I will have to take into account while designing a Remote Access Control Policy for Richman Investments. These three parts (Identification, Authentication and Authorization) will not be all for the Remote Access Control Policy, I will need to include the appropriate access controls for systems, applications and data access. I will also need to include my justification for using the selected access controls for systems, applications and data access. The first part I need to implement for this Remote Access Control Policy is Identification, which is defined in this sense as: physical keys or cards, smart cards, and other physical devices that might be used to gain access to something. What needs to be done for the Remote Access Control Policy is a group member policy needs to be setup which uniquely identifies each user. Users should be identified by rank with higher ranking users requiring more authentication. Each individual user should be assigned to a group based on rank with special permissions. Using this system for Identification will make our company more secure in day to day operations. The second part I need to implement for this remote access control policy is Authentication, which is defined as: what you know or passwords, numeric keys, PIN numbers, secret questions and answers. For remote access, there must be proof that the person...
Words: 477 - Pages: 2
...255 Unit 3 Assignment 1: Remote Access Control Policy Definition Remote Access Control Policy I. Technician responsible for: - Remote Access will be controlled. Control will be enforced one time via password authentication. - Richman’s employees shouldn’t provide their login or email password to any one even their family members. - Richman’s employees with remote access privileges must ensure that their workstation or personal computer. Which is remotely connect to Richman’s company network - All hosts that are connecting to Richman internal network via remote access must use the most up to date antivirus software. This includes personal computers. - All confidential and personal information transmitted via a remote access connection must be encrypted prior to transmission or sent through an encrypted tunnel, except for where the remote connection forms a direct part of the Richman network. - Remote access connections must only be used for approved Richman company purposes in a lawful and ethical manner. - All passwords used to access remote access connections must be created and managed in accordance with the Richman password standards policy. - Remote access user must force to change their password at their first logon. - All remote access sessions which are inactive for more than 30 minutes must be automatically ‘locked’ or logged out. - All remote access sessions must be monitored...
Words: 429 - Pages: 2
...Appropriate Access Controls for Systems, Applications, and Data Access Learning Objective Explain the role of access controls in implementing security policy. Key Concepts The authorization policies applying access control to systems, application, and data The role of identification in granting access to information systems The role of authentication in granting access to information systems The authentication factor types and the need for two- or three-factor authentication The pros and cons of the formal models used for access controls Reading Kim and Solomon, Chapter 5: Access Controls. Keywords Use the following keywords to search for additional materials to support your work: Biometrics Content Dependent Access Control Decentralized Access Control Discretionary Access Control Kerberos Mandatory Access Control Remote Authentication Dial In User Service (Radius) Role-Based Access Control Security Controls Secure European System for Applications in a Multi-Vendor Environment (SESAME) Single Sign-on Terminal Access Controller Access-Control System (TACACS) ------------------------------------------------- Week 3 Discussion * Access Control Models * Unit 3 Access Control Models (lT255.U3.TS2) Lab * Enable Windows Active Directory and User Access Controls Assignment * Remote Access Control Policy Definition ...
Words: 542 - Pages: 3
