Posted: June 15th, 2022

Security Policy Paper Outline

I need this outline Today, whoever make the outline get the job for the paper that is due in 3 Weeks.

 

THIS IS ONLY FOR THE OUTLINE

 

I am attaching an example for the outline and the rubric for the assigment.

ATTACHED FILE(S)


Security Policy Document Project

Objectives

The purpose of this two-part project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. By completing the two documents, the student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation.

Detailed Requirements

Project Deliverable #1 (Due Week 3)

· Using the GDI Case Study below, complete the Security Policy Document Outline.

· Provide a one or two-page Security Policy Document Outline. The Outline should cover all aspects of the security policy document and convey the accurate and appropriate information for the stakeholders to make the appropriate decision.

· Ungraded but instructor will provide feedback to make sure students are on-track. This outline can become major part of the “

Executive

Summary” of the final deliverable.

Project Deliverable #2 (Due Week 7)

· Using the GDI Case Study, complete the Security Policy Document.

· Provide a seven- to ten-page analysis summarizing the security policy to the executive management team of GDI. The student designs effective real-time security and continuous monitoring measures to mitigate any known vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce.

Guidelines

· Using the GDI Case Study, create the security policy document.

· The security policy document must be 8 to 10 pages long, conforming to APA standards. NO more than 10 pages (excluding title page, table of contents (optional), and references page). The document must be double-spaced and Time New Roman 12-point font. See “Writing Guideline” in WebTycho where you’ll find help on writing for research projects.

· At least three authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled “References.”

· Appropriate citations are required. See the syllabus regarding plagiarism policies.

· This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity.

· The paper is due during Week 7 of this course.

 

Grading Rubrics

%

25

25

25

25

Final Deliverable

Category

Points

Description

Documentation and Formatting

 10

 10%

 Appropriate APA citations/referenced sources and formats of characters/content.

Case Study Security Policy Analysis

 25

 25%

 Accurate Completion of Security Policy.

Real-time Security

Real-time Security Protection against dynamically changing threats.

Continuous Monitoring

Continuous Monitoring for up-to-date Asset Management and Security Posture

Executive Summary

 15

 15%

 Provide an appropriate summary of the Security Policy Document.

Total

 100

100%

 A quality paper will meet or exceed all of the above requirements.

No Outline Submitted

-10

If no outline is submitted at the end of week 3, it will be minus 10 points from the final document grade.

Criteria

Good

Fair

Poor

Documentation and formatting

7-10 points

At least 3 Appropriate APA citations/referenced sources and formats of characters/ content.

3-6 points

Included 3 references but incorrect formatting or referencing/ citation

0-2 points

Does not include at least 3 references

Security Policy analysis

17-25 points

Effectively describes the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce.

Analysis is supported with documentation and evidence.

8-16 points

Describes the security policy in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make the appropriate decisions to enforce. And/or is not sufficiently supported with documentation and evidence. And/or the description is somewhat unclear.

0-7 points

Describes the security policy in a manner that is unclear to the Senior Management. The analysis Is not sufficiently supported with documentation and evidence. Senior management would not have enough detail to make appropriate decisions.

Real-time Security

17-25 points

Effectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; and also efficiently meets the organization’s objectives.

8-16 points

Designs technically feasible real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats, but lacks efficiency to meet the organization’s objectives.

0-7 points

Ineffectively designs real-time security measures to mitigate any known vulnerabilities, prevent attacks, and deter any real-time threats; also lacks efficiency to meet the organization’s objectives.

Continuous Monitoring

17-25 points

Effectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; and also efficiently meets the organization’s objectives.

8-16 points

Designs technically feasible continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats, but lacks efficiency to meet the organization’s objectives.

0-7 points

Ineffectively designs continuous monitoring measures to mitigate any unknown vulnerabilities, prevent future attacks, and deter any real-time unknown threats; also lacks efficiency to meet the organization’s objectives.

Executive summary

11-15 points

Effectively summarizes the security policy analysis. Includes all key points of the analysis and allows the senior management to understand the organizational security requirements but not enough to make appropriate decisions

.

6-10 points

Describes the security policy analysis in a manner that allows the Senior Management to understand the organizational security requirements but not enough to make appropriate decisions. Key information is left out or not made clear.

0-5 points

Describes the security policy analysis in a manner that is unclear and/or insufficient. Summary is difficult to follow or does not include key information and details.

Background

For those that are not familiar with the term, this project is called an Authentic Assessment Project. These projects are designed to reflect “real life” activities and will require you to perform considerable self-directed study. Like real life problems, you will not find all the answers you need in the textbook. You will, however, have the help of your instructor to resolve issues you may encounter.

Project Description

The project is to write a company Security Policy Document for a fictitious company called Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document with a maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the GDI Company is given below.

You will work individually on this project for a total of 25% of your grading for the course. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project in your individual project assignment folders. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables.

Suggested Approach

These are only recommendations on the general approach you might take for this project. This is your project to develop individually.

1. Determine the most important assets of the company, which must be protected

2. Determine a general security architecture for the company

3. Determine the real-time security measures that must be put in place

4. Determine the monitoring and preventative measures that must be put in place

5. Develop a list of 15 to 20 specific policies that could be applied along with details and rationale for each policy

6. Integrate and write up the final version of the Security Policy Document for submittal

The GDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Attach the assumptions/rationale to each specific security policy.

References

There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates.


http://www.sans.org/security-resources/policies/

Company Description

GLOBAL FINANCE, INC. (GFI)

Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.

GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine.

The executive management team of GFI:

CEO

John Thompson

Vice Presidnet

Trey Elway

Executive

Assistant

Julie Anderson

Executive
Assistant

Kim Johnson

Executive
Assistant

Michelle Wang

CFO

Ron Johnson

COO

Mike Willy

CCO

Andy Murphy

Director of

Marketing

John King

Director of HR

Ted Young

Figure 1 GFI Management Organizational Chart

BACKGROUND AND YOUR ROLE

You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system.

You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team.

There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.

GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence.

There’s no question that the company’s CEO sees the strategic importance of technology in executing his business plan, and in this way you share a common basis of principle with him: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns.

CORPORATE OFFICE NETWORK TOPOLOGY

Remote
Dial UpUsers
Trusted Computing Base Internal Network
Off-Site Office
Internet
Global Finance, Inc.
VPN
Gateway
VPN
Gateway
PBX
PSTN
Worstations
(x25)
Worstations
(x12)
Worstations
(x63)
Worstations
(x5)
Worstations
(x10)
Worstations
(x49)
Border (Core) Routers
Accounting
Loan Dept
Customer
Services
Mgmt
Credit Dept
Finance
Internal
DNS
Exchange
E-mail
Distribution Routers
File and Print Server
Oracle DB
Server
Intranet Web
Server
Printers
(x7)
Printers
(x5)
Printers
(x3)
Printers
(x3)
Printers
(x3)
Printers
(x5)
Workstations
(x7)
SUS Server
Access
Layer
VLAN
Switch
10 Gbps
100Mbps
10Gbps
100Mbps
10 Gbps
OC193
10Gbps
RAS
10 Gbps
10 Gbps
10 Gbps
OC193
10Gbps
90
90
Wireless
Antenna
90

You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted.

A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
OTHER CONSIDERATIONS

1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information.
2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you.
3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited.
4. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be addressed.
5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents.
6. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over the cloud security in case the customer database had been breached.
_1430024514.vsd

3

CMIT320

Security Policy Paper

Week 3

Table of Contents

Introduction: GDI background and given problem……………………………………… 1

Important Assets…………………………………………………………………………. 2

Security Architecture for GDI…………………………………………………………… 3

Twenty Possible Security Policies………………………………………………………. 4

Details and Rationale of the Twenty Security Policies………………………………….. 5

Twelve Security Policies that should be Applied to GDI……………………………….. 6

Conclusion……………………………………………………………………………..… 7

References……………………………………………………………………………….. 8

Outline

I. Introduction

a. Briefly discuss the background of GDI.

b. Also, discuss about the given problem of the IT security, infrastructure, cost, etc.

II. Discuss the important assets of the company that need protection

a. Asset identification: “Identity and quantify the company’s assets” (Meyers, 2009, p. 215)

i. Important assets include:

1. Computer network equipment (Meyers, 2009, p. 215)

2. Data (Meyers, 2009, p. 215)

3. Servers, printers

4. Routers, firewalls, switches, wireless devices, etc.

b. Access control methods: sensitivity, integrity, availability (Meyers, 2009, p. 157).

c. Risk and threat assessment: “Identify and access the possible security vulnerabilities and threats” (Meyers, 2009, p. 215).

d. Identify solutions and countermeasures: “Identify a cost-effective solution to protect assets” (Meyers, 2009, p. 215).

III. Security architecture for the company

a. “The IT department should always have current diagrams of your overall network architecture on hand” (Meyers, 2009, p. 381).

IV. A list of 20 or more policies that could be applied to this situation

a. User Account Policy (Meyers, 2009, p. 170)

b. Audit Security Policy (SANS)

c. Email Security Policy (SANS)

d. Internet Security Policy (SANS)

e. Server Security Policy (SANS)

f. Wireless Security Policy (SANS)

g. Network Security Policy (SANS)

h. Physical Security Policy (SANS)

i. Remote Access Security Policy

j. Ethics Policy (SANS)

k. Privacy Policy

(Meyers, 2009, p. 369)

l. Incident Response Policy (Meyers, 2009, p. 371)

m. Access Control Policy (Meyers, 2009, p. 372)

n. Separation of Duties Policy (Meyers, 2009, p. 372)

o. Password Policy (Meyers, 2009, p. 374)

p. Data Retention Policy (Meyers, 2009, p. 375)

q. Hardware Disposal and Data Destruction Policy (Meyers, 2009, p. 375)

r. Documentation policy (Meyers, 2009, p. 378)

s. Termination Policy (Meyers, 2009, p. 377)

t. Acceptable Use Policy (Meyers, 2009, p. 367)

V. Specific details and rationale of each policy from above

a. Ethics Policy – “User Education and Awareness Training” (Meyers, 2009, p. 384)

b. Documentation policy- “Standards and Guidelines for Documentation, Data Classification, document retention and storage, document destruction, system architecture, logs inventory, change management and control documentation (Meyers, 2009, p. 378-383).

c. Network Security Policy- risk and threat assessment, vulnerabilities, threats, risk, impact, probabilities, natural disasters, equipment malfunction, intruders, malicious hackers, potential loss, and threat profiles (Meyers, 2009, p. 216-218). It also includes firewall, intrusion detection system, audits, etc.

d. Wireless Security Policy- Access point security, encryption protocols, MAC address filtering, VPN, etc. (Meyers, 2009, p. 144-147).

e. Physical Security Policy- physical barriers, video surveillance and monitoring, lighting, locks, access logs, ID badges, man-trap (Meyers, 2009, p. 200-204).

VI. Review the policies and select 12 important policies that can be applied to GDI

a. Network Security Policy

b. Internet Security Policy

c. Physical Security Policy

d. Ethics Policy

e. Remote Access Security Policy

f. Incident Response Policy

g. Hardware Disposal and Data Destruction Policy

h. Wireless Security Policy

i. Password Security Policy

j. Separation of Duties Policy

k. Privacy Policy

l. Server Security Policy

VII. Conclusion

a. Conclude discussion and proposal of the security policy document.

References

Include any references here with full citations.

Security Policy Document Project
Objectives

The purpose of this two-part project is to evaluate the student’s ability to analyze security
requirements and develop a security policy that fully addresses them. By completing the two
documents, the student will also gain practical knowledge of the security policy documentation
process. The project will enable the student to see and understand the required standards in
practice, as well as the details that should be covered within the security policy documentation.

Detailed Requirements

Project Deliverable #1 (Due Week 3)

o Using the GDI Case Study below, complete the Security Policy Document
Outline.

o Provide a one or two-page Security Policy Document Outline. The Outline should
cover all aspects of the security policy document and convey the accurate and
appropriate information for the stakeholders to make the appropriate decision.

o Ungraded but instructor will provide feedback to make sure students are on-track.
This outline can become major part of the “Executive Summary” of the final
deliverable.

Project Deliverable #2 (Due Week 7)

o Using the GDI Case Study, complete the Security Policy Document.
o Provide a seven- to ten-page analysis summarizing the security policy to the

executive management team of GDI. The student designs effective real-time
security and continuous monitoring measures to mitigate any known
vulnerabilities, prevent future attacks, and deter any real-time unknown threats;
and also efficiently meets the organization’s objectives. The summary should
effectively describe the security policy in a manner that will allow the Senior
Management to understand the organizational security requirements and make the
appropriate decisions to enforce.

Guidelines

 Using the GDI Case Study, create the security policy document.
 The security policy document must be 8 to 10 pages long, conforming to APA standards.

NO more than 10 pages (excluding title page, table of contents (optional), and
references page). The document must be double-spaced and Time New Roman 12-
point font. See “Writing Guideline” in WebTycho where you’ll find help on writing for
research projects.

 At least three authoritative, outside references are required (anonymous authors or web
pages are not acceptable). These should be listed on the last page titled “References.”

 Appropriate citations are required. See the syllabus regarding plagiarism policies.
 This will be graded on quality of research topic, quality of paper information, use of

citations, grammar and sentence structure, and creativity.
 The paper is due during Week 7 of this course.

Grading Rubrics

Final Deliverable
Category Points % Description
Documentation and
Formatting 10 10%

Appropriate APA citations/referenced sources and
formats of characters/content.

Case Study Security
Policy Analysis 25 25% Accurate Completion of Security Policy.

Real-time Security 25 25 Real-time Security Protection against dynamically changing threats.
Continuous
Monitoring 25 25

Continuous Monitoring for up-to-date Asset
Management and Security Posture

Executive Summary 15 15% Provide an appropriate summary of the Security Policy Document.

Total 100 100% A quality paper will meet or exceed all of the above requirements.

No Outline
Submitted -10

If no outline is submitted at the end of week 3, it
will be minus 10 points from the final document
grade.

Criteria Good Fair Poor
Documentation
and formatting

7-10 points

At least 3 Appropriate
APA
citations/referenced
sources and formats
of characters/ content.

3-6 points

Included 3 references but
incorrect formatting or
referencing/ citation

0-2 points

Does not include at
least 3 references

Security Policy
analysis

17-25 points

Effectively describes
the security policy in
a manner that will
allow the Senior
Management to
understand the
organizational
security requirements

8-16 points

Describes the security
policy in a manner that
allows the Senior
Management to
understand the
organizational security
requirements but not
enough to make the

0-7 points

Describes the security
policy in a manner that
is unclear to the Senior
Management. The
analysis Is not
sufficiently supported
with documentation

and make the
appropriate decisions
to enforce.
Analysis is supported
with documentation
and evidence.

appropriate decisions to
enforce. And/or is not
sufficiently supported with
documentation and
evidence. And/or the
description is somewhat
unclear.

and evidence. Senior
management would not
have enough detail to
make appropriate
decisions.

Real-time
Security

17-25 points

Effectively designs
real-time security
measures to mitigate
any known
vulnerabilities, prevent
attacks, and deter any
real-time threats; and
also efficiently meets
the organization’s
objectives.

8-16 points

Designs technically
feasible real-time
security measures to
mitigate any known
vulnerabilities, prevent
attacks, and deter any
real-time threats, but
lacks efficiency to meet
the organization’s
objectives.

0-7 points

Ineffectively designs
real-time security
measures to mitigate
any known
vulnerabilities, prevent
attacks, and deter any
real-time threats; also
lacks efficiency to
meet the
organization’s
objectives.

Continuous
Monitoring

17-25 points

Effectively designs
continuous monitoring
measures to mitigate
any unknown
vulnerabilities, prevent
future attacks, and
deter any real-time
unknown threats; and
also efficiently meets
the organization’s
objectives.

8-16 points

Designs technically
feasible continuous
monitoring measures to
mitigate any unknown
vulnerabilities, prevent
future attacks, and deter
any real-time unknown
threats, but lacks
efficiency to meet the
organization’s objectives.

0-7 points

Ineffectively designs
continuous monitoring
measures to mitigate
any unknown
vulnerabilities, prevent
future attacks, and
deter any real-time
unknown threats; also
lacks efficiency to
meet the
organization’s
objectives.

Executive
summary

11-15 points

Effectively
summarizes the
security policy
analysis. Includes all
key points of the
analysis and allows
the senior

6-10 points

Describes the security
policy analysis in a
manner that allows the
Senior Management to
understand the
organizational security

0-5 points

Describes the security
policy analysis in a
manner that is unclear
and/or insufficient.
Summary is difficult to
follow or does not

management to
understand the
organizational
security requirements
but not enough to
make appropriate
decisions
.

requirements but not
enough to make
appropriate decisions. Key
information is left out or
not made clear.

include key information
and details.

Background
For those that are not familiar with the term, this project is called an Authentic Assessment
Project. These projects are designed to reflect “real life” activities and will require you to
perform considerable self-directed study. Like real life problems, you will not find all the
answers you need in the textbook. You will, however, have the help of your instructor to resolve
issues you may encounter.

Project Description

The project is to write a company Security Policy Document for a fictitious company called
Global Distribution, Inc. (GDI). A Security Policy Document is an absolutely essential item for
any organization that is subjected to a security audit. Lack of such a document will result in an
automatic failed audit. A Security Policy Document within an organization provides a high-level
description of the various security controls the organization will use to protect its information
and assets. A typical Security Policy Document contains a large set of specific policies and can
run several hundred pages. However, for this project, you will write a brief document with a
maximum of 20 specific policies for the GDI Company. Therefore, you must carefully consider
and select only the most important policies from hundreds of possible specific policies. A brief
description of the GDI Company is given below.

You will work individually on this project for a total of 25% of your grading for the course. You
may collaborate with your classmates to share ideas and activities in preparation of the final
project deliverable. However, you will be graded for your individual effort and deliverables, and
you will submit the project in your individual project assignment folders. You will treat this
project deliverable as if you would deliver it to your own customer or client who will be paying
you for the deliverables.

Suggested Approach

These are only recommendations on the general approach you might take for this project. This is
your project to develop individually.

1. Determine the most important assets of the company, which must be protected
2. Determine a general security architecture for the company
3. Determine the real-time security measures that must be put in place

4. Determine the monitoring and preventative measures that must be put in place
5. Develop a list of 15 to 20 specific policies that could be applied along with details and

rationale for each policy
6. Integrate and write up the final version of the Security Policy Document for submittal

The GDI company description is deliberately brief. In all real life projects, you typically add
complexity as you become smarter as you go along. State the assumptions/rationale you make to
justify the selection of the particular security policies you select. Attach the
assumptions/rationale to each specific security policy.

References
There are many information sources for Security Policy Documents on the Internet. However,
one good source to start with is the SANS Security Policy Project that lists many example
security policy templates.
http://www.sans.org/security-resources/policies/

Company Description

GLOBAL FINANCE, INC. (GFI)

Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United
States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan
application approval, wholesale loan processing, and investment of money management for their customers.

GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages
(approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational
performance through automation and technological innovation has propelled the company into the big leagues; GFI
was only recently profiled in Fortune Magazine.

The executive management team of GFI:

Figure 1 GFI Management Organizational Chart

BACKGROUND AND YOUR ROLE

You are the Computer Security Manager educated, trained, and hired to protect the physical and operational
security of GFI’s corporate information system.

You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m
annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the
corporate tower. This position is the pinnacle of your career – you are counting on your performance here
to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so
significantly lacking from the executive team.

There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity –
that is, he feels the IT function can be nearly entirely outsourced at fractions of the cost associated with
creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT
from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO
has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s
budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you:
maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s
act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology
combined with a diminishing IT footprint gravely concerned Willy, and he begged to at least bring in a
manager to whom these obligations could be delegated to. Willy’s worst nightmare is a situation where the
Confidentiality, Integrity, and Availability of the information system was compromised – bringing the
company to its knees – then having to rely on vendors to pull him out of the mess.

GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle
database server was attacked and its customer database lost its confidentiality, integrity, and availability for
several days. Although the company restored the Oracle database server back online, its lost confidentiality
damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their
loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the
entire network for several days. While infected the Oracle and e-mail servers had to be shut down to
quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible
customer confidence.

There’s no question that the company’s CEO sees the strategic importance of technology in executing his
business plan, and in this way you share a common basis of principle with him: that IT is a competitive
differentiator. However, you believe that diminishing internal IT services risks security and strategic
capability, whereas the CEO feels he can acquire that capability immediately at a low cost through the open
market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s
concerns.

CORPORATE OFFICE NETWORK TOPOLOGY

Remote
Dial UpUsers

Trusted Computing Base Internal Network

Off-Site Office
Internet

Global Finance, Inc.

VPN
Gateway

VPN
Gateway PBX

PSTN

Worstations
(x25)

Worstations
(x12)

Worstations
(x63)

Worstations
(x5)

Worstations
(x10)

Worstations
(x49)

Border (Core) Routers

Accounting

Loan Dept

Customer
Services

Mgmt

Credit Dept

Finance

Internal
DNS

Exchange
E-mail

Distribution Routers

File and Print Server

Oracle DB
Server

Intranet Web
Server

Printers
(x7)

Printers
(x5)

Printers
(x3)

Printers
(x3)
Printers
(x3)
Printers
(x5)

Workstations
(x7)

SUS Server

Access
Layer
VLAN
Switch

10 Gbps

100Mbps

10Gbps

100Mbps
10 Gbps

OC193
10Gbps

RAS

10 Gbps
10 Gbps
10 Gbps
OC193
10Gbps

90
90

Wireless
Antenna90

You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities
to the central data processing environment. Data is transmitted from a remote site through a VPN
appliance situated in the border layer of the routing topology; the remote VPN connects to the internal
Oracle database to update the customer data tables. Data transaction from the remote access to the
corporate internal databases is not encrypted.

A bulk of the data processing for your company is handled by Oracle database on a high end super
computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet.
This is where all corporate data processing is completed and internal support team has its own intranet web
server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each
corporate department is segregated physically on a different subnet and shares the corporate data in the
TCB network.

OTHER CONSIDERATIONS

1. Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a
significant spike in network traffic crossing into the internal networks. They report that they cannot be
certain what or who is generating this traffic, but the volume and frequency of traffic is certainly
abnormal. The management is very concerned over securing the corporate confidential data and
customer information.

2. Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of
a plan from COO Willy to outsource network management and security functions away from your
department and to a service integrator. COO Willy warns you that the political environment will only
become more contentious over time; you must make a compelling case as to what value your
department can bring over an integrator that can provide secure services at 40% less annual cost than
you.

3. The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote
sites have been reporting significant problems with network latency, slow performance, and
application time-outs against the Oracle database. The company’s business model is driving higher
and higher demand for data, but your capability to respond to these problems are drastically limited.

4. Mobility is important for the organization to interact with the customers and other co-workers in near
real-time. However, the CEO is concerned with the mobility security and would like to research for the
best practice for mobility security. The CEO is willing to implement a BYOD policy if security can be
addressed.

5. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network.
However, the CEO is concerned over the security ramifications over the wireless network that is
widely open to the company and nearby residents.

6. The company plans to offer its products and services online and requested its IT department to design a
Cloud Computing based on an e-commerce platform. However, the CEO is particularly concerned over
the cloud security in case the customer database had been breached.

Expert paper writers are just a few clicks away

Place an order in 3 easy steps. Takes less than 5 mins.

Calculate the price of your order

You will get a personal manager and a discount.
We'll send you the first draft for approval by at
Total price:
$0.00