Robert Williams Final Project


Transcript of Robert Williams Final Project

Page 1: Robert Williams Final Project

STATE RFP RESPONSE

A COMPREHENSIVE PROJECT

SUBMITTED TO THE

INFORMATION SYSTEMS SECURITY PROGRAM

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS

FOR THE BACHELOR’S DEGREE

By Robert D. Williams

Page 2: Robert Williams Final Project

EXECUTIVE SUMMARY

• Layered Security Solution
• Organizations need to develop a multilayered security strategy that focuses on the confidentiality, integrity and availability of the information being protected. A multilayered approach to security ensures that if one layer fails or is compromised, the other layers compensate and maintain the security of that information. In turn, each of these layers should have multiple controls deployed to preserve the confidentiality, integrity and availability of the information. Some of the more critical controls include system configuration hardening, file integrity monitoring, and log management.

Page 3: Robert Williams Final Project

REVIEW OF FIRM’S QUALIFICATIONS

• Must be in business for at least the last five consecutive years: Aperture Security has been in business now for eleven years.

• Report annual gross sales of at least one million U.S. dollars: Our annual gross sales are currently $2.6 million.

• Present at least three references of previous engagements, within the last three years, that are materially similar to the requirements contained in this document: Aperture Security has won four major contracts in the last four years for vulnerability assessments and penetration tests.

• Our team of twenty-two employees holds certifications in the areas asked. Of the eight employees who work on the new prospective products and services, five hold the Certified Information Systems Security Professional (CISSP) certification, four hold Certified Information Security Manager (CISM), four hold the Global Information Assurance Certification (GIAC) Security Essentials Certification (GSEC) and six hold other GIAC certifications.

Page 4: Robert Williams Final Project

RFP TECHNICAL REQUIREMENTS

Gap Analysis: current gaps

• Application Control

• User Privilege Control

• Operating System Access Controls

• Use of Shared Technology Resources

• Personnel Background Investigation

• Segregation of Duties

Data Privacy Legal Requirements

• Compliance with Legal Requirements

• Applicable Legislation

• Agencies must be in compliance with all legislation passed by the state government.

• Data Breach and Disclosure

Page 5: Robert Williams Final Project

SECURITY ASSESSMENT PROJECT PLAN DEFINITION

Workstation Domain

• Secure data deletion: group policies to delete recycle bin contents securely by overwriting the data with zeros.

• Secure disposal: personnel to remove drives and RAM from computers that are being taken out of service.

• Malicious software protection: anti-malware and anti-virus software deployed at the enterprise level.

• Upgrade workstations to Microsoft Windows 7.
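Added example, not part of the original project: a Python routine that does what the secure-deletion control above describes, zero-filling a file in place before removing it, and reading the file back to confirm the overwrite actually landed. The function names (zero_overwrite, is_all_zero, secure_delete, demo) and the sample file contents are this example's own. One caveat a practitioner should attach to the control: in-place overwriting is only trustworthy on magnetic disks with filesystems that rewrite blocks in place; SSD wear levelling and copy-on-write or journaling filesystems can leave the original blocks untouched, which is why physically removing the drive remains the reliable control for hardware leaving service.

```python
import os
import tempfile

# Added example, not from the original project. Zero-fill a file in place and
# verify it before unlinking; names (zero_overwrite, secure_delete, demo) are
# this example's own.

CHUNK = 1024 * 1024  # write zeros in 1 MiB blocks so large files are not held in memory


def zero_overwrite(path: str) -> int:
    """Overwrite every byte of the file at `path` with zeros, in place.

    The file is opened for update (r+b) rather than truncated, so the same
    on-disk blocks are targeted; flush() plus fsync() push the zeros past the
    OS page cache to the device. Returns the number of bytes written.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def is_all_zero(path: str) -> bool:
    """Read the file back and confirm no non-zero byte remains."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def secure_delete(path: str) -> int:
    """Zero-fill the file, verify the overwrite, then remove it.

    Caveat: on SSDs and on copy-on-write or journaling filesystems the
    verified zeros may sit in new blocks while the old data remains on the
    medium; this is a spinning-disk, in-place-filesystem technique.
    """
    written = zero_overwrite(path)
    if not is_all_zero(path):
        raise RuntimeError(f"overwrite of {path} did not verify")
    os.remove(path)
    return written


def demo() -> tuple:
    """Create a constructed sample file, securely delete it, report the outcome."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"PAYROLL 2013 - CONFIDENTIAL\n" * 100)  # constructed sample data, 2800 bytes
    size_before = os.path.getsize(path)
    written = secure_delete(path)
    return size_before, written, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The read-back step matters: a write that only reached the page cache, or an exception part-way through, would otherwise leave the file looking deleted while its blocks still hold the original bytes.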

System/Application Domain

• Patching: a WSUS server to control which patches are installed on organizational hardware.

• E-mail: server software to actively scan incoming and outgoing e-mail for malicious software and hidden data.

• Database servers: application database accounts limited to the least privilege they need, and queries issued as parameterized statements so that injected input cannot change the structure of a SQL query.

• Web servers: input validation and context-aware output encoding to block cross-site scripting, with SQL injection and XSS filtering in front of the application as an additional layer.

• Upgrade servers still on Windows Server 2008 R2 or older to Microsoft Windows Server 2012.
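Added example, not part of the original project, to make the database-server and web-server controls above concrete: the same record lookup written the injectable way and the parameterized way, run against a constructed in-memory SQLite table, followed by the output-encoding step that stops a stored cross-site scripting payload from executing in the browser. The table name, columns, rows and function names are all this example's own.

```python
import html
import sqlite3

# Added example, not from the original project. The same citizen lookup written
# the injectable way and the parameterized way, plus the output-encoding step
# that neutralises a stored XSS payload. The table, its columns and the rows
# are constructed for this example.


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for an agency database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER, name TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO citizens VALUES (?, ?, ?)",
        [
            (1, "Alice Example", "1234"),
            (2, "Bob Sample", "5678"),
            # a name that carries an XSS payload, as an attacker might register
            (3, "<script>alert(document.cookie)</script>", "0000"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL by string formatting: the caller's text becomes SQL grammar."""
    sql = f"SELECT id, name, ssn_last4 FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Sends the value as a bound parameter; it is compared, never parsed as SQL."""
    sql = "SELECT id, name, ssn_last4 FROM citizens WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_unsafe(rows: list) -> str:
    """Reflects stored names straight into HTML: a stored XSS sink."""
    return "".join(f"<li>{name}</li>" for _, name, _ in rows)


def render_escaped(rows: list) -> str:
    """HTML-body-context encoding: the payload is displayed, not executed."""
    return "".join(f"<li>{html.escape(name)}</li>" for _, name, _ in rows)


INJECTION = "x' OR '1'='1"  # classic tautology payload
PAYLOAD_NAME = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both lookups with the injection string and both renderers on the XSS row."""
    conn = make_db()
    return {
        # the tautology turns WHERE name = 'x' OR '1'='1' into "every row"
        "vulnerable_rows": len(lookup_vulnerable(conn, INJECTION)),
        # the same text, bound as a value, matches nobody
        "parameterized_rows": len(lookup_parameterized(conn, INJECTION)),
        "unsafe_html": render_unsafe(lookup_parameterized(conn, PAYLOAD_NAME)),
        "escaped_html": render_escaped(lookup_parameterized(conn, PAYLOAD_NAME)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameterization fixes the query's structure but not the blast radius of a bug elsewhere, so the account the application connects with should still be restricted to the tables and operations it needs; and the escaping shown is for HTML body text only, since a value placed in an attribute, a URL or a script block needs the encoding for that context.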

Page 6: Robert Williams Final Project

RISK ASSESSMENT PROJECT PLAN DEFINITION

• Segmentation and Layered Security

• Developers implement layered security technologies and configurations based on role, risk, sensitivity, and access control rules.

• Media Handling and Security

• Auditing and enforcement to ensure that only licensed software is installed on systems.

• User Access Management

• Management and employees to handle procedures such as new account creation, account transfer, job profile changes, account termination, and/or account deletion.

• Network Access Control

• Network designers to design a network that provides the ability to segregate and control traffic between systems, connected devices, and third parties based on role, risk, and sensitivity. Employees to keep the network running.

Page 7: Robert Williams Final Project

RISK PRIORITIZATION AND MITIGATION PROJECT PLAN DEFINITION

• User Identification and Authorization
• A system in place that requires the use of a user ID and password that uniquely identifies the user before providing access to protected information resources.

• User Password Management
• Guidelines developed which require users to create and maintain passwords that protect against unauthorized access.

• Segregation in Networks
• Design a network that at a minimum has separate public, demilitarized, and private security zones based on risk.

• Data Protection and Privacy
• Systems in place to ensure all personal information is protected from unauthorized use, modification, or disclosure.

Page 8: Robert Williams Final Project

RISK MITIGATION ACTIONS BASED ON QUALITATIVE RISK ASSESSMENT’S RISK PRIORITIZATION

• Acquire the anti-malware software from Symantec and install it on each workstation while that workstation's Internet access is temporarily disconnected at the network.

• Update each workstation's OS to Microsoft Windows 7 Enterprise.

• Upgrade server operating systems and other software to meet PCI DSS and HIPAA compliance requirements.

Page 9: Robert Williams Final Project

COMPLIANCE PROJECT PLAN DEFINITION

• Data Breach and Disclosure
• Workers trained to provide notices of disclosure to the individuals affected.

• Data Protection and Privacy
• Policy writers to create standard operating procedures for acceptable use of personal information, protecting it from unauthorized use, modification, or disclosure. Auditors and managers to ensure policies are being followed and enforced.

• Compliance with Legal Requirements
• Lawyers and legislation subject matter experts to review legislation. Auditors and managers to ensure regulatory requirements are being followed and enforced.

• Compliance with Legal Requirements
• Lawyers and regulatory requirement subject matter experts to review requirements. Auditors and managers to ensure regulatory requirements are being followed and enforced.

Page 10: Robert Williams Final Project

DISASTER RECOVERY PLAN

• The need to ensure that all employees fully understand their duties in implementing such a plan

• The need to ensure that operational policies are adhered to within all planned activities

• The need to ensure that proposed contingency arrangements are cost-effective

• The need to consider implications on other company sites

• Disaster recovery capabilities as applicable to key customers, vendors and others

Page 11: Robert Williams Final Project

EMERGENCY RESPONSE

• Key trigger issues at headquarters that would lead to activation of the DRP are:
• Total loss of all communications
• Total loss of power
• Flooding of the premises
• Loss of the building

Page 12: Robert Williams Final Project

ACTIVATION OF EMERGENCY RESPONSE TEAM

• Respond immediately to a potential disaster and call emergency services;

• Assess the extent of the disaster and its impact on the business, data center, etc.;

• Decide which elements of the DR Plan should be activated;

• Establish and manage disaster recovery team to maintain vital services and return to normal operation;

• Ensure employees are notified and allocate responsibilities and activities as required.

Page 13: Robert Williams Final Project

DISASTER RECOVERY TEAM

• The team will be contacted and assembled by the ERT. The team's responsibilities include:
• Establish facilities for an emergency level of service within 2 business hours;
• Restore key services within 4 business hours of the incident;
• Recover to business as usual within 8 to 24 hours after the incident;
• Coordinate activities with the disaster recovery team, first responders, etc.;
• Report to the emergency response team.

Page 14: Robert Williams Final Project

BUSINESS CONTINUITY PLAN

• Our company’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and company property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the company’s books and records, and allowing our customers to transact business. In the event that we determine we are unable to continue our business, we will assure customers prompt access to their funds and securities.

Page 15: Robert Williams Final Project

THANK YOU FROM APERTURE SECURITY

By Robert Williams