Project Part 1: Multi-Layered Security Plan
1. User Domain - The people who access an organization’s information system.
Layers of Security
Develop an acceptable use policy to define what users can and cannot do with company IT assets. Conduct security awareness training and review acceptable use policies with employees periodically. Disable internal CD drives and USB ports.
Enable content filtering and antivirus scanning on any emails, media, and downloaded files. Restrict access for users to only systems, applications, and data needed to perform their job. Track and monitor abnormal employee behavior and use of IT infrastructure during off hours.
2. Workstation Domain - Where most users connect to the IT infrastructure. A workstation can be any desktop, laptop, or other device that connects to your network.
Layers of Security
Enable password protection on workstations for access.
Enable auto screen lockout for inactive times.
Define strict access control policies, standards, procedures, and guidelines. Disable all CD, DVD, and USB ports.
Enable an automated antivirus solution that scans and updates each workstation’s protection. Define workstation operating system and application software vulnerability window policies.
3. LAN Domain - The LAN domain includes both the physical network components and the logical configuration of services for users.
Layers of Security
Make sure wiring closets, data centers, and computer rooms are secure. Define strict access control policies, standards, procedures, and guidelines. Define strict server/desktop/laptop and software vulnerability window policies, standards, procedures and guidelines. Conduct vulnerability assessments periodically to find security gaps. Use WLAN network keys that require a password for wireless access. Turn off broadcasting on WAPs.
Require second-level authentication prior to granting WLAN access. Implement encryption between workstations and WAPs to maintain confidentiality. Implement LAN server and configuration standards, procedures, and guidelines.
4. LAN-to-WAN Domain - Where the IT infrastructure links to a wide area network and the internet.
Layers of Security
Disable ping, probing, and port scanning on all exterior devices within the LAN-to-WAN domain. Apply strict security monitoring controls for intrusion detection and prevention. Monitor for inbound IP traffic anomalies and malicious-intent traffic. Define a strict zero-day vulnerability window definition.
Conduct penetration tests to identify and fix any gaps in inbound and outbound traffic. Apply and enforce the company’s data classification standard. Apply domain-name content filtering at the internet entry/access point.
5. WAN Domain - Connects remote locations. Includes both the physical components and the logical design of routers and communication equipment.
Layers of Security
Implement encryption and VPN tunneling for all sensitive communications across the internet. Deploy security countermeasures such as a DMZ with IP stateful firewalls and IDS/IPS for security monitoring. Apply filters on exterior firewalls and routers to block TCP SYN and ICMP. Back up and store data in off-site data vaults with tested recovery procedures. Deploy redundant internet and WAN connections where 100 percent availability is required. Enable access control lists on outbound router interfaces in keeping with policy.
6. Remote Access Domain - Connects remote users to the company’s IT infrastructure. Critical for employees who work in the field or from home.
Layers of Security
Establish user ID and password policies requiring periodic changes. Set automatic blocking for multiple attempted logon retries. Apply two-tiered security for remote access to sensitive systems, applications, and data. Encrypt all private data within the database or hard drive.
Apply real-time lockout procedures if devices/tokens are lost, stolen, or compromised.
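As an added illustration of two of the controls above, the off-hours usage monitoring listed under the User Domain and the automatic blocking of repeated logon retries listed under the Remote Access Domain (example code written for this plan, not taken from the textbook): a small Python script that runs both checks over constructed authentication log lines. The log line format, the business hours of 08:00 to 18:00, and the lockout threshold of five failures within five minutes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample authentication log lines (assumed format, not from the textbook):
# "<ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 SUCCESS user=alice src=10.0.0.12
2024-03-04T23:41:10 SUCCESS user=bob src=10.0.0.33
2024-03-04T23:42:05 FAILURE user=carol src=203.0.113.9
2024-03-04T23:42:30 FAILURE user=carol src=203.0.113.9
2024-03-04T23:43:01 FAILURE user=carol src=203.0.113.9
2024-03-04T23:43:20 FAILURE user=carol src=203.0.113.9
2024-03-04T23:43:40 FAILURE user=carol src=203.0.113.9
2024-03-05T02:10:00 SUCCESS user=carol src=203.0.113.9
2024-03-05T10:05:00 FAILURE user=dave src=10.0.0.40
"""

LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed business hours
LOCKOUT_THRESHOLD = 5      # assumed: failed attempts before the account is locked
LOCKOUT_WINDOW_SEC = 300   # assumed: ... within this many seconds

def parse(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def off_hours_logons(events):
    """User Domain control: report successful logons outside business hours."""
    return [(ts.isoformat(), user) for ts, result, user, _ in events
            if result == "SUCCESS" and not (BUSINESS_START <= ts.time() < BUSINESS_END)]

def accounts_to_lock(events):
    """Remote Access Domain control: lock an account after N failures in a sliding window."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = {}                    # user -> time the lockout was triggered
    for ts, result, user, _ in events:
        if result != "FAILURE" or user in locked:
            continue
        window = [t for t in failures[user] if (ts - t).total_seconds() <= LOCKOUT_WINDOW_SEC]
        window.append(ts)
        failures[user] = window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked[user] = ts.isoformat()
    return locked
```

In the sample data, carol's account is locked on the fifth failure at 23:43:40, and her later successful logon at 02:10 is also reported as off-hours activity, which is the kind of correlation the tracking control in the User Domain is meant to surface.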
7. System/Application Domain - Holds all the mission-critical systems, applications, and data.
Layers of Security
Apply policies, standards, procedures, and guidelines for staff and visitors to secure facilities. Implement virtual firewalls and server segmentation on separate VLANs. Separate private data elements into different databases.
Encrypt data within databases and storage devices.
Implement daily data backups, off-site data storage, and data recovery procedures. Develop a business continuity plan for mission-critical applications to maintain availability of operations. Develop a disaster recovery plan specific to the recovery of mission-critical applications and data.
Kim, David, and Michael G. Solomon. “Chapter 1.” Fundamentals of Information Systems Security. Burlington, MA: Jones & Bartlett Learning, 2012. 15-36. Print.