module 12 Network policies and procedures

Interoperability Agreement (IA).

Prior to entering into a third-party agreement, it is critical that all aspects of the relationship be agreed upon in writing.

Lighting

Proper lighting can prevent many accidents and reduce crime. Consider the following guidelines: • Implement adequate lighting in parking lots and around employee entrances. • Implement emergency lighting that runs on protected power and automatically switches on when the main power goes off.

The rules of engagement ROE

ROE defines the parameters and limits of the test

Design Process

1. Conducting a needs assessment. 2. Designing the Physical topology. 3. Designing the Logical topology. 4. Planning the network services. 5. Selecting the hardware & software. 6. Planning authentication & authorization system

Fixed

A fixed system is part of a building and typically combines fire detectors with fire suppression technology. • Fire detectors monitor rapid changes in temperature or smoke. • Fixed fire suppression systems usually use water or gas to extinguish fire. o Deluge sprinklers have open sprinklers. The pipes are dry until the fire alarm initiates the deluge valve to open and sends water to all the sprinklers. o Wet pipe sprinklers contain pressurized water that is released when initiated by a heat sensitive device. Wet pipe systems respond faster to fire threats. Be aware that a fixed system might be incapable of extinguishing a fire; in some cases it will only slow down a fire, giving you extra time to evacuate.

Policy

A policy is a document that describes the overall goals and requirements for a network. A policy identifies what should be done, but may not necessarily define how the goal is to be reached. Depending on your network, you might define policies for different areas of implementation, such as policies for: • Administrative delegation • Network documentation • Security

Disposal

After a device has been decommissioned, it needs to be disposed of properly. Several important tasks should be addressed during the disposal phase: • Ensure that any sensitive or proprietary information is thoroughly and permanently removed from the asset before disposal. • Determine whether the asset can be: o Sold as surplus to the public o Destroyed o Disposed of in the common trash o Recycled • Verify that the asset was disposed of in a responsible manner and in compliance with all local laws. For example, assets such as CRT monitors and notebook batteries must be recycled and cannot be thrown away.

Health Insurance Portability and Accountability Act (HIPAA)

defines security guidelines that enforce the privacy of medical records, including the transmission of records.

Master Service Agreement (MSA)

defines terms that will govern future agreements between two parties. The purpose of this document is to allow the parties to quickly negotiate future agreements without having to repetitively renegotiate the same terms over and over.

authorized access

documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.

comprehensive security policy

not just one document but rather a collection of documents, with each one detailing the policies for a specific area of concern.

privacy policy

outlines how the organization will secure private information for employees, clients, and customers. The privacy policy outlines how Personally Identifiable Information (PII) can be used and how it is protected from disclosure.

Disaster Recovery Plan (DRP)

A DRP identifies short-term actions that can stop the incident and restore critical functions so the organization can continue to operate. The DRP is a subset of the BCP and is the plan for IT-related recovery and continuity. A disaster recovery plan (DRP) should include: • Guidelines for restoring applications, data, hardware, communications, and other IT infrastructure in case of disaster. • Consideration of every possible failure. • Plans for converting operations to alternative sites in case of disaster. • Plans for converting back to the original site after the disaster has concluded. • Disaster recovery exercises (such as fire drills) that simulate a possible disaster.

procurement phase

defines processes that should be followed when a new asset needs to be purchased. Several questions should be answered before a new asset is bought: • Why is the asset being purchased? • What business need will it address? • Will it replace an existing asset, or is it a new implementation? • What impacts will the new asset have on the existing network and users? For example, a decommissioned server from an organization's headquarters may be redeployed at a branch office location. • How long is it expected to last before replacement is necessary? • Which vendors sell the asset? After procurement, an asset is implemented in the network during the deployment phase of its lifecycle. • What kind of support is provided by the vendor? • How much will it cost? • Where will the funds come from to pay for the device? • Who has to approve the expenditure?

security policy

defines the overall security outlook for an organization. To be effective, the security policy must be: • Planned. Effective security is the result of good planning. • Maintained. An effective security plan must be constantly evaluated and modified as needs change. • Used. The most common failure of a security policy is the lack of user awareness.

Password policies

detail the requirements for passwords for the organization. This can include the following: • The same password should never be used for different systems. • Accounts should be disabled or locked out after a specified amount of failed login attempts. • Passwords should never contain words, slang, or acronyms. • Users should be required to change their passwords within a certain time frame and to use a rotation policy. • A strong password policy should be enforced. Strong passwords: o Contain multiple character types, uppercase and lowercase letters, numbers, and symbols. o Are a minimum length of eight characters. o Use no part of a username or email address.

Interconnection Security Agreement (ISA)

documents how the information systems of each party in the relationship will be connected and how they will share data.

asset identification

establishes the organization's resources. Asset valuation determines the worth of each resource to the organization, as well as the level of protection appropriate for each asset.

countermeasure

reduces the likelihood of a successful attack. An appropriate countermeasure should: • Provide a security solution to an identified problem. • Not depend on secrecy. • Be testable and verifiable. • Provide uniform or consistent protection for all assets and users. • Be independent of other safeguards. • Require minimal human intervention. • Be tamper-proof. • Have overrides and fail-safe defaults.

Gramm-Leach-Bliley Act (GLBA)

requires all banks and financial institutions to implement the following policies: o The Financial Privacy Rule requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information. o The Safeguards Rule requires banks and financial institutions to develop a written information security plan detailing how they plan to protect electronic and paper files containing personally identifiable financial information. o The Pretexting Protection Rule requires banks and financial institutions to train their staff how to recognize social engineering exploits.

Children's Online Privacy Protection Act (COPPA

requires online services or websites designed for children under the age of 13 to: o Obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information. o Allow children's participation without the need to disclose more personal information than is reasonably necessary to participate.

Sarbanes-Oxley Act (SARBOX)

requires publicly traded companies to adhere to stringent reporting requirements and internal controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records—including email—for a specified period of time.

non-credentialed scan

the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective an attacker. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan.

physical penetration test

the tester attempts to enter a building without authorization, access servers or workstations, access wiring closets, and shut down power or other services.

electronic penetration test

the tester attempts to gain access to computer systems and the data on those systems. The following methods may be used: o System scanning o Port scanning o Network monitoring o Sniffing o Fingerprinting scans o Password cracking o Denial of Service attacks o ARP spoofing o Man-in-the-middle attacks o Session hijacking

operations penetration test

the tester attempts to gain as much information as possible using methods such as: o Dumpster diving o Over-the-shoulder reconnaissance o Active social engineering

exposure

the vulnerability of losses from a threat agent.

Qualitative analysis

uses scenarios to identify risks and responses. Qualitative risk analysis is more speculative (based on opinion) and results in relative costs or rankings.

Planning the services that will be provided by the network, such as:

• DHCP servers • DNS servers • Directory servers • File and print servers • Database servers • Web servers

fire safety

Fire safety is a critical concern. Use the following fire emergencies guidelines: • When a fire occurs, your first action should be to ensure the safety of the people within the facility. Everyone should evacuate the area immediately. Information assets and equipment are of secondary concern. • Use your facility's building plans to devise the best escape routes for each area within your organization. Post these escape plans in prominent locations. • Implement an emergency alert system within the facility to warn employees and visitors of emergencies. Regularly test the system to ensure it is working properly. • Conduct emergency drills to verify that the physical safety and security measures you have implemented function correctly. • In most cases, you should not attempt to put out a fire yourself. Fires spread rapidly and can quickly get out of control. • Never go back into a burning building to retrieve data or computer systems. Performing regular backups and storing media offsite is the best way to protect valuable data. • Inspect fire extinguishers regularly for proper pressure. Never reuse a fire extinguisher.

PII items could include:

Full Name • Address • Telephone number • Driver's license • National Identification Number • Credit card numbers • Email address Various laws govern privacy and the organization's responsibility to protect private information. A few of the higher profile laws are identified below. It is the responsibility of network professionals to become aware of and adhere to all of the laws that apply to their respective organizations.

A needs assessment determines

Why the project is being undertaken. What outcomes are expected. When it is expected to be complete.

Statement of Work (SOW)

a document used in the field of project management. An SOW defines project-specific activities, deliverables, and timelines for a vendor providing services to the client.

tangible asset

a physical item, such as a computer, storage device, or document. These items are usually purchased, and their values can easily be determined by the cost of replacing them.

intangible asset

a resource that has value and may be saleable even though it is not physical or material. Intangible assets are typically more difficult to identify and value.

Hazardous materials

Any component that presents a potential hazard ships with a Materials Safety Data Sheet (MSDS). The MSDS explains: • What you should do if you come in contact with something that is potentially dangerous to you. • The proper procedures for disposal of the equipment. For example, some equipment can simply be disposed of in the trash. However, other types of equipment must be recycled. Consult the MSDS for information on physical data, toxicity, health effects, first aid, storage, disposal, and spill procedures for hazardous chemicals. You can download the MSDS from the manufacturer's website or consult with a company representative.

Business Impact Analysis (BIA)

BIA focuses on the impact that losses will have on the organization. A BIA: • Identifies threats that can affect processes and assets. • Establishes the maximum down time (MDT) the corporation can survive without each process and asset. • Estimates tangible impacts (e.g., financial loss) and intangible impacts (e.g., loss of customer trust) on the organization.

physical hazards

Be aware of physical hazards in your work environment. • Arrange your work area to eliminate as many physical hazards as possible. • Keep work areas and floors clear of clutter to help prevent accidents. • Store your tools in a toolbox and keep it out of the way to prevent accidents. • Don't run exposed wires or cords on the floor. If you must, be sure to use gaffers tape to secure the wires to the floor. • Plan out the placement of your equipment. For example, install your racks in locations that won't require you to run cables across the floor. • Prevent back injuries by lifting with your legs, not your back. • If you're lifting very heavy pieces of equipment, be sure to wear a back brace, use a cart, or just simply ask someone for help.

Employee and visitor safety

Be sure to keep the safety of employees and visitors in mind. • Provide adequate lighting in parking lots and around employee entrances. • Implement emergency lighting that runs on protected power and automatically switches on when the main power goes off. • Install fail-open locking systems that allow employees to exit your facility quickly in the event of an emergency. • Devise escape plans that utilize the best escape routes for each area in your organization. Post these plans in prominent locations. • Conduct emergency drills to verify that the physical safety and security measures you have implemented function correctly.

fire classes and the appropriate suppressant type

Class A-Wood, paper, cloth, plastics *Water or soda acid Class B-Petroleum, oil, solvent, alcohol *CO2 or FM-200 Class C-Electrical equipment, circuits, wires *Halon or CO2 Class D-Sodium, potassium *Dry powders Class K-Oil, solvents, electrical wires *Halon, CO2, soda acid

Configuration

Configuration documentation identifies specific configuration information for a device. For example, a configuration document for a firewall might include information about the IP addresses assigned to each interface and opened firewall ports. Document the configuration so: • The device can be restored to the original configuration. • The current configuration can be compared to the desired configuration to identify any changes.

credentialed scan

the security administrator authenticates to the system prior to starting the scan. A credentialed scan usually provides more detailed information about potential vulnerabilities.

Portable

Portable systems are fire extinguishers that can be used to suppress small fires. Be aware of the following facts when using a portable fire extinguisher: • A pin is inserted in the handle of most fire extinguishers to prevent the extinguisher from accidentally being triggered. Remove the pin to use the fire extinguisher • Use the PASS method (Pull, Aim, Squeeze, and Sweep) to administer the fire suppressant. Aim toward the base of the fire. • Fire extinguishers usually have a limited effective range of 3-;8 feet. • Fires spread quickly. In most cases you will be unable to control a fire with just a portable system.

Risk assessment

Risk assessment is the practice of discerning which threats are relevant to the organization and determining the cost of such threats

residual risk

Risk that remains after reducing or transferring risk

egress

The building codes in most municipalities require that employees and visitors be able to quickly leave a building should an emergency occur. You should implement fail open locking systems that allow people to exit your facility quickly in the event of an emergency. For example: • If a mantrap is used for entry, then turnstiles should be used to permit easy exit. • Double entry doors should include crash bars on the inside. To prevent unauthorized access, alarms can be installed that sound when the doors are opened.

onboarding

When the relationship is initiated. During the onboarding phase of a relationship, consider the following issues and formulate a plan to address them: • Compare your organization's security policies and infrastructure against each partner organization's policies and infrastructure, then answer the following questions: o Are the security policies for each organization similar? o Do both organizations have similar incident response procedures? o Are the security controls used by each party similar? o Do both organizations have similar audit policies? o Are the security postures of each party compatible enough to work together, or will the integration expose vulnerabilities in one or more parties? o What are the risks associated with entering into this relationship? If significant differences in the two policies are found, it might be necessary to resolve them or reconsider the relationship altogether. • Identify how data ownership will be determined. Will ownership be determined simply by the storage location, or will ownership be determined by patent, trademark, copyright, or contract law? • Identify who will be responsible for protecting data. Who will be responsible for performing data backups? Will redundancy be used to ensure high availability? • If the data involved in the relationship contains personally identifying information, identify how privacy will be protected. • Identify how data will be shared. In most relationships, there will be only a limited subset of data that must be shared between parties. The rest of each organization's data must remain protected. How will unauthorized data sharing be prevented? If unauthorized data sharing occurs, how will it be detected?

Electrical safety

When working with electronic equipment, you need to take steps to protect yourself and others from electrocution hazards. The relatively high operating frequency of the AC power delivered to wall outlets can be enough to stop a human heart. • Replace worn or frayed power cords. • Be certain that each electrical device is properly grounded. For example, verify that the ground pin on the power plug is intact on all of the computers. • Never work on a device until you have powered it down and unplugged it from the wall outlet. • Never wear an ESD bracelet strap if the equipment it is connected to is still plugged in to an AC power source. • Avoid servicing devices that use AC power, such as monitors and computer power supplies. Treat these devices as Field Replaceable Units (FRUs). You should simply replace an entire failed unit instead of opening it and trying to make repairs.

Regulation

a requirement published by a government or other licensing body, and it must be followed. While you are not responsible for writing regulations, you are responsible for knowing which regulations apply to your organization and making sure that those regulations are understood and adhered to. Policies are often written in response to regulations.

code of ethics

a set of rules or standards that help you to act ethically in various situations. Because issues involved in various situations can be complex, the code of ethics does not prescribe actions to take for every situation. Rather, it identifies general principles of ethical behavior that can be applied to various situations. The code of ethics requires that employees associated with the security policy should: • Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior. • Not commit or be a party to any unlawful or unethical act that may negatively affect their professional reputation or the reputation of their profession. • Appropriately report activity related to the profession that they believe to be unlawful and cooperate with resulting investigations.

Baseline

a snapshot of the performance statistics of the network or devices. The baseline is used as a logical basis for future comparison. Baselines enable you to effectively monitor the performance of your system to determine when changes negatively impact performance or when systems need upgrading or replacing. It is important to measure network performance at subsequent intervals to see how your server is performing compared to the baseline.

Procedure

a step-by-step process outlining how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but it goes beyond the policy in that it identifies the specific steps that need to be implemented. The use of procedures will help you meet the goals defined in your policies and will ensure that there is consistency between the actions of multiple administrators.

Blanket Purchase Order (BPO)

an agreement with a third-party vendor to provide services on an ongoing basis. BPOs are typically negotiated to take advantage of a preset discounted pricing structure.

Decommissioning

an asset will need to be replaced because it is obsolete, worn out, or not needed anymore. Several important tasks should occur: • Determine if the asset needs to be replaced, if its functions can be reassigned to another existing asset, or if it is not needed anymore. For example, a server's hard disk needs to be wiped using disk wiping software to erase any trace of the information it used to store. • Identify whether the asset can be redeployed somewhere else in the organization. • Remove the asset from the production network. • Record the removal in the asset management database.

threat agent

an entity that may find and exploit a vulnerability, causing a threat to an asset.

Quantitative analysis

assigns real numbers to the costs of damages and countermeasures. It also assigns concrete probability percentages to risk occurrence.

Business Continuity Plan (BCP)

identifies appropriate disaster responses that allow business operations to be maintained when infrastructure and resource capabilities are restricted or reduced. This ensures that critical business functions (CBF) can be performed when operations are disrupted. Additionally, a BCP identifies actions required to restore the business to normal operation. A BCP: • Identifies and prioritizes critical functions. • Calculates recovery timeframes. • Contains plans, including resource dependencies and response options, to bring critical functions online within an established timeframe. • Specifies procedures for security of unharmed assets and for salvage of damaged assets. • Identifies BCP team members who are responsible for plan implementation. • Should be tested on a regular basis to verify that the plan still meets recovery objectives.

acceptable use

identifies the rights of employees to use company property, such as Internet access and computer equipment, for personal use.

User Management

identify actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All of these activities could result in changes to: • Network access • Equipment configuration • Software configuration Failure to properly manage users can create a security risk known as creeping privileges. Creeping privileges is a form of privilege escalation that occurs when users are promoted, or transferred to different departments, and their previous position's privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks.

asset

is a resource that has value to the organization. Assets come in many forms. • Information assets, such as files or databases that contain valuable information. • Infrastructure assets or physical devices, such as routers, firewalls, bridges, and servers. • Support services for the information services.

Wiring schematic

is a type of network diagram that focuses on the physical connections between devices. The wiring schematic typically shows: • The location of drop cables and ports within offices or cubicles. • The path that wires take between wiring closets and offices. • A labeling scheme that matches endpoints in offices and cubicles with specific switch ports or punchdown block locations.

Memorandum of Understanding (MOU)

is a very important document that provides a brief summary of which party in the relationship is responsible for performing specific tasks. In essence, the MOU specifies who is going to do what, and when.

Penetration testing

is intrusive in nature and is designed to evaluate the effectiveness of an organization's security policy, security mechanisms, and countermeasures. A penetration test: • Attempts to circumvent security controls to identify vulnerabilities. • Simulates an actual attack on the network. • Is conducted from outside the organization's security perimeter. The following steps are included in the penetration testing process: • Verifying that a threat exists • Bypassing security controls • Actively testing security controls • Exploiting vulnerabilities

Asset management

is the process of tracking and managing the lifecycle of the assets owned by an organization. An asset is any resource that has value to the organization.

Change/job logs

keeps track of changes to the configuration of a device or the network. Change documentation is often included as a part of the configuration documentation. For example, you might record a change in a device's NIC or a repair to a WAN link. Change documentation is useful for troubleshooting to identify what has been done to a device, and shows the rationale behind the changes.

vulnerability scan

looks for known vulnerabilities in your network environment. A vulnerability scanner passively searches an application, computer, or network for things such as: • Open ports • Active IP addresses • Running applications or services • Missing updates • Default user accounts that have not been disabled • Default or blank passwords • Misconfigurations • Missing security controls Many vulnerability scanners use definition files to ensure that they know how to identify the most current vulnerabilities. These definitions should be updated regularly.

USA Patriot Act

mandates organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency.

Change and Configuration Management

policy provides a structured approach to secure company assets and to make changes. Change management: • Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation. • Tracks and documents significant changes to the infrastructure. • Assesses the risk of implementing new processes, hardware, or software. • Ensures that proper testing and approval processes are followed before changes are allowed.

Network diagram

shows the logical and/or physical layout of your network. The network diagram could be a collection of diagrams showing the following information: • The location and IP addresses of hubs, switches, routers, and firewalls. • The relationship between remote locations and the WAN links that connect them. • Subnets within your network, including the subnet addresses and the routers connecting each subnet.

Service Level Agreement (SLA)

specifies exactly which services will be performed by the third party and what level of performance they guarantee. An SLA may also define how disputes will be managed, provide warranties, outline disaster recovery procedures, and specify when the agreement will be terminated.

Business continuity

the activities that are performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities. These activities are performed daily to maintain service, consistency, and recoverability

When selecting hardware and software

the design requires you to decide how many physical servers will be needed and where specific services will be hosted. You must also decide where they will be physically located on the network and what operating systems will be installed on them. There are several important things that you must do: • Arrange for access to support resources provided by hardware and software vendors. • Plan for future growth. Buy hardware that will accommodate increased capacity and demands in the future. • Verify that the hardware is compatible with operating systems, applications, and services you intend to use. • Plan for data protection: o Implement the hardware and software needed to back up network data. o Implement the hardware needed to create redundancy, such as RAID arrays, clustering, and UPS devices. • Check the system requirements of the network operating systems you plan to use and verify that they are compatible with: o Your server hardware. o The network protocols you plan to deploy. o The applications and services you want to use on your network. o The client devices that will connect to them over the network. • Allocate the space necessary in your data center for your server hardware.

risk

the likelihood of a vulnerability being exploited. Reducing the vulnerability or minimizing the threat agent reduces the risk.

threat probability

the likelihood that a particular threat will exploit a specific vulnerability of a system.

operations

the longest phase in the asset lifecycle. Use the information in the asset management database to keep track of where the asset is in its lifecycle. This helps predict when the asset will need to be replaced and how much it will cost to do so. During the operations phase, the asset will require periodic maintenance, including: • Applying updates and patches, such as installing operating system updates on a server. • Performing preventative maintenance, such as implementing an uninterruptable power supply. • Repairing problems as they occur, such as replacing a malfunctioning network interface. • Applying upgrades as they become necessary. For example, you may install a bigger hard drive in a server. • Keeping the asset management database updated any time one of these events occurs. At this point, the asset enters the decommissioning phase of its lifecycle, during which the asset is removed from the production environment.

threat vector

the path or means that an attacker uses to compromise a system. Threat vectors expose a system's vulnerabilities and are exploited by an attacker. Some common threat vectors include: • Email attachments • Web pages with embedded scripts • Browser pop-ups • Social manipulation • Poor programming practices • Unpatched operating systems and applications • Outdated security mechanisms and encryption methods • Breached physical security • Unused applications and services on a system • Enabled USB ports Due to their nature, portable storage devices pose the greatest threat to confidential data. Organizations that handle highly sensitive data should consider disabling the USB ports on all workstations.

residual risk

the portion of risk that remains after the implementation of a countermeasure. Residual risk almost always exists.

Security assessment

the process of identifying security weaknesses in a network. A security assessment can use two different types of tests: • Vulnerability scans • Penetration tests A security assessment is also referred to as a security posture assessment.

Risk management

the process of identifying vulnerabilities and threats and deciding which countermeasures to take. The main objective is to reduce the risk to a level that is deemed acceptable by the organization's senior management.

loss

the real damage to an asset that reduces its confidentiality, integrity, or availability.

The following are best practices for creating the DRP and BCP:

• Document all important decisions before the disaster strikes. When a disaster occurs, staff members simply need to follow the documented procedures. • Divide disaster response into phases: 1. Identify the disaster, ensure safety of personnel, and begin recovery procedures. 2. Implement short-term recovery mechanisms to bring the most critical business systems online (also known as mission critical systems). 3. Stabilize operations by restoring supporting departments and functions. 4. Carry out measures to restore all functions to normal. Switch back from temporary measures to normal operating procedures. • Define the testing and training of team members. Team members should include representatives from all major parts of the corporation. • Conduct regular practices and training exercises to test portions of the plan. Revise the plan and training as necessary. • As a BCP or DRP evolves over time, it is essential to collect and destroy all outdated copies of the plan as a new version is rolled out. • Assign responsibility for ongoing maintenance of the BCP and DRP.

security assessment report

• Document the tests used to perform the assessment. • Specify which systems were assessed. • Identify the risks to security that you found. • Prioritize the risks. • Formulate remediation steps.

Using an asset management process provides several important benefits

• Enables IT equipment inventory control. You know exactly what you own, how much it costs to purchase, how long you have owned it, and when it will need to be replaced. • Reduces costs. Because you know what you already have, you avoid accidentally purchasing duplicate assets. • Ensures that your organization remains in compliance with software and operating system license agreements. • Ensures that obsolete equipment is accounted for and disposed of properly after it is taken out of service. • Helps you plan IT budgets. You can estimate when assets will need to be replaced and how much they will cost.

threat identification

• External threats are events originating outside of the organization that compromise the organization's assets. Examples include hackers, fraud perpetrators, and viruses. • Internal threats are intentional or accidental acts by employees, including: o Malicious acts, such as theft, fraud, or sabotage o Actions that destroy or alter data o Disclosure of sensitive information through snooping or espionage • Natural events are events that can be expected to occur over time (e.g., a fire or a broken water pipe). • Disasters are major events that have significant impact on an organization. Disasters can disrupt production, damage assets, and/or compromise security. Examples of disasters are tornadoes, hurricanes, and floods. In addition to identifying sources of threats, consider common vulnerabilities that can be exploited: • Software, operating system, and hardware vulnerabilities • Lax physical security • Weak policies and procedures

User Education and Awareness Training

• Familiarize employees with the security policy. • Communicate standards, procedures, and baselines that apply to the employee's job. • Facilitate employee ownership and recognition of security responsibilities. • Establish reporting procedures for suspected security violations.

Human resource policies related to security might include the following:

• Hiring policies identify processes to follow before hiring. For example, the policy might specify that pre-employment screening include: o Employment, reference, and education history checks. o Drug screening. o For sensitive positions, a background investigation or credit rating check. • Termination policies and procedures identify processes to be implemented when terminating employees. For example, the termination policy might specify that: o Network access and user accounts are disabled immediately. o Employees are escorted at all times following termination. o All company property is returned. o Appropriate documents are signed. • A requirement for job rotation cross-trains individuals and rotates users between positions on a regular basis. Job rotation helps to catch irregularities that could arise when one person is unsupervised over an area of responsibility. • A requirement for mandatory vacations requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employee, and provide a passage of time where problems caused by misconduct can become evident

Assets take many forms, including:

• Information assets, such as files or databases that contain valuable information. • Infrastructure assets or physical devices, such as routers, firewalls, bridges, and servers. • Support services for the information services.

Several security tools that can are commonly used for vulnerability scanning include the following:

• Nessus is a comprehensive vulnerability assessment tool. • Microsoft Baseline Security Analyzer (MBSA) is used to evaluate security vulnerabilities in Microsoft products. • Retina Vulnerability Assessment Scanner is used to remotely scan an organization's network for vulnerabilities.

During the ongoing operations phase of the relationship, you should:

• Regularly verify compliance with the IA documents. • Conduct periodic vulnerability assessments to verify that the network interconnections created by the relationship have not exposed or created security weaknesses. • Conduct regular security audits to ensure that each party in the relationship is following the security-related aspects of the IA documents. • Communicate vulnerability assessment and security audit findings with all of the parties in the relationship to maintain risk awareness.

When the relationship with the third party ends, you need to ensure that all of the doors that were opened between organizations during the onboarding phase are closed. Consider the following: off-boarding:

• Reset or disable any VPN, firewall, router, or switch configurations that allowed access to your network from the third party network. • Disable any domain trust relationships that were established between the organizations. • Disable any user and groups accounts used by third parties to access your organization's data. • Reset any passwords used by the third party to access data or applications on your network.

The project scope defines exactly what to do, when to do it, and who will do it. Every project scope contains three elements that must be kept in balance:

• Schedule • Resources • Scale

Risk Response

• Taking measures to reduce (or mitigate) the likelihood of the threat by deploying security controls and other protections. • Transferring (or assigning) risk by purchasing insurance to protect the asset. When the incident occurs, the cost to the asset is covered by insurance. • Accepting the risk and choosing to do nothing. For example, you might decide that the cost associated with a threat is acceptable, or that the cost of protecting the asset from the threat is unacceptable. In the case of the latter, you would plan for how to recover from the threat but not implement any measures to avoid it. • Risk rejection (or denial) is choosing not to respond to a risk of any level. Risk rejection introduces the possibility of negligence and may lead to liability. • Risk deterrence is letting threat agents know of the consequences they face if they choose to attack the asset.

Deployment

• The asset is added to an asset management database. Important information about the asset is recorded, such as: o Make o Model o Serial number o Vendor o Warranty o Location o License information (if applicable) o Configuration information (e.g., its IP address) o Name of the person responsible for managing it • The asset is tested in a sandbox environment to ensure that it won't adversely affect the production network. After deployment, the asset enters the operations phase of its lifecycle, where it is used in the production environment. • The asset is configured and installed in the production environment

To define the logical topology. You need to plan:

• VLAN boundaries. • IP addressing information for each subnet. • Naming conventions that will be used for network hosts. • Protocols that will be used for WAN links. • Routing protocols that will be used. • How data will be routed between: o Networks o Wireless and wired networks o The Internet and your network • Measures that will be implemented to provide network redundancy, such as: o STP o FHRP • Security mechanisms that will be used to: o Protect wired networks, such as switch security measures and firewall ACLs. o Protect wireless networks, such as encryption mechanisms.

To design the physical topology. This involves planning:

• Where network wiring needs to be physically installed to meet the requirements identified in the needs assessment. • Where switches need to be physically located. • Which wire runs will be connected to which switch ports. • How switches will be connected to each other. • Where routers will be located and how they will be interconnected to create subnets. • Where WAN links will be implemented in the network. • Where the broadcast and collision domain boundaries will be. • Where security devices, such as firewalls and IPS devices, will be placed. • How wireless controllers will connect to the wired network. • Where access points will be physically located.

When designing the systems that will control how users will authenticate to the network and be authorized to use network resources. You should identify:

• Where user accounts will be stored: o Will they be stored on a centralized directory server, such as an Active Directory domain controller? o Will they be maintained separately on each individual network device? o Will they be maintained on an AAA system, such as a RADIUS server? • How authorization will be managed. You need to plan out how ACLs will be used to ensure that each user has access to the information they need to do their job, but no more.