Security

Program
Nicholas Diley

NTS201 SECURITY ESSENTIALS

Implementation Plan

5 Steps to Security Implementation:

1. Periodically assess risk
2. Document an entity-wide security program plan
3. Establish a security management structure and clearly assign security
responsibilities
4. Implement effective security related personnel policies
5. Monitor the security programs effectiveness and make changes as necessary

RISK ASSESSMENT
One of the first steps of implementing information security is the assessment of risk
in the workplace, while assessing everything that comes with it. Risk assessment
can be summed into three major components:
1. Threat Assessment
2. Vulnerability Assessment
3. Asset Identification
We need to identify the risks of what we are caring for, and the possibility for
outside entrance either through connection, or perhaps the loss of data that would
come with employees discussing matters outside of the confidentiality of the
workplace. These all pose risks and must be assessed for. Simple matters can be
contained in various plans, below will be a handful of procedures to comply with risk
assessment and protection:

1. Identification and Authentication

a. What password policy does your system enforce?
i. Number of Characters (minimum 7 or 8)
ii. Complexity (Pass Phrases or Special Characters)
iii. Aging (90 days max)

iv. Account Lockout (5 attempts)

v. What method do you use to encrype passwords in transit and
storage?
b. Do you have a procedure for identifying users before resetting
passwords?
2. External Connectivity
a. Does this system have any external connectivity?
i. Wireless
ii. Internet
iii. Dial-in
3. Security Products
a. Do you use a firewall
b. Do you use an Intrusion Detection System (IDS)?
c. Do you use a policy compliance tool or agent?
d. Do you use a vulnerability scanning tool?
e. Do you use encryption?
f. Do you have anti-virus software?
If an answer was no to any of these, or there is to be a weak or unsure answer to
any of these questions with the guidelines, then there are means to be
implemented. By not having password policies for users, they will tend to make all
of the wrong decisions in the workplace by either using simple passwords, or those
that can be cracked in a short period of time by someone accessing from the
outside. Such means could be through the internet, or even using a Virtual Private
Network as a means to connect to the server and access data without the proper
clearance. And the lack of software that would be included as a firewall, Intrusion
Detection or Antivirus software would pose almost deadly for the workplace, as
these are absolutely necessary when trying to protect information.
Always perform maintenance where necessary and make sure that the programs
that you are using are up to date. Such means would be updating the firewall,
security policies on the respective operating systems, and the software that you
would use as anti-virus or malware protection, along with the scripts that are
included by such means.

Based on the Risk Assessment of your information, you can create the means of
protecting the data by implementing systems that would correspond to that which
you are protecting. It is best to educate the employees about proper procedures to
take involving security, such as proper password etiquette, to not disclose
confidential data to outside sources, and secure the user accounts.
You need a general idea of how important the asset is to the organization in order to
justify to management the cost of the security controls. In addition to cost, you
need to have an understanding of which area of CIA warrants the most attention,
and thus security controls. You need to develop a rating system for confidentiality,
integrity, and availability that can be applied across your enterprise. Your
companys latest research project data may have the highest level of confidentiality
whereas your e-commerce website may be most affected by availability

Document an entity-wide security

program plan
Security wide program plans allow for the management of the security structure
and apply responsibilities along with guidelines and standards to follow. This would
involve means of Security training for all personnel and awareness of threats that

could pose a problem. There are differences of opinion these days about how to
establish a security management structure. Some feel there needs to be a Chief
Information Security Officer (CISO) that reports directly to the head of the
organization. Others feel the security program should be run out of the Office of the
Chief Information Officer (CIO) and the top security official should report directly to
the CIO. There are differences of opinion these days about how to establish a
security management structure. Some feel there needs to be a Chief Information
Security Officer (CISO) that reports directly to the head of the organization. Others
feel the security program should be run out of the Office of the Chief Information
Officer (CIO) and the top security official should report directly to the CIO.
Regardless of the setup, there is the need for those who will develop the security
programs, and the staff to make sure they are upheld and being implemented
properly. This pyramid of sorts designates the management of the administrative
and operational aspects of security, so that they may be implemented properly.
Depending on the size of the organization, there can also be information systems
security managers that manage and coordinate the various activities of their ISSOs.
They also act as a liaison between the central security office and the individual
system security officer.

Annual security training courses is an absolute necessity to keep people up on the

latest security information, but equally important are short email updates,
newsletters, and other reminders. It is important to train security officers,
administrators, executives and business managers as they are essential in
implementing the comprehensive processes included above. After awareness and
training, employees or others in the workforce would hopefully be less opt to make
business critical decisions.

Implement Effective Security

Personnel Policies
In the decisions or changes in the workforce, it is important to coordinate to be able
to get concurrence with different organizations to make sure that those who are
working for you are under strict guidelines. Such means would be involved in labor
relations, human resources, legal, and contracting people. Below are some outlined
policies:
1.
2.
3.
4.
5.

Background checks
Reinvestigations
Nondisclosure agreements
Regular vacations and shift rotations
Termination and Transfer Procedures
a. Return of equipment, ID, keys, etc.
b. Termination of User IDs and Passwords
c. Identifying Non-Disclosure period effectiveness
6. Skills needed are identified in job descriptions and employees are rated
against those skills
7. Employee has a training plan and training is documented and monitored
When working with critical information, it is important to see the background of the
person that you would be hiring onto staff, to allow for the ease of mind to be able
to work with the personnel respectively. Having different levels of access is
appropriate for this sort of work as well, as we need to implement the means
necessary to have those who need to access certain information, to be able to do
so. Some users may not need the same levels of access, of which they can be set
up accordingly.

Physical security is equally as important as the Digital security and means must be
attributed as such.

Media Sanitization/Disposal
o Is your data sensitive, so that it should not be obtainable upon
disposal?
What method do you use to dispose of data?
Hard Drive (Triple Overwrite, degauss)
Tapes (degauss)
CDs (Incinerate, chemically destroy)
Paper (Shred (Diamond))
Physical Environment
o Are your servers in a locked room with tight access controls?
o What kind of access controls does your building have?
o Are there any special considerations that need to be taken into
o

consideration based on building location? (hurricanes, floods, etc)

Is your system protected from environmental threats? (heat, fire,
water, etc)

It is important to make sure that circumstances are accounted for, whether it be the
placement or location of the building and proper failures or disasters. There should
be means to make sure that the servers are located in a room secure from the
outside elements, including breaking into by normal means. This idea enforces
against the idea of windows, and allowing for the means of physical security on the
premises at all times to make sure that the building Is secure. Some of these means
might include personal guards, security cameras with uninterrupted feed, contact
with local law enforcement and/or miniguns.

Personnel Security
o Are your users trained on the security of this system or have they
o

taken security awareness training?

Have your users read the rules of behavior for either this system or

organizational rules or policies?

Have employees and/or contractors who have privileged access to this

system undergone background investigations?

Do you have separation of duties between programmers and
administrators?

Incident Handling/Security Advisory Handling

o Be prepared to handle incidents
o Be prepared to handle security advisories
Security Awareness
o Have you provided security awareness training to all employees?
o Is security awareness an ongoing activity throughout the year?

Monitory Effectiveness and Make

Changes
When working with the security program, it is also very important to make changes
where necessary for the sake of improvement. Monitoring the effectiveness of the
security program can be one of the most challenging aspects of running a security
program, but also one of the most important. It is critical that you use a common
sense approach when implementing this or you can get very bogged down in a lot
of documentation that does not really increase your security posture. Quickly
getting at the critical elements by having your system security officers first perform
a risk assessment and create a security plan for their system will greatly enhance
the usability. That is why it is critical to get out and talk to your system
administrators, security officers, business and system program managers and upper
level executives. You have to work with them to come up with a viable solution to
their problems with implementation.
You have to make sure that your office becomes a central focal point and that
different divisions can leverage off your expertise as well as the expertise of others
in the organization.
Cooperation in the workplace is an absolute necessity, where issues will most likely
only surface once somebody speaks up about them, of which if it Is a critical
situation, it must be fixed ASAP. These are absolutely necessary in the face of
information security as we need to protect not only the employees in the company,
but the clients as well.

Works Cited:
Garbars, K. (n.d.). Implementing an Effective IT Security Program. . Retrieved July 14, 2014, from
http://www.sans.org/reading-room/whitepapers/bestprac/implementing-effective-security-program-80

Kadel, L. (2004, March 24). Designing And Implementing An Effective Information Security Program:
Protecting The Data Assets Of Individuals, Small And Large Businesses. . Retrieved July 14, 2014,
from http://www.sans.org/reading-room/whitepapers/hsoffice/designing-implementing-effectiveinformation-security-program-protecting-data-assets-of-1398