ISOL 631 ACE Department of Defense Operations Security Discussion

Description

Q1) Submit a draft of your research of DOD-specific requirements for an organization’s IT infrastructure and U.S. compliance laws that may affect the firm.

REQUIREMENTS

- APA Format 7th edition

- Page length - 6 pages

Scenario

You work for a high-tech company with approximately 390 employees. Your firm recently won a large DoD contract, which will add 30% to the revenue of your organization. It is a high-priority, high-visibility project. You will be allowed to make your own budget, project timeline, and tollgate decisions.

This course project will require you to form a team of 2 to 3 coworkers (fellow students) and develop the proper DoD security policies required to meet DoD standards for delivery of technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency. To do this, you must develop DoD-approved policies and standards for your IT infrastructure (see the “Tasks” section below). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies or controls in place.

Your firm's computing environment includes the following:

- 12 servers running Microsoft Server 2012 R2, providing the following:
  - Active Directory (AD)
  - Domain Name System (DNS)
  - Dynamic Host Configuration Protocol (DHCP)
  - Enterprise Resource Planning (ERP) application (Oracle)
  - A Research and Development (R&D) Engineering network segment for testing, separate from the production environment
  - Microsoft Exchange Server for e-mail
  - Symantec e-mail filter
  - Websense for Internet use
- Two Linux servers running Apache Server to host your Web site
- 390 PCs/laptops running Microsoft Windows 7 or Windows 8, Microsoft Office 2013, Microsoft Visio, Microsoft Project, and Adobe Reader

Tasks

- Create policies that are DoD compliant for the organization’s IT infrastructure.
- Develop a list of compliance laws required for DoD contracts.
- List controls placed on domains in the IT infrastructure.
- List required standards for all devices, categorized by IT domain.
- Develop a deployment plan for implementation of these policies, standards, and controls.
- List all applicable DoD frameworks in the final delivery document.
- Write a professional report that includes all of the above content-related items.

Self-Assessment Checklist

- I developed a list of compliance laws required for DoD contracts.
- I listed controls placed on domains in the IT infrastructure.
- I listed required standards for all devices, categorized by IT domain.
- I developed DoD policies and standards for our organization’s IT infrastructure.
- I developed a deployment plan for implementation of these policies, standards, and controls.
- I listed all applicable DoD frameworks in the final report.
- I involved myself in each of the lessons and asked my instructor questions.
- I found additional references/resources beyond those provided.
- I created an academic paper describing the policies, standards, and controls that would make our organization DoD compliant.
- I submitted my work per the deliverable timeline to the instructor for monitoring and comment.


Explanation & Answer

Hi, ayitya! I have attached the final output of our work. Please let me know if you need more revisions. I am more than willing to help.

OUTLINE

- Create policies that are Department of Defense compliant for the organization’s IT infrastructure.
  - For the employees and officers in IT Department and Human Resources
  - For the organization staff who use the IT systems
  - For all employees whether full-time, part-time, or contractual
  - For all supervisors, deans, managers, and directors
- Develop a list of compliance laws required for DoD contracts.
- List controls placed on domains in the IT infrastructure.
- Definition of terms
- Monitoring Tools
- Policies Manuals
- Monitoring policy
- Policies manual
- Privacy concerns
- Conclusion



Create policies that are Department of Defense compliant for the organization’s IT infrastructure.

- For the employees and officers in IT Department and Human Resources

Policy No. 1 – Our organization has to implement, maintain, and provide on-going information technology Security Awareness Training using various training delivery techniques in awareness sessions, use email distribution for security awareness communications, and publish a security web site to promote and reinforce good security practices, policies and procedures, and employee responsibilities.

Policy No. 2 – Our organization needs to promote better accountability and monitor compliance by implementing an automated tracking system to capture key information regarding program activity (i.e. courses, certificates, attendance, etc.).

Policy No. 3 – Our organization needs to implement a formal evaluation and feedback mechanism to address quality, scope, deployment method (e.g., web-based, onsite, offsite), level of difficulty, ease of use, duration of session, relevancy, currency, and suggestions for modification.

- For the organization staff who use the IT systems

Policy No. 1 – Complete an annual online Security Awareness Training course every twelve (12) months. All newly hired employees are required to complete the Security Awareness Training course within the first 30 days from date of hire or prior to receiving access to the Communication's IT systems and data.

Policy No. 2 – Sign an "Acceptable Use Policy and IT Acceptable Use Standards and User Acknowledgement Agreement" which acknowledges that they are fully aware of security best practices and their roles in protecting the Communication's information technology systems and data. Access to computer technology will not be granted without this agreement.

- For all employees whether full-time, part-time, or contractual

Policy No. 1 – Complete the online Security Awareness Training course prior to receiving access to the Communication's IT systems and data.

Policy No. 2 – Sign an "Acceptable Use Policy and IT Acceptable Use Standards and User Acknowledgement Agreement" which acknowledges that they are fully aware of security best practices and their roles in protecting the ABC123 Communication's information technology systems and data.

- For all supervisors, deans, managers, and directors

Policy No. 1 – Ensure each employee under his/her supervision has attended and completed the Security Awareness Training and include the training as a part of the employee's annual performance evaluation.

Policy No. 2 – Maintain a copy of each employee's Security Awareness Training certificate in the department's personnel file and forward a copy of the employee's certificate to the Human Resource Department for the employee's personnel file.


Develop a list of compliance laws required for DoD contracts.
Federal Information Security Management Act (FISMA) is heavily related to DoD contracts. FISMA is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.

FISMA is a law stating the measures to implement in order to secure United States federal property and information. FISMA assigned the National Institute of Standards and Technology (NIST) the responsibility of defining standards and security procedures to be respected by American governmental agencies and to reinforce the information systems security level (FISMA / NIST 800-53 / FIPS PUB 200 compliance, n.d.). There are nine steps that the National Institute of Standards and Technology (NIST) outlines towards compliance with FISMA:

1. Categorize the information to be protected.
2. Select minimum baseline controls.
3. Refine controls using a risk assessment procedure.
4. Document the controls in the system security plan.
5. Implement security controls in appropriate information systems.
6. Assess the effectiveness of the security controls once they have been implemented.
7. Determine agency-level risk to the mission or business case.
8. Authorize the information system for processing.
9. Monitor the security controls on a continuous basis.


List controls placed on domains in the IT infrastructure.
A typical IT infrastructure has seven domains, namely User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, Remote Access Domain, WAN Domain, and System/Application Domain.

- User Domain
  - Authentication Controls
  - Security Awareness Training
  - Data Classification
  - Policies and Procedures
  - Incident/Problem Reporting
- Workstation Domain
  - Equip all workstations with the latest, updated anti-virus programs
  - Equip all workstations with the latest OS versions and security patches
- LAN Domain
  - Prevent unauthorized access to the network system, applications, and data.
  - Prevent and monitor incoming and outgoing network access.
  - Ensure C-I-A
- LAN to WAN Domain – This is where the IT infrastructure links to a WAN network and the Internet. This domain is responsible for applying the defined security controls to:
  - Prevent unauthorized network probing and port scanning
  - Prevent unauthorized access through the LAN-WAN Domain
- WAN Domain – This domain connects remote locations. The goal is to allow users the most access possible by making sure the data traveling in and out is safe.
  - Manage clients’ firewalls and router configurations.
  - Prevent open, public access that is easily available to anyone who wants to connect
  - Prohibit using the Internet for private communications without encryption and VPN tunnels.
  - Use encryption and VPN tunnels for secure IP communications.
  - Deploy a DMZ with IP stateful firewalls and IDS/IPS
  - Prevent DoS attacks
  - Prevent TCP SYN flooding and IP spoofing attacks
  - TCP/IP applications are inherently insecure (HTTP, FTP, TFTP, etc.).
    - Never use TCP/IP applications for confidential data without proper encryption.
    - Create a VLAN and isolate TFTP and SNMP traffic used for network management
- Remote Access Domain – This domain connects remote users to the organization’s IT Infrastructure through the public Internet. Remote access security controls must use the following:
  - Identification
  - Authentication
  - Authorization
  - Accountability—the process of recording user actions
- System/Application Domain
  - Patching on a regular basis
  - Keeping up with the vendor’s latest patches and OS versions on a regular basis
  - Limit access to the system
Definition of terms
A. Information Assets are defined as (1) all categories of automated information, including (but not limited to) records, files, and databases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by the company. It includes all IT systems and data.

B. Security Awareness Training (SAT) is a method to inform users of the importance of promoting and protecting information technology systems and assets. SAT is a training course that teaches key security concepts and best practices, such as creating a strong password, protecting mobile data, following the acceptable use policy, and reporting security incidents.


Monitoring Tools
It is now important to implement a monitoring process to validate adherence and
to flag violations. The CSI/FBI report stated that the total annual losses attributed to
insider abuse of the Internet total more than $50 Million for 2002, which is according
to GIAC Security Essentials Certification. The monitoring process will apply to all
devices attached or connected in any manner to this network.



Policies Manual
Many new monitoring, filtering and reporting tools are now available and
are relatively inexpensive to implement. Some examples are Lan Sweep...
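As an added example (not part of the answer above and not the organization's tracking system), the following Python audit applies the Security Awareness Training and Acceptable Use Policy rules stated in the policies section (SAT within 30 days of hire or before access is granted, renewal every twelve months, no access without a signed AUP) to a constructed set of tracking records and flags violations, the kind of automated adherence check the Monitoring Tools section calls for. Employee ids, dates, and the function names are assumptions.

```python
# Added example: checks constructed SAT/AUP tracking records against the policy rules above.
from datetime import date

NEW_HIRE_WINDOW_DAYS = 30       # SAT due within the first 30 days from date of hire
RENEWAL_WINDOW_DAYS = 365       # SAT must be repeated every twelve (12) months
AUDIT_DATE = date(2024, 4, 15)  # constructed "today" for the audit run

# Constructed tracking records (ids and dates are made up for illustration).
EMPLOYEES = [
    {"id": "e001", "hired": date(2023, 1, 10), "sat_completed": date(2024, 2, 1),
     "aup_signed": True, "has_access": True},   # compliant
    {"id": "e002", "hired": date(2024, 3, 1), "sat_completed": None,
     "aup_signed": True, "has_access": True},   # new hire, access before SAT, past 30 days
    {"id": "e003", "hired": date(2022, 6, 15), "sat_completed": date(2023, 1, 20),
     "aup_signed": True, "has_access": True},   # SAT older than twelve months
    {"id": "e004", "hired": date(2023, 9, 5), "sat_completed": date(2024, 1, 5),
     "aup_signed": False, "has_access": True},  # access granted without signed AUP
    {"id": "e005", "hired": date(2024, 4, 1), "sat_completed": None,
     "aup_signed": True, "has_access": False},  # new hire still inside the 30-day window
]

def check_employee(emp, today):
    """Return the list of policy violations for one tracking record."""
    findings = []
    sat = emp["sat_completed"]
    if sat is None:
        # New hires: SAT within 30 days of hire, and before any access is granted.
        if emp["has_access"]:
            findings.append("access granted before SAT completion")
        if (today - emp["hired"]).days > NEW_HIRE_WINDOW_DAYS:
            findings.append("SAT not completed within 30 days of hire")
    elif (today - sat).days > RENEWAL_WINDOW_DAYS:
        findings.append("annual SAT renewal overdue")
    # AUP: no access to computer technology without the signed agreement.
    if emp["has_access"] and not emp["aup_signed"]:
        findings.append("access granted without signed AUP")
    return findings

def audit(employees, today):
    """Map employee id -> violations, omitting compliant records."""
    report = {}
    for emp in employees:
        findings = check_employee(emp, today)
        if findings:
            report[emp["id"]] = findings
    return report

def run_audit():
    """Audit the constructed records as of AUDIT_DATE."""
    return audit(EMPLOYEES, AUDIT_DATE)
```

Replacing EMPLOYEES with an export from the tracking system and AUDIT_DATE with the current date turns this into a scheduled check whose output feeds the supervisors' annual performance evaluation record.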

