
CS 651 Computer Systems Security - Individual Project

Information Systems Security (ISS) Governance Committee

Saurav Vaidya

Jan 27, 2016

Table of Contents

Executive Overview

Statement of Work
Document Control
Security Governance
Security Domains
Layers of security

Executive Overview
In today’s world, security is one of the most important quality attributes of any system.
A system may be user friendly, performant and reliable, but if security is not embedded in it, it
lacks the most fundamental building block, and it must survive in a world where intrusions,
attacks and malware are part of everyday life.
We are the Information Systems Security (ISS) governance team assigned to protect
Mountain High School’s online learning platform, Desire to Learn (D2L). D2L is used by the
entire student body of about 4400 students. The ISS governance shall protect the assets that
make up D2L: the school’s web portal and its database. They contain all student records,
including Personally Identifiable Information (PII), class information, grade reports, archived
student records, credit card information, faculty information, etc. These are system-critical data
that cannot be allowed to be compromised, and to keep the school online and education
available 24/7 these assets need to be protected. The ISS governance team shall primarily
focus on the 10 Common Body of Knowledge security domains. Covering these 10 domains will
ensure that we address the confidentiality, integrity and availability of the system. The ISS
governance shall also implement 8 layers of security so that we become capable of identifying,
assessing and blocking modern cyber threats. The security governance will be enforced and
implemented by the ISS team, which includes a panel of network security experts, database
architects, web security professionals and the Lead Security Technical Officer, who heads the
effort. School-wide training, including faculty and students, will be provided to ensure that
everyone is aware of the risks and of common ways to protect themselves and their data. Some
key areas where the ISS governance shall pay special attention are access control
(authentication and authorization), Virtual Private Networks (VPNs), firewalls, antivirus and
backups.

Statement of Work

Document Control
The ISS governance team shall maintain the policies and procedures set forth. They will be
responsible for governing the process end to end and for foreseeing any security issues that
may arise. The IT department, which comprises Network Security Engineers, Database
Architects, System Administrators, Network Technicians, the Lead Security Technical Officer,
Project Managers and Team Managers, will be responsible for implementing the policy and
architecture as soon as the policy goes into effect. The ISS governance team will also revise
the policies and infrastructure as the need arises. In this rapidly changing industry it would not
be a surprise if things need to shift fairly often.

Background: The ISS governance team has been assigned to better protect the school’s
assets and to provide students a new and improved learning platform. There have been multiple
occasions on which the school has reported the portal being down and students being unable to
submit their assignments. Tracking these incident reports has shown us that more than a
handful of the cases are linked to attacks and hacks from external sources. The DBA team has
also reported database backups being leaked and other database inconsistencies. The ISS
governance team plans to eliminate all Severity 1, 2 and 3 security vulnerabilities on the web
portal and to provide a more secure infrastructure for the database.

Scope: ISS governance shall address IS confidentiality, IS integrity and IS availability. It will
cover the following listed domains:
● Access Control
● Telecommunication and Network Security
● Information Security Governance and Risk Management
● Software Development Security
● Cryptography
● Security Architecture and Design
● Security Operations
● Business Continuity and Disaster Recovery Planning
● Legal, Regulations, Investigation and Compliance
● Physical Security

It will also cover the following layers of security:

● Virtual Private Network
● Firewalls
● Demilitarized zones (DMZ)
● Account Management
● Patch Management
● Virus Scanners

Design and Implementation Schedule:

Table below showing the design schedule:

| Who | What                | Date    |
| --- | ------------------- | ------- |
| ISS | Executive Overview  | 2/3/16  |
| ISS | Statement of Work   | 2/24/16 |
| ISS | Security Governance |         |
| ISS | Presentation        | N/A     |

Table below showing the implementation schedule:

| Who     | What                                                                                          | Date |
| ------- | --------------------------------------------------------------------------------------------- | ---- |
| IT Dept | Security Architecture and Design; Security Operations; Legal, Regulations, Investigation and Compliance |      |
| IT Dept | Telecommunication and Network Security; Virtual Private Network; Firewalls; Demilitarized zones |      |
| IT Dept | Information Security Governance and Risk Management; Patch Management                         |      |
| IT Dept | Software Development Security and Cryptography                                                |      |
| IT Dept | Access Control; Account Management                                                            |      |
| IT Dept | Business Continuity and Disaster Recovery Planning                                            |      |
| IT Dept | Physical Security; Virus Scanners                                                             |      |

Issue tracking and resolution: The ISS governance shall enforce policies and procedures to
track and resolve issues that come up. The guideline is as follows:
1. The issue will be documented by the individual who found it, as soon as the issue is
verified and all relevant information has been gathered.
2. The ISS governance team will then create an investigation team as soon as the issue is
logged.
3. That team will start investigating the issue. The team may need to reach out to the
respective professionals to gather more domain-specific knowledge.
4. The ISS team will then list solutions.
5. The ISS team will then work to get approvals for the proposed solutions.

Training: The ISS governance training module shall train the management, staff and the IT
department. Different training sessions will be held for different audiences. The training would
cover the following topics.

● Access Control
● Telecommunication and Network Security
● Information Security Governance and Risk Management
● Software Development Security
● Cryptography
● Security Architecture and Design
● Security Operations
● Business Continuity and Disaster Recovery Planning
● Legal, Regulations, Investigation and Compliance
● Physical Security
● Virtual Private Network
● Firewalls
● Demilitarized zones (DMZ)
● Account Management
● Patch Management
● Virus Scanners

These topics are important because they are meant to generate awareness and bring about
behavioral change among people. This will enable us to deliver a world-class D2L experience to
all users. The training will consist of conferences, hands-on training and online exercises.

Sustainment: A life cycle sustainment plan (LCSP) will be developed to study the feasibility of
the ISS Governance and to map its success. This tool will be continually used and updated
throughout the life cycle of the system. The Product Support Manager will collaborate with
functional area experts to ensure that the LCSP and any other strategy documents are on the
same page. They will also be responsible for identifying sustainment requirements, ensuring
that sustainment performance meets the metrics, and meeting the planned evaluation
timeframe and objective.

Features:
● Virtual Private Network: A secure tunnel that uses encryption and tunnelling protocols to
transfer data.
● Firewalls: Software or a hardware appliance that restricts access from one network to
another.
● Demilitarized zones (DMZ): A network segment located between the protected and the
unprotected network. It usually holds the web, mail and DNS servers.
● Secure Architecture: A security design that addresses risk assessment, implementation
and monitoring.
● Account Management: Management of account credentials and authorization.
● Rule-based Access Control: Permissions and firewall decisions based on a pre-defined set
of rules.
● Patch Management: The strategy that determines how patches or fixes to software or
technology are managed.
● Virus Scanners: Software that scans for viruses.
● Identification: A user claiming to be someone, e.g. by showing an ID or entering a
username and password.
● Authentication: The process of verifying the user based on the information provided.
● Authorization: Using preset criteria to determine whether the user has permission to
make changes to objects.
● Accountability: Monitoring and logging all activities.

Glossary:
● Issue Log: A collection of closed and open issues.
● Project Manager Role: Project manager’s responsibility of planning, executing and
monitoring the project’s scope.
● Assistant Project Manager Role: Assist the project manager.
● Project Team Responsibilities: To perform the given set of tasks.

Signature and Approvals:

Security Governance
ISS Governance talking points:
How does your ISS governance section address confidentiality, integrity, availability and
non-repudiation?
Why is your ISS gov section protecting the asset?
How does your gov section identify or address modern cyber threats?
Base all gov sections on your knowledge of threats.
Who or what is impacted by your section of governance?
Why is the domain (the one you are writing about) important?
Who cares about the domain?

Begin sentences with:
Assigned personnel shall…
Authorized personnel shall…

Security Domains
● Information Security Governance and Risk Management

Availability, integrity and confidentiality are the building blocks of security that every
architecture must implement. Authorized personnel shall ensure that we have load balancing
capabilities and that web servers are located in off-site data centers. Data center operators shall
make sure the data is backed up every night, that the facility has a backup power supply and
that it has roll-back capabilities. Database architects and database administrators shall
hand-pick the database that best fits the environment. The database shall provide, but not be
limited to, elastic scalability and performance, data distribution, client-to-node encryption,
authentication configuration for internal users, fail-over detection and roll-back functions.
Authorized personnel shall implement layers of security comprising virus scanners, access
control, demilitarized zones (DMZ), firewalls and virtual private networks (VPN) to better protect
the asset. All systems are susceptible to threats, and understanding the risk associated with
each threat helps us prepare for it. The risk management team must be aware of the risks
associated with physical damage, human interaction, equipment malfunction, attacks, and
misuse or loss of data. Authorized personnel shall identify assets and assign values to them,
along with identifying vulnerabilities and threats. Authorized personnel shall use risk analysis
tools to work more efficiently and to estimate future expected losses. The project manager shall
perform job rotation so that more than one person shares the same knowledge; this also helps
identify fraudulent activity. All confidential and private data must be protected by a minimum of
4 layers of security, and any sensitive data by at least 2 layers of security. The project lead shall
publish the security policy, procedures and standards where they are accessible to all team
members and shall ensure everyone is aware of them. Mandatory company-wide security
training will be carried out twice a year, and certification programs will be available year-round.
Members will receive training based on their area of work, and the topics will cover the 10
domains and 6 layers of security.

● Access Control

Access control is the first line of defense for any given system. The four pillars of access control
are identification, authentication, authorization and accountability. The Lead Security Technical
Officer shall form Team X, whose responsibility will be to manage access control. A centralized
access control system using the Role-Based Access Control (RBAC) model will be adopted.
Team X shall be responsible for administrative, physical and technical controls. All
authorization-related activities will be handled and monitored by the team. No transaction or
connection will be considered authenticated and authorized until the services run by this team
verify it. The web servers in place will make use of Web Access Management (WAM) software,
which in turn talks to a policy server to authenticate and authorize the user. The team shall use
OpenID Connect 1.0 as its authorization scheme and OAuth 2.0 for third-party login services
from websites such as Google, Facebook or Microsoft.
Password management policies will be strictly enforced for all staff, faculty and
students. Authorized personnel shall enforce a 120-day password validity period for all students
and faculty and a 60-day validity period for all of the IT department. This gives an attacker only
a limited window of opportunity to crack a password. All passwords will also have to meet the
following minimum strength requirements:
1. The password must be at least 8 characters long.
2. The password must contain a number and a capital letter.
3. The password must not use your username.
4. The password must contain at least one special character such as !, @, $, % etc.
The maximum number of logon attempts will be 5. Any attempt after that will lock the account,
and an administrator will be required to unlock it. Authorized personnel shall implement a
self-service password reset feature on all applications. Passwords will also be hashed with the
MD5 algorithm during transmission.
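As an added example (not part of the original governance document), the Python below applies the four password rules and the five-attempt lockout stated above; the special-character set beyond !, @, $ and %, and the reading of rule 3 as "the username must not appear inside the password", are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Characters accepted as "special"; the page names !, @, $, % "etc.", so the
# remainder of this set is an assumption of this example.
SPECIALS = set("!@$%#&*?-_")
MAX_FAILED_ATTEMPTS = 5  # lockout threshold stated in the policy


def password_violations(password: str, username: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < 8:                         # rule 1
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):         # rule 2, part one
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):         # rule 2, part two
        problems.append("no capital letter")
    # Rule 3 is read here as "the username must not appear inside the password",
    # compared case-insensitively (an interpretation, not stated on the page).
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if not any(c in SPECIALS for c in password):  # rule 4
        problems.append("no special character")
    return problems


@dataclass
class Account:
    """Minimal logon-attempt state for one user (constructed for this example)."""
    username: str
    failed_attempts: int = 0
    locked: bool = False

    def record_login(self, success: bool) -> str:
        """Apply one logon attempt and return 'ok', 'failed' or 'locked'."""
        if self.locked:
            return "locked"                 # stays locked until an administrator acts
        if success:
            self.failed_attempts = 0        # a good logon clears the failure counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True              # fifth consecutive failure locks the account
            return "locked"
        return "failed"

    def admin_unlock(self) -> None:
        """The administrator action the policy requires to reopen a locked account."""
        self.failed_attempts = 0
        self.locked = False
```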
Authorized personnel shall ensure constrained user interfaces are applied on all
applications, which prevents users from accessing unauthorized content. Similarly, database
administrators shall apply database views to restrict access to data. Authorized personnel shall
ensure all remote users use the VPN server for their connection. The VPN server is connected
to the TACACS+ server, which provides authentication, authorization and auditing
capabilities. Since TACACS+ encrypts all the data being transmitted, these exchanges are not
vulnerable. Authorized personnel shall ensure that auditing and logging cover system-level,
application-level and user-level events. This gives detailed insight into logon information,
devices, security violations, error events, commands executed, etc. Authorized personnel shall
review the audited information whenever a need arises, or at least on a yearly basis. The audit
logs must be protected using digital signatures.

● Telecommunication and Network Security
● Software Development Security
● Cryptography
● Security Architecture and Design
● Security Operations
● Business Continuity and Disaster Recovery Planning
● Legal, Regulations, Investigation and Compliance
● Physical Security

Layers of security

● Virtual Private Network
● Firewalls
● Demilitarized zones (DMZ)
● Account Management
● Patch Management
● Virus Scanners

The Payment Card Industry Data Security Standard (PCI DSS) is an information security
standard for facilities that handle branded credit cards from the major card schemes.

Personal privacy protection:

End users are responsible for their own privacy. Authorized personnel shall encourage every
end user to protect their systems with simple measures such as firewalls and antivirus, and to
protect personal information such as credit card numbers and social security numbers, so that
they do not suffer from such problems.

Liability and its ramifications:

Liability basically means the state of being responsible for something. Authorized personnel
shall therefore know the organization’s responsibilities regarding its security. In some
circumstances an organization could be held liable for negligence, such as in matters of
personal information, hacker intrusion and third-party risk.

Investigation:
As computer crimes are increasing, investigation procedures must be put in place. Authorized
personnel shall investigate any such issue that takes place in their organization.
Investigation basically includes:
-Incident management, which includes being proactive and reactive
-Incident response procedures, which include triage, investigation, containment, analysis,
tracking and recovery
-Computer forensics and gathering information for the investigation

An investigator can perform network analysis, media analysis, software analysis and hardware
device analysis.

The forensic investigation process includes identification, preservation, collection, examination,
analysis, presentation and decision.

Some of the attack types that authorized personnel shall know about are:

Salami attack, in which attackers perform many minute attacks such that the large overall
attack goes unnoticed.

Data diddling attack, in which existing data is altered.

Password sniffing attack, in which network traffic is sniffed in the hope of obtaining
passwords being sent between computers.

IP spoofing attack, in which an attacker changes their IP address so that they are not caught.

Dumpster diving attack, in which an attacker goes through the trash to find confidential data.

Wiretapping attack, in which an attacker listens in on a conversation.

Source: http://resources.infosecinstitute.com/cissp-domain-legal-regulations-investigations-and-compliance/#article
Ethics:
Computer ethics is basically the branch of philosophy that focuses on decisions about
professional and social conduct. There are rules of computer ethics that authorized personnel
shall be aware of and shall spread awareness of among the members of the organization, so
that no member falls into crime. Basically, the rules say that an individual:
-Shall not use a computer to harm others.
-Shall not interfere with other people’s computer work.
-Shall not snoop in other people’s computer files.
-Shall not steal valuable information through a computer.
-Shall not use a computer to give false testimony.
-Shall not use or make pirated copies of software.
-Shall have proper approval before using other people’s computer resources.
-Shall think about the consequences for society of the program or system one creates.
-Shall not disrespect other people through a computer.
-Shall not appropriate other people’s intellectual output.
