NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

Transcription

1 NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella

2 Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities Part Two: Policies Importance Team Members Wireless Security Password Requirements USB Drives Part Three: Disaster Recovery Policy Business Continuity Plan Basic Process What If Plan of Action Recovery Part Four: Summary References:

3 Universities and organizations should all have information system policies to protect and define their network and systems. Policies are implemented to create a stable rulebook for all users to follow for their own benefits. The way cyber security is evolving, having a strong policy is a top priority especially at any university. A typical large university in NYC will host around 10,000 15,000 students or even more. All students must be registered in the school databases, which must be secure. Since this university is located in a popular city, it will attract a lot of students. With all the students it brings and the location of the campus it also sets itself up as a target for malicious attacks. The city is a congested area filled with many companies providing Internet access to their users. The school Internet must be widespread so even no students could access it, which makes it vulnerable in a certain sense. The university isn t to far out from Time Square and the people coming in and out will change almost every day. Risk Analysis of vulnerabilities must be performed along with a plan if any disasters were to occur on or near the campus. Risk Analysis is the first of the policies to be created for the University. This contains the threats to resources and assets, which helps outline any vulnerabilities in the system. Anything that compromises Confidentially, Integrity, and Availability is included in the risk analysis plan. This university is very large and has multiple server rooms across the campus. The rooms need to be placed in every building including classrooms, library, and dorms for student access to the network. All of the servers on the campus are considered the biggest asset to the university. All of the schools virtual machines and workstations are hosted on them. If they ever go down, a lot of students will be limited to what they can do for their work. The servers are

4 everywhere in the school, but the main ones are the most protected. Other assets include the database, printers, people, and computers. The threats towards the server range from hacks, DDoS attacks, users, flood/fires, power loss, hard drive failures, and memory loss. Hacks and DDoS attacks are at a medium threat priority because the chances of someone attacking a school virtual machine server aren t too high. The impact if it did happen would be high because it will be dangerous if the wrong people get a hold of the school s server. Careless users are at a level four priority because there is always a chance for any kind of user error. The admins sometime need to tweak and make changes to the server to meet students needs and things can go wrong even though it s usually accidental. Flood/Fires are at a low priority because the likelihood of that happening is low because it hasn t been a problem yet. But if it did happen, everything could be washed away or destroyed in the flames so it receives a high impact. A power loss has a medium likelihood because in NYC, there are always so many things going on and consuming a lot of energy. The impact would be low because the school has generators that most likely work and will start up quickly to ensure the servers are back up and running. Hard drive failures and memory loss has a medium to high threat because with all the virtual machines and workstations running and programs that it is constantly supporting; you never know when one machine might take up too much. For specific classes, the virtual machines are assigned a certain amount of hardware, but with them running all at the same time it causes overflow so it has a high impact.

5 The safeguards for hacks are better firewalls, IDPs, and more secure routers, which could cost up to $100,000 for enterprise equipment. This equipment will be bought straight from the company itself to provide only the best. Careless users can be helped with more training and increased staff with more experience. Not all faculties in the school are aware how technology fully works and they can be doing harmful things without even knowing it. The university will provide free classes for faculty to join and learn more about the proper use of their systems and technology they use everyday. Depending on the training, it can cost up to $500. Floods/fires will only result with replaceable equipment if the school has insurance to pay for it since the server most likely will not be usable after the incident. Say good insurance will cost around $300 a month. Damage to servers from a power loss can be reduced because of power surges and generators, which are in the $10,000 range or more. Hard drive failures and memory loss can be safeguarded by backup drives and expanding the memory to full capacity that the server can hold. Backup drives are very important especially to a large university. They will need more than to constantly run backups of the data. It is so important because there is a lot of information that can t be lost in a university. They keep records of everything and all grades the students receive. With around 10,000 15,000 students, that is a lot of information to backup and store. For more hard drives depending on the size, it will be $1,000 and for memory $500. This leaves the total cost for the university in the final plan for everything to be $112,300.

6 Policies are an important factor when it comes to any kind of organization or university. They are all based off the same thing, but are created to best suit the needs for the company. The university policy in NYC needs to ensure high-end security, but at the same time be user friendly for everyday students to follow. Policies can be strict and topnotch security, but it doesn t mean they will be the most effective. At the university, they hire people who are trained in policy writing. This team also consists of technical writers, system managers, supervisors, and HR specialists. The policy members know what is best for the university, but they need help from the system managers on other equipment and technical writers to make it sound very professional. The policies set a lot of guidelines and things can become restricted so the HR specialists makes sure everything stays in legal boundaries. Without any policies, the university will not have any structure on the information technology side. It is created to help benefit all users of the school and grant them privileges that others outside don t. Policy: Wireless Internet Access Policy The first policy that the university needs is for wireless Internet access. New York City is one of the most populated areas and the network the school is producing needs to be kept only to students and faculty. If it wasn t, the network could be compromised at any time leaving vital information of the school and the registered students to hackers. The wireless access policy states that all students and faculty must install an application client on their machine and pass all tests to be able to gain access to the Internet. Pros: This policy will allow for a more secure and safe network for the people to use.

7 Cons: Some cons are that everyone will need to do extra work in setting up their connection. With the installed client, a few requirements must be met in order for it to pass. Objective: Goals for this policy are to provide students with secure Internet access for everyday needs. Purpose: This policy exists so that only students and faculty will have access to the network. It is trying to be kept as isolated as possible for anyone living near the campus to using the their network without permissions. The city is a congested area with Wi-Fi hotspots being picked up every step someone takes. We need this policy because a lot of classes are based using the Internet and we want the students to be productive and successful in their studies. Since it is such a large school, they can t monitor everything and everyone who connects to it. Audience: It is attended for everyone who goes to the school and is registered. Policy Statements: The policy statement consists of strict rules that must be followed to gain access. All students will need to contact the help desk, which is located in the library. There will be instructions posted on how to download the client and meet it s requirements. The client will run on the background of the users machines and it is safe. Each time it starts, it checks the system for antivirus software and properly configured automatic updates.

8 The university wants everyone to protect themselves from viruses and malware as much as possible. The updates will help patch any vulnerabilities that may be found in software running on the system. The help desk has licensed copies of antivirus software that they will install on anyone s system for free that fails that requirement. The installation of the software is easy to do and should only take them around minutes to finish everything. Once everything is passed and the green light shows, the user can connect to the Internet and have full access. Since other devices like gaming systems can t run the client, they will need special privileges to be used on the network. Each of these devices is given a MAC address and students can submit that to the help desk using a form. This will be put in the system to bypass the client requirement when connecting to the Internet. The key to this client for being so successful is that every time it is ran, the user must sign in with their school account for it to work. Anyone not registered with school can still download the client, but they won t have the proper credentials to sign in so they will be locked out. Exceptions: The only exception to this policy is if your computer system is running some operating system that is not compatible with the client. In the case of this event, the student must bring the machine to the help desk for inspection to make sure it is safe and then the MAC address will be bypassed for total access.

9 Policy 2: Password Policy The next policy that the university wrote is for student and faculty passwords. Each user registered with the school is given an ID and address. This ID is based off the users last name and first initial. It uses the first six letters of the last name and one letter of the first. If the user has a short last name, numbers will be added to the ID. When completing registration for the university, students will be sent their ID. They must take this and go to the attached link to create their accounts, which be used for everything school related. This includes registration for classes, online assignments, and . With the rise of cyber security, passwords need to be strong so a hacker can t easily guess them. If this happened, all the students information will be compromised. Pros: of having this policy is that it will better protect the users confidential information and keep it out of the wrong hands. Cons: are that the password may be hard to remember and will need to be changed every certain amount of days. Objective: The goal of this policy to get all students a secure account and they can use it for all school related work with the university. Every week community mailers will be sent to students on their that give updates for what s going on with the campus. Also, this is the best way to communicate with teachers because they will recognize you by your ID. The university s are provided to students through Gmail. With these accounts, students also get access to everything Google provides including drive storage and cloud based work documents for real time editing. Purpose: This policy exists because if someone s password is very simple, it can be easily guessed or brute forced. This means a program is cracking the password by trying

10 different phrases against it until it receives a match. The university doesn t want anyone to lose power over his or her own account. Audience: This policy is attended for all students and faculty that have an account with the school. Policy Statement: The policy statements say that the password requirements must be followed in order to get an account. When creating a password, it is done on a certain website that checks to make sure the guidelines are met. It will not accept anything that doesn t fit. The first rule is that the password must be an eight-character minimum. Within the password, it must consist of one capital letter and the use of one symbol. These rules are set because the more variety and mix in a password, the more unique it is and can t be easily guessed. The last requirement is that it must be changed every 60 days to a different password that wasn t used before. Exceptions: There are no exceptions for this policy and it is highly enforced. The university really cares about user confidentiality because within these accounts are private information, including birthdate, addresses, and financial aid. Policy 3: USB Drive Policy This policy allows the use of USB drives for students and faculty in any on campus computer system. Pros: Users can save and make backups of their work and bring them to the library or other lab rooms to finish up.

11 Cons: The use of USB drives can be harmful to the systems because they can carry viruses and malware. One user may obtain a virus on their device and once plugged into the system, it can harm the computer and affect future users. Objective: The goal of this policy is to allow students to continue their work from outside their home or dorm. A lot of students may feel more comfortable doing their work in the library and lab, so they can transport any documents or projects via USB drive. Also, students may work on a project in the lab with specific software and can save copies of it on the USB drive for use later on. Purpose: This policy exists because we want students to be able to complete their work from anywhere on campus. The university doesn t want to limit students on how or where they do their assignments. Everything is being done on computers today and the access to systems and files should be allowed. Audience: This policy is attended for all students and staff who attend the university. Policy Statement: The policy statement states that users can save files on USB drives from their local machines and use them on computer systems. They are allowed to plug their own USB devices into machines and access files on them. Users should make sure their device is safe and perform scans on them when possible. Disaster Recovery Policies are created to help out organizations in case of an emergency and equipment and buildings get completely destroyed. This policy is a plan

12 of action for what to do for example a fire or flood occurs. Each company usually has a dedicated team to these types of services. The disaster recovery standards for this policy provide a systematic approach for safeguarding the vital technology and data managed by the Information Technologies and Services Department (Information Technology, 2015). At our university, we need a plan of recovery if anything vital was to happen to the school. Our policy will consist of a Business Continuity Plan. There are three parts to any plan for all organizations. The disaster preparation plan is first and it basically outlines what the school will do if they know a disaster is going to occur like a serve storm approaching the city. For a university, they can maybe cancel classes or shut down certain wings to keep students safe and protect any data loss or equipment failure. Next is the disaster response plan and this needs to be followed the moment right after a disaster happened. If an unexpected disaster occurred and the power was lost or a fire happened, actions have to take place as quick as possible. The university needs to find the source of the problem and analyze any damage that was done. If servers were destroyed, new ones will need to be set up and the image reinstalled from the latest backup made. If anything was to happen to the main servers that handle pay roles or student s personal information, they will need to be brought back up first. The policy will consist of an order of events that things should be brought back up and running. Lastly is the recovery phase of the business continuity plan. A lot of recovery will begin to happen in the previous response plan, but this is where everything is starting to be fixed and brought back to the last current state. Not everything for a university will be technology based in disaster recovery; classrooms

13 and buildings will need repairing as well. Students need to continue their education and that can t be possible if they don t have a safe place to learn. The university hired workers to dedicate their time to creating a solid policy for use. The planning team consists of upper management, information systems/security personnel, and human resources. They have specific roles and responsibilities for creating a disaster recovery policy. Some things they do are perform risk assessments, take inventory of information system assets, and identify critical applications, system and data in the university (Disaster Recovery, 2015). The disaster recovery plan will be reviewed every three months to make sure it s still in affect and add any updates if needed. It is never a bad idea to keep the plan active because disaster can happen at anytime. The disaster team will need an Information Security Manager. This person will be responsible for managing the team and making any critical decisions in tough times. All team members must go off what the manager says to do in a disaster recovery process. The university will make sure that each building with servers will be on a backup plan that creates daily images of the systems. At a large university with that many students, things change so fast so daily backups are definitely needed. These backups will also need to be checked to make sure they are functioning properly. They should consist of the data from financial aid, registration office, and critical data in server rooms that manages the network for all stations across the campus. In the event of a disaster, the school needs to get back up online so students can continue to stay on track with their coursework. Depending on the severity, the university can cancel classes and have teachers post notes and work online in forums. The school will identify the critical servers that will need to back up online first This information will

14 be left for the information security/systems personnel on the disaster team to find out. It is important to have a variety of members for each branch on the team because they each input something different. A certain budget will need to be kept aside in case of a disaster. For the most part, a lot of damage will occur to equipment and buildings and new products will need to be purchased and set up as a soon as possible. Everything that gets changed or replaced must be documented throughout the course of recovery. New products will need to be recorded so if anything happens again; they will know how to handle the new equipment. A large university in NYC has many assets to their organization. The size of the school is huge and the information technology specialists have a lot of expensive equipment to manage. These high-end products that the company has can be at risk to different threats including hacks, DDoS attacks, users, flood/fires, power loss, hard drive failures, and memory loss. These threats range in likelihood against a University. Memory loss and hard drive failure has high chance of occurring because they are working all day everyday to keep the workstations powered up and running. Backups are very important for the school to have because these threats or even disasters could happen at any time. The university is located in the city and wireless networks are popping up everywhere on compatible devices. The network for the school needs to have top security and can only accessed by students and faculty. The policy states that the users need to install a client and sign in with their credentials to be given access to the network. Their credentials will be created using their ID and password that meets the specific requirements. These consist of an eight-character minimum with the use of capital letters and symbols. Access to all these systems are great, but if a disaster happens and things

15 get shutdown and destroyed a lot of users won t be happy. The disaster recovery policy has plans set incase something tragic happens to the university. Backups will need to be installed, registration will need to be brought back up, and teachers will have to precede will education in a different manner most likely online. Policies are a key factor to not only universities but also all organizations. They keep everything within the organization running as expected and secure as possible with a reliable plan of action.

16 Bibliography Disaster Recovery Policy. (n.d.). Retrieved April 11, 2015, from INFORMATION SECURITY RISK MANAGEMENT POLICY. (2014, November 1). Retrieved April 10, 2015, from Information Technology Disaster Recovery Policy. (n.d.). Retrieved April 12, 2015, from