Ask Business Management Expert

Task 1

Word count for charter:  2500 words - 1.5 spacing, wide margins, page numbers.

Presentation length:  12 slides, including title slide

Referencing Requirements:

  • Must use at least 6 scholarly journals (peer reviewed) - not trade journals
  • Must use 3 trade journals.
  • Must use 6 references from a variety of government reports/releases, not-for-profit reports, media articles and websites.
  • APA 6th Edition Referencing
  • Plagiarism Report provided.

Task

Using the Threat and Risk Assessment Report from the previous initiative (information provided at end in yellow) devise an Information Security Roadmap that selects and articulates the business benefit for 5 individual Information Security Initiatives for EvolveNet. The Information Security Initiatives must involve the implementation of controls that provide the most benefit to the organisation. Controls can be in the form of administrative, technical,

The Information Security Roadmap consists of two deliverables:

1. An Information Security Roadmap Charter Document

2. An Information Security Roadmap Executive Presentation

Information Security Roadmap Charter Document

The charter document must contain a section for each selected initiative that articulates the following:

  • Introduction (including business problem/threat scenario)
  • Scope
  • Business benefits
  • Functional business requirements
  • Key success indicators
  • Required resources
  • Indicative budget
  • Two possible products and technical solutions - one has already been provided: CyberArk
  • Estimated delivery timeframe

The document clearly describes initiatives and the benefit to the business. Initiative costs and resources are realistic. Selected solutions satisfy business requirements, align with strategy and demonstrate knowledge of the organisation.

Each recommendation must be defined and referenced with evidence that it is a valid control.

Information Security Roadmap Executive Presentation

The executive presentation must contain:

  • An introductory slide summarising the overall intent of the Information Security Roadmap
  • A slide for each initiative that contains:
  • Initiative executive summary (business problem and benefit)
  • Initiative solution summary
  • A graphic or image representing the initiative
  • Estimated costs and resources
  • A slide summarising all initiatives in a single list (including total roadmap costs)

The document clearly describes and illustrates the selected initiatives. Initiative costs and resources are realistic. Initiatives address risks and align with business strategy. The presentation provides a compelling argument for initiative implementation.

NOTE: EXTRACT FROM TRA - utilise the yellow highlight as the basis of the 5 initiatives. More detail has been provided to assist with some of the requirements, success indicators, implementation etc.

Recommendations / Initiatives from Threat and Risk Assessment Report

  • ISSUE 1 - Privileged Access Management:
    • Unauthorised access to privileged assets (systems, applications and data) in the test or development environment is occurring; there is no separation between environments.
    • Access privileges have not been validated regularly or logged to ensure reasonable justification/ need still exists.

Recommendations

o   Conduct a privileged access management audit exercise (including review of remote access)

o   Implement a privileged access management automated tool (CyberArk PAM) - single identities issued (not group/shared) and rules based on defined factors. Privileged users are forced to use multi-factor authentication.

o   Design network segmentation and boundaries that enforce network isolation requirements and restrict access between production and non-production environments, including the use of production credentials in non-production.

o   Release policies, processes and procedure documentation and training sessions for personnel.

o   Develop and run interface for all logs to be collected into Security Information and Event Management tool and for privileged access changes to be monitored.

o   Conduct regular reviews and audit of privileged access ensuring requirement is still valid.
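The last recommendation, a regular review of privileged access, is the kind of check that can be scripted over an export from the PAM tool or directory. The following is an added example, not part of the TRA or of CyberArk's tooling; the account records and field names are constructed assumptions. It flags the conditions the Issue 1 findings describe: shared identities, privileged accounts without MFA, access not revalidated within a fixed period, production credentials that also work in non-production, and privileges with no recorded justification.

```python
"""Privileged-access review: flags accounts that fail the TRA's expectations.

Added example; the account records below are constructed and the field names
are assumptions, not the schema of CyberArk or any other PAM product.
"""
from datetime import date, timedelta

# Constructed sample export of privileged accounts (hypothetical data).
SAMPLE_ACCOUNTS = [
    {"account": "j.smith-admin", "owner": "j.smith", "shared": False,
     "mfa_enforced": True, "last_review": "2024-03-01",
     "environments": ["prod"], "justification": "DBA on-call rota"},
    {"account": "svc-deploy", "owner": "platform-team", "shared": True,
     "mfa_enforced": False, "last_review": "2023-06-15",
     "environments": ["prod", "test"], "justification": ""},
    {"account": "root-shared", "owner": "", "shared": True,
     "mfa_enforced": False, "last_review": None,
     "environments": ["dev"], "justification": "legacy build box"},
]

# Constructed review date used by the sample run below.
REVIEW_DATE = date(2024, 4, 1)


def review_privileged_accounts(accounts, today, max_review_age_days=90):
    """Return a list of (account, finding) pairs.

    Checks mirror the Issue 1 recommendations: individual (not shared)
    identities, MFA enforced, access revalidated within a fixed period,
    no production credential usable in non-production, and a recorded
    justification for holding the privilege.
    """
    findings = []
    cutoff = today - timedelta(days=max_review_age_days)
    for acct in accounts:
        name = acct["account"]
        if acct["shared"]:
            findings.append((name, "shared/group identity; issue individual accounts"))
        if not acct["mfa_enforced"]:
            findings.append((name, "MFA not enforced"))
        last = acct.get("last_review")
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append((name, f"not reviewed within {max_review_age_days} days"))
        envs = set(acct["environments"])
        non_prod = sorted(envs - {"prod"})
        if "prod" in envs and non_prod:
            findings.append((name, "production credential also valid in " + ", ".join(non_prod)))
        if not acct["justification"].strip():
            findings.append((name, "no documented business justification"))
    return findings


def findings_by_account(findings):
    """Group findings per account for the review report."""
    report = {}
    for name, text in findings:
        report.setdefault(name, []).append(text)
    return report


if __name__ == "__main__":
    report = findings_by_account(review_privileged_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE))
    for name, items in report.items():
        print(name)
        for item in items:
            print("  -", item)
```

The review period (90 days) and the environment names are parameters of the example; the point is that every privileged identity either passes all checks or appears in the report with the reason, which is the evidence a recurring audit needs to produce.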

  • ISSUE 2 - Portable assets (such as laptops, tablets, mobile devices) are issued without being logged in inventory. Not all workstations have antivirus installed and there are no technical controls to restrict software installation or access to web/internet facing services.

Recommendations

o   Conduct asset management audit exercises - baselining assets.

o   Develop and implement an automated asset management tool or list.

o   Centralise management and standardise operating systems, applications, configurations, antivirus releases, patching and changes (install or update), all centrally managed by Security. This includes hardening.

o   Consider restricting the use of web-based email and social media to a limited number of staff members, or consider SSL/TLS inspection.

o   Implement Host-based intrusion detection/prevention system (HIDS/HIPS)

o   Implement Endpoint Detection and Response (EDR) software to improve intrusion detection capability. EDR logs and generates a continuous stream of event data and other system telemetry to the SIEM to improve incident detection and response timeline.

o   Implement Data Loss Prevention tool to avoid risk of business interruption, loss and theft.

o   Release policies, processes and procedure documentation and training sessions for personnel.

o   Develop and run interface for all logs to be collected into Security Information and Event Management (SIEM) tool and for asset changes to be monitored.

o   Set up rules and alerts for anomalous behaviour on assets.

o   Conduct regular reviews of assets to ensure compliance.

  • ISSUE 3 - Event logs have no protection from alteration.

Recommendations

  • Review security protocols for logs (including creation, capturing, transfer and storage).
  • Change access control, denying changes to logs (including developing/modifying Group Policies for Windows). Create rules and alerts for any modification and interface them directly with the SIEM.
  • Document and socialise changes as required (including incident response scenario).
  • Communicate disciplinary procedures to personnel to ensure awareness of unauthorised behaviour.
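Access control on the log files is the preventive half of Issue 3; the detective half is being able to tell, from the SIEM side, that a captured log was altered after the fact. The following is an added example, not part of the TRA or of any SIEM product: each log line is sealed with an HMAC over the previous line's tag, so editing or removing an entry breaks the next tag, and the collector keeps the latest tag so that truncating the tail is also caught. The key, host name and log lines are constructed.

```python
"""Tamper-evident log chain: HMAC each entry over the previous entry's tag.

Added example, not from the TRA or any product. The key, log lines and
host names are constructed for illustration.
"""
import hashlib
import hmac

# Constructed: in practice the key lives on the collector/SIEM side, never on
# the host producing the logs, so a host administrator cannot re-seal a chain.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # tag "before" the first entry

# Constructed sample events in a key=value format.
SAMPLE_LOG = [
    "2024-04-01T09:00:01Z host=fs01 user=j.smith event=logon result=success",
    "2024-04-01T09:05:12Z host=fs01 user=svc-deploy event=privilege_change result=success",
    "2024-04-01T09:06:40Z host=fs01 user=svc-deploy event=file_delete path=/var/log/auth.log",
]


def chain_entries(lines, key):
    """Seal each line with HMAC-SHA256(key, previous_tag || line)."""
    entries = []
    prev = GENESIS
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        entries.append({"line": line, "tag": tag.hex()})
        prev = tag
    return entries


def verify_chain(entries, key, expected_head=None):
    """Return -1 if intact, else the index of the first entry that fails.

    Editing or deleting an entry breaks the tag of the entry that follows it.
    Truncating the tail cannot be seen from the chain alone, so the collector
    records the latest tag it received (expected_head); a mismatch against it
    is reported at index len(entries).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = hmac.new(key, prev + entry["line"].encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = bytes.fromhex(entry["tag"])
    if expected_head is not None:
        if not entries or not hmac.compare_digest(entries[-1]["tag"], expected_head):
            return len(entries)
    return -1


def siem_alert(source, entries, index):
    """Build the event a SIEM rule would raise on a failed verification."""
    truncated = index == len(entries)
    return {
        "event": "log_integrity_violation",
        "source": source,
        "first_bad_index": index,
        "line": None if truncated else entries[index]["line"],
        "detail": "tail truncated" if truncated else "entry altered or removed",
    }


if __name__ == "__main__":
    sealed = chain_entries(SAMPLE_LOG, DEMO_KEY)
    head = sealed[-1]["tag"]          # what the collector would have recorded
    altered = [dict(e) for e in sealed]
    altered[2]["line"] = altered[2]["line"].replace("file_delete", "file_read")
    print("intact:", verify_chain(sealed, DEMO_KEY, head))
    print(siem_alert("fs01", altered, verify_chain(altered, DEMO_KEY, head)))
```

The chain only proves integrity relative to the collector's key; a write-once or append-only destination for the sealed entries is still needed, and the Group Policy change the recommendation lists is what stops the edit from happening in the first place.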

  • ISSUE 4 - Sensitive information from customers is routinely sent via email and instant messaging applications.

Recommendations

  • Deny/disable copy and paste functionality of sensitive/customer data.
  • Encrypt email and chat applications.
  • Communicate and distribute policies, processes and procedures through training and awareness sessions (particularly around data sensitivity, disciplinary actions). Run security awareness campaigns for phishing, malware etc.
  • Check location of e-mail server and functionality (behind a firewall on a different network segment) employing demilitarized zone (DMZ).
  • Run email and malware scanning on email applications.
  • Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to improve email threat identification. Implement a behaviour-based capability to sandbox, analyse and potentially block transmission of data containing malicious software, rather than relying on signature-based identification of malware, before it breaches the network perimeter.

  • ISSUE 5 - Unauthorised physical access can occur due to lack of enforcement.

Recommendations

  • Review extant physical security controls, perimeters and boundaries.
  • Implement changes as necessary (including smart card physical auto-log in/outs).
  • Biometric and access control cards for infrastructure, production environments - controlled identity and access management solution.
  • Implement defence-in-depth perimeters.
  • Develop an interface for logs to be sent to the physical access control system and the SIEM.
  • Conduct regular exercises to raise user/ personnel awareness and penalties.

Business Management, Management Studies

  • Category:- Business Management
  • Reference No.:- M93083911
  • Price:- $100
