Table of Contents
Executive Summary
Introduction
Operations Security
    Preventive Controls
    Detective Controls
    Corrective Controls
    Deterrent Controls
    Application-Level Controls
    Transaction-Level Controls
    Privileges
        Separation of Duties
Software Support
Configuration and Change Management
Backups
Media Controls
    Marking
    Logging
    Physical Access Protection
    Environmental Protection
    Disposition
Documentation
Maintenance
NTS201 SECURITY PROGRAM IMPLEMENTATION PLAN
Executive Summary
The objective of this security implementation plan is to protect the data center's information system resources. The plan is intended to provide the tools needed to secure a data center, focusing on the operations security and security controls a data center needs in order to protect its assets.
Introduction
With the creation of a new data center in the western region, it is vital that it be as secure as possible. As the largest data center in the region, and one that stores sensitive customer information, it is critical that its security program implementation plan be as thorough as possible. With this in mind, it was also decided that, given the critical information stored there, no expense will be spared in protecting customers' information. This plan uses multiple layers of defense
Operations Security
The purpose of this section is to identify the controls needed to govern software, hardware, media, and the operators and administrators who hold elevated access privileges to any of these resources. Operations security will be implemented via the controls, processes, and
Preventive Controls
These controls are meant to keep unauthorized individuals from accessing the data center and its information, and to reduce the frequency and impact of errors in the data center. Examples are security guards, electric fences, signs that caution
training, and firewalls. Together these make unauthorized access harder and reduce the frequency and impact of the errors that do occur.
Detective Controls
These controls are meant to discover unauthorized access and errors after they have occurred. Examples are security cameras, motion detectors, anti-virus, system monitoring, IDS, and IDPS. These are all good ways to detect unauthorized users and
Corrective Controls
These controls are meant to mitigate the impact of a loss. Examples are vulnerability mitigation, anti-virus, restoration of data from backups, documented procedures to follow in the event of data loss, and operating system upgrades. They are the means of correcting a problem, or recovering the data center's data, if something goes wrong.
Deterrent Controls
These controls are meant to encourage compliance with external controls. Examples are alarms, security dogs, cameras, electric fences, moats, guard towers, and other
Application-Level Controls
These controls are meant to minimize and detect software operational errors. Examples are auditing and logging at the application layer, controls built into the application itself, and access controls that dictate who may use a given application and what they are able to do within it. These controls keep out users whose access could cause errors and detect other errors inherent in the application.
Transaction-Level Controls
These controls are meant to provide control over the various stages of a transaction.
authorization rules. They prevent both authorized and unauthorized users from completing transactions for operations they would not normally be permitted to perform.
Privileges
Privileges are set to the minimum each user's job requires. This keeps users who lack the knowledge or qualifications to handle certain material from accessing it, since such access could lead to data being accidentally deleted or modified. It also allows data to be restricted on a "need to know" basis, so that very sensitive data is withheld from anyone whose job does not require it.
Separation of Duties
To prevent fraud and error, it is also best to have the more important tasks completed by more than one individual. This is especially important given that the data center stores sensitive information about our customers. This will minimize the
future.
Software Support
Software is the heart of operations, so it is essential that software functions correctly and is protected from corruption. One way to achieve this is to limit what software may be used on any system; this keeps users and system personnel from making systems more vulnerable to viruses, worms, other malware, unexpected software interactions, or software that can bypass security controls. Another is to test software before it is deployed to all systems, checking whether it is compatible with custom applications and whether there are other unforeseen interactions. Proper licensing also contributes, enforced by auditing for illegal copies of copyrighted software. The last measure is ensuring that software is not modified without proper authorization.
Configuration and Change Management
system. This addresses hardware, software, networking, documentation, and other changes that may occur. It is meant to ensure that users do not make unintentional changes to the system that could weaken its security. To achieve this, the software security controls and parameter settings in the software will be reviewed quarterly. Systems connected to the network will be closely monitored, and a record will be kept of what systems connected to the network and for how long. All configuration changes made to the system will also be documented when they occur, in case of errors or a need to recover lost data.
Backups
Backups are vital to contingency plans; in the case of lost data, it is best to always have them available. To keep backups as current as possible without being excessive, data that changes every day will be backed up weekly; data that changes every week will be backed up monthly; data that changes monthly will be backed up quarterly; and data that changes less often than monthly will be backed up biannually. Note that the backup interval bounds how much work can be lost: under this schedule, data that changes daily could lose up to a week of changes. All backups will be stored at a warm site. In addition, a cold site will be available to relocate to in the event of a disaster that makes the current location a hazard. To ensure that the transition between sites is efficient and does not disrupt normal business, there will be quarterly training sessions that teach and refresh employees on what to do in the event of a disaster. In addition, there will be monthly tests to ensure that the stored backup data is reliable.
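One concrete form the monthly reliability test can take is an integrity manifest: hash every file when the backup set is written, and re-hash it at test time to catch silent corruption, lost files, and stray files. The following Python is an added example, not part of the plan; the manifest format (one "sha256  relative/path" line per file), the file names, and the function names are the example's own assumptions, and the sample backup set in demo() is constructed inline.

```python
"""Build a SHA-256 manifest for a backup set and verify it later.

Added example for the plan's monthly backup reliability tests. The manifest
layout ("<hex digest>  <relative path>" per line) is an assumption of this
example, chosen to match the output of sha256sum.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def _sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup images do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(backup_dir: Path) -> dict[str, Path]:
    """Map relative POSIX path -> Path for every file except the manifest itself."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir: Path) -> int:
    """Hash every file under backup_dir into MANIFEST_NAME; return entry count."""
    files = _files_under(backup_dir)
    lines = [f"{_sha256(p)}  {rel}\n" for rel, p in files.items()]
    (backup_dir / MANIFEST_NAME).write_text("".join(lines))
    return len(lines)


def verify_manifest(backup_dir: Path) -> dict[str, list[str]]:
    """Compare the backup set against its manifest.

    Returns {'corrupt': [...], 'missing': [...], 'unexpected': [...]};
    all three lists empty means the set verified cleanly.
    """
    expected: dict[str, str] = {}
    for line in (backup_dir / MANIFEST_NAME).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    on_disk = _files_under(backup_dir)
    result: dict[str, list[str]] = {"corrupt": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in on_disk:
            result["missing"].append(rel)
        elif _sha256(on_disk[rel]) != digest:
            result["corrupt"].append(rel)
    result["unexpected"] = sorted(on_disk.keys() - expected.keys())
    return result


def demo() -> dict[str, list[str]]:
    """Constructed backup set: one file later corrupted, one lost, one stray."""
    root = Path(tempfile.mkdtemp())
    (root / "db").mkdir()
    (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
    (root / "config.ini").write_bytes(b"[backup]\nsite=warm\n")
    write_manifest(root)
    # Simulate what the monthly test is meant to catch: a single flipped byte,
    # a file that vanished from the media, and a file that was never backed up.
    (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INt);\n")
    (root / "config.ini").unlink()
    (root / "stray.tmp").write_bytes(b"")
    return verify_manifest(root)


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest (or at least its own hash, ideally signed) somewhere other than the backup media; otherwise whoever can tamper with the backup can regenerate the manifest to match.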
Media Controls
These controls are meant to prevent the loss of confidentiality, integrity, or availability of information. To help achieve this, use of individual media will be logged to provide detailed accountability and to hold authorized employees responsible for their actions. In addition to keeping activity logs, there will also be marking, physical access protection,
Marking
All backups will be marked with a barcode and stored in the proper location for the information they hold. All printouts will have a banner page that specifies at least the date it was printed, who printed it, and where it was printed from. All systems will be named based on location and numbered based on
Logging
Logs will track which media access the network, who enters the facility, the times and dates at which a user accesses the network from their system, and the software and websites they access. There will also be audits of storage usage, data access, how often each group prints, errors and failures that occur on a system, and
Physical Access Protection
There will be several physical access controls in place. The facility will be surrounded by fifteen-foot barbed-wire fences. To get through the fence, one must enter through one of two entrances, each guarded by two security guards who will personally check the
contains the watermark. The watermark will only be visible under black light, which will be kept at the station employees pull up to in order to enter the gate. To access more sensitive locations, such as the server room, an employee must pass both a fingerprint and a retinal scan. Desks will have at least one set of locked drawers. All file cabinets must have locks. Safes will vary in protection, but all must be kept out of immediate sight and be well maintained. All locations, including offsite locations, will have security cameras that are constantly monitored, alarm systems, motion detectors, and a security detail that will patrol the area at least ten times offsite and fifteen times onsite. Patrol patterns will change every other day. All systems will require a username and password. Usernames will be assigned to employees based on their names. Passwords must be at least ten characters and include one capital letter, one lowercase letter, a number, and a special character. Passwords must be changed quarterly and may not contain more than four similar characters in sequence. A password also may not be reused within a cycle of thirty passwords. User access will be granted on a "need to know" basis and with least privilege in mind.
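The password rules above are the kind of thing an account-provisioning script should enforce rather than leave to a human checklist. The following Python is an added example, not part of the plan: it checks length, the four character classes, the run-length rule, and the thirty-password history. It assumes that "similar characters in a string" means identical characters in a row, and it stores the history as salted PBKDF2 hashes rather than plaintext; the constants, class and function names are the example's own.

```python
"""Checker for the plan's password rules.

Added example. Assumptions not stated in the plan: "similar characters in a
string" is read as a run of identical consecutive characters, and the thirty
password history is kept as salted PBKDF2-SHA256 hashes so that old passwords
cannot be recovered from it.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 10
MAX_RUN = 4            # no more than four identical characters in a row
HISTORY_DEPTH = 30     # a password may not match any of the last thirty
PBKDF2_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_composition(password: str) -> list[str]:
    """Return the composition rules the password fails; an empty list means OK."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    # (.)\1{4,} matches a character followed by four or more copies of itself,
    # i.e. a run of five or more identical characters.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        failures.append(f"run of more than {MAX_RUN} identical characters")
    return failures


class PasswordHistory:
    """Last HISTORY_DEPTH (salt, hash) pairs for one account, newest last."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        # compare_digest keeps the comparison constant-time per entry.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]   # drop anything older than the last thirty


def validate_new_password(password: str, history: PasswordHistory) -> list[str]:
    """Composition failures plus a reuse failure if the password is in history."""
    failures = check_composition(password)
    if history.was_used(password):
        failures.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return failures


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ("Correct-Horse-9", "Short1!", "aaaaaB1!cd", "correct-horse-9"):
        print(repr(pw), validate_new_password(pw, hist) or "OK")
    hist.record("Correct-Horse-9")
    print("after recording:", validate_new_password("Correct-Horse-9", hist))
```

Store the history with the account record, never the plaintext. Note also that current NIST guidance (SP 800-63B) recommends against forced periodic rotation and composition rules in favor of a minimum length and screening against known-breached passwords, so the quarterly change rule should be weighed against that when the policy is next reviewed.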
Environmental Protection
All media will be stored in appropriate locations that will not compromise the data stored on them. This means that no beverages may be kept near any of the systems. Magnets are
Disposition
All paper will be shredded or burned onsite. All other media will be overwritten three times, or destroyed by degaussing with a magnet or by burning. This is to prevent threats from
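For the overwrite option, the following Python is an added example (not part of the plan) of a three-pass overwrite that forces each pass onto the device before the file is unlinked. The plan only says "overwritten three times"; the pass patterns used here (all zeros, all ones, then random bytes), the function names, and the sample file built in demo() are the example's own assumptions.

```python
"""Three-pass overwrite of a file before deletion, for the plan's disposition rule.

Added example. The plan specifies only the number of passes; the patterns
(0x00, 0xFF, random) are an assumption of this example.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

PASS_PATTERNS = (b"\x00", b"\xff", None)   # None means random bytes from os.urandom
CHUNK = 1 << 20                             # write 1 MiB at a time


def overwrite_in_place(path: Path) -> int:
    """Overwrite every byte of path once per pattern, syncing each pass to disk.

    Returns the total number of bytes written (file size times number of passes).
    The file keeps its size and name; deletion is a separate step.
    """
    size = path.stat().st_size
    written = 0
    with path.open("r+b") as f:
        for pattern in PASS_PATTERNS:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device, not just the page cache
    return written


def sanitize(path: Path) -> int:
    """Overwrite the file and then unlink it; returns the number of passes completed."""
    overwrite_in_place(path)
    path.unlink()
    return len(PASS_PATTERNS)


def demo() -> dict[str, int | bool]:
    """Constructed sample: a small customer export that is overwritten and removed."""
    target = Path(tempfile.mkdtemp()) / "customer-export.csv"
    original = b"id,name\n1,Alice\n2,Bob\n" * 50
    target.write_bytes(original)
    bytes_written = overwrite_in_place(target)
    changed = target.read_bytes() != original      # last pass is random: original is gone
    same_size = target.stat().st_size == len(original)
    passes = sanitize(target)
    return {"bytes_written": bytes_written, "changed": changed,
            "same_size": same_size, "passes": passes, "deleted": not target.exists()}


if __name__ == "__main__":
    print(demo())
```

This is effective for files on magnetic disks. On SSDs and other flash media, wear leveling means the overwrite may land on different physical cells than the original data, and filesystem snapshots or journals can retain copies, so for those devices use the drive's own secure-erase command or physical destruction, which is also why the plan keeps burning as an option.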
Documentation
All logging, plans, changes, backups, locations, and operations will be documented at all times. There are no exceptions.
Maintenance
All systems will be properly maintained, physically and logically. Repairs will occur in a timely manner. Notices will be sent out for network-wide maintenance and updates.