Report

Your firm’s computing environment includes the following:


12 servers running Microsoft Server 2012 R2, providing the following:

Active Directory (AD)

Domain Name System (DNS)

Dynamic Host Configuration Protocol (DHCP)


Enterprise Resource Planning (ERP) application (Oracle)

A Research and Development (R&D) Engineering network segment for testing, separate from the production environment

Microsoft Exchange Server for e-mail

Symantec e-mail filter

Websense for Internet use

Two Linux servers running Apache Server to host your Web site

390 PCs/laptops running Microsoft Windows 7 or Windows 8, Microsoft Office 2013, Microsoft Visio, Microsoft Project, and Adobe Reader

Tasks

You should:

Create policies that are organizationally compliant for the organization’s IT infrastructure.

Develop a list of compliance laws required for government contracts.

List controls placed on domains in the IT infrastructure.

List required standards for all devices, categorized by IT domain.

Develop a deployment plan for implementation of these policies, standards, and controls.

List all applicable organizational frameworks in the final delivery document.

Write a professional report that includes all of the above content-related items.


Submission Requirements

· Format: Microsoft Word

· Font: Times New Roman, Size 12, Double-Space

· Citation Style: Must use APA 6th or 7th edition Guide

· Length: 4–6 pages (an introduction is a must)

· PPT: 6 slides

Running head: IT INFRASTRUCTURE REPORT 1


University of Cumberland

Project Name: IT Infrastructure Reports

Project Sponsor: Dr. Richmond Ibe

Project Group 4

Names of Team Members

Anish Kumar Polasani (002850395)

Naga Rajendra Dileep Kumar Ponnaganti (003026371)

Anirudh Koundinya Ravi Chander (003025736)

Date:


Introduction

The Information Technology infrastructure is important in identifying and managing the organization’s IT risks. Policies provide the essential benchmark for monitoring and measuring the level of compliance with the risk management policy of the IT infrastructure. Organizations must therefore develop and build a security risk management policy that fosters their growth and development. Organizational policies govern the stakeholders’ interaction with one another and with the organization’s infrastructure in order to reduce and check security risks. My organization has 12 servers running Microsoft Server 2012 R2, which provide Active Directory (AD), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), an Enterprise Resource Planning (ERP) application (Oracle), a Research and Development (R&D) Engineering network segment for testing, Microsoft Exchange Server for e-mail, a Symantec e-mail filter, and Websense for Internet use. The infrastructure also has two Linux servers running Apache Server to host the Web site, and 390 PCs/laptops running Microsoft Windows 7 or Windows 8, Microsoft Office 2013, Microsoft Project, Microsoft Visio, and Adobe Reader. My organization must set appropriate policies, procedures and standards that comply with existing DoD requirements for federal government IT infrastructure (Kim & Solomon, 2013).

Appropriate Policies

Comment by Richmond Ibe: Delete all these. I don't need justification, just create the policy. Tell me the appropriate policy that will protect the IT infrastructure.

Appropriate policies that will ensure the organizational compliance to IT infrastructure security are as follows:

1. Acceptable Use Policy (AUP). This policy will stipulate the practices and constraints employees must agree to before accessing the corporate network. Employees will read, understand and sign to comply with the provisions of the policy before taking on any responsibility in the organization.

2. Access Control Policy (ACP). This policy will outline and guide employees' access to the information systems and databases of the organization.

3. Change Management Policy. This policy will guide the formal process of changing the IT infrastructure, software development, and security operations.

4. Information Security Policy. This policy will cover the security controls of the organization. It will protect the organization's sensitive information and guide its usage among employees and other stakeholders.

5. Incident Response Policy (IRP). This policy will guide the organization's response to security breach incidents and the remediation of their impact on the organization's operations. Its objective is to guide response management and mitigate damage to the operations of the organization. It will also manage the time spent to attain full recovery to normalcy while regulating the cost of the actions.

6. Remote Access Policy. This policy will guide and direct the appropriate actions and methods that enable stakeholders to connect remotely to the organization's networks.

7. Email or Communication Policy. This policy will outline employees' use of the organization's electronic communication media.

8. Disaster Recovery Policy. This policy will stipulate the entire plan that should be followed, for continuity of operations, in the event a security disaster occurs in the IT infrastructure. The policy will align the incident response policy with the organization's continuity plan to check the impact of the incident, mitigate it, and regain full operations as early as possible.

Other important policies will include the User-IDs and Passwords Policy, which will manage employees' identities and passwords in the system. The Anonymous User-IDs and Password Policies will be vital for controlling users' access to corporate information through screening of their identity in the organization. The policies will also stipulate the actions that should be undertaken in the event the organization receives information from an anonymous identity (Kruse, 2002).

Compliance Laws for Government Contracts

The government engages contractors to support its provision of services to the public and therefore operates to maximize public trust. To attain this, the government requires contractors to abide by set laws and regulations. The laws the government expects contractors to comply with include:

The first law is the Anti-Bribery/Gratuities law, which prohibits any offer of “things of any value” to government officers to influence a public act. The second law is the Anti-Kickbacks Act. This law prohibits any soliciting for offers among prime contractors or subcontractors to receive favorable treatment. The third requirement is the contingent fee. Contractors are not expected to pay any other agency to win the contract or to receive a recommendation for successful completion of the contract. The fourth law is the anti-procurement Integrity law. This law prohibits the contractor from disseminating any information that taints the contract's proprietary information. A contractor that participates in such an activity is prohibited from future participation in competitive procurement processes. Fifth, the hiring from government law prohibits contractors from liaising with government personnel to offer employment to the contractors that trade with the government (Geldon, 2019).

Comment by Richmond Ibe: How do these laws connect to the organizational policy? What are the policies you created for the organization that the user will be compliant with? Why not use the laws that are related to IT organization? Example: non-disclosure agreement, HIPAA laws, and data transmission, etc. How do these regulations affect the organization? Is there any policy that could protect the organization from violating these laws?

Infrastructure Controls in IT Infrastructure Domains

Comment by Richmond Ibe: Before implementing these controls, did you perform a risk assessment?

The controls placed on the domains in the IT infrastructures in the organization depend on the domains (Kim & Solomon, 2013).

1. In the User Domain, the access control includes the:

i. Policies and Procedures

Comment by Richmond Ibe: You have itemized the policy, but why not explain them? How would a user understand what to do and what not to do?

ii. Authentication Controls

iii. Data Classification

iv. Security Awareness Training

v. Incident/Problem Reporting

These controls are implemented through the organisational culture and by individual employees at their workstations.

2. In the Workstation Domain, the following controls are placed:

i. Latest, up-to-date anti-virus programs

ii. Workstations equipped with security patches and the latest OS versions

3. In the LAN Domain, the controls placed include:

i. Preventing unauthorized access to the organisation’s network systems, data, and applications

ii. Monitoring all incoming and outgoing access to the organisation's network

iii. Ensuring C-I-A (confidentiality, integrity, and availability). The LAN Domain consists of the NIC card, Ethernet LAN router, UTP cabling, LAN switch, and Layer 2 switch.

4. In the LAN-to-WAN Domain, the controls placed include a perimeter firewall to monitor and control log-in, and the configuration and implementation of the firewall.

5. In the WAN Domain, the controls placed include an Access Point Policy, to identify and root out potential security concerns in inter-LAN connectivity. Other controls include bandwidth and traffic segmentation.

6. In the Remote Access Domain, the controls include a VPN policy. This control secures all remote access and maintains data confidentiality and integrity.

7. The System/Application Domain consists of the Patch Management Policy, which patches the OS and other software on time.

Standards for IT Domain Devices

The organisation will formulate and implement the following standards for its IT Domain devices: Top-Level Host Names, Subdomains, Foreign Domain Names, Naming Convention, Organizational Entity, and IPAM (IP Address Management). These will make the organization’s use of DNS clearer and keep the subdomain naming standards consistent (Stair & Reynolds, 2012).

Implementation Deployment Plan

Introduction

IT security incidents are on the rise. Organizations need standards, policies and controls to check IT risks.

Purpose

The purpose of the plan is to implement standards, policies and controls in the IT system.

Method

Employees and information supervisors will be trained in consistent IT system monitoring and in reporting potential risks.

Lines of Effort

1. Strong Authentication

This line of effort will strengthen user identification and reduce anonymity, thus improving the security of the network. Users will be provided with two or more authentication factors, such as a password and key codes.

2. Device Hardening

To avoid exploitation of system vulnerabilities, the organisation will deploy infrastructure that mitigates the risks. This includes STIGs and IAVM programs that comply with DoD standards.

3. Reduce Attack Surface

The organization will review internet-facing assets to certify that they run in the DoD DMZ. All assets without an operational requirement will be disconnected.

4. Alignment to Cybersecurity System

The organization will ensure the “computer network defence service” provider operates within the recommended boundaries. The defence system will be maintained and updated after every three months.

Applicable DoD Organizational Frameworks

The organization will apply the following DoD organizational frameworks: Joint Capabilities Integration and Development (JCIDS), Systems Engineering (SE), Planning, Programming, Budgeting, and Execution (PPBE), Operational Planning (OPLAN), and Defense Acquisition System (DAS).

References

Geldon, F. (2019, October 14). Special Compliance Requirements for Government Contractors. Why Government Contracting Compliance Is Different, Part 1. Corporatecomplianceinsights.com.

Kim, D., & Solomon, M. G. (2013). Fundamentals of information systems security. Jones & Bartlett Publishers.

Kruse, D. E. (2002). The Reliability Mandate: Optimizing the Use of Highly Reliable Parts, Materials, and Processes (PM&P) to Maximize System Component Reliability in the Life Cycle. NAVAL POSTGRADUATE SCHOOL MONTEREY CA.

Stair, R., & Reynolds, G. (2012). Fundamentals of information systems. Cengage Learning.
