This paper examines the information security needs and requirements of the business and sets out a computer and IT security plan covering all areas of security in a corporate network. Included are an encryption policy, an IT acceptable use policy, email and communications security, an application service provider (ASP) policy, and ASP security standards covering general and physical security, network security, host and web security, and cryptography.
Computer Security: Corporate Security Documentation Suitable for a Large Corporation
(I) In-Depth Defense Measures
(II) Firewall Design
(III) Intrusion Detection System
(IV) Operating System Security
(V) Database Security
(VI) Corporate Contingency of Operation
(VII) Corporate Disaster Recovery Plan
(VIII) Team Members and Roles of Each
(IX) Timeline with Goal Description
(X) Data Schema
(XI) Graphical Interface Design
(XII) Testing Plan
(XIII) Support Plan
(XIV) Schematics
(I) In-Depth Defense Measures
Information Technology (IT) Acceptable Use Policy
IT publishes this Acceptable Use Policy not to impose restrictions that are contrary to the organization's culture of openness, integrity and trust, but to protect the company's employees, partners and the company itself from illegal or damaging actions by individuals, whether committed knowingly or unknowingly, against the following:
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, WWW browsing and FTP, are the property of the company. These systems are to be used for business purposes in serving the interests of the company and of our clients and customers in the course of normal operations.
Effective security is a team effort that requires the participation and support of every company employee. Every individual in the company who uses a computer is responsible for knowing these guidelines and following them.
The purpose of this publication is to outline the appropriate use of computers in the organization. These rules protect the employee and the company: inappropriate use exposes the company to virus attacks, compromise of network systems and services, and legal liability. This policy applies to employees, contractors, consultants, temporary staff and any other workers at the organization, including personnel affiliated with third parties.
General Use and Ownership
All employees must exercise good judgment, and individual departments are responsible for developing guidelines on personal use of the Internet/Intranet/Extranet systems. Sensitive information, or information considered vulnerable, should be encrypted. For security purposes, authorized persons may monitor equipment, systems and network traffic at any time.
Security and Proprietary Information
Information contained on the related systems will be classified as either confidential or non-confidential. Confidential information includes but is not limited to the following:
(1) company private information;
(2) corporate strategies;
(3) competitor sensitive information;
(4) trade secrets;
(5) specifications;
(6) customer lists; and (7) research data.
All company PCs, laptops and workstations will be secured with a password-protected screensaver set to activate automatically after ten minutes or less, or by logging off whenever the host is left unattended. Every host used by employees to conduct company business shall run an anti-virus program. In general, any activity that is illegal under local, state, federal or international law is prohibited. The following activities are strictly prohibited:
(1) violating the rights of any individual or company protected by copyright, trade secret, patent or other intellectual property law or regulation;
(2) unauthorized copying of copyrighted material, including photographs from magazines, books or other copyrighted sources, music, and copyrighted software;
(3) exporting software, technical information, encryption software or technology in violation of international or regional export control laws;
(4) introducing malicious programs into the network or a server, including any virus, worm, Trojan horse, email bomb or other threat;
(5) revealing one's password to others or allowing others to use one's account;
(6) using a company computer or system to procure or transmit material that violates sexual harassment or hostile workplace laws in the jurisdiction of the company or the user;
(7) making fraudulent offers of products, services or items from any company account;
(8) making statements about express or implied warranties unless doing so is part of the individual's normal job duties;
(9) committing security breaches or disrupting network communication;
(10) port scanning or security scanning without first informing IT; and
(11) running any form of network monitoring that intercepts data not intended for the employee's host.
(II) Firewall Design
Firewall devices maintained by the Network Support Organization must be configured according to least-access principles and the organization's business needs. The firewall must be the only access point between the company's hosts and networks and the Internet; any cross-connection that bypasses the company firewall is prohibited.
Changes to the original firewall configuration, both general settings and rule sets, must be reviewed and approved by company IT, which may institute additional security measures where needed. All routers and switches other than those used for testing or training must conform to the company's router and switch standardization documents. The operating systems of all internal hosts must be configured to the secure host installation and configuration standards.
Current security patches and hot-fixes for Internet-facing services must be applied, and the administrative owner groups must have procedures in place to stay current on the patches and hot-fixes that apply to them. All security patches and hot-fixes recommended by the vendor must be installed. Services and applications that do not serve a company requirement should be disabled.
As required by the company's information sensitivity classification policy, confidential company information may not be kept on host computers to which general company personnel have physical access. Remote administration must be performed over secure channels, that is, encrypted network connections.
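The least-access requirements above (the firewall as the only access point, rule sets approved by IT, remote administration only over encrypted channels) can be checked mechanically before a rule-set change is approved. The following is an added example in Python, not part of the original paper and not in any vendor's rule syntax: the rule shape, the administrative network 10.0.100.0/24 and the two constructed rule sets are assumptions. It flags a rule set that lacks a terminal deny-all, allows any-to-any traffic, exposes remote-administration ports outside the admin network, or permits unencrypted remote administration.

```python
"""Least-access audit of a firewall rule set (added example; the rule shape is assumed)."""
import ipaddress
from typing import Dict, List, Union

Rule = Dict[str, Union[str, int]]   # keys: action, proto, src, dst, dport; "any" = unrestricted

ADMIN_NET = ipaddress.ip_network("10.0.100.0/24")   # assumed network of administrative jump hosts
ADMIN_PORTS = {22, 3389, 5985, 5986}                 # SSH, RDP, WinRM
PLAINTEXT_ADMIN = {23: "telnet", 513: "rlogin"}     # remote administration that is never encrypted


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def _is_deny_all(rule: Rule) -> bool:
    return (rule["action"] == "deny" and rule["src"] == "any"
            and rule["dst"] == "any" and rule["dport"] == "any")


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per least-access violation; an empty list means the set passes."""
    findings = []
    if not rules or not _is_deny_all(rules[-1]):
        findings.append("rule set does not end with an explicit deny-all; unmatched traffic falls through")
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src, dst, port = _net(rule["src"]), _net(rule["dst"]), rule["dport"]
        if src.prefixlen == 0 and dst.prefixlen == 0 and port == "any":
            findings.append(f"rule {i}: allow any->any on every port is the opposite of least access")
        if port in ADMIN_PORTS and not src.subnet_of(ADMIN_NET):
            findings.append(f"rule {i}: remote administration port {port} reachable from "
                            f"{rule['src']}, not only from the admin network")
        if port in PLAINTEXT_ADMIN:
            findings.append(f"rule {i}: {PLAINTEXT_ADMIN[port]} allowed; remote administration "
                            "must use an encrypted channel")
    return findings


# Constructed rule sets: the first is what a change request might look like, the second the
# version an approver should insist on.
WEAK_RULES: List[Rule] = [
    {"action": "allow", "proto": "tcp", "src": "any", "dst": "10.0.1.10/32", "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "any", "dst": "10.0.1.10/32", "dport": 22},
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst": "10.0.1.0/24", "dport": 23},
    {"action": "allow", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
]

HARDENED_RULES: List[Rule] = [
    {"action": "allow", "proto": "tcp", "src": "any", "dst": "10.0.1.10/32", "dport": 443},
    {"action": "allow", "proto": "tcp", "src": "10.0.100.0/24", "dst": "10.0.1.0/24", "dport": 22},
    {"action": "deny", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules) or "no findings")
```

The weak set produces four findings (no terminal deny, SSH open to the Internet, telnet permitted, and a catch-all allow); the hardened set produces none. In practice the audit would read the exported rule set of the actual firewall and run as part of the IT approval step, so that a rule set with findings cannot be deployed.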
(III) Intrusion Detection System
The company network will include an intrusion detection system (IDS) to monitor network traffic for suspicious activity; when the system detects such an incident the network administrator will be notified. The company's IDS will be network based (NIDS). In addition, the company's host computers will have host intrusion detection systems (HIDS) installed to monitor the packets entering and leaving each device and to alert the network administrator of any incident.
The company's intrusion detection will combine a signature-based IDS and an anomaly-based IDS. The signature-based IDS monitors network packets and compares them against a database of signatures of known malicious threats, while the anomaly-based IDS compares network traffic against an established baseline that defines 'normal' network activity. Both components need maintenance: the signature database must be updated as new threats are published, and the baseline must be re-established after legitimate changes to the network so that normal traffic is not reported as anomalous.
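The two detection approaches described above, as an added example in Python that is not part of the original paper and not the code of any IDS product. The signature database and the connection log are constructed inline: the signature component matches each payload against known-attack patterns, and the anomaly component learns a per-source request-rate baseline from a quiet period and flags sources whose rate later exceeds the baseline mean by three standard deviations.

```python
"""Signature-based and anomaly-based detection over constructed connection logs (added example)."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[str, str, int, str]   # (timestamp, source address, destination port, payload)

# Constructed signature database (stands in for a vendor feed).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "shell-command-injection": re.compile(r";\s*(cat|wget|curl)\s"),
}


def signature_matches(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Signature-based IDS: compare every payload against every known-attack pattern."""
    hits = []
    for ts, src, _port, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((ts, src, name))
    return hits


def build_baseline(events: List[Event]) -> Tuple[float, float]:
    """Anomaly-based IDS, training step: mean and deviation of requests per source
    during a period the operator has vetted as normal."""
    counts = list(Counter(src for _, src, _, _ in events).values())
    return statistics.fmean(counts), statistics.pstdev(counts)


def anomalies(events: List[Event], baseline: Tuple[float, float], k: float = 3.0) -> List[str]:
    """Anomaly-based IDS, detection step: sources whose request count exceeds mean + k*sd."""
    mean, sd = baseline
    threshold = mean + k * max(sd, 1.0)   # floor on sd so a perfectly flat baseline does not flag everyone
    per_src = Counter(src for _, src, _, _ in events)
    return sorted(src for src, n in per_src.items() if n > threshold)


def _burst(src: str, n: int, payload: str = "GET /index.html", port: int = 80) -> List[Event]:
    """Constructed log lines: n requests from one source within a minute."""
    return [(f"2012-05-01T10:00:{i:02d}", src, port, payload) for i in range(n)]


# Quiet period used to train the baseline: five internal clients, 4-6 requests each.
BASELINE_EVENTS: List[Event] = (_burst("10.0.1.11", 4) + _burst("10.0.1.12", 5) + _burst("10.0.1.13", 5)
                                + _burst("10.0.1.14", 6) + _burst("10.0.1.15", 5))

# Later window: one normal client, one scanner hammering a traversal payload, one
# single SQL-injection attempt that only the signature component can see.
OBSERVED_EVENTS: List[Event] = (
    _burst("10.0.1.11", 5)
    + _burst("203.0.113.7", 40, payload="GET /../../etc/passwd")
    + [("2012-05-01T10:01:00", "198.51.100.9", 80, "GET /login?user=admin' OR 1=1--")]
)

if __name__ == "__main__":
    print("signature hits:", len(signature_matches(OBSERVED_EVENTS)))
    print("anomalous sources:", anomalies(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS)))
```

The two components are complementary: the single injection attempt from 198.51.100.9 never changes the traffic rate and is found only by its signature, while the scanner at 203.0.113.7 would still be flagged by the baseline even if it used a payload no signature covers. Conversely, a slightly rewritten injection (for example `' OR '1'='1`) slips past the tautology pattern above, which is why the signature database needs continual updating and why anomaly detection is run alongside it.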
(IV) Operating System Security
The work of Heidari (2011) states that operating system security "revolves around the appropriate protection of four elements:
(1) confidentiality;
(2) integrity;
(3) availability; and (4) authenticity."
Confidentiality and integrity "deal with the three important roles of:
(1) protection models;
(2) capability; and (3) assurance." (Heidari, 2011)
Multiprogramming involves resource sharing among users, including the sharing of memory, I/O devices, programs and data. The company's operating system should therefore provide protection for shared access by limiting access: the operating system (OS) checks the permission of each access according to the specific user and the specific object, acting as a guard between users and objects and ensuring that only properly authorized accesses occur. Access to the system itself will be controlled by 'user-oriented access control', that is, authentication, which is the most commonly used technique for user access control and requires an ID and password.
File sharing will involve several access rights:
(1) reading;
(2) appending; and (3) updating.
These access rights will be granted to different classes of users. When more than one user is granted the right to change or update a file, the operating system will enforce discipline by allowing a user to lock the file while it is being updated.
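The guard model and the file-locking discipline described above, as an added example in Python; this is a model written for this document, not the code of any operating system. The file name, the user classes ("owner" and "staff") and the users are constructed. Every access is mediated by one check that denies by default and records its decision, and an update additionally requires the file's lock, which a second updater cannot obtain until the first releases it.

```python
"""Reference-monitor model: the OS as a guard between users and shared files (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

RIGHTS = {"read", "append", "update"}


@dataclass
class FileGuard:
    acl: Dict[str, Dict[str, Set[str]]]   # file -> user class -> rights; anything unlisted is denied
    membership: Dict[str, str]            # user -> class
    locks: Dict[str, str] = field(default_factory=dict)           # file -> user holding the update lock
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def check(self, user: str, file: str, right: str) -> bool:
        """Mediate one access: resolve the user's class, look the right up on the object, log it."""
        if right not in RIGHTS:
            raise ValueError(f"unknown right {right!r}")
        cls = self.membership.get(user, "nobody")     # unknown users belong to no class
        allowed = right in self.acl.get(file, {}).get(cls, set())
        self.audit.append((user, file, right, "allow" if allowed else "deny"))
        return allowed

    def begin_update(self, user: str, file: str) -> bool:
        """An update needs the right and the lock; a second updater is refused until release."""
        if not self.check(user, file, "update"):
            return False
        holder = self.locks.get(file)
        if holder not in (None, user):
            self.audit.append((user, file, "update", f"deny: locked by {holder}"))
            return False
        self.locks[file] = user
        return True

    def end_update(self, user: str, file: str) -> None:
        """Only the holder can release the lock."""
        if self.locks.get(file) == user:
            del self.locks[file]


def make_guard() -> FileGuard:
    """Constructed policy: two owners may update payroll.db, staff may only read and append."""
    return FileGuard(
        acl={"payroll.db": {"owner": {"read", "append", "update"}, "staff": {"read", "append"}}},
        membership={"alice": "owner", "bob": "owner", "carol": "staff"},
    )


def scenario() -> List[str]:
    """Walk through the cases a guard must get right; returns the decisions in order."""
    g = make_guard()
    out = [f"alice update: {g.begin_update('alice', 'payroll.db')}",               # True
           f"bob update while locked: {g.begin_update('bob', 'payroll.db')}",     # False: alice holds the lock
           f"carol read: {g.check('carol', 'payroll.db', 'read')}",              # True
           f"carol update: {g.begin_update('carol', 'payroll.db')}",             # False: staff lack the right
           f"dave read: {g.check('dave', 'payroll.db', 'read')}"]                # False: unknown user
    g.end_update("alice", "payroll.db")
    out.append(f"bob update after release: {g.begin_update('bob', 'payroll.db')}")  # True
    return out


if __name__ == "__main__":
    print("\n".join(scenario()))
```

Two properties of the model matter in practice: the default is deny (a user or file missing from the tables gets nothing), and the audit list records every decision, including the refused lock, which is what an administrator needs to answer "who tried to change this file" after the fact.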
The work of Heidari states that there are five common security problems in operating systems:
(1) improper input validation;
(2) weak cryptographic algorithms;
(3) weak authentication protocols;
(4) insecure bootstrapping; and (5) mistakes in configuration.
The first four have a "technical or system-related basis, while the latter is related to organizational problems or management." (Heidari, nd) All five must therefore be guarded against by the network administrator and the IT department.
(V) Database Security
At the server level, the system administrator's largest concern is security, because this is where all the action takes place. Microsoft SQL Server 2005 provides effective support for several types of data encryption using symmetric and asymmetric keys along with digital certificates. Moreover, the encryption keys are managed by the system; since key management is by far the hardest part of using encryption, this is a considerable benefit.
The encryption key hierarchy is shown in Figure 1. The database administrator manages the service master key at the server level and the database master key at the database level. Each lower key in the hierarchy is protected by its immediate parent, and this holds all the way up the hierarchy. The one exception is a symmetric key or certificate protected by a password; this is the mechanism SQL Server provides for users to manage their own keys and take responsibility for keeping them secret.
Figure 1
Encryption Key Hierarchy
Source: Kieley, Walters and Magrani, (2007)
In Microsoft SQL Server the service master key is the single key at the root of all other keys and SQL Server certificates. It is a symmetric key that is generated automatically when SQL Server is installed. SQL Server manages the master key, and maintenance tasks such as backing up the key to a file, regenerating the key, and restoring the key from a file can be performed.
Because the key could become corrupted, the administrator should back up the service master key. Once the database master key has been created (and likewise backed up), developers can use it to create any of the following three key types, depending on the encryption required:
(1) Asymmetric keys, used for public key cryptography with a public and private key pair;
(2) Symmetric keys, used for shared secrets where the same key both encrypts and decrypts data; and (3) Certificates, essentially wrappers for a public key. (Kieley, Walters and Magrani, 2007)
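The key hierarchy above (service master key protecting the database master key, which protects the keys that protect data, with a password-protected path as the one exception) can be modelled in a few dozen lines. The following is an added example in Python, not SQL Server's code and not T-SQL. To keep it dependency-free, the wrapping cipher is an HMAC-SHA256 keystream with an HMAC tag; it stands in for the AES/3DES SQL Server uses and is not a vetted cipher for production data. The PBKDF2 salt and iteration count are assumptions. The point the model makes is that regenerating the service master key only re-wraps the database master key: the data key and the encrypted data are untouched, and the old root key can no longer open anything.

```python
"""Model of the SQL Server key hierarchy: service master key -> database master key -> data key
(added example; HMAC-based wrapping stands in for SQL Server's AES/3DES)."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000
PBKDF2_SALT = b"dmk-salt"   # constructed; a real system stores a random per-key salt


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Protect `secret` under the parent key `kek` (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover a secret; fails closed on the wrong parent key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong parent key or tampered key blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def _password_key(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PBKDF2_SALT, PBKDF2_ROUNDS)


class KeyHierarchy:
    def __init__(self) -> None:
        # Root of the hierarchy, created "at install"; the only key no parent protects.
        self.service_master_key = os.urandom(32)
        self.dmk_by_smk: Optional[bytes] = None       # database master key wrapped by the SMK
        self.dmk_by_password: Optional[bytes] = None  # the password-protected exception
        self.data_key_by_dmk: Optional[bytes] = None  # symmetric data key wrapped by the DMK

    def create_database_master_key(self, password: str) -> None:
        dmk = os.urandom(32)
        self.dmk_by_smk = wrap(self.service_master_key, dmk)       # automatic path
        self.dmk_by_password = wrap(_password_key(password), dmk)  # user-managed path
        self.data_key_by_dmk = wrap(dmk, os.urandom(32))

    def _data_key(self, password: Optional[str] = None) -> bytes:
        """Walk down the hierarchy: each key is opened with its immediate parent."""
        if password is None:
            dmk = unwrap(self.service_master_key, self.dmk_by_smk)
        else:
            dmk = unwrap(_password_key(password), self.dmk_by_password)
        return unwrap(dmk, self.data_key_by_dmk)

    def encrypt(self, plaintext: bytes) -> bytes:
        return wrap(self._data_key(), plaintext)

    def decrypt(self, ciphertext: bytes, password: Optional[str] = None) -> bytes:
        return unwrap(self._data_key(password), ciphertext)

    def regenerate_service_master_key(self) -> None:
        """Rotate the root: only the DMK is re-wrapped; the data key and the data stay as they are."""
        dmk = unwrap(self.service_master_key, self.dmk_by_smk)
        self.service_master_key = os.urandom(32)
        self.dmk_by_smk = wrap(self.service_master_key, dmk)


if __name__ == "__main__":
    h = KeyHierarchy()
    h.create_database_master_key("correct horse battery")
    ct = h.encrypt(b"4111 1111 1111 1111")
    h.regenerate_service_master_key()
    print(h.decrypt(ct), h.decrypt(ct, password="correct horse battery"))
```

The model also shows why the text insists on backing up the service master key: if the root is lost or corrupted and no backup exists, `dmk_by_smk` cannot be opened and the only remaining route to the data is the password-protected copy, which exists only if the database master key was given a password and someone still knows it.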
Encryption is an effective way to add an extra layer of defense to the company's data, but because it imposes a significant processing load on the server, the company should use it only to the extent required. Proven standard algorithms will be used, such as DES, Blowfish, RSA, RC5 and IDEA; these are representative of the ciphers used by approved applications. Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA for key exchange and authentication. Symmetric cryptosystem keys must be at least 56 bits long; note that 56-bit DES has been brute-forced publicly since 1998, so this figure should be treated as an absolute floor for legacy systems, with 128-bit symmetric keys (for example AES-128) as the practical minimum for new deployments. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Key lengths will be reviewed annually and upgraded in line with new technology.
(VI) Corporate Contingency of Operation
Contingency planning addresses system backups, the procedures to restore the system, the location of the system backups, and planning for continuity of operations. According to Swanson (1998) in "Guide for Developing Security Plans for Information Technology Systems", the contingency plan should include the following elements:
(1) Any agreements for backup processing (e.g., hot site contract with a commercial service provider);
(2) Documented backup procedures including frequency (daily, weekly, monthly) and scope (full backup, incremental backup, and differential backup);
(3) Location of stored backups (off-site or on-site);
(4) Generations of backups kept; and (5) Coverage of backup procedures, e.g., what is being backed up. (p.51)
Therefore, using these guidelines the company's contingency plans are as follows:
(1) Backups -- Backups will be run daily at the end of each day by the Information Technology Security manager. Daily backups will be incremental, with a full backup once per week on the same day each week. A monthly backup will also be taken on the last business day of each month.
(2) Location of stored backups: Stored backups will be kept in two locations: (a) one backup will be kept on-site in the company fireproof safe; and (b) one backup will be kept off-site in a location to be chosen by the company CEO.
(3) Generations of backups kept -- backups will be retained for a period of three years.
(4) Coverage of Backup procedures -- all company records will be included in the backup process.
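The schedule above (daily incremental, weekly full, monthly backup on the last business day, three-year retention) determines which media must be present before a restore can succeed. The following is an added example in Python, written for this document rather than taken from the paper or any backup product. It assumes Friday as the weekly full-backup day (the policy fixes a weekday but does not name it) and treats the monthly backup as a full backup; both are assumptions marked in the code. Given a target date it returns the restore chain: the most recent full backup plus every incremental taken since, oldest first.

```python
"""Backup schedule and restore-chain calculation for the contingency policy (added example)."""
import datetime as dt
from typing import List, Tuple

WEEKLY_FULL_WEEKDAY = 4                     # assumption: Friday (Monday == 0)
RETENTION = dt.timedelta(days=3 * 365)      # "kept for three years"; leap days ignored


def last_business_day(year: int, month: int) -> dt.date:
    """Last weekday of the month (public holidays are not modelled)."""
    first_of_next = dt.date(year + (month == 12), month % 12 + 1, 1)
    day = first_of_next - dt.timedelta(days=1)
    while day.weekday() >= 5:               # step back over Saturday and Sunday
        day -= dt.timedelta(days=1)
    return day


def backup_kind(day: dt.date) -> str:
    """Which backup the policy takes at the end of `day`."""
    if day == last_business_day(day.year, day.month):
        return "monthly-full"               # assumption: the monthly backup is a full backup
    if day.weekday() == WEEKLY_FULL_WEEKDAY:
        return "weekly-full"
    return "incremental"


def restore_chain(target: dt.date) -> List[Tuple[dt.date, str]]:
    """Media needed, oldest first, to rebuild the system as of the end of `target`.
    Every incremental since the last full is required; losing any one breaks the chain,
    which is why the policy keeps an on-site and an off-site copy of each."""
    chain = []
    day = target
    while True:
        kind = backup_kind(day)
        chain.append((day, kind))
        if kind.endswith("full"):
            break
        day -= dt.timedelta(days=1)
    return chain[::-1]


def is_expired(backup_day: dt.date, today: dt.date) -> bool:
    """True once a backup falls outside the three-year retention window."""
    return today - backup_day > RETENTION


if __name__ == "__main__":
    for day, kind in restore_chain(dt.date(2012, 5, 2)):
        print(day, kind)
```

For a restore to Wednesday 2 May 2012 the chain is the monthly full taken on Monday 30 April (the last business day of April) followed by the incrementals of 1 and 2 May; a restore to Friday 4 May needs only that day's weekly full. The longest possible chain under this schedule is a full plus six incrementals, and a practitioner would test the restore of a full chain, not just a single full backup, during the disaster-response testing in the timeline.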
(VII) Corporate Disaster Recovery Plan
The company disaster recovery plan sets out the specific procedures to be enacted in the event of a disaster, including identification of "primary and alternate team members and their duties as well as executive management roles, notification procedures and alternate meeting site locations and work around processes to keep the function operational while damaged resources are being restored." (Swanson, 1998, p.51) The plan includes: (1) identification of the major risks of business interruption; (2) a plan to mitigate or reduce the impact of the risks identified; and (3) training of employees and testing of the plan to ensure its effectiveness. (Swanson, 1998, p.51)
Business interruption may have internal or external causes. The CPM and Strohl Survey (2002) reported that approximately 50% "of the responding continuity planning professionals were most concerned with accidental failures (i.e. internal causes and power outages, equipment failures, software errors and operational errors)." (Cerullo and Cerullo, 2004, p.73) The second most cited threat was natural disasters, including earthquakes, floods and hurricanes. Third, at 21%, were externally caused disasters such as hackers, terrorism and acts of war. (Cerullo and Cerullo, 2004, paraphrased) The Business Continuity Benchmark survey published by CPM/KPMG in 2002 documents multiple causes of business interruption: over four years, its 624 respondents cited interruptions "due to both internal and external causes: human errors, power outage, service provider failure, communications failure, natural disasters, facilities move, hardware failure and software failure." (Cerullo and Cerullo, 2004, p.73) Internal attacks on systems are often overlooked or underemphasized: only 41% of the companies in the Ernst and Young Survey 2002 were concerned about the possibility of internal attacks, "despite overwhelming evidence of the high number of these attacks." (Cerullo and Cerullo, 2004, p.73) The following chart shows the business interruption risks identified in the Business Continuity Benchmark Survey published by Witter Publishing Corporation (2002).
Figure 1 - Business Interruption risk -- Business Continuity Benchmark Survey (2002)
Source: Cerullo and Cerullo (2004)
The following chart shows the causes for unavailability of critical business systems reported by Ernst and Young, Global Information Security Survey (2002).
Figure 2 -- Causes for Unavailability of Critical Business Systems
Source: Cerullo and Cerullo (2004)
With these factors in mind, the company's disaster recovery plan focuses on hardware failure and on attacks, both internal and external. Should the company lose power, an emergency backup generator will supply the electricity needed for all information systems operations. The company's backup specifications are designed to limit the damage from external and internal attacks on the company's information technology systems.
Training of employees on necessary backup processes and testing of the Information Technology Security system is included in disaster recovery planning. This training should be initiated and implemented by the Information Technology Security manager.
(VIII) Team Members and Roles of Each
The following list comprises the team members and the roles of each team member in the business continuity and disaster planning initiative:
(1) Information Technology Security Manager -- Training and education of employees on proper controls and standards for backup operations and procedures.
(2) Information Technology Security Team Members -- Ensure that all hardware and software security is up-to-date with the latest technological standards and system updates.
(3) Department and Divisional Managers -- Ensure that all employees are assigned a password and are trained in the use of the company's information technology security standards and protocols.
(4) CEO -- responsible for securing and storing off-site backup of organization's business records.
Disaster Recovery Planning roles and responsibilities should include the following:
(1) IT Disaster Recovery Planning manager -- Responsible for management and direction of Information Technology Disaster Recovery Planning. Primary activities include the following:
(a) coordinate stakeholder participation in DR planning and work with IAOs to prioritize critical business processes;
(b) manage Disaster Recovery program resources;
(c) define the principles, policies and procedures necessary to support or reconstitute essential business functions after a catastrophic event;
(d) develop programs of business impact assessment, compliance, training, testing and exercising, technical assessment and plan development;
(e) implement DR policies through DR arrangements such as regular data backups, secure data archival, backup restoration, secure on- and off-site storage of backup media, and provision of alternative IT processing facilities, networks etc.;
(f) evaluate the overall IT DRP program and state of readiness of IT in relation to BRP and broader CP requirements. (Hinson and Kowalski, 2008, p.41)
Competencies for these individuals include the following stated competencies:
(1) Expert knowledge of Information Technology Disaster Recovery Planning;
(2) Detailed knowledge of the IT systems, networks and applications supporting critical business processes;
(3) Detailed knowledge of project management;
(4) Working knowledge of CP, BCP and BRP;
(5) Working knowledge of the organization's critical business processes;
(6) Working knowledge of certification and accreditation processes [in situations where IT DR plans have to be independently assessed and certified against enterprise-wide criteria and, in some cases, legal/regulatory obligations];
(7) Working knowledge of procurement policies and practices;
(8) Able to contribute proactively to Business Impact Analysis (BIA);
(9) Able to communicate calmly, effectively and authoritatively, including in a crisis. (Hinson and Kowalski, 2008, p.42)
(IX) Timeline with Goal Description
The following timeline has been set for the Information Technology Systems from acquisition to rollout.
Acquisition of Information Technology Hardware/Software and Systems: 6 weeks
Training and Education of Employees: 6 weeks
Formulation of Teams and Responsibilities: 2 weeks
Implementation and Testing: 4 weeks
Disaster Response Testing: 2 weeks
Business Continuity Testing: 2 weeks
Rollout: 2 weeks
Total time to system up and running: 24 weeks
It is reported that while a computer security plan may be developed at any point in a system's life cycle, the recommended approach is to draw up the plan at the start of the life cycle. It is acknowledged that in some instances "the system may at any one time be in several phases of the life cycle." ( ) The example given is "…a large human resources system may be in the operation/maintenance phase, while the older, batch-oriented, input sub-system is being replaced by a new, distributed, interactive user interface. In this case, the life cycle phases for the system are the disposal phase (data and equipment) related to the retirement of the batch-oriented transaction system, the initiation and acquisition phase associated with the replacement interactive input system, and the operations/maintenance phase for the balance of the system."
Each phase of the lifecycle is listed below:
(1) Initiation Phase
During this phase the need for a system is recognized and its purpose documented. A sensitivity assessment is conducted that considers the sensitivity of both the information to be processed and the system itself.
(2) Development Acquisition Phase
The system is designed, purchased, developed, programmed or constructed. Security requirements are developed at the same time as the system requirements. System requirements include not only technical features but also access controls and operational practices, including awareness and training. Questions addressed in this phase include: (a) During the system design, were security requirements identified? (b) Were the appropriate security controls with associated evaluation and test procedures developed before the procurement action? (c) Did the solicitation documents (e.g., Request for Proposals) include security requirements and evaluation/test procedures? (d) Did the requirements permit updating security requirements as new threats/vulnerabilities are identified and as new technologies are implemented? (e) If this is a purchased commercial application or the application contains commercial, off-the-shelf components, were security requirements identified and included in the acquisition specifications?
(3) The Implementation Phase
This phase involves the configuration of the systems' security features and testing of the system. A design review and systems test should be performed prior to placing the system in operation to make sure that security specifications are met. Additionally, if the application or support system has new controls added, additional acceptance tests of those new controls are required. This makes sure that new controls meet security specifications and to ensure they do not conflict with existing controls or invalidate those controls. There should be full documentation of the design reviews and testing of the system. This documentation is to be maintained in the company's official records.
(4) Operation/Maintenance Phase
This phase covers the system's productive work and includes ongoing modification as hardware and software are added. It comprises the following:
(a) Security Operations and Administration. Operation of a system involves many security activities. Performing backups, holding training classes, managing cryptographic keys, keeping up with user administration and access privileges, and updating security software are some examples.
(b) Operational Assurance. Operational assurance examines whether a system is operated according to its current security requirements. This includes both the actions of people who operate or use the system and the functioning of technical controls. A management official must authorize in writing the use of the system based on implementation of its security plan.
(c) Audits and Monitoring. To maintain operational assurance, organizations use two basic methods: system audits and monitoring. These terms are used loosely within the computer security community and often overlap. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more "real-time" an activity is, the more it falls into the category of monitoring. (Kiely, 2005)
(5) Disposal Phase
This phase covers the disposition of hardware, software and information, as follows:
(a) Information. Information may be moved to another system, archived, discarded, or destroyed. When archiving information, consider the method for retrieving it in the future: while electronic information is generally easier to retrieve and store, the technology used to create the records may not be readily available later. Measures may also have to be taken for the future use of data that has been encrypted, such as ensuring the secure long-term storage of the cryptographic keys. Legal requirements for records retention must be considered when disposing of IT systems.
(b) Media Sanitization. The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering it unrecoverable even against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
(X) Data Schema
MySQL Workbench has been chosen for the company's database design. The following illustration is an example of how MySQL Workbench can be used by the company to organize various business operations. MySQL Workbench is a visual database design tool that integrates "SQL development, administration, database design, creation and maintenance into a single development environment." (Database Journal, 2012, p.1) MySQL Workbench is reported as the "…successor to DBDesigner 4 from fabFORCE.net and replaces the MySQL GUI Tools Bundle. The current version is 5.2, the earliest version being 5.0, which emphasized the fact that MySQL Workbench was developed as the successor to DBDesigner4." (Database Journal, 2012, p.1)
Figure 3 - Screenshot of MySQLWorkbench
(XI) Graphical Interface Design
Navicat for SQL Server is a professional database administration and development application designed for use with Microsoft SQL Server. Navicat is reported to work with SQL Server 2000, 2005 and 2008 R2 and to support most of the latest features, including triggers, functions, views and others. Its features address the needs of professional developers while remaining easy enough for users new to SQL Server to learn. Through its well-designed graphical user interface (GUI), Navicat for SQL Server lets the developer create, organize, access and share information securely and easily, making SQL Server administration quick and straightforward. Key features of Navicat for SQL Server include the following: