Implementation, communication, certification info in IT

User Generated

gnbbsyf

Computer Science

Colorado Technical University

Description

Topic is: Physical and Environmental Security in IT

The project deliverables are as follows:

Implementation and communication plan added Asset management section.

  • The following sections should be completed. Feedback received from the instructor and peers should be incorporated into the final paper, using the following format:
    • Title Page
    • Table Of Contents
    • Abstract
    • Project Outline or Project Background
    • Policies, Procedures, Roles, and Responsibilities
    • Data Governance
    • Network Security
    • Asset Security Management
    • Compliance with Security Regulations
    • Conclusion
    • References
  • New content
    • Discussion of overall integration of topic should be included, including laws, regulations, and standards that need to be met to implement the topic into an organization. Focus on existing laws and regulations.
    • Include a discussion about what industry certifications are applicable for the chosen topic, and discuss how and why a certification can help contribute to the accreditation of the topic.

Unformatted Attachment Preview

Security Capstone (CSS450-1803A-01)
Physical and Environmental Security
Student
08/06/2018

Contents
Security Capstone (CSS450-1803A-01)
Abstract
Paper Topic Background
Section 1: Policies, Procedures, Roles, and Responsibilities
Section 2: Data Governance
Section 3: Network Security
Section 4: Asset Security Management
Section 5: Compliance with Security Regulations (TBD)
Conclusion
References

Abstract

Physical and Environmental Security is the basis for my paper and research. The implications of these items have wide and far-reaching consequences if not done correctly. When I was in the Army we learned a variety of methods to secure not only data but multiple types of materials including: buildings, weapons, information, people, vehicles, data and more.
The one I worked with the least was data, but after taking courses dealing with hacking I realize that data is the most important one. Physical security is very different than technological security in the method for making sure it is not compromised. Environmental has aspects of physical but is more about securing an area of interest or AOI. I think I’m really going to enjoy researching this topic since it is near and dear to me.

Paper Topic Background

Thinking of physical and environmental security for an organization in the past meant using strategies that aren’t as up to date as we are now. That doesn’t mean that it was any less important though. Securing the facilities that you do business in helps ensure a smooth flow to your business continuity and makes everyone’s job a bit easier. There are several facets to security that should be consistent with the industry but that’s only if you find a business or organization with near identical characteristics to model your security after. Otherwise you will need a custom solution all your own. Think back to how cowboys used jails to lock up cattle rustlers, murderers and thieves. In many cases the regular jails were sufficient to keep these ornery people contained. On the other hand, some had gangs that would break them out so they would have to either beef up security or transfer them to a more secure facility. The same premise has stood since then with a few modifications of course. Nowadays physical and environmental security has stepped up to the big leagues but so have the enemies who are trying to compromise data, steal information or assets, or even harm workers in the organization.

Section 1: Policies, Procedures, Roles, and Responsibilities

  • These four things are independent of each other but also work together in concept to do one thing and that’s to achieve the goals of the organization that they are used under.
  • Policies would be the guidelines and strategies for categories, specialized groups etc.
  • Procedures would be all about setting organization goals and the big picture of what the Organization approach to doing business is. This is very streamlined in scope and is a way to keep everyone focused with laser like precision.
  • Roles are first used by company or organization rank so CEO, President, VP, CFO and so on. Next roles would be by knowledge of certain aspects of company business so the CEO would oversee everything, but the IT Director would know more about who has access to which components of the company network. Roles make it possible to divide tasks but also to juxtapose those roles so that no one has absolute power to do whatever they want and are bound by their role.
  • Responsibilities are things that must be done for the company to succeed and everyone has a responsibility to do their job, and to fulfill their roles guided by policies and procedures.

Section 2: Data Governance

The governance of data you can similarly equate to the governing of a state, city or country in the way that you make decisions that will form the foundation of the organization’s stance on how information is used for the betterment of the whole.

Alignment – Deliver a strategic path of IT and the placement of IT and the business with respect to services and projects.

Value Delivery – Approve that the IT/Business organization is designed to drive maximum business value from IT. Oversee the delivery of value by IT to the business and assess Return On Investment or ROI.

Risk Management – Ascertain that processes are in place to ensure that risks have been satisfactorily accomplished. Include assessment of the risk aspects of IT investments.

Resource Management – Provide high-level direction for sourcing and use of IT resources. Oversee the cumulative backing of IT at enterprise level. Ensure there is an adequate IT competence and substructure to support current and expected future business needs.

Performance Measurement – Verify strategic compliance, i.e.
achievement of strategic IT objectives. Review the quantity and quality of IT efficiency and the input of IT to the business (i.e. is the department delivering on its role effectively and efficiently).

There is no perfect pill for data governance because things in IT are in constant change. The policies, procedures and roles will need to be updated regularly along with IT training and security training for everyone in the organization. The problems that have arisen in the last decade show that in the future physical and environmental security will be a part of every facet of our lives. To prepare for this inevitability we must strive to pay close attention to who has access to pertinent information and how we classify this data. Company leaders at times change yearly so the people who are in the day to day functionality of the company must have a strong grasp on what makes the company run well.

Section 3: Network Security

A really good question would be, “Where did physical and environmental security begin?” I know it may not be a super philosophical question but since I am writing about it is something I had to at least consider where in history it belonged. So, it would have to begin with the first animals on earth who had to deal with living, eating, and overall survival daily so paying attention to their environment would be paramount. Even though it is very different from today these things shaped security in a way that in the beginning centered on living to see another day. If you jump ahead to say the Roman Empire you’d see that there were many advances in the culture especially when it came to security. On the environment aspect they took over so much land that it was a challenge at times to keep it. They did come up with many protocols for securing land and information that were taken forward by later conquerors though. Another jump would take you to the 2nd World War where the U.S.
Military needed a secure way to send messages but knowing that these messages could be stolen they enlisted Navajo code talkers and it did the trick. You may say that this had nothing to do with physical and environmental security but think about what would happen if your enemy knew where to find you and any information to compromise your position. It makes sense that all of these securities are tied together by a common thread, the need to secure a person, place or thing and make it safe for certain individuals to access it at will. This holds true in cybersecurity as well.

The transition from making sure that physical items are safe started when information became a hot commodity starting with secrets from governments and large manufacturers and coming to today where secrets create millionaires on a regular basis on and off the black markets. Hackers run rampant for the most part with some interference but for the most part they have a large footprint that lets them make lots of money without much threat to getting caught.

In an organization to combat this there are things that you can do starting with a router and several layers of defense on your network. An IPS and IDS are paramount as well to be able to further protect your information. On the physical and environmental side, you must have passwords and codes set to individual people, so you know who is accessing the information. You can add fingerprint scanners, computerized door locks, guards as well as guard dogs are very prominent and make a statement of do not trespass here. If you have the funding you can utilize a service for the protection of company assets instead and that way offload the responsibility. There are drawbacks to that as well though. You won’t have direct control, it is very expensive as well. Balancing how much damage you can handle and to what types of information will help to decide which route is best for your organization whether governmental or business sector.

Section 4: Asset Security Management

This portion of the paper has a very clear kindred spirit, Risk Management, and is something that you need to get right if your business is going to succeed. Assets no matter the type are what governments, companies, and organizations use to move forward. The protection of these assets and minimizing of risk of theft, damage, or any kind of loss will keep you out of the red. This is a job for every person working in the organization to pay attention to or else it just loses the full effect. A plan should be in place to visit key assets on a regular basis and update people on a need to know basis by level. Training should also be a priority for all employees involving physical security, environmental security, network security, policies and procedures as well as company standards pertaining to conduct that can lead to issues with security. Protocols for password management and maintenance are a must. You also want to make sure that the personnel setting up the passwords are not the same people who are doing checks for password security, this is another checks and balance recommendation.

The stereotypical risks comprise of situational predicaments, which expose social groups in an organization in anxious situations. In asset security management, risks result in real world performance gaps. Examples of risks in security management include the physical security risk, the network security risk, procedures security risk, and environmental security and policy security risks (Ackermann 7). Therefore, the paper analyzes the different risks and how they can be assessed to improve the management of an organization.

Description of the Risks

The physical security risk involves the evaluation of security program metrics that assess the vulnerability of cybersecurity to an organization. In most business organizations, existing physical security programs include patrol logs used by online bloggers to secure the company’s business websites.
Also, the physical security risks comprise of adversary sequence diagrams, which are prone to criminal acts of online bloggers (Ackermann 7).

Procedures security risk involves assessing survey tools in information security, which relate to navigations of different online networks. Some procedures with errors may expose critical information of the company to external competitors who may post irrelevant fraud information in the company's website, and this lowers the trust of customers to the company's operations.

More so, network security risks threaten the websites of business companies, causing vulnerability to cybersecurity. Protecting the company’s network requires the company stakeholders to work on computer viruses, actions of hackers, software vulnerabilities and issues of employees breaching security as they conduct their daily business operations.

Global environment risks combine the rapid changes of the surrounding causing environmental pressures and resulting in conflicts. Environmental risks undermine economic development and result in social instability if changes result in exploitation of means of production utilized by community members for social developments (Ackermann 8). Moreover, the information security risks have both internal and external effects on the operations of an organization. Policy risks if neglected undermine the activities of organizational standardization since policies are in charge of standardizing security managerial processes.

Safeguards for the Risks

The issue of physical security risk can be safeguarded by enforcing protective and corrective measures that detect activities of cybersecurity. Also, adaptive, resilient responses to safeguard against possible threats is highly recommended. Business companies should also employ technicians who help detect earlier attempts of cybersecurity so that resolutions can be administered earlier (Cohen 6).
For the case of network security risk, the best safeguarding measure is safeguarding big data in dense volumes. Also, ensuring all employees are proactive to safeguard data and not reactive. Procedures security risks can be safeguarded by use of micro data systems and use of beef defense network to ensure online errors are minimized. The environmental security risks together with policy risks can be safeguarded by funding the protective cyber security services and safeguarding the public and private networks to minimize the vulnerability of a company.

Section 5: Compliance with Security Regulations (TBD)

Conclusion (TBD)

References

4 Critical Challenges to State and Local Government Cybersecurity Efforts (Industry Perspective). (2018). Retrieved from http://www.govtech.com/opinion/4-Critical-Challenges-toState-and-Local-Government-Cybersecurity-Efforts.html

(2018). Retrieved from http://www.envirosecurity.org/activities/What_is_Environmental_Security.pdf

Ackermann, T. "Evaluation of Perceived IT Security Risks." IT Security Risk Management, 2013, pp. 2-8.

Chavez, L. (2018). Securing Your Environment: Practical Approaches to IT Security. [online] Security Intelligence. Retrieved from: https://securityintelligence.com/securing-yourenvironment-practical-approaches-to-it-security/ [Accessed 14 Jul. 2018].

Cohen, F. "Managing network security — Part 5: Risk management or risk analysis." Network Security, vol. 1997, no. 4, 1997, pp. 5-9.

Isaca. (2018). [online] Retrieved from: https://www.isaca.org/Certification/CGEIT-Certified-inthe-Governance-of-Enterprise-IT/Prepare-for-the-Exam/StudyMaterials/Documents/Developing-a-Successful-Governance-Strategy.pdf [Accessed 13 Jul. 2018].

ISO 17799 Section 7: Physical and Environmental Security. (2018). Retrieved from http://www.praxiom.com/iso-17799-7.htm

Lindros, K. (2018). What is IT governance? A formal way to align IT & business strategy. [online] CIO.
Retrieved from: https://www.cio.com/article/2438931/governance/governanceitgovernance-definition-and-solutions.html [Accessed 13 Jul. 2018].

Mata, W. (2018). The Role of Physical Security for Network Security. Retrieved from https://centretechnologies.com/the-role-of-physical-security-for-network-security/

Physical Security. (2018). Retrieved from https://www.sans.edu/cyber-research/securitylaboratory/article/281

University, C. (2018). Guidelines for Data Classification - Information Security Office Computing Services - Carnegie Mellon University. [online] Cmu.edu. Retrieved from: https://www.cmu.edu/iso/governance/guidelines/data-classification.html [Accessed 16 Jul. 2018].

Explanation & Answer

Hello, most of your work is highlighted as being plagiarized. I hope it's because you had already submitted it before. Otherwise, all the new parts I have added are original.

Running head: PHYSICAL AND ENVIRONMENTAL SECURITY

Security Capstone (CSS 450-1803A-01)
Physical and Environmental Security
Student’s Name

08/06/2018


Contents
Abstract
Paper Topic Background
Section 1: Policies, Procedures, Roles, and Responsibilities
Section 2: Data Governance
Section 3: Network Security
Section 4: Asset Security Management
  Description of the Risks
  Safeguards for the Risks
Section 5: Compliance with Security Regulations (TBD)
  Benefits of Compliance with Security Regulations
  Laws, Regulations and Set Standards
  Critical Components of Compliance to Security Regulations
  Steps in Compliance
    Actions and Steps
Conclusion
References

Abstract
Physical and Environmental Security is the basis for my paper and research. The
implications of these items have wide and far-reaching consequences if not done correctly. When
I was in the Army we learned a variety of methods to secure not only data but multiple types of
materials including: buildings, weapons, information, people, vehicles, data and more. The one I
worked with the least was data, but after taking courses dealing with hacking I realize that data is
the most important one. Physical security is very different than technological security in the
method for making sure it is not compromised. Environmental has aspects of physical but is
more about securing an area of interest or AOI. I think I’m really going to enjoy researching this
topic since it is near and dear to me.


Paper Topic Background
Thinking of physical and environmental security for an organization in the past meant
using strategies that aren’t as up to date. That doesn’t mean that it was any less important though.
Securing the facilities that you do business in helps ensure a smooth flow to your business
continuity and makes everyone’s job a bit easier. There are several facets to security that should
be consistent with the industry but that’s only if you find a business or organization with near
identical characteristics to model your security after. Otherwise you will need a custom solution
all your own. Think back to how cowboys used jails to lock up cattle rustlers, murderers and
thieves. In many cases the regular jails were sufficient to keep these ornery people contained. On
the other hand, some had gangs that would break them out so they would have to either beef up
security or transfer them to a more secure facility. The same premise has stood since then with a
few modifications of course. Nowadays physical and environmental security has stepped up to
the big leagues but so have the enemies who are trying to compromise data, steal information or
assets, or even harm workers in the organization.


Section 1: Policies, Procedures, Roles, and Responsibilities
These four things are independent of each other but also work together in concept to do
one thing and that’s to achieve the goals of the organization that they are used under.

  • Policies would be the guidelines and strategies for categories, specialized groups etc.
  • Procedures would be all about setting organization goals and the big picture of what the Organization approach to doing business is. This is very streamlined in scope and is a way to keep everyone focused with laser like precision.
  • Roles are first used by company or organization ranks so CEO, President, VP, CFO and so on. Next roles would be by knowledge of certain aspects of company business so the CEO would oversee everything, but the IT Director would know more about who has access to which components of the company network. Roles make it possible to divide tasks but also to juxtapose those roles so that no one has absolute power to do whatever they want and are bound by their role.
  • Responsibilities are things that must be done for the company to succeed and everyone has a responsibility to do their job, and to fulfill their roles guided by policies and procedures.


Section 2: Data Governance
The governance of data is about making decisions that will form the foundation of the
organizations stance on how information is used for the betterment of the whole.
Alignm...

