Step 5. IT Security Plan

The goal of your IT Security Plan should be to determine an appropriate level of security and to organize suitable protection for your departmental IT assets. No department or PC (or Mac or workstation) is immune to compromise. University information and network assets are of significant value, and protecting them is our responsibility. Every department is expected to develop a security plan. The Risk Assessment helped determine your department's IT security risk level; the Departmental Security Checklist helped evaluate your department's IT security strengths and weaknesses. The IT Security Plan is built from the statements gleaned from your evaluation in those earlier steps.

When you have finished making your list of Checklist statements that were answered 'no', review it and decide which of them are worth looking into.  Take into consideration your departmental inventory, the information assets you are protecting and the level of protection you should have.  Consider any problems the department could face, whether legal problems, support issues, loss of availability or any other harm that might beset it.

Remember to consider the recommended security additions in the Risk Assessment, based on the categories of confidentiality, integrity and availability.  Add these to the issues/statements from the Security Checklist which you have decided to improve or implement.  Include your inventory (which will come in handy for future reference and possible insurance claims) at the beginning of the report.

Make an effort to understand your systems and your department.  The systems administrator may develop the plan for approval by the Dean/Director/Administrator.  The departmental Systems Administrator and Dean/Director/Administrator should discuss issues, possibilities and timelines and develop a realistic plan.  Responsibilities for every part of the plan should be determined and assigned.  Target dates should also be set.

The Departmental Security Plan should be reviewed annually.  The Plan should be monitored with progress reports provided to the Dean/Director/Administrator quarterly.

The Checklist and Risk Assessment developed by the Information Protection and Security Division will remain online and be updated annually in December.

Sample Security Plan

In developing a Departmental Security Plan the Asset Inventory and Risk Assessment should be considered.  The following Sample Security Plan is for a department that has evaluated itself as needing a highly secure environment.  This department's system rated high in all areas (confidentiality, integrity and availability) of the Risk Assessment.  The Asset Inventory is also listed below.

(Statements on this template have been gleaned from the Departmental Security Checklist.  All items answered 'no' should be addressed in the Security Plan.)

Asset Inventory

According to the Risk Assessment the Sample department scored in the high probability and high impact areas for all categories (confidentiality, integrity and availability).

The following is an inventory of the physical and information assets of the Sample department:

Physical Assets

  • 17 workstations
  • file server
  • web server
  • projector
  • network printer
  • UPS
  • tape back-up
  • 2 laptops

Information Assets

  • Contracts
  • Social security numbers
  • Health records

Sample Security Plan

All of the following bulleted items were marked 'no' on the Security Checklist.  The Sample department is taking corrective action as indicated by the statements with target dates. The items should be discussed between departmental administration (Dean, Director, Administrator) and the Systems Administrator (UCS, Computing Manager) to determine if there is a need to consider these as possible deficiencies and implement additional security processes, policies or improvements based on the Asset Inventory and Risk Analysis.

Please also consider whether your current infrastructure is in sufficient condition to support additional measures.

The Sample department will implement the following improvements for security purposes, with the following target dates (the items below are those marked 'no' on the Checklist):

  • Regular testing of UPSs - Testing will take place monthly on the 1st.
  • Maintain diagnostic software onsite - Diagnostic software will be researched and purchased at the discretion of the Systems Administrator.  Said software will be locked in the storeroom.
  • Move database to new software - The database migration will take place within two months (target date).
  • Provisions to continue operations in the event central services (RIAS) software is not available - A team will be created to develop a plan for business continuity in the event of central services downtime.
  • Network documentation for computers and network devices - Part-time students will be hired for the purpose of creating documentation.
  • Physical and software access to network devices - Access will be discussed at staff meetings until resolved, beginning (target date).
  • WAN failure department functionality - Staff will have sufficient software to support short-term network problems.  TD will provide a long-term solution.
  • Staff duties and standards - Security duties and responsibilities will be designated in job descriptions and standards evaluated at regular intervals (semi-annually).
  • Documentation to explain how to perform all IT security related duties - Those responsible will document IT related duties for review by the Systems Administrator and Director.
  • Additional training (target dates and suggested training) - Security training will be provided to the Systems Administrator.
  • Delegation of authority - Authority for security related issues will be delegated by policy, or by decision of the Director.
  • Funding - A sincere effort will be made to provide additional security measures and personnel.  Initially, 1% of the budget will be devoted to security related purchases.
  • Non-disclosure agreements - All IT staff will be asked to sign a non-disclosure agreement for confidentiality purposes.
  • Enforce and check strong passwords (authorize) - Strong passwords will be requested; however, neither the Director nor the Systems Administrator finds it an enforceable issue.
  • Account removal process - A policy and procedure will be created to address account removal within the next six months (target date).
  • Unauthorized users - Staff will be provided with a workshop on Security Awareness and Social Engineering to make them aware of security practices and responsibility.
  • Remote access authorization not known - The Systems Administrator will survey alternative methods for remote access, including modems, VPN, wireless, network connections and mobile devices.
  • Document physical security procedures - Information on security procedures will be sought from the RUPD website (target date).
  • Procedure for disposing of confidential and sensitive material on hard drives, tapes, CDs, hard copy, etc. - The Systems Administrator will provide a process and documentation by (target date) with the help of part-time students.
  • Network diagram that includes IP addresses, room numbers and responsible parties - Part-time students will research and diagram (target date).
  • Log retention standard - The Systems Administrator will research (target date).
  • Need protection for clear-text passwords that are embedded in SQL scripts - The Systems Administrator will consult with IPS (target date).
  • Data integrity software - The Systems Administrator will research data integrity software (e.g., Tripwire) (target date).
  • Inventory of devices attached to the network - Part-time students will inventory (target date).
  • Room jacks mapped to a switch port - The Systems Administrator will check with TD for advice.
  • Written contingency plan - The Director will create a team to research and document a contingency plan (target date).
  • Plan to continue departmental business in the event that Central Systems are down - The Director will create a team to research and document a contingency plan (target date).
  • Should the department store back-up media off site - The Director will create a team to research and document a contingency plan and back-up storage (target date).
  • Regular dates to test and verify backup capabilities - Back-up capabilities will be tested in June and January.
  • Configuration/asset control plan - The Director and Systems Administrator will discuss IT plans and needs twice annually, after backup capabilities have been tested and reported.
  • Only trained, authorized individuals install computer equipment and software - Experience and training guidelines will be established by the Systems Administrator and approved by the Director.
  • Plan and funding for upgrades - The Director will set aside funding for regular upgrades/evergreening and security improvements.
  • No way of telling whether the department has been or is being attacked (IDS, firewall) - The Systems Administrator will research scanning.

The Sample department will write and implement the following additional policies, standards and processes:

  • Password 
  • Account removal 
  • Elimination of chat clients 
  • Trusted workstation security

The following recommendations for workstations will be followed: 

  • CD-ROM Autorun feature disabled on all workstations
  • Password caching disabled on all workstations
  • Chat clients (Internet Messenger, etc.) are not allowed on departmental workstations
  • ActiveX, JavaScript and Java disabled in web browsers and email programs on all workstations
  • The XP internal firewall is activated on Windows XP machines
  • Remote Desktop and Remote Assistance are turned off on all machines
  • Web servers are set to accept traffic only on port 80
  • The web server is set to reject attempts to remotely administer it
  • The web server is set to authenticate certain user traffic
  • Sample files, scripts, help and development files have been removed from the web server
  • File sharing is not permitted on any workstation in the department
  • All workstations are required to run a password-protected screensaver with a 5-minute maximum timeout
  • Users are instructed on how to lock their workstations when they step away
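As an added example (not part of the original plan), the following PowerShell script audits a workstation against the configuration items in the list above and reports PASS/FAIL per item, so the Systems Administrator can verify the recommendations rather than assume them. The registry locations are this example's assumptions about where Windows stores these settings (standard locations on Windows XP SP2 or later), and "password caching disabled" is interpreted as a cached domain logon count of zero.

```powershell
# Added example (not from the original plan): audit a Windows workstation
# against the hardening items in the plan and report PASS/FAIL per item.
# ASSUMPTIONS: standard registry locations, Windows XP SP2 or later;
# "password caching disabled" is read as cached domain logons = 0.
$checks = @(
  @{ Item = 'CD-ROM Autorun disabled (all drive types)'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     Name = 'NoDriveTypeAutoRun'; Ok = { param($v) $v -eq 0xFF } }
  @{ Item = 'Cached domain logons disabled'
     Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
     Name = 'CachedLogonsCount'; Ok = { param($v) [int]$v -eq 0 } }
  @{ Item = 'Windows Firewall enabled (standard profile)'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
     Name = 'EnableFirewall'; Ok = { param($v) $v -eq 1 } }
  @{ Item = 'Remote Desktop turned off'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
     Name = 'fDenyTSConnections'; Ok = { param($v) $v -eq 1 } }
  @{ Item = 'Remote Assistance turned off'
     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
     Name = 'fAllowToGetHelp'; Ok = { param($v) $v -eq 0 } }
  # Screensaver settings are per user: these two reflect the account running the audit.
  @{ Item = 'Screensaver is password-protected'
     Path = 'HKCU:\Control Panel\Desktop'
     Name = 'ScreenSaverIsSecure'; Ok = { param($v) $v -eq '1' } }
  @{ Item = 'Screensaver timeout is 5 minutes or less'
     Path = 'HKCU:\Control Panel\Desktop'
     Name = 'ScreenSaveTimeOut'; Ok = { param($v) [int]$v -gt 0 -and [int]$v -le 300 } }
)

function Test-WorkstationHardening {
    foreach ($c in $checks) {
        # A missing key or value is reported as FAIL, not skipped: when a policy
        # is unset, the less secure Windows default behaviour applies.
        $prop   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value  = if ($prop) { $prop.$($c.Name) } else { $null }
        $pass   = ($null -ne $value) -and (& $c.Ok $value)
        $shown  = if ($null -eq $value) { '<not set>' } else { $value }
        $result = if ($pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Item = $c.Item; Value = $shown; Result = $result }
    }
}

# Run the audit and print one row per checklist item.
Test-WorkstationHardening | Format-Table -AutoSize
```

Run it from an administrative PowerShell session on each workstation; a FAIL row tells you which checklist item still needs corrective action.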

With recommendations from the Information Protection and Security Division, the Sample department will be implementing perimeter security which controls access to critical network applications, data and services so that only legitimate users and information can pass through the network.

Recommendations for trusted systems with 'high' security needs:

  • Departmental and host firewalls 
  • Security monitoring 
  • Integrity monitoring (http://tripwire.com)