Roy A. Kelly II
Colorado Springs, Colorado
December 22, 2012
Table of Contents

Project Outline 4
Security Requirements 5
Organizational Chart (Colorado Historical Society, 2012) 5
Proposed Security Working Group 6
Security Business Requirements 9
Capability Maturity Model Integration (CMMI) 9
Capability Levels 11
Base Practices 11
Procedures to Review 12
Security Policy 19
Why We Need Security Policies 19
Security Policy Table 19
System Design Principles 22
Open Design 22
Securing the Weakest Link 23
Defense in Depth 23
Failing Securely 24
Least Privilege 25
Separation of Privilege 26
Economy of Mechanism 26
How Security Principles Relate to Us 27
The Training Module 29
User Roles 29
Executive Management 29
Mid-level Management 29
Museum Staff 30
Museum Volunteers 30
IT and Security 30
Courses 30
Introduction to Information Security 31
Information Security for Executives 31
Computer and Network Security Awareness 33
Cloud Security Fundamentals 33
Social Engineering 34
Email, Instant Messaging, and Browsing 35
Training Matrix 35
Measuring Impact 35
References 38
Project Outline
Repurposed: This task contains portions of material that were originally submitted during the Summer 1, 2012 session in CS631 OLA1 with Shawn Murray.
History Colorado is headquartered in Denver, with additional offices in Denver, Montrose, and Pueblo, and five museums scattered around the state. Each office has 6 to 10 computers and each museum has 1 to 5 computers; all of them connect to the headquarters over a leased line, forming a WAN that spans the entire state. The web server is located at the headquarters in a DMZ that is separate from the rest of the network. Guest lecturers and other historians who may work temporarily in our offices may use different operating systems, so we also
References

Barnum, S., & Gegick, M. (2005). Design Principles. Retrieved from https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/358-BSI.html

Benzel, T., Irvine, C., Levin, T., Bhaskara, G., Nguyen, T

Capability Maturity Model Integration (CMMI) [ACQuipedia]. (2012). Retrieved from https://dap.dau.mil/acquipedia/Pages/ArticleDetails.aspx?aid=700579d2-7b76-4dbc-b877-9c97fd18a341

CMMI Institute - the home of Capability Maturity Model Integration. (2012).

CMMI Product Team. (2010). CMMI® for Development, Version 1.3. Retrieved from https://campus.ctuonline.edu/pages/MainFrame.aspx?ContentFrame=/Classroom/course.aspx?Class=235253&tid=195

Colorado Historical Society. (2012).

Garbars, K. (2002). Implementing an Effective IT Security Program. Retrieved from http://www.sans.org/reading_room/whitepapers/bestprac/implementing-effective-security-program_80

Greiner, L

Guel, M. (2007). Policy Primer. Retrieved from http://www.sans.org/security-resources/policies/Policy_Primer.pdf

Hadnagy, C., Aharoni

Saxena, N. (2010). Lecture 6: Security Design Principles. Retrieved from http://isis.poly.edu/courses/cs392-f2010/Lectures/lecture4.pdf

Scher, R

Scher, R. (2011). Protect Your Company. Retrieved from http://www.social-engineer.org/wiki/archives/NewsArticles/ProtectYourCompany.pdf

Schneier, B

Shackleford, D. (2012). SEC524: Cloud Security Fundamentals. Retrieved from http://www.sans.org/course/cloud-security-fundamentals

Shinder, T

Spitzner, L. (2012). Securing the Human. Retrieved from http://www.securingthehuman.org/resources/presentations

SSE-CMM Project Team

Stout, G. (2012). Live chat presentation 8: Phases 4 & 5. Colorado Springs, CO: CTU Online. Retrieved from CTU Online, Virtual Campus, ICS, 652-1203B-01, https://campus.ctuonline.edu/MainFrame.aspx?ContentFrame=/Default.aspx