
Project: Outline for an Enterprise IT Security Policy

Introduction

The purpose of this outline is to introduce the client organization and its need for an Enterprise IT Security Policy. This document examines 15 enterprise areas: Access Control, Application Development, Asset Management, Business Operations, Communications, Compliance, Corporate Governance, Customers, Incident Management, IT Operations, Outsourcing, Physical/Environmental, Policies & Procedures, Privacy, and IT Security Program Implementation. Each area is described with potential risks to the client organization along with two solutions or technologies to mitigate those risks.

Organization Overview

The United States Air Force's (2014) mission is to "fly, fight and win ... in air, space and cyberspace" (airforce.com). It is a component of the U.S. military, with bases spread across the world, whose purpose is to support and defend the Constitution of the United States. Given its geographic spread and a scope of missions ranging from combat to humanitarian relief, the information it handles ranges from FOUO to Top Secret. Its information systems and infrastructure consist of thousands of computers, servers, switches, routers, and other network devices connected to separate unclassified and classified networks spanning its global reach. The specific regulation that establishes a cybersecurity program to protect and defend DoD information and information systems is DoDI 8500.01. The Air Force builds on this instruction with AFI 33-200, Air Force Cybersecurity Program Management, and AFI 33-115, Air Force Information Technology Service Management. The Air Force provides many services to its customers, including combat air support, air transport, intelligence products, and humanitarian efforts.

Enterprise Areas

I. Access Control

This area aims to limit access to assets and related facilities to authorized users, processes, or devices (NIST, 2014, pg. 23). Access is also limited to authorized activities and transactions. Although the Air Force uses hardware tokens to make unauthorized access harder, an attacker who steals a token may be able to brute-force the PIN associated with it and gain access. Additionally, personnel may leave workstations unattended while still logged in with their token, which presents a risk to confidentiality and integrity.

a. Implement a limit on consecutive invalid logon attempts within a pre-defined period of time and, if the limit is reached, automatically lock the account until it is released by an administrator.

b. Implement a session lock that locks the terminal after a pre-defined period of inactivity.
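The following is an added illustration, not part of the original outline, of how controls (a) and (b) behave together: failed logons are counted only within a sliding window, a correct PIN does not unlock an account once it is locked (an administrator must release it), a successful logon resets the counter, and an idle session is locked after the inactivity timeout. The thresholds (3 failures in 15 minutes, 10-minute idle timeout), the account names, and the PIN values are assumed for the example; a real token verifies the PIN on the card rather than comparing it in software as done here.

```python
"""Account lockout and session lock enforcement (illustrative example, assumed thresholds)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3            # consecutive invalid attempts tolerated (assumed)
    window_seconds: int = 900        # pre-defined period the failures must fall within (assumed)
    session_timeout_seconds: int = 600  # inactivity period before the session locks (assumed)


@dataclass
class Account:
    name: str
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts still in window
    locked: bool = False              # account lock: released only by admin_release()
    session_locked: bool = True       # session lock: cleared by a successful logon
    last_activity: float = 0.0


class AccessController:
    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        # credentials is a constructed name -> PIN table for the example only;
        # a real system never stores PINs in the clear.
        self.policy = policy
        self.credentials = credentials
        self.accounts: Dict[str, Account] = {}

    def _account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account(name))

    def attempt_logon(self, name: str, pin: str, now: float) -> str:
        """Return 'success', 'failure', or 'locked' for a logon attempt at time `now`."""
        acct = self._account(name)
        if acct.locked:
            # Once locked, even the correct PIN is rejected until an administrator releases it.
            return "locked"
        # Keep only failures inside the sliding window.
        acct.failures = [t for t in acct.failures if now - t < self.policy.window_seconds]
        stored: Optional[str] = self.credentials.get(name)
        if stored is not None and hmac.compare_digest(stored, pin):
            acct.failures.clear()         # a successful logon resets the counter
            acct.session_locked = False
            acct.last_activity = now
            return "success"
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.max_failures:
            acct.locked = True
            return "locked"
        return "failure"

    def admin_release(self, name: str) -> None:
        """Administrator releases the account lock and clears the failure history."""
        acct = self._account(name)
        acct.locked = False
        acct.failures.clear()

    def record_activity(self, name: str, now: float) -> None:
        """Keyboard or mouse activity keeps an unlocked session alive."""
        acct = self._account(name)
        if not self.is_session_locked(name, now):
            acct.last_activity = now

    def is_session_locked(self, name: str, now: float) -> bool:
        """Lock the session once inactivity reaches the timeout; unknown accounts are locked."""
        acct = self.accounts.get(name)
        if acct is None or acct.session_locked:
            return True
        if now - acct.last_activity >= self.policy.session_timeout_seconds:
            acct.session_locked = True
        return acct.session_locked


if __name__ == "__main__":
    ac = AccessController(LockoutPolicy(), {"alice": "1234"})
    for pin in ("0000", "1111", "2222", "1234"):
        print(pin, ac.attempt_logon("alice", pin, now=0))  # third failure locks; correct PIN still locked
    ac.admin_release("alice")
    print("after release", ac.attempt_logon("alice", "1234", now=60))
    print("idle 11 min ->", ac.is_session_locked("alice", now=60 + 660))
```

Attempts are checked against the lock state before the PIN is compared, so a stolen token cannot be used to keep guessing once the limit is hit, and the window filter means that three failures spread over a longer period than the window do not trigger the lock.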

II. Application Development

This area refers to the process the organization uses to develop applications or systems that will be implemented or integrated within the enterprise. Without a process that includes security as part of system or application development, the organization risks the integrity of the final product. Even when security personnel are included from the initiation of system development, the integrity of the system remains at risk if it has not been tested against an actual attack.

a. Implement a System Development Life Cycle (SDLC), paying special attention to including security personnel in SDLC activities so that security requirements are incorporated into the applications and systems.

b. Employ an independent penetration testing team to attempt to exploit the system using methods anticipated to be used by adversaries to pinpoint vulnerabilities.

III. Asset Management

This area is the identification and management of the data, personnel, devices, systems, and facilities used for business purposes. Software platforms, physical devices, and systems on the network present a confidentiality risk if they are not accounted for on a controlled inventory. External information system services used to transmit government data also present an integrity risk, since those systems are maintained by an outside entity.

a. Implement a centralized information system component inventory that captures the information necessary for effective accountability.
b. Require providers of external information systems to comply with DoDI 8500.01 cybersecurity requirements.

IV. Business Operations

This refers to the organization's prioritization of its mission, objectives, stakeholders, and activities. Without a plan in place for a breach or natural disaster, the organization risks the availability of its information systems. The supply chain also presents a risk to confidentiality and integrity if it were to be compromised.

a. Implement contingency planning policy and procedures coordinated with organizational entities to address purpose, scope, roles, responsibilities, and management commitment.

b. Require supply chain entities to use tamper-evident packaging during shipping/warehousing.

V. Communications

This refers to the coordination of response and restoration activities with internal and external stakeholders. Until it is tested, the incident response capability may have weaknesses that put availability at risk in an actual incident. Furthermore, communication between all the entities involved can become confused and limit the effectiveness of incident response.

a. Implement incident response testing to determine the effectiveness of the incident response capability.
b. Implement incident handling using online incident management systems.

VI. Compliance

This area is the state of an organization's alignment with applicable regulations. System integrity is at risk when regulations are not followed and the violations go unnoticed or unaddressed.

a. Identify the audit events significant to the security of the information systems and the operating environment.
b. Implement automated audit review, analysis, and reporting to the incident response team, help desk, and information security group.

VII. Corporate Governance

This area refers to all policies, procedures, and processes used to manage the organization's regulatory, risk, environmental, and operational requirements. Without governance, risks to integrity, availability, and confidentiality all increase significantly.

a. Select and implement controls from the NIST SP 800-53 Rev. 4 control families as the basis of the information security policy.

b. Implement an information security program plan which includes the assignment of roles, responsibilities, management commitment, coordination, and compliance.

VIII. Customers

This area refers to the customers of the Air Force, which include the other military branches, its own employees, and foreign partner nations. Network users present a risk, since not every user is an IT professional. The Air Force also provides its customers with classified information, whose integrity is at risk in transit.

a. Provide annual cybersecurity awareness training for all users who have access to an information system.
b. Employ encryption when transmitting classified data.

IX. Incident Management

This area refers to how an organization responds to an incident affecting sensitive information or its systems. Security incidents risk recurring, possibly impacting availability, if they are not tracked and handled properly. Unclear incident response roles can also lead to integrity risks in incident management.

a. Implement the Einstein network monitoring capability for automated incident tracking, collection, and analysis.

b. Form an integrated information security analysis team with clear roles to leverage team knowledge of threats to handle incidents and deter intrusions more effectively.

X. IT Operations

This consists of the processes, people, and technology used to provide services to the organization's customers in support of the business. IT personnel maintain the equipment, and improper maintenance risks affecting availability. Removable media also presents an integrity and confidentiality risk to information systems.

a. Implement physical cages or port blockers to prohibit access to external ports.

b. Implement controlled maintenance in order to schedule, perform, and document repairs in accordance with manufacturer and vendor specifications.

XI. Outsourcing

This area refers to obtaining a product or service from an external entity. Any change to a provided service or product presents an integrity risk if it is not documented or reported. Developers may also perform inadequate security testing, leaving vulnerabilities in the final product.

a. Require developer configuration management, which obliges the developer to document, manage, and control the integrity of changes.

b. Require developer security testing and evaluation using static code analysis tools to identify common flaws, with the results documented.

XII. Physical/Environmental

This refers to the security of physical devices and of the areas housing information systems, including environmental factors such as temperature and geographic location. Without physical measures in place, unauthorized access to physical locations presents a confidentiality risk. If temperature is not monitored, there is an availability risk, since systems can fail if they overheat.

a. Implement physical access authorizations through access lists, issuance of credentials, and quarterly reviews of access lists.

b. Implement temperature sensors in critical data centers with alarms and auto shutdown capability.

XIII. Policies & Procedures

This area refers to the policies, processes, and procedures maintained and used to manage the protection of information systems and assets. An enterprise architecture (EA) can become very complex, and without policies and procedures to manage the baseline, the integrity of the EA is at risk. Implementing change without a process can also create vulnerabilities or incompatibilities, leading to availability risk.

a. Establish a baseline configuration that is formally reviewed and contains validated specifications for the information systems.
b. Implement configuration change control so that changes do not introduce new problems into the baseline.

XIV. Privacy

This area mainly refers to the handling of PII, of which the Air Force maintains a large amount on its employees. Maintaining this information mainly presents a confidentiality risk.

a. Implement an organization-wide governance and privacy program to ensure compliance with applicable laws and regulations in all matters of PII handling.

b. Conduct a Privacy Impact and Risk Assessment to identify privacy risks and methods to mitigate the risks.

XV. IT Security Program Implementation

This area refers to the overall method of implementing the security program. Not following the NIST framework may present risk in all areas of cybersecurity, since it is a guideline developed with input from leading experts in the field. Also, without a plan for implementing the security program, the organization risks failing to identify its high-level requirements.

a. Implement the NIST framework to systematically improve the security program through the seven steps outlined on pg. 14 of the NIST Framework document.

b. Implement a system security plan that describes the relationship between high-level security controls and requirements.

References

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53 Rev. 4). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

U.S. Air Force. (2014). Our Mission. Retrieved from http://www.airforce.com/learn-about/our-mission/
