
Anonymous
Asked: Oct 20th, 2018
$180

Question Description

Project: Department of Defense (DoD) Ready

Purpose

This course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies.

Learning Objectives and Outcomes

You will be able to develop draft IT security policies for an organization and apply learning constructs from the course.

Required Source Information and Tools

The following tools and resources will be needed to complete this project:

Scenario

You work for a high-tech company with approximately 390 employees. Your firm recently won a large DoD contract, which will add 30% to the revenue of your organization. It is a high-priority, high-visibility project. You will be allowed to make your own budget, project timeline, and tollgate decisions.

This course project will require you to form a team and develop the proper DoD security policies required to meet DoD standards for delivery of technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency. To do this, you must develop DoD-approved policies and standards for your IT infrastructure (see the “Tasks” section below). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies or controls in place.

Your firm's computing environment includes the following:

  • 12 servers running Microsoft Server 2012 R2, providing the following:
      – Active Directory (AD)
      – Domain Name System (DNS)
      – Dynamic Host Configuration Protocol (DHCP)
      – Enterprise Resource Planning (ERP) application (Oracle)
      – A Research and Development (R&D) Engineering network segment for testing, separate from the production environment
      – Microsoft Exchange Server for e-mail
      – Symantec e-mail filter
      – Websense for Internet use
  • Two Linux servers running Apache Server to host your Web site
  • 390 PCs/laptops running Microsoft Windows 7 or Windows 8, Microsoft Office 2013, Microsoft Visio, Microsoft Project, and Adobe Reader

Tasks

You should:

  • Select a team leader for your project group.
  • Create policies that are DoD compliant for the organization’s IT infrastructure.
  • Develop a list of compliance laws required for DoD contracts.
  • List controls placed on domains in the IT infrastructure.
  • List required standards for all devices, categorized by IT domain.
  • Develop a deployment plan for implementation of these policies, standards, and controls.
  • List all applicable DoD frameworks in the final delivery document.
  • Write a professional report that includes all of the above content-related items.

Submission Requirements

  • Format: Microsoft Word
  • Font: Times New Roman, Size 12, Double-Space
  • Citation Style: APA format
  • At least 10 references (including the book)
  • Length: 10 pages (not including title page and the (10) references)

Self-Assessment Checklist

  • I developed a list of compliance laws required for DoD contracts.
  • I listed controls placed on domains in the IT infrastructure.
  • I listed required standards for all devices, categorized by IT domain.
  • I developed DoD policies and standards for our organization’s IT infrastructure.
  • I developed a deployment plan for implementation of these policies, standards, and controls.
  • I listed all applicable DoD frameworks in the final report.
  • I found additional references/resources beyond those provided.
  • I created an academic paper describing the policies, standards, and controls that would make our organization DoD compliant.
  • I submitted my work by the due date including the PPT slides.

Your paper should not be in list format. It should be in proper paper format with paragraphs, section headings, and properly formatted sentences. Lists can be used, but kept to a minimum throughout the document.

Tutor Answer

Doctor_Ralph
School: UT Austin

Attached.

Final Project: Department of Defense Security Auditing for Compliance

Group Names
Institution of Affiliation
Course
Date

Introduction

The US DoD implements strict security compliance and policy requirements on its contractors to ensure that they fully comply with its laws, frameworks, controls, and policies. Consequently, the network and security compliance policies of the DoD require that a contractor comply with its specifications regarding the manner in which it handles information and the overall function of its network.

This report provides a detailed overview of:
– the policies compliant with the DoD requirements;
– the compliance laws that a DoD contractor should adhere to;
– the relevant controls that would be placed on domains within the IT infrastructure;
– the specific standards required for all devices, as per the categories provided by the IT domain;
– the deployment plan that would be used during the implementation phase of these controls, policies, and standards;
– the applicable DoD frameworks that would guide the implementation process.

Policies That Are DoD Compliant for the Organization’s IT Infrastructure

• 4.1. DoD shall use an enterprise process to accredit and certify Information Systems to facilitate the implementation, identification, and management of the IA services and capabilities, which must remain consistent with ref (a), DoDI 8510.01, of 28th Nov 2007.
• 4.2. DoD undertakes IA C&A using an enterprise decision structure to integrate GIG MAs with (DoDD) 8115.01 and the DIACAP codes.
• 4.3. The DIACAP shall create a net-centric environment that facilitates sharing of information across networks and the transition of the DoD ISs to the applicable GIG standards.
• 4.3.1. It must provide a standardized C&A method.
• 4.3.2. It must give directions on the dissemination and management of the guidelines and standards of the DoD.
• 4.3.3. It must dynamically accommodate various Information Systems.
• 4.4. All DoD-controlled Information Systems shall be put under DoD Component governance.
• 4.5. The DoD ISs will rely on the DoD IA controls.
• 4.6. The CIO and CIOs at the DoD will view the DIACAP Scorecard using a DoD-certified digital signature.
• 4.6.1. The designated accrediting authority (DAA) will be documented by the DIACAP Scorecard and other outcomes of the IA control implementation baselines.
• 4.7. A Plan of Action and Milestones (POA&M) shall be designed and maintained.
• 4.8. The supporting packages relating to DIACAP and the accreditation status of the DoD ISs shall remain available for Information System interconnection upon request from the (FISMA).
• 4.9. All DoD information systems with an authorization to operate (ATO) will be subjected to annual review.
• 4.10. During the Defense budgeting, planning, execution, and programming process, all the resources required for the implementation of the DIACAP shall be ascertained.
• 4.11. Any contract relating to programs, systems, and services included in this agreement shall be in accordance with DIACAP compliance, and any failure would not be tolerated.

A List of Compliance Laws Required for DoD Contracts

• No sharing of DoD information with external users.
• The transmission follows the highest level of privacy and security procedure.
• The transmission must be done through fax or telephone to the authorized recipients.
• All DoD information is protected using more than one physical control.
• The media devices must be sanitized in compliance with NIST protocols.
• No sharing of information related to the DoD with third parties.
• More safeguards for the unclassified DoD information.
• Protection of withholding data under the FOIA program, subject to the provisions of DoD Directive number 5400.07.
• Protection of any data with prior or current designated disseminations or controlled access, such as those specified for proprietary, official use only, or limited distribution.

Controls Placed on Domains in the IT Infrastructure

• User Domain:
– Proper security controls require careful planning so that multiple layers of controls are developed to provide sufficient protection.
– Acceptable Use Policies (AUP) to facilitate smooth access to the user domain.
– Users sign confidentiality agreements before gaining access to the networks containing classified and sensitive information.
– Users have unique login credentials accompanied by authenticated and strong passwords.
– Using the principle of Least Privilege and Need so that the login activities can be traced (Weiss, 2011).
• Workstation Domain:
– Restricting the use of one user account to a single user and allowing the use of only unique user accounts.
– Use of strong passwords and the creation of a unique user account that would be assigned a distinct role from the other user accounts.
– Using multiple accounts for multiple roles.
– Using anti-malware and continuous updates of the network applications and operating systems to enhance the compliance of the workstation domain.
• LAN Domain:
– Limit the use of the network to a very small area such as an office or the premises of the DoD.
– More monitoring will be required to keep the access to the resources of this network under control.
– Mapping the architecture of the LAN prior to the installation.
– Implementing a single login strategy to deter multiple sign-ins.
– Implementing a backup and recovery plan.
– Continuous update procedure for all its software, network applications, firmware, and operating systems.
• Remote Access Domain:
– Carefully selecting the VPN provider.
– Limiting the number of administrator accounts.
– Frequent updates to all applications and procedures.
• System/Application Domain:
– Physical barriers: locks, smart cards, security cameras, walls, lockable doors, water, pressure, and fire detectors.
– Logical controls: firewalls, using a NAC device.

The Required Standards for All Devices, Categorized by IT Domain

Required Standard | IT Domain
1. Categorization |
2. Classify the information requiring protection |
3. Identify the least baseline controls |
4. Apply risk assessment procedure to refine the controls |
5. Documentation of the controls onto a system security plan |
6. Apply the security controls into the applicable information systems |
7. Assessment of security controls effectiveness |
8. Determination of risks at the agency level relating to the business case |
9. Authorization of the information system to undertake processing |
10. Monitoring the security controls continuously |

A Deployment Plan for Implementation of These Policies, Standards, and Controls

• The entire workforce of the organization will be a requirement to emphasize the management and operation of the devices and equipment.
• The controls, policies, and standards will be implemented through adequate security measures, policies, and procedures applicable to the DoD (Army, 2009).
• The implementation plan will follow the DoD 8570.01-M, Change 2 outline as per DoD 8570.01-M par. C1.4.4.4.
• An effective audience training.
• Changing contracts to provide the required specification for the baseline certification requirements of DoD 8570.01-M, Change 3.
• A mandatory registration to the Army Training and Certification Tracking program must be undertaken.
• All other officers who will occupy the positions of Information Assurance Technicians, such as the Computer Network Defense-Service Providers and managers (CND-SP and CND-SPM), will also be obliged to meet the certification for the computing environment or any relevant training to enhance their technical capabilities (Army, 2009).

Applicable DoD Frameworks


...

Review

Anonymous
Excellent job
