Project: Outline for an Enterprise IT Security Policy

Scenario: A client company has asked you to help it develop an outline for an Enterprise IT Security Policy which addresses the following Enterprise Areas:

1. Access Control
2. Application Development
3. Asset Management
4. Business Operations
5. Communications
6. Compliance
7. Corporate Governance
8. Customers
9. Incident Management
10. IT Operations
11. Outsourcing
12. Physical/Environmental
13. Policies & Procedures
14. Privacy
15. IT Security Program Implementation

The client has specifically requested that you address applicable elements of theFramework Core and protective technologies aslisted in the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity(see Table 2 inhttp://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf). The client has also requested that you address relevant security policies and controls from other sources, including NIST SP-800-53 and the CIS Critical Security Controls.

Note: Typical critical infrastructure organizations include: banks / financial institutions, regional healthcare providers (e.g. hospitals or urgent care providers), transportation providers (air, rail, water), telecommunications or Internet services providers or local energy utilities.

Read / Research:

1. Read the Week 1 & Week 2 readings.
a. http://www.nist.gov/director/speeches/20150204rominespeech.cfm
b. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
c. NIST Economic Case Study - Planning Report 13-2; The Impact of NSTIC on the Internal Revenue Service (See attachment)
d. Perspective on 2015 DoD Cyber Strategy Before the Committee on Armed Services, United States House of Representatives(See attachment)
e. Federal Register Notice. Part III, The President, Executive Order 13636 (See attachment)

2. Review the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity(pay special attention to Table 2 in http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf)

3. Review the security controls as presented in NIST SP 800-53http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf and the CIS Critical Security Controls (https://www.sans.org/critical-security-controls ). Pay special attention to the types of risks / threats which the various controls or control families address or mitigate.

4. Choose an existing "client" company or create one of your own ("fictional"). Research (or develop) thefollowing:
a. mission statement for this client which provides a brief overview of the client's organization and the critical infrastructure sector in which it operates
b. types of information, information systems, and information infrastructure (networks, communications capabilities) included in its enterprise
c. regulations and laws which it must comply with (paying special attention to those which impact the use of information and information systems)
d. products / services which the organization provides to its customers

5. Research each of the 15 areas which the client has asked you to address. For each area, you must identify major risks or threats to confidentiality, integrity, and availability. You must also identify security controls which can be used to mitigate these risks. Where appropriate, you must list two or more technologies which will implement those controls.

Write:

1. Develop an introduction to the security policy outline which you will present in your deliverable.

2. Develop an overview of the client company (mission, functions, information / information systems which need to be protected, laws and regulations, etc.).

3. Using your research, write a 2 - 3 page outline for an Enterprise IT Security Policy. This outline should address all of the areas requested by the client. For each major area in the outline you must provide a brief introduction which explains what is covered in each area. You must also identifyrisks / threats to confidentiality, integrity, and availability which are addressed in each area. Provide at least two examples of policies which would implement applicable security controls and, as appropriate, identify two or more protective technologies.

4. Use the following format for your outline:

I. Enterprise Area
[Descriptive paragraph about this enterprise area and policies required to implement appropriate security for it.]

a. Policy Area #1
b. Policy Area #2
Example:
I. Access Control
[Brief descriptive paragraph for this enterprise area]

a. Implement Separation of Duties [one sentence explanation]

b. Control the Use of Administrative Privileges[one sentence explanation]