Design a remote access solution for the 9-Iron Country Club. This report includes the following considerations:
Needs and desires of customers and club members – available services, time availability, and network design
Risk management or assessment – protection of confidential and personally identifiable information (PII)
Data classification and security requirements – what measures will be implemented to protect the three states of data
The nature of telework and remote access technologies – permitting access to protected resources from external networks and often external hosts as well – generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access (Scarfone, 2009).
The most common security objectives for telework and remote access technologies are:
Confidentiality – ensure that remote access communications and stored user data cannot be read by unauthorized parties
Integrity – detect any intentional or unintentional changes to remote access communications that may occur in transit
Availability – ensure that users can access resources through remote access whenever needed (Scarfone, 2009).
Risk Management or Assessment/Major Security Concerns
Lack of Physical Security Controls – the primary mitigation strategies are encrypting the client device's storage or not storing sensitive data on the client device
Unsecured Networks – risk from using unsecured networks can be mitigated but not eliminated. Use encryption technologies to protect the confidentiality and integrity of communications, and use mutual authentication mechanisms to verify the identities of both endpoints
Infected Devices on Internal Networks – use appropriate anti-malware technologies and network access control (NAC), and possibly a separate network for telework client devices
External Access to Internal Resources – servers made available through external access should be appropriately hardened against external threats, and access to the resources should be limited to the minimum necessary through firewalling and access control mechanisms (Scarfone, 2009).
Data Classification and Security Requirements
Encrypting Data at Rest – encrypt all sensitive data when it is at rest on the device and on removable media used by the device. Employ storage encryption technology
Using Virtual Machines – the organization has limited ability to enforce policies on PCs personally owned by a teleworker. Run a VM hypervisor (bare metal) that will be compliant with security policies
Backing Up Data on Telework Devices – backups of sensitive information performed at external locations need additional security. The backup must be encrypted and its integrity verified. For non-portable forms of storage encryption, such as full disk encryption, data needs to be decrypted on the telework device and then encrypted for storage on the backup media (Scarfone, 2009).
References
Scarfone, K. (2009, June). Guide to Enterprise Telework and Remote Access Security. Retrieved from nist.gov: http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf