Week 7 Worksheet 4: LAN/WAN Compliance and Auditing

Course Learning Outcome(s)
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.

As auditors, we presume that no data produced on a computer is 100% secure, regardless of whether the computer is a standalone device or connected to a local area network (LAN) or a wide area network (WAN). Organizations implement controls, which are developed and put in place based on regulations and security best practices. Security is implemented throughout an organization's enterprise, from the host the user sits at through every device the data traverses or is stored on. Here is an example of a basic enterprise and the security controls that may be implemented. Remember, controls can be physical or logical: devices, software or encryption.

Host: A host is a computer, tablet or other device that a user interfaces with to perform a function. The device you are reading this on is a host. Security controls that can be implemented on a host include a Host-Based Intrusion Detection System (HIDS), a Host-Based Intrusion Prevention System (HIPS), a software firewall and antivirus protection. Policy controls implemented on a host include Role-Based Access Control (RBAC), Discretionary Access Control (DAC), Mandatory Access Control (MAC), login requirements, lockout settings and other settings that restrict what a user can and cannot do while logged in, together with software that manages (allows and denies) those policies centrally, such as ePO.

Local Area Network: Think of a LAN as an internal network used by an organization that lets users perform functions using various applications and storage, while also being able to connect to other organizations over the Internet or Virtual Private Networks (VPNs).
A host connects to a switch, and from there traffic either reaches systems on the LAN directly or is forwarded to a router that exchanges data with another LAN or a WAN. The devices that make up a LAN and a WAN are similar; the difference is that a WAN is built at a much larger scale. As stated, a network contains many devices: servers, switches, routers, storage, call managers (for VoIP communications), firewalls, web content filters, security appliances that host Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS), and other systems unique to the organization.

Often, as a cost-saving measure, services such as security, web content filtering, storage, IP telephony, software delivered as a service (SaaS) and others are outsourced to a third-party vendor. The organization and the vendor agree on the expected requirements and document them in the contract. These requirements are known as Service Level Agreements (SLAs). At no point does an organization relieve itself of regulatory requirements for data protection by contracting the work out to a third party or any organization external to itself. Regulatory controls must be incorporated into the SLAs and audited by the company contracting the services out, to ensure compliance. Repercussions for not meeting SLA requirements should also be written into the SLA.

Read the scenario below and complete the associated worksheet.

Tidewater LLC is an organization that produces and sells apparel for men, women and children online. The company has grown 70% over the past two years and is building a new facility to support the continued growth. All current services, with the exception of managing the website, are hosted by various third-party vendors. Because of the growth, the organization's leadership has not been able to validate compliance with the SLAs, and feels that the vendors do not have the best interests of Tidewater LLC in mind.
Currently, a CIO and a web developer act as the IT staff. Tidewater LLC is in the process of bringing all IT services back into the server facility housed in its new building. Tidewater LLC wishes to establish and staff an IT department with a system administrator, a network administrator, two general technicians, a cyber security specialist and a full-time system auditor. The new office is a 2,000 sq ft open office with the server room in an adjacent room. Hardware supporting the organization's IT services includes 100 desktop computers for the staff, network switches, routers, a firewall, a Maciffy Security Appliance providing intrusion detection, intrusion prevention and antivirus protection, Network Attached Storage (NAS) giving each user a home drive as well as a shared network drive for collaboration and sharing, an IIS server for website management, and a call manager for VoIP. Wi-Fi access points will be added as the network installation progresses. Email will be managed by an Exchange server. The only outsourced service is a 100 Mbps connection for Internet access and for VPNs between the organization and its suppliers.

Current employees are each assigned a desk with a computer. There are no prerequisites, such as training, for users to have accounts created. All data is stored by a third-party vendor in a shared environment. No controls are implemented to prevent any user from accessing any other user's files or folders.

You have been retained as the organization's auditor, and your first task is to determine what controls need to be implemented so that the organization achieves a high level of sustained security and compliance. Using NIST 800-53A, develop a control sheet of controls the organization should implement that will not impede the organization's mission. The control sheet should cover controls that apply to both the users and the systems within the organization.
You will brief these controls to the CEO and CIO and explain why you chose them and what impact they will have on the organization. For each family below, fill in a table with the columns Control, Definition and Why Chosen.

From the Access Control (AC) family of NIST 800-53A, select three controls you would recommend be implemented.
From the Security Awareness and Training Policy and Procedures (AT) family of NIST 800-53A, select three controls you would recommend be implemented.
From the Audit and Accountability (AU) family of NIST 800-53A, select three controls you would recommend be implemented.
From the Configuration Management (CM) family of NIST 800-53A, select four controls you would recommend be implemented.
From the Security Assessment and Authorization (CA) family of NIST 800-53A, select three controls you would recommend be implemented.
From the Contingency Planning (CP) family of NIST 800-53A, select two controls you would recommend be implemented.
From the Identification and Authentication Policy and Procedures (IA) family of NIST 800-53A, select three controls you would recommend be implemented.

    Compliance and Auditing

    Access Control (AC) family of the NIST 800-53A

    Control | Definition | Why Chosen
    Access control policy and procedures (AC-1) | Identity enforcement | To formalize access procedures and to facilitate implementation of the system's access control policy (Jansen & Grance, 2011).
    Unsuccessful logon attempts (AC-7) | Password management tool | To limit the number of consecutive failed attempts a user may make when logging into the system with a password, locking the account once the limit is reached (Souppaya & Scarfone, 2013).
    Information sharing (AC-21) | Group requests | To facilitate information sharing while granting access only to verified partners, such as the suppliers connected over VPN.
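The following is an added example, not part of the worksheet or of the answer above, showing how an AC-7 style lockout is enforced in code: consecutive failed logons within a window lock the account for a fixed period, a successful logon resets the count, and attempts made during the lockout are refused without being evaluated or counted. The threshold (5 failures within 15 minutes, 30-minute lock), the user names and the event times are assumptions chosen for illustration.

```python
# Added example of an AC-7 style lockout policy (not from the worksheet or NIST).
# Thresholds, user names and timestamps below are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5                        # consecutive failures allowed before lock
    window: timedelta = timedelta(minutes=15)    # failures older than this no longer count
    lock_duration: timedelta = timedelta(minutes=30)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # times of recent consecutive failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks consecutive failed logons per account and enforces the lock."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None      # lock has expired: clear it and the failure history
        st.failures.clear()
        return False

    def record(self, user: str, success: bool, now: datetime) -> str:
        """Process one logon attempt and return 'locked', 'ok' or 'fail'.

        An attempt made while the account is locked is refused without being
        counted, so hammering a locked account does not extend the lock."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if success:
            st.failures.clear()     # a good logon resets the consecutive-failure count
            return "ok"
        cutoff = now - self.policy.window
        st.failures = [t for t in st.failures if t > cutoff]   # sliding window
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_duration
            return "locked"
        return "fail"


# Constructed sample timeline (assumption): event times relative to a fixed start.
SAMPLE_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    return SAMPLE_T0 + timedelta(minutes=minutes)


def replay(events, policy=LockoutPolicy()):
    """Run a list of (user, success, time) events and return the outcome of each."""
    tracker = LockoutTracker(policy)
    return [tracker.record(user, ok, t) for user, ok, t in events]


if __name__ == "__main__":
    burst = [("alice", False, at(i)) for i in range(5)]
    burst += [("alice", True, at(10)), ("alice", True, at(35))]
    for (user, ok, t), outcome in zip(burst, replay(burst)):
        print(t.time(), user, "success" if ok else "failure", "->", outcome)
```

The sliding window matters for the audit: four failures spread over an afternoon are not the same signal as four in a minute, and a lock that never expires turns the control into a denial-of-service tool against the help desk. Both the threshold and the lock duration should be recorded in the control sheet so the auditor can compare the configured values against the policy.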

    Security Awareness and Training Policy and Procedures (AT) of the NIST 800-53A

    Control | Definition | Why Chosen
    Security awareness training (AT-2) | Compliance auditor | To help determine whether the organization uses practical exercises and security drills that simulate actual security breaches during training.
    Role-based security training (AT-3) | Compliance auditor | To determine whether the organization provides refresher courses to staff based on their respective roles.
    Training records (AT-4) | Compliance auditor | To determine whether the organization maintains adequate, well-kept individual training records and monitors the training and awareness programs; in the scenario no training is currently required before an account is created, so these records are the evidence that the prerequisite is now enforced.

    Audit and Accountability (AU) section of the NIST 800-53A

    Control | Definition | Why Chosen
    Audit and accountability policy and procedures (AU-1) | Compliance auditor | To facilitate the automation of the audit and accountability policy that addresses its purpose, scope and roles.
    Time stamps (AU-8) | Identity enforcer | To generate a time stamp for every audit record from a clock synchronized to an authoritative time source, so that records from different systems can be correlated.
    Protection of audit information (AU-9) | Compliance auditor | To protect audit tools and audit information from access, modification or deletion by unauthorized personnel.
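As an added example (not from the worksheet, the answer above or NIST), the following shows the two mechanisms the AU-8 and AU-9 rows rely on: every record carries a UTC time stamp, and each record's authentication tag covers the previous record's tag, so that modifying, reordering or deleting a record makes verification fail at that point. The key, the event strings and the times are constructed for illustration; in practice the key is held by the audit system, not by the administrators whose actions it records.

```python
# Added example (not from the worksheet or NIST): a tamper-evident audit log in
# which every record has a UTC time stamp (AU-8) and an HMAC that chains to the
# previous record (AU-9). Key, events and times are constructed assumptions.
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64    # tag assumed for "the record before the first one"


def _tag(key: bytes, prev_tag: str, body: dict) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canon, hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, event: str, now: datetime) -> dict:
    """Append one audit record with a sequence number, UTC time stamp and chained tag."""
    body = {
        "seq": len(chain),
        "ts": now.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
    }
    prev = chain[-1]["tag"] if chain else GENESIS
    record = dict(body, tag=_tag(key, prev, body))
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes, expected_tail: Optional[str] = None):
    """Return (True, None) if every record verifies, else (False, index of first bad record).

    Modification, reordering or deletion of an interior record breaks the chain at
    that index. Deleting records from the end is only caught when the caller supplies
    expected_tail: the last tag, stored somewhere the log writer cannot alter."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i or not hmac.compare_digest(_tag(key, prev, body), rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(chain)
    return True, None


# Constructed sample data (assumptions, not real log output).
SAMPLE_KEY = b"assumed-audit-key-held-by-the-audit-system"
SAMPLE_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    "logon ok user=alice host=ws-017",
    "file read path=/finance/q1.xlsx user=alice",
    "logoff user=alice host=ws-017",
]


def build_sample_chain() -> list:
    chain = []
    for i, event in enumerate(SAMPLE_EVENTS):
        append_record(chain, SAMPLE_KEY, event, SAMPLE_T0 + timedelta(seconds=i))
    return chain


def clone(chain: list) -> list:
    """Deep copy via JSON, so a tampered copy can be compared with the original."""
    return json.loads(json.dumps(chain))


if __name__ == "__main__":
    chain = build_sample_chain()
    tail = chain[-1]["tag"]
    print("intact:", verify_chain(chain, SAMPLE_KEY))
    edited = clone(chain)
    edited[1]["event"] = "file read path=/public/readme.txt user=alice"
    print("record 1 edited:", verify_chain(edited, SAMPLE_KEY))
    truncated = chain[:-1]
    print("last record dropped, no anchor:", verify_chain(truncated, SAMPLE_KEY))
    print("last record dropped, with anchor:", verify_chain(truncated, SAMPLE_KEY, tail))
```

The chain alone cannot tell that the newest records were removed, which is exactly what an intruder covering a logon would do; that is why the last tag (or a periodic copy of the log) must be kept on a system the administrators being audited cannot write to, and why the auditor should ask where that anchor lives and who holds the key.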

    Configuration Management (CM) section of the NIST 800-53A

    Control | Definition | Why Chosen
    Baseline configuration (CM-2) | Compliance auditor | To determine whether the organization has automated mechanisms in place to maintain a baseline configuration of the information system that is kept up to date, accurate, complete and readily available.
    Configuration change control (CM-3) | Compliance auditor | To help determine whether the organization adequately tests, validates and documents changes to the information system before and while they are implemented in the operational system.
    Security impact analysis (CM-4) | Compliance auditor | To help analyze proposed changes to the information system and the associated procedures, and to determine the potential security issues such changes could introduce.
    Configuration settings (CM-6) | Identity enforcement | To help put in place automated mechanisms that manage, apply and verify system configuration settings.

    Security Assessment and Authorization (CA) section of the NIST 800-53A

    Control | Definition | Why Chosen
    Security assessments (CA-2) | Identity analyst | To implement security assessment procedures, assess the security controls to determine whether they are effective, and generate security assessment reports based on those assessments.
    Security authorization (CA-6) | Identity enforcer | To have a senior official formally accept the residual risk and authorize the information system to operate, and to re-authorize it when significant changes occur, such as the move of all services into the new facility.
    Continuous monitoring (CA-7) | Identity analyst | To facilitate continued monitoring of system configuration and security management procedures and to review the impact of the security measures implemented (Kissel, 2011).

    Contingency Planning (CP) section of the NIST 800-53A

    Control | Definition | Why Chosen
    Contingency plan (CP-2) | Recovery planning | To document how essential services (the website, Exchange email, VoIP, and the NAS home and shared drives) are restored if the single server room or the outsourced 100 Mbps Internet/VPN link fails, with recovery roles assigned to the new IT staff.
    Information system backup (CP-9) | Backup and restore | To back up user-level data on the NAS and system-level configurations on a defined schedule, protect the backups, and test restores; this matters most while data is being moved out of the third party's shared environment into the new facility.

    Identification and Authentication Policy and Procedures (IA) section of the NIST 800-53A

    Control | Definition | Why Chosen
    User identification and authentication (IA-2) | Identity enforcer | To facilitate the automation of user identification and authentication policies and to coordinate all organizational security and control entities (Jansen & Grance, 2011).
    Identifier management (IA-4) | Identity enforcer | To facilitate the implementation of user identifiers for the system and for individual devices, and the automation of identifier management.
    Authenticator management (IA-5) | Identity enforcer | For authentication of users and devices, to facilitate the automation of administrative controls, and to protect user authentication information.
    Authenticator feedback (IA-6) | Password manager | To obscure authentication information during the identification and authentication process, so that the user's authenticator is not disclosed to an onlooker.
    Cryptographic module authentication (IA-7) | Identity enforcer | To help establish a cryptographic authentication module that meets the rules and regulations the organization has set and complies with all applicable requirements.

    References

    Jansen, W., & Grance, T. (2011). SP 800-144: Guidelines on security and privacy in public cloud computing. NIST.

    Kissel, R. (Ed.). (2011). Glossary of key information security terms. Diane Publishing.

    Souppaya, M., & Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise. NIST Special Publication 800-124.