NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 1

NTS201 Security Program Implementation Plan

Alyssa Evans
University of Advancing Technology
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 2
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 3

Table of Contents
Executive Summary ........................................................................................................................ 4
Introduction ..................................................................................................................................... 4
Operations Security......................................................................................................................... 4
Preventive Controls ..................................................................................................................... 4
Detective Controls ....................................................................................................................... 5
Corrective Controls ..................................................................................................................... 5
Deterrent Controls ....................................................................................................................... 5
Application-Level Controls ......................................................................................................... 5
Transaction-Level Controls ......................................................................................................... 5
Privileges ..................................................................................................................................... 6
Separation of Duties ................................................................................................................ 6
Software Support ............................................................................................................................ 6
Configuration and Change Management ........................................................................................ 7
Backups ........................................................................................................................................... 7
Media Controls................................................................................................................................ 8
Marking ....................................................................................................................................... 8
Logging ....................................................................................................................................... 8
Physical Access Protection.......................................................................................................... 8
Environmental Protection ............................................................................................................ 9
Disposition ................................................................................................................................ 10
Documentation .............................................................................................................................. 10
Maintenance .................................................................................................................................. 10
Resources ...................................................................................................................................... 11
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 4

Executive Summary
The objective of this security implementation plan is to protect the information system resources.

This plan was intended to provide the necessary tools needed to secure a data center. It will focus

on the operations security and security controls necessary for a data center to protect its assets.

Introduction
With the creation of a new data center in the western region, it is vital that it is as secure as

possible. It is critical the as the largest of the data center in the region that stores sensitive

customer information, that the security program implementation plan is as thorough as possible.

With this in mind, it was also decided that with such critical information stored, that no expense

will be spared in protecting the customer’s information. This plan uses multiple layers of defense

and is prepared to grow with the organization.

Operations Security
The purpose of this section is to identify the controls necessary to control software, hardware,

media, and the operators and administrators who possess elevated access privileges to any of

these resources. The operations security will be implemented via the controls, processes, and

personnel listed below.

Preventive Controls
These controls are meant to prevent unauthorized individuals from accessing the data

center and its information. It is also meant to reduce the frequency and impact of errors in

the data center. Examples of this are security guards, electric fences, signs that caution

against trespassing, biometric scanners, security dogs, ID cards, security awareness

training, and firewalls. These are all good things to have to better prevent unauthorized

access and reduce the frequency and impact of errors that may occur.
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 5

Detective Controls
These controls are meant to discover unauthorized access and errors after they have

occurred. Examples of this are security cameras, motion detectors, anti-virus, system

monitoring, IDS, and IDPS. These are all good ways to detect unauthorized users and

errors once they have occurred.

Corrective Controls
These controls are meant to help mitigate the impact of a loss. Examples of this are

vulnerability mitigation, anti-virus, backup data restoration, having steps in place in case

of loss of data, and upgrading the operating system. These are good ways to correct or

recover the data from the data center if something were to go wrong.

Deterrent Controls
These controls are meant to encourage compliance with external controls. Examples of

this are alarms, security dogs, cameras, electric fences, moats, guard towers, and other

displays of force. These controls will discourage unauthorized individuals from

attempting to access the data center.

Application-Level Controls
These controls are meant to minimize and detect software operational errors. Examples of

this are auditing and logging at the application layer, inherent controls built into the

application, and security controls that dictate who has access to certain applications and

what they are able to accomplish on said application. These controls prevent those access

who could cause errors and detects other errors that could be inherent in the application.

Transaction-Level Controls
These controls are meant to provide control over various stages of a transaction.

Examples of this is internal controls such as auditing, delegated authority, and

NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 6

authorization rules. These will prevent authorized and unauthorized from being able to

complete transactions for operations they may not normally be able to complete.

Privileges
Privileges are set to promote the minimal user profile privileges based on users’ job

necessities. This is to prevent those who do not have the knowledge or qualifications to

access certain materials do not. This could cause for that user to accidentally delete or

modify data when it should not occur. This will also allow for data to be set a “need to

know” basis to restrict data that may be considered very sensitive. This will allow for

there to be less individuals from gaining access to data when it is irrelevant to their job.

Separation of Duties
In order to prevent fraud and error, it is also best to have more important tasks be

completed by more than one individual. This is especially important in the face of the

data center storing sensitive information of or customers. This will minimize the

likelihood of that data being entered in wrong or stolen/released by employee in the

future.

Software Support
Software is the heart of operations, making it essential that software functions correctly and is

corrected from corruption. This can be achieved by limiting what software is used on any

system. This will prevent users and system personnel from making the system become more

vulnerable to viruses, worms, malware, unexpected software interactions, or software that can

bypass security controls. Another way to achieve this is to test software before it is deployed on

all systems. It is best to be cautious of whether or not software will be compatible with custom

applications, and if there are other unforeseen interactions. This can also be achieved through

proper licensing. This will be through auditing of illegal copies of copyrighted software. The last
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 7

thing that will be implemented is ensuring software is not modified without proper authorization.

This will include all software and backup copies.

Configuration and Change Management

This is similar to software support, but it tracks, and if necessary, approves changes to the

system. This addresses hardware, software, networking, documentation, and other changes that

may occur. It is meant to ensure that users do not cause unintentional changes to the system that

could lessen the security. To achieve this, the software security controls and parameter settings in

the software will be reviewed quarterly. The systems connected to the network will be heavily

monitored, and a record will be kept of shat systems connected to the network and the length of

time this occurred. There will also be documentation of all configuration and changes made to

the system when they occur in case of errors or needing to recover lost data.

Backups
Backups are vital to contingency plans. In the case of lost data, it is best to always have them

present. To ensure that it is as up to date as possible without bring excessive, if the data that is

being backed up changes every day, it will be backed up weekly; if the data changes every week,

it will be backed up monthly; if the data changes monthly, it will be backed up quarterly; if the

data backed up changes less frequently than a month, it will be backed up biannually. All

backups will be stored at a warm site. In addition to that, there will also be a cold site available to

relocate to in the event of a disaster that makes the current location a hazard. To ensure that the

transition between sites is efficient and does not harm normal business practices, there will be

quarterly training sessions that educate and refresh the knowledge of employees on what to do in

the event of a disaster. In addition to this, there will be monthly tests to ensure that the data

stored is reliable.
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 8

Media Controls
These controls are meant to prevent the loss of confidentiality, integrity, or availability of

information. To help achieve this there will be logging of the use of individual media to provide

detailed accountability and to hold authorized employees responsible for their actions. In

addition to keeping logs of activity, there will also be marking, physical access protection,

environmental protection, disposition, documentation, and maintenance to protect the

information stored at the data center.

Marking
All backups will be marked appropriately using a barcode and stored in its proper

location based on the information stored. All printouts will have a banner page that at

least specifies the date it was printed, who printed it, and the location of where it was

printed from. All systems will be named based on location and numbered based on

creation/added to the network. All Ethernet ports will be labeled similarly.

Logging
There will logs keep track of media accessing the network, those who enter the facility,

time and dates of when a user accesses the network through their system, and the

software and website that they access. There will also be audits to monitor storage usage,

accessing data, how often a group prints, errors and failures that occur on a system, and

unauthorized media access.

Physical Access Protection

To prevent media from being stolen, destroyed, replaced with a look-alike copy, or lost,

there will be several physical access control in place. The facility will be surrounded by

fifteen feet barbed wire fences. To get through the fence, you must enter through one of

two entrances that will be guarded by two security guards that will personally check the
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 9

employees badge in addition to having the employee’s ID scanned to ensure that it

contains the watermark. The watermark will only be visible under black light, which will

be stored at the station that employees will pull up to, to enter the gate. To access more

sensitive locations, such as the server room, the employee must complete a fingerprint

and retinal scan. Desks will have at least one set of locked draws. All file cabinets must

have locks. Safes will vary in protection, but all must be kept out of immediate sight and

be well maintained. All locations, including offsite locations, will have security cameras

that are constantly monitored, alarm systems, motion detectors, and a security detail that

will patrol the area at least ten times offsite, and fifteen onsite. The patrol patterns will

change every other day. All systems will require a username and password. Usernames

will be provided to the employee based on their name. Passwords must be at least ten

characters, that include one capital letter, one lowercase letter, a number, and a special

character. Passwords must be changed quarterly and cannot have more than four similar

characters in a string. Passwords also cannot be the same for the cycle of thirty

passwords. User access will be based on a “need to know” basis and with least privilege

in mind.

Environmental Protection
All media will be stored in appropriate locations that will not compromise the data stored

within. This means that no beverages may be kept near any of the systems. Magnets are

not allowed. Temperatures will be kept at a maximum of 70 degrees Fahrenheit. All

paper must be stored in the appropriate place.

NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 10

Disposition
All papers will be shredded or burned onsite. All other media will be overwritten three

times, or destroyed using a magnet or burning it. This is to prevent threats from

recovering confidential data.

Documentation
All logging, plans, changes, backups, locations, and operations will be documented at all times.

There is no exception.

Maintenance
All systems will be properly maintained physically and logically. Repairs will occur in a timely

manner. Notices will be sent when there are network wide maintenances and updates.
NTS201 SECUIRTY PROGRAM IMPLEMENATION PLAN 11

Resources
Merkow, M. S., & Breithaupt, J. (2014). Information Security: Principles and Practices (2nd

ed.). Indianapolis, IN: Pearson Education.