Security Implementation PlanNovember 13, 2017
The establishment of this information security plan will benefit the Aegis Technologies Group by providing a more secure environment for the storage and processing of our data and information. Risk Management: Risk Management is the process by which we identify a risk, evaluate that risk, and take the appropriate steps to diminish or mitigate that risk to a level that can be accepted or tolerated (Business Dictionary, n. D. ). It is paramount for Aegis Technologies Group to successfully put into place and sustain a secure environment.
Risk assessments will provide the ability to recognize, classify, measure, and rank the risks in order of priority. Necessary actions can then be applied to protect information assets, based on the assessment results. The following steps will be included as part off risk assessment (Hubs, 2012): 1. Detection and classification of the risks a. Determine company assets and the owners of specific information b. Determine existing threats c. Classify any weaknesses that could be subjugated by existing threats d.
Determine the effects that a loss of confidentiality, integrity and availability could SSE to a company’s assets 2. Examine and assess the risks e. Evaluate the potential impact that could result from security failures f. Determine the genuine possibility of security failures taking place g. Approximate the level of risks h. Decide whether potential risks are acceptable 3. Isolate and assess options to mitigate risk I. Put applicable control measures in place J. Risk acceptance k.
Risk avoidance Human Resources Security: Every employee, volunteer, sub-contractor, or third party user of Aegis Technologies Group’s information and information assets needs to be fully aware and understand heir individual responsibilities with respect to security, and for the Job positions they are considered for to minimize the peril of theft, deception or exploitation. Prior to employment, security responsibilities will need to be addressed, based on individual position. Screening shall take place, where appropriate, for all Job applicants, volunteers, and/or sub-contractors for all positions requiring access to sensitive information.
Safeguards include the following: 1 . Background checks 2. Drug screening 3. Financial screening 4. Non-disclosure agreements 5. Reading and signing of all security related policies Security awareness training, along with regularly scheduled updates on all appropriate policies and procedures will be administered to all employees and, where applicable, to all volunteers, sub-contractors and third party users, where applicable to their position or function, to include: 1. Information Security Awareness Training 2.
Privacy and Security of Personal Information Procedures will be implemented to ensure employees, volunteers, contractors or third parties exit from Aegis Technologies Group’s is properly managed, and that all equipment is returned, and all applicable access rights have been removed (Vogel, 011). Physical Security: The purpose of physical security is the prevention and protection against unauthorized physical access, damage, destruction, stealing, compromise, and interference to Aegis Technologies Group’s information and facilities.
Our company’s locations that house vital or sensitive information or assets need to be protected with proper security barriers and access/entry control measures. Areas that require security shall be protected with security entry controls, ensuring that only individuals with a need to know, and proper identification will be granted access. Various access intro measures that will be used are (Davis, 2012): 1. Key Card Entry Systems 2. Identification Badges 3. Video Surveillance Cameras 4. Combination Locks 5. Biometric Locks 6.
Motion detectors and alarms Environmental Security: The objective of environment security is to protect our company’s information from environmental hazards, such as flooding, fire, wind, earthquakes, explosions, civil unrest and other forms of natural and man-made risks. Safeguards and measures can include (Davis, 2012): 1. Backup facilities and off-site redundant storage 2. Appropriate fire-fighting equipment and other countermeasures, and fire oppression systems 3. Consideration of security threats posed by neighboring facilities 4. Appropriate heating and cooling 5.
Uninterrupted Power Supplies and backup power generators Mobile Security: The objective of mobile security is to provide our employees with access to our company’s business applications, corporate resources and email through the use of smart phones and Pad’s, but at the same time – safeguard our information. Some key requirements include: 1 . Centralized management 2. Personal firewall 3. Lightweight SSL-based VPN Client 4. Predefined Security Policies 5. Secure Session Maintenance Security Assessment Risk Assessment: Cyber threats to our system include, but are not limited to the following: 1.
Denial of Service Attacks – a method used to limit or completely disallow system access to valid users without the necessity of compromising the system being targeted. Messages are used to overrun and completely shut down a targeted system and its network by blocking legitimate traffic. This method of attack can stop a system from to use the internet. Such attacks have most commonly been perpetrated via bootees, a network of hijacked computers compromised by mallard coordinated by a nomad and control server. Such attacks are referred to as Distributed Denial of Service (Dodos). Mitigation and prevention (Cisco, n. D. ): * CISCO Routers that can examine each packet for proper routing. * Access Control Lists. * Ingress and Egress Filtering. 2. Pushing – a modern scam which commonly utilizes spam or pop-up messages for the purpose of deceiving individuals into revealing sensitive information. Internet scampers often utilize e-mail as bait to “Phips” for passwords and financial data from the vast ocean of internet users. * Mitigation and prevention (Bradley, 2012): * Be skeptical. Use pushing protection with latest internet browsers (II and Firebox).
Report Suspicious Activity. 3. Spoofing – the creation of a deceptive web site for the purpose of imitating an authentic and well recognized web site which is run by another party. E-mail spoofing takes place when the senders address and other parts of an e-mail header are changed to look as though the e-mail was derived from a different source. The origination of an e-mail message is hidden by spoofing. * Mitigation and prevention (Hassle, 2006): * Use authentication based on key exchange between machines on your network, such as Pipes.
Use Access Control Lists to deny private IP addresses. Implement filtering of both inbound and outbound traffic. * Enable encryption sessions on your router to allow trusted hosts outside your network to securely communicate with local hosts. 4. Virus – a program that “contaminates” computer files, and primarily executable programs, by introducing a replica of itself into the file. These replicas are typically executed when the contaminated file is loaded into memory, permitting the virus to contaminate other files.
Dissimilar from a computer worm, a virus needs human involvement (usually unsuspecting) in order to spread. Mitigation and prevention (Collins, n. D. ): * Be aware of unsolicited e-mail, specifically those with executable attachments. * Installation of reputable Anti-virus software. * Installation of reputable Firewall software. 5. Worm – an autonomous, self-regulating computer program that replicates by copying itself from one system to another across a network. In contrast to computer viruses, no human intervention or involvement is required by worms in order to propagate. Mitigation and prevention (Napes, 2009): * Keep up to date with software security patches. * Installation of reputable Ann-virus software. Intrusion Detection and Prevention: Intrusion detection is the practice or method of examining events as they occur within a computer system or network, and then performing analysis on those events impending risk to existing computer security guidelines, standard operating procedures, or normal security practices, and pose the potential to compromise the confidentiality, integrity or availability of a resource (SANS. Org, n. D. ). Intrusion prevention is the method of executing intrusion detection in an effort to halt or mitigate all potential incidents that have been detected. The primary focus of Intrusion Detection and Prevention Systems (DIPS), lies with the identification of potential incidents, recording all pertinent information that pertains to them, endeavoring to either stop or mitigate them, and the reporting of all incidents to security administrators.
Dip’s are further utilized within organizations for the purpose of identifying problematic security policies, recording existing threats, and preventing the violation of security procedures. Having become an essential addition to the security infrastructure of virtually every organization, Dip’s normally document information associated with observed events, provide notification of important observed events, and produce reports for security administrators. There are a variety of these systems that are capable of responding to a perceived threat in an attempt to thwart its success.
A number of different response techniques are utilized, which can consist of the DIPS preventing the actual attack, effecting a change in the security environment – such as a firewall reconfiguration, or by changing the content of the attack. The most typical technology is network-based – monitoring and analyzing all outwork traffic and identifying suspicious activity, but DIPS does exist in wireless and host based technology as well (Scarceness & Mel, 2007).