Premium Essay

Simple Access Control Policy

Submitted By tompkins
Words 993
Pages 4
1. Purpose
This policy establishes the Access Control Policy for <COMPANY>. <COMPANY> implements access controls across its networks, systems, and services in order to provide appropriate user access while ensuring proper security of data confidentiality, integrity, and availability. Human actions are the primary source of a wide range of hazards to business systems and information. For this reason, access controls must be put in place to mitigate any possible threat.

2. Scope and Applicability
The scope of this policy applies to all Information Technology resources owned and/or operated by <COMPANY>. Any information not specifically identified as the property of other parties that is transmitted or stored on <COMPANY> IT resources is the property of <COMPANY>. All users of IT resources (including <COMPANY> employees, contractors, vendors, or others) are held accountable for upholding this policy.

The <COMPANY> external website and the information contained within it are regarded as “Public” information and are available to anyone inside or outside the company.

3. Standards
Each user is granted access to <COMPANY> systems and data on a least-privilege and need-to-know basis. The corporation will use a combination of role-based access control, mandatory access control, and/or discretionary access control, as appropriate, in order to safeguard sensitive information.

4. Policy

4.1 Principles
All employees, contractors, vendors, and other third-party affiliates with reason to access data, systems, or resources of <COMPANY> will be provided the means to do so following the policies identified below.

4.1.1 Generic Identities
Generic user or group accounts, such as “Guest,” are not a valid option for access to <COMPANY> systems, resources, or data. Each user will be

Similar Documents

Premium Essay

Information Security Policy

...Axia College Material Information Security Policy Axia College IT/244 Intro to IT Security Dr. Jimmie Flores April 10, 2011 Table of Contents 1. Executive Summary 1 2. Introduction 1 3. Disaster Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery Test Plan 1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry controls 1 4.1.2. Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2 4.2. Security of the information systems 2 4.2.1. Workplace protection 2 4.2.2. Unused ports and cabling 2 4.2.3. Network/server equipment 2 4.2.4. Equipment maintenance 2 4.2.5. Security of laptops/roaming equipment 2 5. Access Control Policy 2 6. Network Security Policy 3 7. References 3 Executive Summary There are several threats to the security of networks and data. While there is no definite way to prevent all of the incidents that can befall a network, by developing a proactive security plan that will encompass many of the known threats data loss and corruption can be minimized. Sunica obtains different levels of customer information and records large amounts of financial information on their network. The best way to prevent the loss...

Words: 4350 - Pages: 18

Premium Essay

Is308 Project

...Friday, September 06, 2013 Introduction Since UNFO’s customer base will have the ability to call in by using credit card numbers to make online purchases with an expectation of 6,000,000 transactions, the need for a well thought out framework plan is essential. The conversations will be recorded and stored in the organization's Private Branch Exchange (PBX) system, where data storage hardware and software requirements will be needed. This document is to outline a Web security life cycle for the organization that will later be compiled as part of the organization's overall security policy by the organization's Senior Security Engineer. Therefore the following categories will serve as the staple of this outline: Application development, QA/testing, deployments, website encryption/key management, data storage/access, systems/devices that interact with the website, 3rd party vendor access, employee web security training, regulatory compliance, emerging laws and regulations for website security. 1. Application development : a. System Analysis: i. Define clearly the purpose of the software ii. Provide direction for further development iii. Refine project goals for clear function and intended application b. Design: iv. Application’s features and operational functions v. Documentation of application vi. Visualization of the software and user use c. Implementation: vii. Code is...

Words: 1842 - Pages: 8

Premium Essay

Access Control

...Network Access Control, no matter what architecture you select, you definitely want to start by building a small interoperability lab. In this white paper, we’ll give you some advice on what to think about before you get started, and outline what resources you’ll need to have in place in order to begin testing. Any NAC deployment must start by answering three critical questions: 1) What is my access control policy? 2) What are the access methods (such as LAN, wireless, or VPN) I want to protect? 3) How will this integrate with my existing infrastructure? Once you answer these questions, you can begin to gather test lab resources, such as servers (for policy definition points), laptops or desktops (for network access requestors), and switches, access points, and VPN servers (for policy enforcement points). Getting Started with Network Access Control What is my access control policy? NAC is a generic concept that deals with defining access controls based on user authentication, end-point security assessment, and network environmental information. That’s too big for most network managers to bite off in a single chunk, so many NAC deployments hone in on a subset of these goals and expand over time. You’d be wise to do the same---trying to do too much too early in the lifecycle of this emerging group of products will lead to undue frustration and unnecessary complexity. To start, you should define a simple network access control policy. It is important to define your access control...

Words: 1611 - Pages: 7

Free Essay

Nt2580 Final Project

...Richman Investments | Richman Internet Infrastructure Security Management Upgrade | ITT Technical Institute NT2580 Course Project | | Jason R Spitler | 5/30/2014 | Based on the premises that Richman has 5000 employees throughout the main office and several branch offices, this document dictates research solutions and details the appropriate access controls including policies, standards, and procedures that define who users are, what they can do, which resources they can access, and which operations they can perform on a system. | Final Project I. Richman Internet Infrastructure Security Management Upgrade A. Purpose Based on the premises that Richman has 5000 employees throughout the main office and several branch offices, this document dictates research solutions and details the appropriate access controls including policies, standards, and procedures that define who users are, what they can do, which resources they can access, and which operations they can perform on a system. II. Basic Authentication Procedures and Standards, (Who users are.) A. Trinity-Three-factor Authentication Method replaces Basic Authentication It is my view the Administrator’s responsibility is to provide secure communications by adding layers of security at all levels to assure the amount of protection for company’s valuable assets. Richman will provide its employees a new method of authentication I call Trinity. It is a three-factor authentication method requiring updated laptops...

Words: 1901 - Pages: 8

Premium Essay

Assign

...computer and information security ■ Identify the basic approaches to computer and information security ■ Distinguish among various methods to implement access controls ■ Describe methods used to verify the identity and authenticity of an individual ■ Describe methods used to conduct social engineering ■ Recognize some of the basic models used to implement security in operating systems In Chapter 1, you learned about some of the various threats that we, as security professionals, face on a daily basis. In this chapter, you start exploring the field of computer security. Principles of Computer Security: CompTIA Security+™ and Beyond / Wm. Arthur Conklin / Chapter 2 ■ Basic Security Terminology The term hacking has been used frequently in the media. A hacker was once considered an individual who understood the technical aspects of computer operating systems and networks. Hackers were individuals you turned to when you had a problem and needed extreme technical expertise. Today, primarily as a result of the media, the term is used more often to refer to individuals who attempt to gain unauthorized access to computer systems or networks. While some would prefer to use the terms cracker and cracking when referring to this nefarious type of...

Words: 16889 - Pages: 68

Premium Essay

Access Control Models

...ACCESS CONTROL MODELS An access control model is a framework that dictates how subjects access objects. There are three main types of access control model: mandatory access control, discretionary access control and role-based access control. Discretionary (DAC) The creator of a file is the ‘owner’ and can grant ownership to others. Access control is at the discretion of the owner. The most common implementation is through access control lists. Discretionary access control is required for the Orange Book “C” Level. Mandatory (MAC) Much more structured. Is based on security labels and classifications. Access decisions are based on the clearance level of the data and the clearance level of the user, and the classification of the object. Rules are made by management, configured by the administrators and enforced by the operating system. Mandatory access control is required for the Orange Book “B” Level. Role-Based (RBAC) Continually administered set of controls by role within the organization. Access rights are assigned to roles – not directly to users. Roles are more tightly controlled than groups - a user can only have one role. Can use different types of RBAC: Role-based Role within organization. Task-based Specific task assigned to the user. Lattice-based Upper and lower bounds. Access Control Techniques and Technologies Once a company decides on the access control model to use, the technologies and techniques to implement that model need to be determined. Role-based Can be used with...

Words: 1719 - Pages: 7

Premium Essay

Chap 6 Cost Leadership

...size * Managerial diseconomies: too large to manage efficiently * Worker motivation * Distance to Market and Suppliers: transportation cost is too expensive and eats up those profits. c. Experience differences and Learning-curve economies: cumulated volume of production, greater experience in manufacturing a product or service, cost↓ * Learning curve vs economic scale: a) cumulated volume vs the volume at a given point in time and average unit cost. b) Optimal volume affects cost per unit vs No optimal volume affects cost per unit * The learning curve and competitive advantages: to drive down the learning curve a firm needs to aggressively acquire market share. d. Differential Low-cost Access to Factors of Production: more access to factors of production (such as labor, capital, land and raw materials.) e. Technological advantages independent of scale: technological hardware and software. Software such as “the...

Words: 555 - Pages: 3

Premium Essay

Linux Security Technology

...of Mandatory Access Control (MAC) in the Linux kernel, adds the ability to administratively define policies on all subjects (processes) and objects (devices, files, and signaled processes). This mechanism is in the Linux kernel, checking for allowed operations after standard Linux Discretionary Access Controls (DAC) are checked. Security-Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA). It has been integrated into the mainline Linux kernel since version 2.6. NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. Security-enhanced Linux (SELinux) is a reference implementation of the Flask security architecture for flexible mandatory access control. It was created to demonstrate the value of flexible mandatory access controls...

Words: 1860 - Pages: 8

Premium Essay

Nt1310 Unit 10 Ethical Solutions

...prevent malicious cyber attacks that often attempt to breach critical private information or gain control of the internal systems. These are: 1. As your server is the main point for data entering and leaving the network, you need to be extra cautious about it. You need to keep it updated and always patched. Use a reputable firewall that keeps hackers away from your network. 2. Use software that creates a log of all the activities on the network. Normally, your firewall provides you with the list of programs trying to access external entities via the server. You can check these logs regularly...

Words: 1597 - Pages: 7

Premium Essay

Firewalls and Infrastructure Security

...security policy across its connections. It is comparable to a wall that has a window where the wall serves to keep things out, except those permitted through the window. A security policy acts like the glass in the window; it permits some things to pass, light, while blocking others, air. The heart of a firewall is the security policy that it enforces. Security policies are a series of rules that define what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and there are many different sets of rules for a single company with multiple connections. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only necessary ports for e-mail open, with others blocked. A key to security policies for firewalls is the same as has been seen for other security policies, the principle of least access. Only allow the necessary access for a function, block or deny all unneeded functionality. How an organization deploys its firewalls determines what is needed for security policies for each firewall. The security topology will determine what network devices are employed at what points in a network. At a minimum, the corporate connection to the Internet should pass through a firewall. This firewall should block all network traffic except that specifically authorized by the security policy. Blocking communications on a port is simple; just tell...

Words: 1184 - Pages: 5

Premium Essay

Information System Security

...Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. Application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security. The results of several of these projects in this area have yielded a strong, flexible mandatory access control architecture called Flask. This has been mainstreamed into Linux and ported to several other systems, including the Solaris™ operating system, the FreeBSD® operating system, and the Darwin kernel. This provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements and it allows threats of tampering and bypassing of application security mechanisms to be addressed while enabling the confinement of damage that can be caused by malicious or flawed applications. This is simply an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added into a system. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system. The security mechanisms implemented in the system provide flexible support for a wide range of security policies, making it possible to configure the system to meet a...

Words: 1522 - Pages: 7

Premium Essay

Pci Dss

...misuse and inappropriate access from unauthorized persons. To do this, some logical approaches and best practices have been proven to facilitate a business meeting the PCI DSS standards. These best practices start with a simple install of a firewall that isolates the business' network from unauthorized outside access to the customer's information. Also, make sure that all default settings on the network are changed, as the default information is a generally known value and easy to bypass security with if not changed. (Gibson, 2011) These are generally good practices for security on any network anyway, but definitely a good start to achieving the PCI DSS standard. Once these measures are taken, it is now important to protect the data that you are using from the customer to complete a purchase. The best way is to set up access control measures within the LAN and ensure that the LAN-to-WAN interface is protected by a firewall. When using the information to authorize outside of the LAN environment it is important to protect the information by encrypting the data being sent to the authorizing entity. By doing this you can further protect the information stored at your business from unwanted access and viewing. Within the business itself, physical access control is another way to further protect the data. Physical access control will limit the access within the business by unauthorized employees. (Gibson, 2011) Next, and not to be overlooked, a policy needs to be created that...

Words: 504 - Pages: 3

Free Essay

Nt110 Video Summary 5

...Security Topics * Local Security * Physical Security * Firewall * Authentication * Encryption * Wireless Security * Viruses * Physical Security video 5.01 * Lock and control access to servers * Lock server and computer cases * Use audible alarms * Create administrative alerts * Locate server room in high traffic area * Store backup tapes in secure area * Lock users' operating system * Physically destroy old hard drives Authentication Policies * CMOS passwords * Username and password * Smart card and PIN * Key fob * Biometric CMOS passwords Power-on Password * Supervisor’s password * User password * Full access * Limited access * View only access * No access * Hard Drive Password * Protects data even if HD is stolen * Password required each time the system boots Reset CMOS password * Access CMOS settings * Reset jumper * Remove/replace CMOS battery Create strong password * Six or more characters * Passphrase * Upper and lower case letters * Mix in numbers and symbols * Don’t use * Consecutive letters * Consecutive numbers * Consecutive keys Kerberos * Authentication method used by Windows to encrypt passwords * Passwords are case sensitive This video shows the proper way to secure servers and...

Words: 1170 - Pages: 5

Premium Essay

The Importance of Hand Hygiene in the Work Place

...University of Illinois hospital has its policy and procedures located on the hospital’s web page. It is simple and easy to access. It is available twenty-four hours a day, every day, and any employee of the hospital can access it from any computer as long as they have valid identification. Each hospital employee was told where to find certain policies and procedures, and they are notified through e-mail of any policy changes and updates. Most importantly, all policies and procedures are based on evidence that has been collected and recorded. According to the Centers for Disease Control and Prevention [CDC], around two million patients get infected while in a hospital setting in the United States each year ("Hand Hygiene Basics," 2011). The infection attained can be either simple or life threatening. One can prevent the spread of infection by simply washing their hands. In fact, hand washing is the single most important way to prevent or reduce the spread of infection. As a nurse I follow all of the policies and procedures of my hospital. I work in the Neonatal Intensive Care Unit, so it is essential that policies and procedures are held to the utmost standard. Premature babies are very susceptible to infection since their immune system is still in the stages of development. Premature infants have special needs and their challenges are very different compared to the average patient population. Our unit has a very strict hand hygiene policy. Anyone entering our unit, and goes...

Words: 611 - Pages: 3

Premium Essay

Design Proposal Summary

...proposing that access control lists (ACLs) be installed on routers at the Cleveland office. Security policies and procedures have also been considered in order to handle and maintain the ACLs. Access control lists are a sequence of instructions that a router will refer to before either allowing a packet into or out of an interface. This is done by making sure that there are security features in place that control the flow of information as well as how users access the network. An access control list is written as a sequence of one-line statements that are processed by the router one line at a time in the order in which the commands were entered. The action will be permitted when the testing criteria in an ACL entry match those of the incoming or outgoing packet. ACLs make sure that unauthorized access is not allowed and that unauthorized users cannot make wrong modifications. There are security policies and other tools and techniques that will help keep everything secure. Identification, authentication, and authorization are important components of access control. The user must supply information such as an account number in order to identify themselves. This information is authenticated by supplying a password or a PIN in order to verify the identity of the user. The user is then authorized in order to decide what the user can have access to. Authorization is based on access criteria, which are developed by the administrator and enforced through an access control list in order...

Words: 972 - Pages: 4