Policies and Procedures for JK Air (Finished)

Security Policies and Implementation Issues


1. Acceptable Use Policy

2. Business Continuity Plan Policy – Business Impact Analysis

3. Computer Incident Response Team – Access and Authorization Policy

4. Reporting Security Incidents Policy

5. IT Security Policy

6. Remote Access Policy

7. Security Awareness & Training Policy

8. Separation of Duties Policy

9. Password Policy

10. Access Control Policy

11. Email Acceptance Policy

12. Internet Acceptable Use Policy

13. Backup Policy

14. Infrastructure Hardening Policy

15. Extranet (WAN) Security Policy

16. Summary

1. Acceptable Use Policy

Policy Statement

Internet/Intranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, web browsing, SSH, PuTTY, and FTP, are the property of JK Air. These systems are to be used for business purposes in serving the interests of the company and of our clients and customers in the course of normal operations.

Purpose/Objectives

The purpose of this policy is to outline the acceptable use of computer equipment at JK Air. These rules are in place to protect the employee and JK Air. Inappropriate use exposes JK Air to risks including virus attacks, compromise of network systems and services, and legal issues.

Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at JK Air, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by JK Air.

Standards

This policy sets forth how JK Air will comply with the Federal Information Security Management Act (FISMA), SOX, ISO 2700, and IT security best practices.

Whom This Applies To

This policy is applied to every employee, contractor, consultant, temporary, and other workers of JK Air, including all personnel affiliated with third parties.

Enforcement

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

2. Business Continuity Plan Policy – Business Impact Analysis

Purpose:

This document outlines the business continuity strategies and tactics, documents the recovery requirements for critical business applications, and governs the backup and archival processes for critical data. Implemented correctly, it ensures that the business is properly restored with data integrity preserved, and it defines the activities for returning to “normal” business processing. This Business Continuity Plan (BCP) will be updated in response to changes in the business environment. JK Air staff will review the plan on a regular basis.

Policy:

1. Department heads, in conjunction with executives, human resources, and the legal department, shall review the business continuity plan once a year to revise it and to develop the basic policy and training methods.

2. Department heads shall conduct training in business continuity activities for related parties inside and outside the company, and shall obtain their acknowledgement in writing in either the employee handbook or the contractor handbook. This policy should be adopted by a resolution of the board of directors or the department head committee. Department heads should also secure the business resources, including the necessary budget and personnel, to conduct activities in line with the basic policy. It is also necessary to secure the schedule for participation in the revision of the company's continuity plan.

3. Fire emergencies shall be handled by the ERT team in conjunction with the Security department, which will clear the building of all personnel. The exception is the building engineer team, which may remain to investigate the alarm in conjunction with security. Security must contact emergency services immediately, then contact the ERT team leaders on the SharePoint list (which is updated every Tuesday), and then contact VIPs if the emergency occurs outside business hours. During fire-related emergencies security shall lock down the exterior doors from the outside using the security fire lock-down command. This allows only key personnel to enter and escort emergency personnel to the site of the emergency. ERT team leaders shall conduct a head count of the employees in their charge and coordinate with security to check the badge log-in records of any employee not accounted for.

4. Earthquakes shall be handled by the ERT team in conjunction with the Security department, which will clear the building of all personnel. The exception is the building engineer team, which may remain to investigate the alarm in conjunction with security. Security must contact emergency services immediately, then contact the ERT team leaders on the SharePoint list (which is updated every Tuesday), and then contact VIPs if the emergency occurs outside business hours. During such emergencies security shall lock down the exterior doors from the outside using the security fire lock-down command. This allows only key personnel to enter and escort emergency personnel to the site of the emergency.

Scope:

This policy applies to employees, contractors, consultants, temp-employees, and other personnel at JK Air, including all personnel affiliated with third-party vendors. This policy also applies to all equipment and software applications that are owned, leased, or used as open source by JK Air.

Standards:

This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), government standards, and IT security best practices.

All Remote Users must follow the security requirements set forth in this standard for any Remote Host accessing IT Resources prior to such access, as well as any guidelines, procedures, or other requirements issued by their departmental IT units and/or the owners of the IT Resources that are to be remotely accessed.

Remote User responsibilities are described below:

Remote User Requirements:

Remote Users must ensure that their VPN connection and Remote Hosts used to access IT Resources meet all security expectations specified in the End User Security Guidelines prior to accessing any resources.

It is the responsibility of Remote Users to take reasonable precautions to ensure their VPN connections and remote access connections are secured from interception, eavesdropping, or misuse by means of encryption protocols set forth by Government standards.

All Remote Users are responsible for following the applicable use policy, including all data transmission and handling protocols set forth by government standards, when handling any data remotely accessed in the course of the Remote User’s job function. Policies to follow and actions to perform include, but are not limited to:

All Remote Users are expected to remotely access data only in accordance with government and IT policies.

Do not save or store client or company sensitive or restricted data on any unapproved device not secured by JK Air.

Whom This Applies To:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

3. Computer Incident Response Team – Access and Authorization Policy

Purpose: The purposes of a CIRT plan are as follows:

a) Protect the company IT assets
b) Create a central response team to handle incidents
c) Comply with government regulations
d) Prevent the use of local company systems in attacks against other systems that could result in legal liability

Objectives: The objectives of the CIRT plan are as follows:

a) Limit immediate incident impact to the company
b) Recover from any incident
c) Determine how the incident occurred and attempt to determine the origin
d) Determine how to avoid further exploitation of the same vulnerability
e) Update company policies and/or procedures as needed

SCOPE:

The provisions of this guide apply to JK Air.

ROLES AND RESPONSIBILITIES:

The following Computer Incident Response Team personnel are responsible for planning, documenting, coordinating, testing, implementing, and maintaining the CIRT Plan.

Title | Name | Contact Info
CIRT Leader | | (714) 423-xxxx
System Administrator | | (714) 423-xxxx
Network Administrator | | (949) 417-xxxx
Information Security | Levi Williams | (949) 417-xxxx
Physical Security | | (213) 227-xxxx
Human Resources | Poncho Via | (213) 682-xxxx
Legal | Tom Hanks | (213) 417-xxxx
Communications (PR) | Julia Child | (214) 417-xxxx

INCIDENT IDENTIFICATION AND RESPONSE:

The following are the tasks to be performed in case of an incident and the personnel assigned to that task.

# | Task | Assignment
1 | Identify need for incident response and validate incident. | SA
2 | If server or network related incident, identify threat. | CIRT; ISS Levi Williams
3 | Shut down power at primary location. | "
4 | Notify essential personnel. | "
6 | Re-establish company network. | NA
8 | Re-establish product transportation. | CIRT

EMERGENCY DAMAGE ASSESSMENT / EVALUATION:

The following are the tasks to be performed to assess the damage caused by the disaster.

# | Task (all completed as quickly as possible after authorization to re-enter the damaged structure) | Assignment
1 | Network Equipment |
2 | Servers and Workstations |
4 | Product Transportation |

EMERGENCY RESPONSE ASSIGNMENTS:

The following are the tasks to be performed in the event a disaster has been declared.

# | Tasks | Assignment | Estimated Completion Time | Date/Time Completed
1 | Ensure personnel are accounted for | | 15 Min |
2 | Backup data | | 1 Hr |
3 | Shutdown network equipment | | 15 Min |
4 | Shutdown servers | | 15 Min |
8 | Lock all facilities / offices / communication rooms | | 15 Min |
9 | Shut down power | | 5 Min |
10 | Ensure personnel are moved to hot site and are accounted for | | 2 Hr |
12 | Turn on network equipment at hot site (if necessary) | | 10 Min |
14 | Ensure all personnel are cared for and living arrangements have been established | | 1 Hr |

POST-EMERGENCY ASSIGNMENTS:

The following are the tasks to be performed after a disaster or after a disaster recovery exercise.

# | Post-Disaster Responsibilities | Assignment | Estimated Completion Time | Date/Time Completed
1 | Evaluate disaster recovery plan | | 1 week |
3 | Evaluate hot site establishment | | 1 week |
4 | Evaluate window making facilities shutdown and startup | | 1 week |
5 | Evaluate network shutdown and restart | | 1 week |

INCIDENT CONTAINMENT:

The following is the list of tasks that must be performed on a regular basis to keep the plan up to date, and the person responsible for each task.

# Task Assignment

1 DoS – Limit traffic from attacking networks; reset connections, software, and hardware.

2 Malware – Disable connectivity to keep it from spreading, identify the infection, update software if required, and configure the router to block the malware from connecting.

3 Unauthorized access – Limit access, reset accounts, and disable the account if required.

4 Inappropriate usage – Disable the account(s) and report to the appropriate personnel.

INCIDENT ERADICATION:

The following is the list of tasks that must be performed on a regular basis to keep the plan up to date, and the person responsible for each task.

# Task Assignment

1 To eradicate this we will block all well-known ports until the issue is resolved, and harden the servers properly.

2 Full computer scans will take place. Any virus found will be disinfected, quarantined, or removed by deleting the infected files; the method will be determined by Jim Bowie.

3 Passwords will be reset and evaluated to see if the password strength requirements need to be updated. Password strength will be a function of length, complexity, and unpredictability.

4 Depending on the problem and how severe it is, employees will be fired.

4. Reporting Security Incidents Policy

Purpose:

This document defines the procedure for reporting an information security incident.

Scope:

This policy applies to all staff and employees of the organization. Users are responsible for ensuring the safety and security of the organization’s systems and the information that they use or manipulate.

Standards:

This policy sets forth how JK Air will comply with Federal Information Security Management Act (FISMA) government standards and IT security best practices.

Anyone can report an incident; the required standard for whom to report to is:

IT Help Desk
IT Security Department
Physical Security Department

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement/Penalties:

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

5. IT Security Policy

Policy:

All personnel will conduct themselves in compliance with the JK Air Code of Conduct.

Purpose/Objective:

Our organization must protect company and client restricted, confidential, or sensitive data from loss in order to remain compliant with government standards and federal laws, to avoid damage to the company's reputation, and to avoid adversely impacting our clients. A collection of global regulations (such as FISMA) also require the protection of a broad scope of data, which this policy supports by restricting access to data hosted on devices. As defined by numerous compliance standards and industry best practice, data encryption is required to protect against exposure in the event of loss of an asset.

Scope:

Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of FISMA and SOX.

Availability:

Data or information is accessible and usable upon demand by an authorized person.

Confidentiality:

Data or information is not made available or disclosed to unauthorized persons or processes.

FISMA:

Federal Information Security Management Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States.

Integrity:

Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons:

All personnel in our organization, no matter what their status is. This includes physicians, residents, students, employees, contractors, consultants, temp-employees, volunteers, interns, etc.

Involved Systems:

All computer equipment and network systems that are operated within the organization’s environment. This includes all platforms (operating systems), all computer sizes (tablets, desktops, mainframes, smart phones, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Risk:

The probability of a loss of confidentiality, integrity, or availability of information resources.

Standards:

This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.

Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of the company. Specific responsibilities include:

1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.

2. Providing basic security support for all systems and users.

3. Advising user managers in the identification and classification of computer resources.

4. Advising systems development and application owners in the implementation of security controls for information on devices, from the point of system design, through testing and production implementation.

5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.

6. Providing on-going employee security education.

7. Performing security audits.

8. Reporting regularly to the organization Oversight Committee on the entity’s status with regard to information security.

Information Owner:

The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the organization Information Owner Delegation Form. The owner of information has the responsibility for:

1. Knowing the information for which she/he is responsible.

2. Determining a data retention period for the information, relying on advice from the Legal Department.

3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.

4. Authorizing access and assigning custodianship.

5. Specifying controls and communicating the control requirements to the custodian and users of the information.

6. Reporting promptly to the ISO the loss or misuse of organization information.

7. Initiating corrective actions when problems are identified.

8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.

9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

User Management:

Organization management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:

1. Reviewing and approving all requests for their employees' access authorizations.

2. Initiating security change requests to keep employees' security records current with their positions and job functions.

3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.

4. Revoking physical access of terminated employees, i.e., confiscating keys, changing combination locks, etc.

5. Providing employees with the opportunity for the training needed to properly use the computer systems.

6. Reporting promptly to the ISO the loss or misuse of organization information.

7. Initiating corrective actions when problems are identified.

8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

User:

The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:

1. Access information only in support of their authorized job responsibilities.

2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.

3. Keep personal authentication devices (e.g. passwords, Secure Cards, PINs, etc.) confidential.

4. Report promptly to the ISO the loss or misuse of organization information.

5. Initiate corrective actions when problems are identified.

Whom This Applies To:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

6. Remote Access Policy

Policy:

JK Air is committed to managing the confidentiality, integrity, and availability of its information technology (IT) networks, systems, and applications (IT Systems). This includes establishing guidelines for Remote Access to the Organization's critical information assets maintained within the IT Systems.

Remote Access to JK Air IT Systems is a privilege granted through the user provisioning process to exempt workforce members, Physicians with active privileges, business associates, vendors, and/or other individuals (Users) as approved by JK Air Leadership. Remote Access privileges granted to Users will be restricted to the minimum necessary information required to carry out job responsibilities, terms of business agreements, or as further defined by JK Air leadership.

Users of Remote Access must have a submitted VPN Remote Access Request form on file with IT, and users of VPN Remote Access to JK Air must have a signed Confidentiality Agreement.

All remote access into JK Air networks across the Internet must use approved VPN technology, and the remote access must be approved in advance by the Department Authorizer.

Devices that will be used for remote access that are not JK Air owned equipment must be configured to comply with the provisions of this policy.

Purpose:

This remote access policy is designed to prevent damage to the organizational network or end user systems and to prevent compromise or loss of data.

Scope:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties, who use a JK Air owned or personally-owned computer, mobile device, or workstation to connect to the JK Air network. This policy applies to remote access connections used to do work on behalf of JK Air, including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems.

Standards:

This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.

All Remote Users must follow the security requirements set forth in this standard for any VPN Remote Host accessing IT Resources prior to such access, as well as any guidelines, procedures, or other requirements issued by their departmental IT units and/or the owners of the IT Resources which are to be remotely accessed.

Remote User responsibilities are described below:

Remote User Requirements:

Remote Users must ensure that their Remote Hosts used to access IT Resources meet all security expectations specified in the End User Security Guidelines prior to accessing any resources.

It is the responsibility of Remote Users to take reasonable precautions to ensure their remote access connections are secured from interception, eavesdropping, or misuse.

All Remote Users are responsible for following applicable policy, including all Handling Requirements, when handling any data remotely accessed in the course of the Remote User’s job function. Policies to follow and actions to perform include, but are not limited to:

All Remote Users are expected to remotely access data only in accordance with IT policies.

Do not save or store sensitive or restricted data on the Remote Host used to access

Whom This Applies To:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

7. Security Awareness & Training Policy

Policy Statement:

This policy is intended to set the training standard for several key audiences including, but not limited to: Executives, Business Department Managers and their staff, the Chief Information Officer and staff, and related personnel who are serviced or otherwise informed by access to services available on our information systems. This also includes system and application owners, their contractors and their training coordinators. The success of the awareness and training program, and the overall awareness of secure business practices, depends upon the ability of all users to work toward a common goal of protecting the information and technically related resources.

Purpose/Objectives:

The purpose of the Information Security Awareness and Training Policy is to address security issues related to the safety and integrity of information maintained on devices on company systems. This policy is not intended to address the proprietary interests of intellectual property and/or copyright issues.

Scope:

This policy applies to all staff and others (e.g. vendors, grant or independent contractors, etc.) accessing or attaching to computers operated by our company.

Standards:

This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.

Our company conducts multiple training courses as part of its overall security awareness education program. The overall program includes, at a minimum, the following training courses or components:

New Hire Security Awareness Training

All new faculty and staff hires must complete an initial Security Awareness Training course. This course is conducted through the HR Knowledge Center system and is included in the new hire orientation. HR instructs employees that the New Hire Security Awareness course must be completed within 30 days of new hire orientation.

Annual Employee Security Awareness Training

An Annual Employee Security Awareness training course will be added to the HR Knowledge Center system. For the first annual training cycle, all employees will be required to complete Annual Employee Security Awareness training. Once implemented, the Knowledge Center will send automatic email reminders to employees 12 months after course completion, alerting employees to annual refresher training completion deadlines.

IT Employee Security Awareness Training

Each year, all employees in the Information Technologies division will be required to attend training regarding the comprehensive Information Security Program. This training will review all Information Security Program related policies, standards and procedures. IT Employee Security Awareness Training course completion records will be maintained by the company’s ISO.

Data Security Contact Training

At least once annually, Data Security Contacts will be required to attend training that reviews the Administrative Data Access Policy, the Electronic Storage of Highly Sensitive Data Policy, the Data Classification Standard and the roles and responsibilities of Data Security Contacts in regard to these policies and standards.

Whom This Applies To:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third parties found to have violated this policy may be subject to disciplinary action, up to and including termination of employment using the JK Air employee and contractor disciplinary matrix. Prosecution of any criminal charges could be brought forth if it is deemed that violation of this policy also violates any local, state or federal law.

8. Separation of Duties Policy

Policy Statement:

It is the policy of our organization that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented.

Purpose/Objective:

Our organization must protect company and client restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting our customers. A collection of global regulations (such as the Federal Information Security Management Act) also require the protection of a broad scope of data, which this policy supports by restricting access to data hosted on devices.

As defined by numerous compliance standards and industry best practice, full disk encryption is required to protect against exposure in the event of loss of an asset.

Scope:

This policy applies to all staff and employees of the organization. Users are responsible for ensuring the safety and security of the organization’s systems and the information that they use or manipulate.

Standards:

This policy sets forth how JK Air will comply with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

9. Password Policy

Purpose:

The purpose of this Password Policy is to set the password requirements that employees must adhere to and follow in order to mitigate risks that could lead to a breach of data in our organization.

Scope:

This policy applies to all staff and employees of the organization. Users are responsible for ensuring the safety and security of the organization's systems and the information that they use or manipulate.

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

10. Access Control Policy

The purpose of this Access Control Policy is to set the access requirements, derived from government standards, that employees must adhere to and follow in order to mitigate risks that could lead to a breach of data in our organization.

Purpose/Objective:

The organization will protect sensitive data from loss to avoid damaging the organization itself

financially and to avoid affecting our customers.

Scope:

Availability:

Data or information is accessible and usable upon demand by an authorized person.

Confidentiality:

Data or information is not made available or disclosed to unauthorized persons or

processes.

FISMA:

Federal Information Security Management Act of 2002. The act recognized the

importance of information security to the economic and national security interests of the

United States.

Integrity:

Data or information has not been altered or destroyed in an unauthorized manner.

Risk:

The probability of a loss of confidentiality, integrity, or availability of information

resources.

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Information Security Officer:

The Information Security Officer (ISO) for each entity is responsible for working with

user management, owners, custodians, and users to develop and implement prudent

security policies, procedures, and controls, subject to the approval of the organization.

Specific responsibilities include:

Information Owner:

The owner of a collection of information is usually the manager responsible for the

creation of that information or the primary user of that information. This role often

corresponds with the management of an organizational unit. In this context, ownership

does not signify proprietary interest, and ownership may be shared. The owner may

delegate ownership responsibilities to another individual by completing the organization

Information Owner Delegation Form.

User Management:

Organization management who supervise users as defined below. User management is

responsible for overseeing their employees’ use of information.

User:

The user is any person who has been authorized to read, enter, or update information.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employees, and other

personnel of JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

11. Email Acceptance Policy

Purpose:

Email is provided to staff to assist them in carrying out their duties efficiently and effectively. Email enables effective and efficient communication with other members of staff, other companies and partner organizations. This policy is in place to ensure effective use of time and to prevent illegal and inappropriate use of email.

Scope:

This policy applies to all staff and employees of the organization. All users of the organization’s

IT facilities must understand and use this policy. Users are responsible for ensuring the safety

and security of the organization’s systems and the information that they use or manipulate. All

users have a role to play and a contribution to make to the safe and secure use of email.

Standards:

The latest updated version of the web browsing utilities is to be used; if an updated version proves faulty, roll back to the previous version until the desired result is achieved.

FISMA:

Federal Information Security Management Act of 2002. The act recognized the

importance of information security to the economic and national security interests of the

United States.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

12. Internet Acceptable Use Policy

Purpose:

Internet access is provided to staff to assist them in carrying out their duties efficiently and effectively. This facilitates access to a vast range of information available on the world-wide web and communication with people outside of the organization. This policy is in place to ensure effective use of time and to prevent illegal and inappropriate use of the Internet.

Scope:

Internet access is provided to staff to assist them in carrying out their duties efficiently and effectively. This facilitates access to a vast range of information available on the world-wide web and communication with people outside of the organization. This policy is in place to ensure effective use of time and to prevent illegal and inappropriate use of the Internet.

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

13. Backup Policy

Purpose:

This policy defines the strategy for backing up the organization’s information and software

application systems. The aim of the policy is to ensure that it is always possible to recover the

information and application systems.

Scope:

This policy applies to all electronic information stored upon the organization's servers and PCs / laptops. The policy also applies to all application systems, the application software and its configuration.

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

Backup standards: backup tapes must be kept updated and verified recoverable; the backup servers, their standard facility software and the backup repositories must be kept updated; backups are planned and stored on a daily, weekly, and monthly basis as mentioned below; and the backup applications must be kept updated and able to perform the backups. If an application update is faulty, roll back to the previous update of that application or use an alternate suitable server-based one.

14. Infrastructure Hardening Policy

Statement:

By the nature of operation, the more functions a system performs, the larger its vulnerability surface. Most systems perform a limited number of functions. It is possible to reduce the number of possible attack vectors by removing any software, user accounts or services that are not related to or required by the planned system functions. System hardening is a vendor-specific process, as different system vendors install different elements in the default install process.

The possibility of a successful attack can be further reduced by obfuscation. If it is difficult for a potential attacker to identify the system being attacked, it is correspondingly harder for them to select and exploit its known weaknesses.

Purpose:

This policy defines the procedures to be adopted for infrastructure hardening.

Scope:

This policy applies to all components of the information technology infrastructure and includes:

Computers
Servers
Application Software
Peripherals
Routers and switches
Databases
Telephone Systems

All staff within the IT Department must understand and use this policy. IT staff are responsible

for ensuring that the IT infrastructure is hardened and that any subsequent changes to systems do

not affect the hardening of systems.
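The attack-surface reduction described above, as an added example in Python (not JK Air's own tooling): it audits a host against a documented per-role baseline so IT staff can detect when a later change re-introduces software, services, listening ports or login accounts the planned function does not need, or disables a hardening control. The role name, baseline values and sample command output are assumptions constructed for illustration.

```python
"""Hardening drift audit for one host role (added example, not JK Air's tooling).
Compares what a host exposes (listening TCP ports, enabled services, login-capable
accounts) with the documented baseline for its planned function. All values constructed."""

# Baseline per role: everything allowed to exist on a host with that job.
# "required" lists hardening controls that must stay enabled (assumed values).
BASELINES = {
    "web-frontend": {
        "ports": {22, 443},
        "services": {"nginx.service", "sshd.service", "rsyslog.service", "auditd.service"},
        "required": {"sshd.service", "rsyslog.service", "auditd.service"},
        "accounts": {"root", "webadmin"},
    },
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def listening_ports(ss_output):
    """Local ports from `ss -Hltn` output (listening TCP, numeric, no header)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4:  # 4th field is Local Address:Port, IPv6 shown as [::]:port
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def login_accounts(passwd):
    """Accounts in /etc/passwd whose login shell permits interactive login."""
    found = set()
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[6] not in NOLOGIN_SHELLS:
            found.add(parts[0])
    return found

def audit(role, ss_output, unit_output, passwd):
    """Drift findings: each key lists items that violate the role's baseline."""
    base = BASELINES[role]
    # unit_output is `systemctl list-unit-files --type=service --state=enabled --no-legend`
    services = {line.split()[0] for line in unit_output.splitlines() if line.strip()}
    return {
        "unexpected_ports": sorted(listening_ports(ss_output) - base["ports"]),
        "unexpected_services": sorted(services - base["services"]),
        "missing_controls": sorted(base["required"] - services),
        "unexpected_accounts": sorted(login_accounts(passwd) - base["accounts"]),
    }

# Constructed output from a drifted web front end: FTP and MySQL listening,
# vsftpd enabled, auditd no longer enabled, and a leftover vendor login account.
SAMPLE_SS = """LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 80 [::]:3306 [::]:*"""
SAMPLE_UNITS = """nginx.service enabled enabled
sshd.service enabled enabled
rsyslog.service enabled enabled
vsftpd.service enabled disabled"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
webadmin:x:1000:1000::/home/webadmin:/bin/bash
vendor:x:1001:1001:installer leftover:/home/vendor:/bin/sh"""
```

Running `audit("web-frontend", SAMPLE_SS, SAMPLE_UNITS, SAMPLE_PASSWD)` on the constructed data flags ports 21 and 3306, vsftpd.service, the missing auditd.service control and the vendor account; on a real host the three inputs come from the commands named in the comments.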

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

All new systems being hardened will be taken over by IT Senior Management and other higher-ups.

15. Extranet(WAN) Security Policy

Purpose:

A secure extranet is a secure private Wide-Area Network (WAN) which enables secure

interactions between connected organizations. Staff may be required to have access to the

facilities operated on the secure extranet in order for them to carry out their business. This may

include staff having access to a secure email facility. All staff requiring access to the secure

extranet in any way will be required to read and understand this Acceptable Usage Policy (AUP).

Scope:

This policy applies to all staff and employees of the organization. All users of the secure extranet

must understand and abide by this policy. Users are responsible for ensuring the safety and

security of the secure extranet and the information that they use or manipulate. All users have a

role to play and a contribution to make to the safe and secure use of technology and the

information that it holds.

Standards:

This policy is to set forth how JK Air will be compliant with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.

Whom This Policy Covers:

This policy is applied to every employee, contractor, consultant, temp-employee, and any other

personnel working at JK Air, including all personnel affiliated with third parties.

Enforcement:

Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be brought if the violation of this policy also violates any local, state or federal law.

Firewall and DMZ set-up: a front-facing server sits behind one firewall that is open to many of the applications the employees use and that customers use to reach the web site store. Traffic then passes through a DMZ to the back-end firewall, which has many ports closed, including HTTP, FTP and many of the other non-secure ports, in front of the sensitive server information. Everything in between is audited if not blocked by the IPS, and an IDS analyzes the traffic further for documentation.

16. Summary

The following list is the compliance laws required for DoD contracts that JK Air must follow:

The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted

July 30, 2002)

Procedures, Guidance, and Information (PGI).

The Federal Information Security Management Act of 2002 ("FISMA", 44

U.S.C. § 3541, et seq.)

The controls that will be placed on the computing devices are Group Policy Objects (GPOs),

Access Control Lists (ACLs), Firewalls, and Intrusion Detection Systems (IDS) or Intrusion

Prevention Systems (IPS). The controls will be placed using the concept of Least Privilege. Least Privilege states that the user is given the least amount of privileges needed to get their job done.

Static IP addresses are not supported as standard configuration for network devices. The

organization maintains a dynamic Domain Name Service (DNS) infrastructure that allows a user

to request a static DNS name or Fully Qualified Domain Name (FQDN) of the form:

device.oit.pocotechnologies.com, and will ensure that a device is always reachable by that DNS

name. When a device requires a static IP address, it can be requested by contacting the OIT Help

Desk. Access to the DNS/DHCP administrative interface is limited to those who have a recurring

business or functional need to complete configuration tasks not available via the standard Web

interface. Individuals desiring access to the administrative interface should submit a request to

the OIT Help Desk for access to dnsadmin.DFWtechnologies.com. Access will only be granted

to users physically on the JK Air campus network or connected to the organization’s Virtual

Private Network (VPN). The OIT and relevant organization department supervisors will review

access to the administrative interface annually to verify continued need.

This is how the organization would implement these policies, standards, and controls.

Publish Your Policies for the Organization

I would publish the policies in the new clinic by hanging posters in employee areas and give

each employee of the new clinic a copy of the policy and have them sign it.

Communicate Your Policies to the New Employees

I would communicate the policies to the employees of the new clinic through company email

with Read Receipt turned on, so I would know who “read” the email and who did not. The

emails would give a brief overview of each policy and advise them where to access a read-only

pdf file of the policy on the Intranet, so they can access the policy if they ever have questions.

Involve Human Resources & Executive Management

I would try to do this smoothly by making both HR and executive management aware of the

importance of implementing and enforcing the policies in the new clinic and why their support is

very much needed. Only with their complete support and cooperation would the policies be

effective.

Incorporate Security Awareness and Training for the Organization

Right after the new clinic is acquired I would push to have Security Awareness and Training happen as quickly as possible. I would try to make it as fun as possible and not have it merely be a lecture.

Release a Monthly Organization Wide Newsletter for All

I would try to make this newsletter as succinct as possible by only including pertinent information from department heads and with executive management approval of each article.

Implement Security Reminders on System Login Screens for All

This would be done through Group Policy Objects because it is in the Acceptable Use Policy to

have security reminders on system login screens.

Incorporate On-Going Security Policy Maintenance for All

On-going security policy maintenance will be done through employee feedback and monitoring of policy compliance through separate logs and software.

Obtain Employee Questions or Feedback for Policy Board

An email inbox would be set up for employees to send questions and feedback about policies.

Members of the Policy Board would be the only ones with access to the email inbox.