Security Policy Document Project Objectives The purpose of this project is to evaluate the student’s ability to analyze security requirements and develop a security policy that fully addresses them. The student will also gain practical knowledge of the security policy documentation process. The project will enable the student to see and understand the required standards in practice, as well as the details that should be covered within the security policy documentation. Detailed Requirements Project Deliverable (Due Week 7) o Using the WDI Case Study, develop a Security Policy which addresses the needs and requirements in the case study. o Provide an analysis summarizing the security policy to share with the executive management team of WDI. The summary should effectively describe the security policy in a manner that will allow the Senior Management to understand the organizational security requirements and make the appropriate decisions to enforce. Guidelines Using the WDI Case Study, create a security policy. The security policy document must be 7 to 10 pages long, conforming to APA standards. The first page should be an executive memo to management providing a high-level overview of your proposed policy to management. The second page will be an analysis of the case study requirements and needs WDI. At least 3 authoritative, outside references are required (anonymous authors or web pages are not acceptable). These should be listed on the last page titled "References." Appropriate citations are required. See the syllabus regarding plagiarism policies. This will be graded on quality of research topic, quality of paper information, use of citations, grammar and sentence structure, and creativity. The paper is due during Week 7 of this course. Grading Rubrics Category % Description Documentation and Formatting 10% Appropriate APA citations/referenced sources and formats of characters/content. Case Study Security Policy Analysis 25% Provides an accurate analysis and overview of the case study needs and requirements. Real-time Security 25 The policy addresses the need for real-time security protection against dynamically changing threats. Continuous Monitoring 25 The policy addresses the need for continuous monitoring for up-to-date asset management and security posture Executive Summary 15% Provide an appropriate summary of the Security Policy Document. Total 100% A quality paper will meet or exceed all of the above requirements. Project Description The project is to write a company Security Policy Document for a fictitious company called Western Distribution, Inc. (WDI). A Security Policy Document is an absolutely essential item for any organization that is subjected to a security audit. Lack of such a document will result in an automatic failed audit. A Security Policy Document within an organization provides a high-level description of the various security controls the organization will use to protect its information and assets. A typical Security Policy Document contains a large set of specific policies and can run several hundred pages. However, for this project, you will write a brief document and develop a policy document which addresses the most critical needs for the organization. Therefore, you must carefully consider and select only the most important policies from hundreds of possible specific policies. A brief description of the WDI Company is given below. You will work individually on this project. You may collaborate with your classmates to share ideas and activities in preparation of the final project deliverable. However, you will be graded for your individual effort and deliverables, and you will submit the project as an individual assignment. You will treat this project deliverable as if you would deliver it to your own customer or client who will be paying you for the deliverables. Suggested Approach These are only recommendations on the general approach you might take for this project. This is your project to develop individually. 1. Determine the most important assets of the company, which must be protected 2. Determine a general security architecture for the company 3. Determine the real-time security measures that must be put in place 4. Determine the monitoring and preventative measures that must be put in place 5. Develop a list of 15 to 20 specific aspects that could be applied along with details and rationale for each policy 6. Integrate and write up the final version of the Security Policy Document for submittal The WDI company description is deliberately brief. In all real life projects, you typically add complexity as you become smarter as you go along. State the assumptions/rationale you make to justify the selection of the particular security policies you select. Please be sure to describe and include any assumptions that you make as you develop this policy.. References There are many information sources for Security Policy Documents on the Internet. However, one good source to start with is the SANS Security Policy Project that lists many example security policy templates. http://www.sans.org/security-resources/policies/ CASE STUDY – WESTERN DISTRIBUTION, INC. Company Description Western Distribution, Inc. (WDI) Western Distribution, Inc. (WDI) is a distribution company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, WDI specializes in supply chain management and in coordinating the warehousing, staging, distribution, transportation, and wholesaler/VAR relationship for their customers. WDI employs over 3,200 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; WDI was only recently profiled in Fortune Magazine. The executive management team of WDI: CEO Jamie Pierce Exec. Assistant Stacy Farnsworth Dir. Of HR Tad Willingham CCO Mike Sullivan Vice President, Americas Vinay Sahdid Exec. Assistant Barbara Clooney Exec. Assistant Greg Gaiman COO Don Jacobson CFO Ron Singletary Dir. Of Marketing Korie Smith BACKGROUND AND YOUR ROLE You are the Computer Security Program Manager (CSPM) educated, trained, and hired to protect the physical and operational security of WDI’s corporate information system. You were hired by COO Don Jacobson and currently report to the COO. You are responsible for a $7.25m annual budget, a staff of 17, and a sprawling and expansive data center located on the 9th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team. There is actually a reason for this. CEO Jamie Pierce believes that the IT problem is a known quantity – that is, she feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Jacobson’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Jacobson, and he begged to at least bring in a manager to whom these obligations could be delegated to. Jacobson’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess. There’s no question that the company’s CEO sees the strategic importance of technology in executing her business plan, and in this way you share a common basis of principle with her: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels she can acquire that capability immediately and on the cheap through the open market. You’re told that CEO Pierce reluctantly agreed to your position if only to pacify COO Jacobson’s concerns. CORPORATE OFFICE NETWORK TOPOLOGY Utility (Micro) Servers Public Router FTP/SMTP Bridgehead Application Mainframes and DS Internal Switch (VLAN) Proxy Server ISP T1 CSU Workgroup Server/DS Switch CSU F-T1 (768kb) FRAME FRAME Internal Switch (VLAN) CSU F-T1 (768kb) CENTRAL DATA PROCESSING REMOTE WAREHOUSES Public File Replica File Shares Email 802.11g WAP You are responsible for a corporate WAN spanning 81 remote facilities (warehouses) and interconnecting those facilities to the central data processing environment. Data is transmitted from suppliers and customers through an FTP bridgehead server situated in the DMZ; files are encrypted and copied to the FTP server through automated replication; remote automation or users connect with the FTP server to transmit or receive encrypted EDI files. A bulk of the data processing for your company is handled by twin IBM System/390 mainframes; all GL and financial functions are located on the mainframe platform; a microcomputer cluster manages email routing, file storage functions, HRIS, and other value-added applications; an application-layer proxy server serves as the central gateway for Internet connectivity for the corporate office and 81 remote sites – a strict philosophy of control, centralization, and outsourced services has guided much of the design of this network; WDI’ web server and e-commerce functions are hosted by an external party outside of the scope of this topology. OTHER CONSIDERATIONS 1. Ever since the article ran in Fortune about WDI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the DMZ. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. 2. Increasingly, WDI’s CEO Pierce attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Jacobson to outsource network management functions away from your department and to a service integrator. COO Jacobson warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide services at 40% less annual cost than you. 3. The interrelationship between data and operations concerns you. Increasingly, some of the 81 warehouses have been reporting significant problems with network latency, slow performance, and application time-outs against the System/390’s. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited.