Information Security Policy Document
7/27/2019 Information Security Policy Document
Vantage Point Computing
Benjamin Dahl
IS533 Course Project | Vantage Point Computing
Contents
Information Security Policy Document
  Scope
  Overall objectives
Standards
  Antivirus
  Penetration Testing
  Patch Management
  Vulnerability Scanning
  Firewall/Router logging
Procedures
  Antivirus Procedure
  Penetration Testing Procedure
  Patch Management Procedure
  Vulnerability Scanning Procedures
  Firewall/Router logging Procedure
Evidence
  Antivirus
  Penetration Testing
  Patch Management
  Vulnerability Scanning
  Firewall/Router logging
Corrected Risk Assessment
Corrected Control Framework
Information Security Policy Document
Information is the most critical asset in any organization. Proprietary data, information, and knowledge
are just as valuable to a business as tangible assets. As such, information needs to be suitably protected and
secured in a fashion as rigorous as that of other business assets. This is especially important with the increasing
number of vulnerabilities and threats and the interconnected nature of the business environment.
Information exists in a multitude of formats; information can be digital or analog, and tangible or non-
tangible. Regardless of the form the information takes, controls must be followed in order to secure information.
The goal of information security is to protect information from a varying array of threats to maximize return on
investment, minimize or negate risk, and ensure business continuity.
This goal is achieved by implementing a suitable set of controls, which include policies, processes, and
procedures. These controls cover hardware, software, and data, and they need to be created, implemented,
monitored, and reviewed. If necessary, these controls must be revised, amended, or replaced to adhere to the
primary goal of information security. In order to fully adhere to the security and business tenets of the
organization, this must be done in conjunction with other business units.
Scope
The scope of this information security policy document is limited to the Vantage Point Computing business
network (SPACEBRIDGE), specifically the laptop (WHEELJACK) which is the primary network connection device.
Overall objectives
The importance of information sharing is critical in the increasingly interconnected business environment.
Security of this information is paramount because information loses value when it is compromised.
If the hardware, software, or information is compromised in any way, full availability cannot be ensured.
In light of the nature of the business, a laptop must be available to ensure continued business operations. Coupled
with the sensitive information contained on the laptop, security controls must be followed by all users in order to
reduce risk and maximize output. All users will be required to attend training for all policies, procedures, and
standards in this document, along with certifying that they have read and understand this document.
The following standards will be covered in this document:
- Antivirus: BitDefender Game Safe, real-time antivirus protection
- Penetration Testing: Metasploit
- Patch Management: Windows Automatic Updates and Microsoft Baseline Security Analyzer
- Vulnerability Scanning: Tenable Nessus 4.0.1
- Firewall/Router Logging: D-Link DGL4300 router logging
Vantage Point Computing is concerned with the security of all assets, whether physical or non-physical. As
such, the following requirements must be adhered to:
- Compliance with all information presented in this document, including, but not limited to, current version updates of all software.
- Compliance with instructor agreed-upon contractual requirements.
Vantage Point Computing considers increased awareness and continued education to be of the utmost
importance. The following vendors and organizations provide this security education, training and awareness:
- CompTIA [http://www.comptia.org/]
- DePaul University [http://www.depaul.edu]
- DarkReading [http://www.darkreading.com/]
- US-CERT [http://www.us-cert.gov/]
- NIST [http://csrc.nist.gov/]
Vantage Point Computing recommends the A+, N+, and Security+ training from CompTIA. DePaul University offers
security focused classes taught by James Krev; Vantage Point Computing recommends all of these classes
(specifically IS433 and IS533). US-CERT, NIST, and DarkReading all provide information, updates, and articles based
on current security topics, issues, and threats. These resources should be utilized on a weekly basis.
Standards
Antivirus
Description:
BitDefender Game Safe [BitDefender Game Safe]
- Protects systems in real time from viruses, spyware, and malware.
- Includes a software firewall to control application access to the Internet.
- Includes Gamer Mode, which allows preferred applications to access the Internet without disabling the firewall.
- Compatible with all Vantage Point Computing systems.
Implementation:
BitDefender Game Safe is installed and configured on all Vantage Point Computing systems. These
systems include: WHEELJACK, AUTOBOTS, DECEPTICONS, ASTROTRAIN, HOTROD, SOUNDBEAK, and STARSCREAM.
The software is installed through a single installation file located on the Vantage Point Computing server with a
multiple user license.
Configuration:
BitDefender Game Safe is configured with the following options:
- Antivirus / Antispyware
- Antiphishing
- Outlook E-mail protection
- Gamer Mode
  o All alerts and notifications are disabled
  o Real-time Protection set to Permissive
  o Firewall set to Game Mode to accept incoming connections
  o Must be enabled with Alt+G hotkey
- Automatic Updates
  o Silent update every 5 hours
  o Does not update if scan is in progress
  o Does not update if Game Mode is on
- Full System Scan
  - Daily Scan
    o Scan all files
    o Scan for viruses and spyware
    o Minimize scan window to Sys Tray
    o Schedule: Daily 3:00am
  - Deep System Scan
    o Scan all files
    o Scan for viruses and spyware
    o Scan archives
    o Scan for hidden files and processes
    o Schedule: Sunday 3:00am
Penetration Testing
Description:
Metasploit [Metasploit]
- On-demand penetration testing tool.
- Includes a comprehensive list of exploits and packages for testing.
- Allows the user to test individual exploits.
- Compatible with all Vantage Point Computing systems.
Implementation:
Metasploit is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup.
The software is installed through a downloadable installation file located on the Vantage Point Computing server.
Configuration:
Metasploit is configured with the following options:
- Exploits: windows/smb/ms08_067_netapi (Microsoft Server Service Relative Path Stack Corruption)
- Target: netapi32.dll (Windows LAN Manager)
- Payload: windows/meterpreter/bind_tcp (Generic Shell TCP payload)
- Remote Host: Local IP Address (192.168.0.197)
Patch Management
Description:
Windows Automatic Updates
- Automatic Updates for the Windows operating system.
- Compatible with all Windows systems.
Microsoft Baseline Security Analyzer [MBSA]
- On-demand scanning for Microsoft vulnerabilities.
- Allows analysis of the system based on manufacturer specifications.
- Compatible with all Windows systems.
Implementation:
Windows Automatic Updates are configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup.
MBSA is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE workgroup. The software
is installed through a downloadable installation file located on the Vantage Point Computing server.
Configuration:
Windows Automatic Updates are configured with the following options:
- Automatic
- Every day at 2:00 am
MBSA is configured with the following options:
- Computer: SPACEBRIDGE\WHEELJACK
- Check for Windows administrative vulnerabilities
- Check for weak passwords
- Check for IIS administrative vulnerabilities
- Check for SQL administrative vulnerabilities
- Check for security updates
Vulnerability Scanning
Description:
Tenable Nessus 4.0.1 [Nessus]
- Cutting-edge patch, configuration, and content auditing
- Constantly updated vulnerability library
- Network assessment
- Determines weak points in system security
Implementation:
Tenable Nessus is installed and configured on the WHEELJACK computer, part of the SPACEBRIDGE
workgroup. The software is installed through a single downloadable installation file located on the Vantage
Point Computing server.
Configuration:
Nessus is configured with the following options:
- Network: Loopback (127.0.0.1)
- Default Scan Policy:
  - Options:
    o Safe Checks Enabled
    o Log details on the server
  - Plugins:
    o Backdoors
    o Peer-to-Peer File Sharing
    o Windows
    o Windows: Microsoft Bulletins
    o Windows: User Management
Firewall/Router Logging
Description:
Logging is enabled for the D-Link DGL4300 Router [DGL4300]
- Primary link between all Vantage Point Computing systems and the Internet.
- Provides 108Mbps 802.11g wireless connectivity.
- 4 Gigabit Ethernet ports.
- 1 WAN port.
- Logging enabled to assess incidents.
- Compatible with all Vantage Point Computing systems.
Implementation:
The DGL4300 router is configured as the primary router for Vantage Point Computing.
Configuration:
DGL4300 logging is configured with the following options:
- What to View:
  o Firewall & Security
  o System
  o Router Status
- View Levels:
  o Critical
  o Warning
  o Informational
Procedures
Antivirus Procedure
1. Execute bitdefender_gamesafe.exe.
2. Click Next
3. Click Next
4. Select "I accept the License Agreement" then click Next
5. Click Next
6. Click Install
7. Deselect "Run a quick system scan (may require reboot)" and "Schedule a full system scan every day at 2AM" then click Next
8. Allow BitDefender to update and then click OK
9. Click Next
10. Click Finish
11. Click Yes to restart the computer and apply changes.
12. After the system restarts, select "My computer is connected to a home, office or trusted network" and click OK.
13. After BitDefender loads, click Settings.
14. Click Custom Level.
15. Configure settings as follows and click OK.
17. Configure the settings as follows and click Custom.
18. Configure settings as follows and click OK.
20. Select Scheduler tab and configure as follows, then click OK.
21. Select Firewall option on the left and configure as follows:
22. Click Advanced, configure as follows and then click OK.
23. Click Close.
24. Close BitDefender.
Penetration Testing Procedure
4. Click Next
5. Click Install
6. Click Yes
7. Click I Agree
8. Click Next
9. Click Install
10. Click I Agree
11. Click Next
12. Click Next
13. Click Finish
16. Click Finish
17. Click Finish
20. Type show exploits and hit Enter on your keyboard
21. The exploits will display
22. Type use windows/smb/ms08_067_netapi and hit Enter on your keyboard
23. Type show payloads and hit Enter on your keyboard
24. Type set payload windows/meterpreter/bind_tcp and hit Enter on your keyboard
26. Hit Enter on your keyboard
27. Type exploit and hit Enter on your keyboard
28.
29. The vulnerability will be triggered and results will be displayed.
30. Click the red X to close the Metasploit Console
31. Click the red X to close Metasploit
Patch Management Procedure
1. Double-click MBSASetup-x86-EN.msi
2. Click Next
3. Select I accept the license agreement and click Next
4. Click Next
5. Click Install
6. Click Ok in the Confirmation Window
7. Launch Microsoft Baseline Security Analyzer 2.1 from your desktop
8. Click Scan a computer
9. Click Start Scan
10. Review the outputs of the scan.
11. Click OK
15. Double-click Security Center
16. Click Turn on Automatic Updates
17. Click Automatic Updates in the Manage security settings for: section
Vulnerability Scanning Procedures
1. Double-click Nessus-4.0.1-i386.msi
2. Click Next
3. Select I accept the license agreement and click Next
8. Verify the Nessus Server is running, or click Start Server
9. Click the Red X to close Nessus Server Manager
15. Click + in the Select a scan policy: section
16. Enter the desired policy name in the Policy name: section
21. Check Backdoors
22. Check Peer-To-Peer File Sharing
23. Check Windows
24. Check Windows : Microsoft Bulletins
25. Check Windows : User Management
26. Click Save
29. Review the Report details
30. Click Export...
31. Choose the location and File name for your report and click Save
32. Click the Red X to close Nessus
Firewall/Router Logging Procedure
1. Open web browser (Internet Explorer or Firefox)
2. Enter the web address (192.168.0.1)
3. Enter your router password
4. Click Log In
5. The Status page will load
6. Click Logs in the left menu
7. Check the Firewall & Security checkbox
8. Check the System checkbox
9. Check the Router Status checkbox
10. Check the Critical checkbox
11. Check the Warning checkbox
12. Check the Informational checkbox
13. Click Apply Log Settings Now
14. Click Ok in the Confirmation window
Evidence
Antivirus
1. Verify PC SECURITY, NETWORK SECURITY, and IDENTITY CONTROL are all Protected
2. Click History.
6. Review .xml file (C:\Documents and Settings\All Users\ApplicationData\BitDefender\Desktop\Profiles\Logs\full_scan\1241971935_1_02.xml) for any issues.
7. Close BitDefender Log File.
8. Select Firewall.
9. Review Firewall events.
Penetration Testing
1. View the output of the Metasploit Vulnerability Test.
2. Verify that the exploit completed, but no session was created
Patch Management
1. Review the Automatic Updates section of Windows Security Center
2. Open the .mbsa file from %userprofile%\SecurityScans
3. Verify update log
4. Visual Studio was removed from WHEELJACK
5. SQL services have been stopped.
6. The Office Service Pack was installed, but is not recognized.
Vulnerability Scanning
1. Open the Nessus report file
2. Verify there are no Medium or High vulnerabilities.
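As an added example (not part of the original document or of Tenable's own tooling) of the check this evidence step performs: the script below parses an exported Nessus report and fails it when any Medium or higher finding is present. It assumes the report was exported in the .nessus v2 XML format; the embedded sample report, its host name, plugin IDs and plugin names are constructed placeholders.

```python
"""Check an exported Nessus report for Medium or High findings.

Assumes the .nessus (v2) XML export, where each finding is a <ReportItem>
whose numeric severity attribute is 0 = Info, 1 = Low, 2 = Medium,
3 = High, 4 = Critical.  The sample report below is constructed for this
example; its host name, plugin IDs and plugin names are placeholders.
"""
import xml.etree.ElementTree as ET

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report: one host with an Info, a Low, a Medium and a
# High finding, so the check below has something to fail on.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="WHEELJACK weekly scan">
    <ReportHost name="127.0.0.1">
      <HostProperties><tag name="host-ip">127.0.0.1</tag></HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="10000" pluginName="Info plugin (placeholder)"
                  pluginFamily="General"><risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="20000" pluginName="Missing bulletin (placeholder)"
                  pluginFamily="Windows : Microsoft Bulletins">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
                  pluginID="30000" pluginName="RDP weakness (placeholder)"
                  pluginFamily="Windows"><risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="139" svc_name="smb" protocol="tcp" severity="1"
                  pluginID="40000" pluginName="Low finding (placeholder)"
                  pluginFamily="Windows"><risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Return one dict per <ReportItem> in the report, in document order."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name", "?")
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            findings.append({
                "host": host_name,
                "port": "%s/%s" % (item.get("port"), item.get("protocol")),
                "severity": severity,
                "severity_name": SEVERITY_NAMES.get(severity, str(severity)),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
            })
    return findings


def findings_at_or_above(findings, minimum=2):
    """Keep findings at Medium (2) or higher, worst first."""
    hits = [f for f in findings if f["severity"] >= minimum]
    return sorted(hits, key=lambda f: -f["severity"])


def report_passes(nessus_xml, minimum=2):
    """The pass/fail decision the evidence step asks for: True only when
    no finding at or above `minimum` severity is present."""
    return not findings_at_or_above(parse_findings(nessus_xml), minimum)


def check_report_file(path, minimum=2):
    """Read an exported .nessus file, print the findings that need
    remediation, and return the pass/fail result."""
    with open(path, "r", encoding="utf-8") as fh:
        xml_text = fh.read()
    hits = findings_at_or_above(parse_findings(xml_text), minimum)
    for f in hits:
        print("%-8s %-16s %-10s %s (plugin %s, %s)" % (
            f["severity_name"], f["host"], f["port"],
            f["plugin_name"], f["plugin_id"], f["family"]))
    print("PASS" if not hits else "FAIL: %d finding(s) need remediation" % len(hits))
    return not hits


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline.
    for f in findings_at_or_above(parse_findings(SAMPLE_NESSUS)):
        print(f["severity_name"], f["host"], f["port"], f["plugin_name"])
    print("PASS" if report_passes(SAMPLE_NESSUS) else "FAIL")
```

To use it on a real export, call check_report_file with the path chosen at the "Export..." step of the vulnerability scanning procedure.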
Firewall/Router logging
4. Review the Log Details section of the Router page
Corrected Risk Assessment
I. Introduction
The purpose of this assessment is to observe and address risks to the WHEELJACK laptop operating on the
Spacebridge network. Performing this risk assessment will allow threat-sources and actions to be discovered,
quantified, and addressed later in a more effective manner. Performing this assessment will ultimately allow this
business critical system to be hardened to maximize availability.
The scope of this assessment is concerned with a single portable system, WHEELJACK. This system is an
Averatec EV3715-EH1 AMD-based laptop running Windows XP Professional Service Pack 3. This machine connects
to three different networks on a regular basis: Spacebridge (Home Office), HALPNT (Work), and DePaul. The system
only has one user, and there are no additional administrators or guest accounts.
II. Risk Assessment Approach
The only member of the risk assessment team is the business owner/custodian Ben Dahl. Two techniques
were used to gather information for the assessment. Tenable Nessus v3.2.1.1 (build 2G301_Q) was used to scan
the machine for open ports and vulnerabilities. In addition, Microsoft Baseline Security Analyzer v2.1 was used
to determine if there were any missing Microsoft system patches.
The risk scale for this assessment has three levels: high, medium, and low. High risk denotes a threat that
has a high likelihood of happening and represents a critical system threat. This may include missing critical
updates, vulnerabilities that have not been patched, and open firewall ports. Medium risk denotes a threat that
could happen, but does not represent a critical system threat. This may include missing non-critical updates
and software updates. Low risk denotes a threat that has a low likelihood of happening and represents an
inconvenience. This may include lack of surge protection, improper documentation, and low-priority updates.
III. System Characterization
This document is concerned with the WHEELJACK laptop and the local hardware and software utilized by
this machine and the primary business owner/data custodian Ben Dahl. The primary mission of this system is
portable completion of work and school projects, serving as a technological tether. This system is also used for
Internet access, desktop publishing, data storage, and music management. The system interfaces to the
SPACEBRIDGE, HALPNT, and DePaul networks via wired, wireless, and TightVNC connections. The system contains
personal data (contacts, media, and university work), business information (project documents), cookies, and the
following:
Hardware:
- Averatec EV3715-EH1
- AMD Sempron 3000 (1.8g)
- 1gb Corsair DDR3200
- Toshiba MK8025GAS 80gb
- Atheros AR5212 A/B/G
- Comcast Surfboard
- D-Link DGL4300
- Linksys WRT54GL
- Patriot Xporter XT 16gb
Software:
- Windows XP Pro SP3
- Office Pro 2007 Enterprise
- Adobe Reader 9.1
- Mozilla Firefox 3.0.8
- Acronis True Image
- TrueCrypt
- DDWRT Linksys Firmware
The system has been classified as Business Critical with confidential data sensitivity.
IV. Threat Statement
Threat Source (with its Threat Actions):
- Machine could be lost by user.
  o System could be left at DePaul
  o System could be left at Harris Associates
  o System could be left in public
- The system could be compromised by an attacker.
  o Unauthorized access to sensitive information
- A natural disaster could compromise the availability of the system.
  o Power outage could cause system to be unusable
  o Flood could lead to destruction of machine
  o Tornado could lead to destruction of machine
- System could be stolen by third party.
  o System could be stolen if left in public
  o System could be stolen if left unsecured
- Missing Updates Vulnerability
  o System could be compromised by viruses or malware
- Unsecure Networks
  o DePaul or HALPNT network could become compromised and corrupt system
- Remote Connection Vulnerability
  o System could be compromised if connected to unsecure VPN
- Data Compromise or Corruption
  o While using thumb drives, information transmitted could become compromised or corrupted
V. Risk Assessment Results
Observation 1: System is vulnerable due to missing operating system or software updates or incomplete installation
System is missing 33 security updates which, if discovered by an attacker, could be used to compromise
confidentiality, integrity, or availability of the system.
Existing controls: System is protected by hardware and software firewalls. System is protected by strong
passwords. System is backed up on a regular basis. Nessus and MBSA are used for vulnerability and patch
analysis.
Likelihood is low - System has been operational for approximately two years without issue. System is only
powered on approximately three hours a day. Windows Service Pack 3 was installed on the machine soon
after release, which decreased the likelihood of an issue.
Magnitude of impact is low - System can be repaired inexpensively; data is encrypted and backed up.
Risk rating is low - Low likelihood and low magnitude of impact, along with cost/benefit, make this a low
risk.
Recommend implementing automatic updates for Windows and Microsoft Office, as well as running more
frequent Nessus and MBSA scans.
Observation 2: Windows RDP Terminal Service is not run through SSL
Corrected Control Framework
Control Objective #1 5.1 Information Security Policy
To provide management direction and support for information security in accordance with business requirements
and relevant laws and regulations.
Risk Mitigation:
To ensure that management has identified the information security program requirements and that employees
understand the program's intent.
Control Name: Control 1.1 - Information Security Policy Document (Annual)
Control Description: An information security policy document is approved by management, published and
communicated to all employees and relevant external parties.
Testing Steps:
1. Obtain a copy of the information security policy document and verify that it defines the program's intent,
compliance with legislation, commitment to security awareness and training, and a brief explanation of the
security standards and procedures.
Evidence Requested:
1. Provide a copy of the information security policy document.
Point of Contact: Ben
Control Objective #4: 12.6 Patch Management
To reduce risks resulting from exploitation of published technical vulnerabilities.
Risk Mitigation:
To ensure that systems are updated with the newest patches for known vulnerabilities.
Control Name: Control 4.1 - Patch Management Standard (Weekly)
Control Description: A patch management standard is documented and implemented to ensure that systems
have the most current patches installed.
Testing Steps:
1. Obtain a copy and examine the patch management standard and the related procedures to determine if they
are being followed.
2. Test the system to determine if the patch updates were applied according to the procedures outlined and
implemented in a timely manner.
Evidence Requested:
1. Provide a copy of the Patch Management Standard.
2. Provide a print screen of the patch management configuration. Provide a print screen that shows the most
recent system patches.
Point of Contact: Ben
Control Objective #5: 15.2.2 Vulnerability Scanning
Information systems should be regularly checked for compliance with security implementation standards.
Risk Mitigation:
To ensure that assets remain protected from known exploits or vulnerabilities that may compromise or otherwise
harm an asset.
Control Name: Control 5.1 - Technical Compliance Standard (Weekly)
Control Description: A technical compliance standard is documented and implemented to describe the process
that should be taken to determine if vulnerabilities are present, and how to become compliant should events
be found.
Testing Steps:
1. Obtain a copy of the standard.
2. Obtain the latest scan reports.
Evidence Requested:
1. Provide a copy of the standards and procedures. Provide a copy of the outputs of the vulnerability scan.
2. Provide a copy of the resulting report that states that vulnerabilities have been corrected.
Point of Contact: Ben
Control Objective #6: 10.10.1 Firewall & Router Logging
Audit logs recording user activities, exceptions, and information security events should be produced and kept
for an agreed period to assist in future investigations and access control monitoring.
Risk Mitigation:
To ensure that system activities and traffic
Control Name: Control 6.1 - Audit Logging (Daily / Weekly)
Control Description: Router and firewall logging are enabled to monitor and record all activity on the network
to ensure security and safety of corporate and personal assets.
Testing Steps:
1. Obtain a copy of the standard.
2. Enable router and firewall logging.
3. If an event is recorded, review logs immediately.
4. Review all logs on a weekly basis.
5. Maintain redundant log copies.
Evidence Requested:
1. Obtain a copy of the standard and procedures.
2. Provide log copies.
3. Maintain a secure log backup.
Point of Contact: Ben