Policies and Procedures for JK Air (Finished)
Uploaded by levi-williams
1. Acceptable Use Policy
2. Business Continuity Plan Policy – Business Impact Analysis
3. Computer Incident Response Team – Access and Authorization Policy
4. Reporting Security Incidents Policy
5. IT Security Policy
6. Remote Access Policy
7. Security Awareness & Training Policy
8. Separation of Duties Policy
9. Password Policy
10. Access Control Policy
11. Email Acceptance Policy
12. Internet Acceptable Use Policy
13. Backup Policy
14. Infrastructure Hardening Policy
15. Extranet (WAN) Security Policy
16. Summary
1. Acceptable Use Policy
Policy Statement
Internet/Intranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, web browsing, SSH (including PuTTY), and FTP, are the property of JK Air. These systems are to be used for business purposes in serving the interests of the company and of our clients and customers in the course of normal operations.
Purpose/Objectives
The purpose of this policy is to outline the acceptable use of computer equipment at JK Air. These rules are in place to protect both the employee and JK Air. Inappropriate use exposes JK Air to risks including malware infections, compromise of network systems and services, and legal issues.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at JK Air, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by JK Air.
Standards
This policy sets forth how JK Air will comply with the Federal Information Security Management Act (FISMA), Sarbanes-Oxley (SOX), ISO/IEC 27001, and IT security best practices.
Whom This Applies To
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
2. Business Continuity Plan Policy – Business Impact Analysis
Purpose:
This document outlines the business continuity strategies and tactics, identifies the recovery requirements for critical business applications, and governs the backup and archival processes for critical data. Implemented correctly, it ensures that the business is properly restored with data integrity intact and defines the activities for returning to "normal" business processing. This Business Continuity Plan (BCP) will be updated in response to changes in the business environment, and JK Air staff will review the plan on a regular basis.
Policy:
1. Department heads, in conjunction with executives, human resources, and the legal department, shall review the business continuity plan once a year to revise it and to develop the basic policy and training methods.
2. Department heads shall conduct training in business continuity activities for related parties inside and outside the company, and obtain their acknowledgement in writing in either the employee handbook or the contractor handbook. This policy should be adopted by a resolution of the board of directors or the department head committee. Department heads should also secure business resources, including the necessary budget and personnel, to conduct activities in line with the basic policy. It is also necessary to secure time in the schedule for participation in the review and revision of the company's continuity plan.
3. Fire emergencies shall be handled by the Emergency Response Team (ERT) in conjunction with the Security department, who clear the building of all personnel. The exception is the building engineer team, which may remain to investigate the alarm in conjunction with Security. Security must contact emergency services immediately, then contact the ERT team leaders on the SharePoint list (updated every Tuesday), and then contact VIPs if the emergency occurs outside business hours. During fire related emergencies Security shall lock down the exterior doors from the outside using the security fire lock-down command, so that only key personnel can enter and escort emergency personnel to the site of the emergency. ERT team leaders shall conduct a head count of the employees in their charge and coordinate with Security to check badge login records for any employee not accounted for.
4. Earthquakes shall be handled by the ERT in conjunction with the Security department, who clear the building of all personnel. The exception is the building engineer team, which may remain to investigate the alarm in conjunction with Security. Security must contact emergency services immediately, then contact the ERT team leaders on the SharePoint list (updated every Tuesday), and then contact VIPs if the emergency occurs outside business hours. During earthquake related emergencies Security shall lock down the exterior doors from the outside using the security fire lock-down command, so that only key personnel can enter and escort emergency personnel to the site of the emergency.
Scope:
This policy applies to employees, contractors, consultants, temporary employees and other personnel at JK Air, including all personnel affiliated with third-party vendors. It also applies to all equipment and software applications, whether owned, leased, or open source, used by JK Air.
Standards:
This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), government standards, and IT security best practices.
All Remote Users must follow the security requirements set forth in this standard for any Remote Host accessing IT Resources prior to such access, as well as any guidelines, procedures, or other requirements issued by their departmental IT units and/or the owners of the IT Resource which is to be remotely accessed.
Remote User responsibilities are described below.
Remote User Requirements:
Remote Users must ensure that their VPN connection and the Remote Hosts used to access IT Resources meet all security expectations specified in the End User Security Guidelines prior to accessing any resources.
It is the responsibility of Remote Users to take reasonable precautions to ensure their VPN and other remote access connections are secured from interception, eavesdropping, or misuse, using the encryption protocols set forth by government standards.
All Remote Users are responsible for following the applicable use policy, including all data transmission and handling protocols set forth by government standards, when handling any data remotely accessed in the course of the Remote User's job function. Policies to follow and actions to perform include, but are not limited to:
All Remote Users are expected to remotely access data only in accordance with government and IT policies.
Do not save or store client or company sensitive or restricted data on any unapproved device not secured by JK Air.
Whom This Applies To:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
3. Computer Incident Response Team – Access and Authorization Policy
Purpose: The purposes of the CIRT plan are as follows:
a) Protect the company's IT assets
b) Create a central response team to handle incidents
c) Comply with government regulations
d) Prevent the use of local company systems in attacks against other systems that could result in legal liability
Objectives: The objectives of the CIRT plan are as follows:
a) Limit the immediate impact of an incident on the company
b) Recover from any incident
c) Determine how the incident occurred and attempt to determine its origin
d) Determine how to avoid further exploitation of the same vulnerability
e) Update company policies and/or procedures as needed
SCOPE:
The provisions of this guide apply to JK Air.
ROLES AND RESPONSIBILITIES:
The following are the Computer Incident Response Team personnel responsible for planning, documenting, coordinating, testing, implementing, and maintaining the CIRT Plan.
Title | Name | Contact Info
CIRT Leader | | (714) 423-xxxx
System Administrator | | (714) 423-xxxx
Network Administrator | | (949) 417-xxxx
Information Security | Levi Williams | (949) 417-xxxx
Physical Security | | (213) 227-xxxx
Human Resources | Poncho Via | (213) 682-xxxx
Legal | Tom Hanks | (213) 417-xxxx
Communications (PR) | Julia Child | (214) 417-xxxx
INCIDENT IDENTIFICATION AND RESPONSE:
The following are the tasks to be performed in case of an incident and the personnel assigned to each task (SA = System Administrator, NA = Network Administrator, ISS = Information Security).
# | Task | Assignment
1 | Identify the need for incident response and validate the incident. | SA
2 | If the incident is server or network related, identify the threat. | CIRT, ISS (Levi Williams)
3 | Shut down power at the primary location. | CIRT, ISS
4 | Notify essential personnel. | CIRT, ISS
6 | Re-establish the company network. | NA
8 | Re-establish product transportation. | CIRT
EMERGENCY DAMAGE ASSESSMENT / EVALUATION:
The following are the tasks to be performed to assess the damage caused by the disaster. All are completed as quickly as possible after authorization to re-enter the damaged structure.
# | Task | Assignment
1 | Network equipment |
2 | Servers and workstations |
4 | Product transportation |
EMERGENCY RESPONSE ASSIGNMENTS:
The following are the tasks to be performed in the event a disaster has been declared.
# | Task | Assignment | Estimated Completion Time | Date/Time Completed
1 | Ensure personnel are accounted for | | 15 min |
2 | Back up data | | 1 hr |
3 | Shut down network equipment | | 15 min |
4 | Shut down servers | | 15 min |
8 | Lock all facilities, offices, and communication rooms | | 15 min |
9 | Shut down power | | 5 min |
10 | Ensure personnel are moved to the hot site and are accounted for | | 2 hr |
12 | Turn on network equipment at the hot site (if necessary) | | 10 min |
14 | Ensure all personnel are cared for and living arrangements have been established | | 1 hr |
POST-EMERGENCY ASSIGNMENTS:
The following are the tasks to be performed after a disaster or after a disaster recovery exercise.
# | Post-Disaster Responsibilities | Assignment | Estimated Completion Time | Date/Time Completed
1 | Evaluate disaster recovery plan | | 1 week |
3 | Evaluate hot site establishment | | 1 week |
4 | Evaluate window-making facilities shutdown and startup | | 1 week |
5 | Evaluate network shutdown and restart | | 1 week |
INCIDENT CONTAINMENT:
The following are the containment tasks to be performed for each incident type and the person responsible for each.
# | Task | Assignment
1 | DoS: limit traffic from the attacking networks; reset connections, software, or hardware as needed. |
2 | Malware: disable connectivity to keep it from spreading, identify the infection, update software if required, and configure the router to block the malware from connecting out. |
3 | Unauthorized access: limit access, reset the affected accounts, and disable accounts if required. |
4 | Inappropriate usage: disable the account(s) and report to the appropriate personnel. |
INCIDENT ERADICATION:
The following are the eradication tasks to be performed once an incident has been contained and the person responsible for each.
# | Task | Assignment
1 | Block the well-known ports used in the attack until the issue is resolved, and properly harden the affected servers. |
2 | Run full scans of the affected computers. Any malware found will be disinfected, quarantined, or removed by deleting the infected files, as determined by Jim Bowie. |
3 | Reset passwords and evaluate whether the password strength requirements need to be updated. Password strength is a function of length, complexity, and unpredictability. |
4 | Depending on the nature and severity of the incident, the employees involved may be terminated. |
4. Reporting Security Incidents Policy
Purpose:
This document defines the procedure for reporting an information security incident.
Scope:
This policy applies to all staff and employees of the organization. Users are responsible for ensuring the safety and security of the organizations’ systems and the information that they use or manipulate.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security Management Act (FISMA), government standards and IT security best practices.
Anyone can report an incident. Incidents must be reported to one of the following:
IT Help Desk
IT Security Department
Physical Security Department
Whom This Policy Covers:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement/Penalties:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
5. IT Security Policy
Policy:
All personnel will conduct themselves in compliance with the JK Air Code of Conduct.
Purpose/Objective:
Our organization must protect company and client restricted, confidential or sensitive data from loss, in order to remain compliant with government standards and federal laws, to avoid damage to the company's reputation, and to avoid adversely impacting our clients. A collection of regulations (such as FISMA) also requires the protection of a broad scope of data, which this policy supports by restricting access to data hosted on devices. As defined by numerous compliance standards and industry best practice, data encryption is required to protect against exposure in the event of loss of an asset.
Scope and Definitions:
Affiliated Covered Entities:
Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of FISMA and SOX.
Availability:
Data or information is accessible and usable upon demand by an authorized person.
Confidentiality:
Data or information is not made available or disclosed to unauthorized persons or processes.
FISMA:
Federal Information Security Management Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States.
Integrity:
Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons:
All personnel in our organization, regardless of status. This includes physicians, residents, students, employees, contractors, consultants, temporary employees, volunteers, interns, etc.
Involved Systems:
All computer equipment and network systems operated within the organization's environment. This includes all platforms (operating systems), all computer sizes (tablets, desktops, mainframes, smart phones, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Risk:
The probability of a loss of confidentiality, integrity, or availability of information resources.
Standards:
This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.
Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of the company. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
2. Providing basic security support for all systems and users.
3. Advising user managers in the identification and classification of computer resources.
4. Advising systems development and application owners in the implementation of security controls for information on devices, from the point of system design through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.
8. Reporting regularly to the organization's Oversight Committee on the entity's status with regard to information security.
Information Owner:
The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the organization's Information Owner Delegation Form. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information, relying on advice from the Legal Department.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly to the ISO the loss or misuse of organization information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
User Management:
Organization management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:
1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees' security records current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access from terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for the training needed to properly use the computer systems.
6. Reporting promptly to the ISO the loss or misuse of organization information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
User:
The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Keep personal authentication devices (e.g. passwords, Secure Cards, PINs, etc.) confidential.
4. Report promptly to the ISO the loss or misuse of organization information.
5. Initiate corrective actions when problems are identified.
Whom This Applies To:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
6. Remote Access Policy
Policy:
JK Air is committed to managing the confidentiality, integrity, and availability of its information technology (IT) networks, systems, and applications (IT Systems). This includes establishing guidelines for Remote Access to the organization's critical information assets maintained within the IT Systems.
Remote Access to JK Air IT Systems is a privilege granted through the user provisioning process to exempt workforce members, physicians with active privileges, business associates, vendors, and/or other individuals (Users) as approved by JK Air leadership. Remote Access privileges granted to Users will be restricted to the minimum information necessary to carry out job responsibilities or the terms of business agreements, or as further defined by JK Air leadership.
Users of Remote Access must have a submitted VPN Remote Access Request form on file with IT, and users of VPN Remote Access to JK Air must have a signed confidentiality agreement.
All remote access into JK Air networks across the Internet must use approved VPN technology, and the remote access must be approved in advance by the Department Authorizer.
Devices used for remote access that are not JK Air-owned equipment must be configured to comply with the provisions of this policy.
Purpose:
This remote access policy is designed to prevent damage to the organizational network or end user systems and to prevent compromise or loss of data.
Scope:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties, who use a JK Air-owned or personally-owned computer, mobile device or workstation to connect to the JK Air network. This policy applies to remote access connections used to do work on behalf of JK Air, including reading or sending email and viewing intranet web resources. Remote access implementations covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems.
Standards:
This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.
All Remote Users must follow the security requirements set forth in this standard for any VPN Remote Host accessing IT Resources prior to such access, as well as any guidelines, procedures, or other requirements issued by their departmental IT units and/or the owners of the IT Resource which is to be remotely accessed.
Remote User responsibilities are described below.
Remote User Requirements:
Remote Users must ensure that the Remote Hosts used to access IT Resources meet all security expectations specified in the End User Security Guidelines prior to accessing any resources.
It is the responsibility of Remote Users to take reasonable precautions to ensure their remote access connections are secured from interception, eavesdropping, or misuse.
All Remote Users are responsible for following applicable policy, including all data handling requirements, when handling any data remotely accessed in the course of the Remote User's job function. Policies to follow and actions to perform include, but are not limited to:
All Remote Users are expected to remotely access data only in accordance with IT policies.
Do not save or store sensitive or restricted data on the Remote Host used to access
Whom This Applies To:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
7. Security Awareness & Training Policy
Policy Statement:
This policy is intended to set the training standard for several key audiences including, but not limited to: executives, business department managers and their staff, the Chief Information Officer and staff, and related personnel who are serviced or otherwise informed by access to services available on our information systems. This also includes system and application owners, their contractors and their training coordinators. The success of the awareness and training program, and the overall awareness of secure business practices, depends upon the ability of all users to work toward a common goal of protecting the information and technology-related resources.
Purpose/Objectives:
The purpose of the Information Security Awareness and Training Policy is to address security issues related to the safety and integrity of information maintained on devices and company systems. This policy is not intended to address the proprietary interests of intellectual property and/or copyright issues.
Scope:
This policy applies to all staff and others (e.g. vendors, grant or independent contractors, etc.) accessing or attaching to computers operated by our company.
Standards:
This policy is enacted for JK Air to comply with the Federal Information Security Management Act (FISMA), SOX, government standards, and IT security best practices.
Our company conducts multiple training courses as part of its overall security awareness education program. The overall program includes, at a minimum, the following training courses or components:
New Hire Security Awareness Training
All new staff hires must complete an initial Security Awareness Training course. This course is conducted through the HR Knowledge Center system and is included in new hire orientation. HR instructs employees that the New Hire Security Awareness course must be completed within 30 days of new hire orientation.
Annual Employee Security Awareness Training
An Annual Employee Security Awareness training course will be added to the HR Knowledge Center system. For the first annual training cycle, all employees will be required to complete Annual Employee Security Awareness training. Once implemented, the Knowledge Center will send automatic email reminders to employees 12 months after course completion, alerting them to the annual refresher training completion deadline.
IT Employee Security Awareness Training
Each year, all employees in the Information Technologies division will be required to attend training on the comprehensive Information Security Program. This training will review all Information Security Program related policies, standards and procedures. IT Employee Security Awareness Training course completion records will be maintained by the company's ISO.
Data Security Contact Training
At least once annually, Data Security Contacts will be required to attend training that reviews the Administrative Data Access Policy, the Electronic Storage of Highly Sensitive Data Policy, the Data Classification Standard, and the roles and responsibilities of Data Security Contacts in regard to these policies and standards.
Whom This Applies To:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
8. Separation of Duties Policy
Policy Statement:
It is the policy of our organization that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. All policies and procedures must be documented and made available to the individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented.
Purpose/Objective:
Our organization must protect company and client restricted, confidential or sensitive data from loss, to avoid reputation damage and to avoid adversely impacting our customers. A collection of regulations (such as the Federal Information Security Management Act) also requires the protection of a broad scope of data, which this policy supports by restricting access to data hosted on devices.
As defined by numerous compliance standards and industry best practice, full disk encryption is required to protect against exposure in the event of loss of an asset.
Scope:
This policy applies to all staff and employees of the organization. Users are responsible for ensuring the safety and security of the organization's systems and the information that they use or manipulate.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy applies to every employee, contractor, consultant, temporary employee, and any other personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or contract, under the JK Air employee and contractor disciplinary matrix. Criminal charges may also be pursued if the violation of this policy also constitutes a violation of any local, state or federal law.
9. Password Policy
Purpose:
The purpose of this Password Policy is to set the appropriate parameters on the requirements that
employees must adhere to and follow in order to mitigate risks that may cause a breach of data in
our organization.
Scope:
This policy applies to all staff and employees of the organization. Users are responsible for
ensuring the safety and security of the organization’s systems and the information that they use
or manipulate.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
10. Access Control Policy
The purpose of this Access Control Policy is to set the appropriate parameters on the
requirements, drawn from government standards, that employees must adhere to and follow in order
to mitigate risks that may cause a breach of data in our organization.
Purpose/Objective:
The organization will protect sensitive data from loss to avoid financial damage to the
organization itself and to avoid affecting our customers.
Scope:
Availability:
Data or information is accessible and usable upon demand by an authorized person.
Confidentiality:
Data or information is not made available or disclosed to unauthorized persons or
processes.
FISMA:
Federal Information Security Management Act of 2002. The act recognized the
importance of information security to the economic and national security interests of the
United States.
Integrity:
Data or information has not been altered or destroyed in an unauthorized manner.
Risk:
The probability of a loss of confidentiality, integrity, or availability of information
resources.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Information Security Officer:
The Information Security Officer (ISO) for each entity is responsible for working with
user management, owners, custodians, and users to develop and implement prudent
security policies, procedures, and controls, subject to the approval of the organization.
Specific responsibilities include:
Information Owner:
The owner of a collection of information is usually the manager responsible for the
creation of that information or the primary user of that information. This role often
corresponds with the management of an organizational unit. In this context, ownership
does not signify proprietary interest, and ownership may be shared. The owner may
delegate ownership responsibilities to another individual by completing the organization
Information Owner Delegation Form.
User Management:
Organization management who supervise users as defined below. User management is
responsible for overseeing their employees’ use of information.
User:
The user is any person who has been authorized to read, enter, or update information.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employees, and other
personnel of JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
11. Email Acceptance Policy
Purpose:
Email is provided to staff to assist them in carrying out their duties efficiently and effectively.
Email enables effective and efficient communication with other members of staff, other
companies and partner organizations. This policy is in place to ensure effective use of time and to
prevent illegal and inappropriate use of email.
Scope:
This policy applies to all staff and employees of the organization. All users of the organization’s
IT facilities must understand and use this policy. Users are responsible for ensuring the safety
and security of the organization’s systems and the information that they use or manipulate. All
users have a role to play and a contribution to make to the safe and secure use of email.
Standards:
Use the latest updated version of the web server and browsing utilities; if an updated version
proves faulty, roll back to the previous version until the desired result is achieved.
FISMA:
Federal Information Security Management Act of 2002. The act recognized the
importance of information security to the economic and national security interests of the
United States.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
12. Internet Acceptable Use Policy
Purpose:
Internet access is provided to staff to assist them in carrying out their duties efficiently and
effectively. This facilitates access to a vast range of information available on the World Wide Web
and communication with people outside of the organization. This policy is in place to ensure
effective use of time and to prevent illegal and inappropriate use of the Internet.
Scope:
Internet access is provided to staff to assist them in carrying out their duties efficiently and
effectively. This facilitates access to a vast range of information available on the World Wide Web
and communication with people outside of the organization. This policy is in place to ensure
effective use of time and to prevent illegal and inappropriate use of the Internet.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
13. Backup Policy
Purpose:
This policy defines the strategy for backing up the organization’s information and software
application systems. The aim of the policy is to ensure that it is always possible to recover the
information and application systems.
Scope:
This policy applies to all electronic information stored on the organization’s servers and
PCs/laptops. The policy also applies to all application systems, the application software and its
configuration.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
The backup standard requires updated and recoverable backup tapes, servers with their standard
facility software, updated backup repositories, and backups scheduled and stored on a daily,
weekly, and monthly basis as mentioned below. Backup applications must be kept updated and able
to handle backing up; if an update is faulty, roll back to the previous update of that application
or use an alternate suitable server-based one.
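The daily/weekly/monthly schedule above only guarantees recoverability if the retention rules are applied consistently, so here is an added example (not part of the JK Air policy text) of a daily/weekly/monthly retention decision: given the dates of existing backups, it decides which restore points to keep and which to expire, and reports the age of the newest usable backup. The retention counts (7 daily, 4 weekly, 12 monthly) and the 120-day sample schedule are assumptions constructed for the example.

```python
from datetime import date, timedelta


def retention_decisions(backup_dates, today, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Apply a daily/weekly/monthly retention scheme to a set of backup dates.

    Returns (keep, expire): sorted lists of backup dates to retain and to expire.
    A backup is kept if it is one of the newest `keep_daily` backups, the newest
    backup in one of the most recent `keep_weekly` ISO weeks, or the newest backup
    in one of the most recent `keep_monthly` months. Future-dated backups are
    ignored: a restore point dated ahead of today points at a clock problem.
    """
    valid = sorted({d for d in backup_dates if d <= today}, reverse=True)
    keep = set(valid[:keep_daily])

    # `valid` is newest-first, so the first backup seen in each period is that period's newest.
    newest_per_week = {}
    newest_per_month = {}
    for d in valid:
        iso_year, iso_week, _ = d.isocalendar()
        newest_per_week.setdefault((iso_year, iso_week), d)
        newest_per_month.setdefault((d.year, d.month), d)

    keep.update(sorted(newest_per_week.values(), reverse=True)[:keep_weekly])
    keep.update(sorted(newest_per_month.values(), reverse=True)[:keep_monthly])

    expire = [d for d in valid if d not in keep]
    return sorted(keep), expire


def newest_backup_age_days(backup_dates, today):
    """Days since the newest usable backup: the worst-case data loss on a restore today."""
    usable = [d for d in backup_dates if d <= today]
    if not usable:
        return None  # nothing to restore from at all
    return (today - max(usable)).days


def sample_schedule():
    """Constructed input: one backup per day for the 120 days ending 2024-03-31."""
    today = date(2024, 3, 31)
    backups = [today - timedelta(days=i) for i in range(120)]
    return backups, today


if __name__ == "__main__":
    backups, today = sample_schedule()
    keep, expire = retention_decisions(backups, today)
    print(f"retain {len(keep)} restore points, expire {len(expire)}")
    for d in keep:
        print("  keep", d)
    print("newest backup age:", newest_backup_age_days(backups, today), "days")
```

For the 120-day sample this retains 13 restore points: the last seven days, the Sunday backups of the three preceding weeks, and the month-end backups of February, January and December. The same function works on an irregular schedule with gaps, since it keys on the newest backup actually present in each week and month.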
14. Infrastructure Hardening Policy
Statement:
By their nature, the more functions a system performs, the larger its vulnerability
surface. Most systems perform a limited number of functions. It is possible to reduce the number
of possible attack vectors by removing any software, user accounts or services that are
not related to and required by the planned system functions. System hardening is a vendor-specific
process, as different system vendors install different elements in the default install process.
The possibility of a successful attack can be further reduced by obfuscation. By making it
difficult for a potential attacker to identify the system being attacked, it becomes harder for
them to exploit known weaknesses.
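The removal step described above is only repeatable if a host's inventory is compared against a written baseline for its planned functions. The following added example (not JK Air's own tooling) does that comparison: it parses constructed service, listening-port and account listings and reports every enabled service, open port and interactive account that the host's role does not call for, as well as any required service that is missing. The "web" role baseline and the sample host listings are assumptions constructed for the example; a real baseline comes from the vendor hardening guide for the platform plus the system's planned functions.

```python
# Per-role allowlists (constructed for this example).
ROLE_BASELINES = {
    "web": {
        "services": {"sshd.service", "nginx.service", "chronyd.service"},
        "ports": {22, 443},
        "accounts": {"root", "deploy"},   # interactive accounts allowed on a web host
    },
}


def parse_enabled_units(text):
    """Parse 'UNIT STATE' lines (the shape of `systemctl list-unit-files` output)."""
    return {parts[0] for line in text.strip().splitlines()
            if (parts := line.split()) and len(parts) >= 2 and parts[1] == "enabled"}


def parse_listening_ports(text):
    """Parse socket lines in the shape of `ss -ltn` output: the local address
    column is the third field after the LISTEN state token."""
    ports = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if "LISTEN" in parts:
            local = parts[parts.index("LISTEN") + 3]
            ports.add(int(local.rsplit(":", 1)[1]))   # works for 0.0.0.0:22 and [::]:22
    return ports


def parse_interactive_accounts(passwd_text):
    """Accounts from /etc/passwd-style lines whose login shell permits interactive login."""
    accounts = set()
    for line in passwd_text.strip().splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "/false")):
            accounts.add(fields[0])
    return accounts


def hardening_findings(role, enabled_units, listening_ports, interactive_accounts):
    """Compare a host inventory with its role baseline; return (category, item, action) tuples."""
    base = ROLE_BASELINES[role]
    findings = []
    for unit in sorted(enabled_units - base["services"]):
        findings.append(("service", unit, "disable and remove; not required by role"))
    for unit in sorted(base["services"] - enabled_units):
        findings.append(("service", unit, "required by role but not enabled"))
    for port in sorted(listening_ports - base["ports"]):
        findings.append(("port", str(port), "close; no planned function listens here"))
    for acct in sorted(interactive_accounts - base["accounts"]):
        findings.append(("account", acct, "lock or remove; interactive login not required"))
    return findings


# Constructed sample host listings for a web server that has not been hardened yet.
SAMPLE_UNITS = """\
sshd.service      enabled
nginx.service     enabled
chronyd.service   enabled
telnet.socket     enabled
cups.service      enabled
vsftpd.service    enabled
bluetooth.service disabled
"""
SAMPLE_SOCKETS = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21      0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0      128    [::]:22         [::]:*
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
"""


def audit_sample():
    """Run the baseline comparison over the constructed listings."""
    return hardening_findings("web",
                              parse_enabled_units(SAMPLE_UNITS),
                              parse_listening_ports(SAMPLE_SOCKETS),
                              parse_interactive_accounts(SAMPLE_PASSWD))


if __name__ == "__main__":
    for category, item, action in audit_sample():
        print(f"{category:8} {item:16} {action}")
```

On the sample host this reports three surplus services (telnet, CUPS, vsftpd), three ports outside the baseline (21, 23, 631) and one surplus interactive account (guest); the nologin service accounts are not flagged because they cannot log in. Re-running the same comparison after every change is how the "subsequent changes do not affect the hardening" requirement in the Scope below is verified.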
Purpose:
This policy defines the procedures to be adopted for infrastructure hardening.
Scope:
This policy applies to all components of the information technology infrastructure and includes:
Computers
Servers
Application Software
Peripherals
Routers and switches
Databases
Telephone Systems
All staff within the IT Department must understand and use this policy. IT staff are responsible
for ensuring that the IT infrastructure is hardened and that any subsequent changes to systems do
not affect the hardening of systems.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
All new systems being hardened will be taken over by IT senior management and other senior
staff.
15. Extranet(WAN) Security Policy
Purpose:
A secure extranet is a private Wide-Area Network (WAN) that enables secure
interactions between connected organizations. Staff may be required to have access to the
facilities operated on the secure extranet in order for them to carry out their business. This may
include staff having access to a secure email facility. All staff requiring access to the secure
extranet in any way will be required to read and understand this Acceptable Usage Policy (AUP).
Scope:
This policy applies to all staff and employees of the organization. All users of the secure extranet
must understand and abide by this policy. Users are responsible for ensuring the safety and
security of the secure extranet and the information that they use or manipulate. All users have a
role to play and a contribution to make to the safe and secure use of technology and the
information that it holds.
Standards:
This policy sets forth how JK Air will comply with the Federal Information Security
Management Act (FISMA), SOX, government standards and IT security best practices.
Whom This Policy Covers:
This policy is applied to every employee, contractor, consultant, temp-employee, and any other
personnel working at JK Air, including all personnel affiliated with third parties.
Enforcement:
Any employee, contractor, or other third party found to have violated this policy may be
subject to disciplinary action, up to and including termination of employment, under the JK Air
employee and contractor disciplinary matrix. Criminal charges could be brought if it is
deemed that the violation of this policy also violates any local, state or federal law.
Firewall and DMZ setup: a front-facing server sits behind one firewall that is open to many of the
applications employees use and that customers use to reach the web site store. Behind that, traffic
passes through a DMZ to the back-end firewall, which has many ports closed, including HTTP, FTP
and many of the other non-secure ports, to protect the sensitive server information. Everything in
between is audited if not blocked by the IPS, and an IDS analyzes the traffic further for
documentation.
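The two-tier design above is easy to describe and easy to get subtly wrong in the actual rule sets, so here is an added example (not JK Air's configuration) that models the front and back-end firewalls as ordered first-match rule lists with a default deny, evaluates sample flows across the zones they must cross, records every back-end decision as an audit entry, and flags the weak setting a reviewer should look for: an allow rule with a wildcard port on the back-end firewall. The zone names, the database port 5432 and the sample flows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = None   # wildcard for the port field


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # ANY matches every port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone == flow.src_zone and self.dst_zone == flow.dst_zone
                and self.proto == flow.proto
                and (self.dport is ANY or self.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default (deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Front firewall: only the public web store ports reach the front-facing server in the DMZ.
FRONT_FW = [
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 80, "allow"),     # assumed HTTP-to-HTTPS redirect only
]
# Back-end firewall: the DMZ web tier may reach only the (assumed) database port on the
# internal sensitive-data server; HTTP, FTP, telnet stay explicitly denied on top of the default.
BACK_FW = [
    Rule("dmz", "internal", "tcp", 80, "deny"),
    Rule("dmz", "internal", "tcp", 21, "deny"),
    Rule("dmz", "internal", "tcp", 23, "deny"),
    Rule("dmz", "internal", "tcp", 5432, "allow"),
]
# Weak variant for comparison: lets the whole DMZ reach any internal port.
WEAK_BACK_FW = [Rule("dmz", "internal", "tcp", ANY, "allow")]

# Firewalls a flow must cross for each zone pair; a pair with no entry has no route at all.
PATHS = {
    ("internet", "dmz"): ["front"],
    ("dmz", "internal"): ["back"],
    ("internet", "internal"): ["front", "back"],
}

AUDIT_LOG: List[tuple] = []   # every back-end decision is recorded ("audited in between")


def decide(flow: Flow, firewalls: Optional[Dict[str, List[Rule]]] = None) -> str:
    """A flow is allowed only if every firewall on its path allows it."""
    firewalls = firewalls or {"front": FRONT_FW, "back": BACK_FW}
    path = PATHS.get((flow.src_zone, flow.dst_zone))
    if path is None:
        return "deny"
    for name in path:
        verdict = evaluate(firewalls[name], flow)
        if name == "back":
            AUDIT_LOG.append((flow, verdict))
        if verdict != "allow":
            return "deny"
    return "allow"


def overly_broad_rules(rules: List[Rule]) -> List[Rule]:
    """Allow rules with a wildcard port defeat the purpose of a back-end firewall."""
    return [r for r in rules if r.action == "allow" and r.dport is ANY]


# Constructed sample flows covering the customer path, the web-to-database path and misuse.
SAMPLE_FLOWS = {
    "customer to web store https": Flow("internet", "dmz", "tcp", 443),
    "internet ssh to dmz": Flow("internet", "dmz", "tcp", 22),
    "web tier to database": Flow("dmz", "internal", "tcp", 5432),
    "web tier http to internal": Flow("dmz", "internal", "tcp", 80),
    "web tier ftp to internal": Flow("dmz", "internal", "tcp", 21),
    "internet straight to database": Flow("internet", "internal", "tcp", 5432),
}


def check_sample_flows() -> Dict[str, str]:
    return {name: decide(flow) for name, flow in SAMPLE_FLOWS.items()}


def weak_config_leaks() -> str:
    """Same HTTP-to-internal flow, judged by the weak back-end rule set."""
    return decide(SAMPLE_FLOWS["web tier http to internal"],
                  {"front": FRONT_FW, "back": WEAK_BACK_FW})


if __name__ == "__main__":
    for name, verdict in check_sample_flows().items():
        print(f"{verdict:5}  {name}")
    print("broad back-end rules:", overly_broad_rules(WEAK_BACK_FW))
```

With the intended rule sets only the customer HTTPS flow and the web-tier-to-database flow are allowed; everything else, including a direct internet-to-database attempt, is denied because no hop on its path allows it. Against the weak back-end rule set the same HTTP-to-internal flow is allowed, which is exactly what `overly_broad_rules` exists to catch before the configuration is deployed.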
16. Summary
The following is the list of compliance laws required for DoD contracts that JK Air must follow:
The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted
July 30, 2002)
Procedures, Guidance, and Information (PGI).
The Federal Information Security Management Act of 2002 ("FISMA", 44
U.S.C. § 3541, et seq.)
The controls that will be placed on the computing devices are Group Policy Objects (GPOs),
Access Control Lists (ACLs), Firewalls, and Intrusion Detection Systems (IDS) or Intrusion
Prevention Systems (IPS). The controls will be placed using the concept of Least Privilege. Least
Privilege states that a user is given the least amount of privilege needed to get their job done.
Static IP addresses are not supported as standard configuration for network devices. The
organization maintains a dynamic Domain Name Service (DNS) infrastructure that allows a user
to request a static DNS name or Fully Qualified Domain Name (FQDN) of the form:
device.oit.pocotechnologies.com, and will ensure that a device is always reachable by that DNS
name. When a device requires a static IP address, it can be requested by contacting the OIT Help
Desk. Access to the DNS/DHCP administrative interface is limited to those who have a recurring
business or functional need to complete configuration tasks not available via the standard Web
interface. Individuals desiring access to the administrative interface should submit a request to
the OIT Help Desk for access to dnsadmin.DFWtechnologies.com. Access will only be granted
to users physically on the JK Air campus network or connected to the organization’s Virtual
Private Network (VPN). The OIT and relevant organization department supervisors will review
access to the administrative interface annually to verify continued need.
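The access rules for the DNS/DHCP administrative interface combine three conditions: an approved entitlement, a supervisor review that is not older than a year, and a source on the campus network or the VPN. The following added example (not JK Air's own access-control code) implements that decision as a deny-by-default check and also lists entitlements whose annual review has lapsed, so the yearly review has a concrete input. The address ranges, user names and review dates are placeholders constructed for the example.

```python
import ipaddress
from datetime import date, timedelta

# Placeholder address pools standing in for the campus network and the VPN client range.
TRUSTED_NETWORKS = {
    "campus": ipaddress.ip_network("10.10.0.0/16"),
    "vpn": ipaddress.ip_network("10.200.0.0/16"),
}
REVIEW_INTERVAL = timedelta(days=365)   # the annual access review

# Constructed entitlement records: who holds admin-interface access and when a
# supervisor last confirmed the continued business need.
ENTITLEMENTS = {
    "netops1": {"last_review": date(2024, 1, 15)},
    "contractor7": {"last_review": date(2022, 6, 1)},   # review has lapsed
}
SAMPLE_TODAY = date(2024, 3, 1)


def network_of(ip_text):
    """Name of the trusted network containing the address, or None. Raises ValueError on junk."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in TRUSTED_NETWORKS.items():
        if ip in net:
            return name
    return None


def admin_access_decision(user, source_ip, today):
    """Return (allowed, reasons). Every condition must hold; any failure denies."""
    reasons = []

    record = ENTITLEMENTS.get(user)
    if record is None:
        reasons.append("no approved entitlement for the administrative interface")
    elif today - record["last_review"] > REVIEW_INTERVAL:
        reasons.append("entitlement review lapsed; annual re-approval required")

    try:
        net = network_of(source_ip)
    except ValueError:
        reasons.append(f"invalid source address {source_ip!r}")
    else:
        if net is None:
            reasons.append("source address is neither on the campus network nor on the VPN")

    return (not reasons, reasons)


def users_due_for_review(today):
    """Entitlements whose last supervisor review is older than the review interval."""
    return sorted(user for user, rec in ENTITLEMENTS.items()
                  if today - rec["last_review"] > REVIEW_INTERVAL)


if __name__ == "__main__":
    for user, ip in [("netops1", "10.10.42.7"), ("netops1", "203.0.113.9"),
                     ("contractor7", "10.200.3.4"), ("nobody", "10.10.1.1")]:
        allowed, why = admin_access_decision(user, ip, SAMPLE_TODAY)
        print(user, ip, "ALLOW" if allowed else "DENY", "; ".join(why))
    print("due for review:", users_due_for_review(SAMPLE_TODAY))
```

The decision returns every failed condition rather than the first one, which is what an access reviewer wants to see in a denial log; a request from an off-campus address by a user whose review has also lapsed is reported for both reasons.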
This is how the organization would implement these policies, standards, and controls.
Publish Your Policies for the Organization
I would publish the policies in the new clinic by hanging posters in employee areas, giving
each employee of the new clinic a copy of the policy and having them sign it.
Communicate Your Policies to the New Employees
I would communicate the policies to the employees of the new clinic through company email
with Read Receipt turned on, so I would know who “read” the email and who did not. The
emails would give a brief overview of each policy and advise them where to access a read-only
pdf file of the policy on the Intranet, so they can access the policy if they ever have questions.
Involve Human Resources & Executive Management
I would try to do this smoothly by making both HR and executive management aware of the
importance of implementing and enforcing the policies in the new clinic and why their support is
very much needed. Only with their complete support and cooperation would the policies be
effective.
Incorporate Security Awareness and Training for the Organization
Right after the new clinic is acquired I would push to have Security Awareness and Training
happen as quickly as possible. I would try to make it as fun as possible and not have it merely be
a lecture.
Release a Monthly Organization Wide Newsletter for All
I would try to make this newsletter as succinct as possible by only including pertinent information
from department heads, with executive management approval of each article.
Implement Security Reminders on System Login Screens for All
This would be done through Group Policy Objects because it is in the Acceptable Use Policy to
have security reminders on system login screens.
Incorporate On-Going Security Policy Maintenance for All
On-going security policy maintenance will be done through employee feedback and
monitoring of policy compliance through separate logs and software.
Obtain Employee Questions or Feedback for Policy Board
An email inbox would be set up for employees to send questions and feedback about policies.
Members of the Policy Board would be the only ones with access to the email inbox.