Infrastructure Research
Scenario
You are a security professional for Blue Stripe Tech, an IT services provider with approximately 400 employees. Blue Stripe Tech partners with industry leaders to provide storage, networking, virtualization, and cybersecurity to clients.

Blue Stripe Tech recently won a large DoD contract, which will add 30 percent to the revenue of the organization. It is a high-priority, high-visibility project. Blue Stripe Tech will be allowed to make its own budget, project timeline, and tollgate decisions.

As a security professional for Blue Stripe Tech, you are responsible for developing security policies for this project. These policies are required to meet DoD standards for delivery of IT technology services to the U.S. Air Force Cyber Security Center (AFCSC), a DoD agency.

To do this, you must develop DoD-approved policies, standards, and control descriptions for your IT infrastructure (see the “Tasks” section in this document). The policies you create must pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies, standards, or controls in place.

Blue Stripe Tech’s computing environment includes the following:

12 servers running the latest edition of Microsoft Server, providing the following:
Active Directory (AD)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
Enterprise resource planning (ERP) application (Oracle)
A research and development (R&D) engineering network segment for testing, separate from the production environment
Microsoft Exchange Server for email
Email filter
Cloud-based secure web gateway (web security, data loss protection, next-generation firewall, cloud application security, advanced threat protection)
Two Linux servers running Apache Server to host your website
400 PCs/laptops running Microsoft Windows 10, Microsoft 365 office applications, and other productivity tools
Tasks
Develop a list of compliance laws required for DoD contracts.
Determine which policy framework(s) will be used for this project.
List controls placed on domains in the IT infrastructure.
List required standards for common devices, categorized by IT domain.
Develop DoD-compliant policies for the organization’s IT infrastructure.
Describe the policies, standards, and controls that would make the organization DoD compliant.
Develop a high-level deployment plan for implementation of these policies, standards, and controls.

Sample Solution

This is a critical project for Blue Stripe Tech, requiring a meticulous approach to security and compliance. Let’s break down the tasks to ensure a successful DoD-compliant implementation.

1. Compliance Laws, Regulations, and Standards Required for DoD Contracts:

  • Federal Information Security Modernization Act (FISMA):
    • Mandates security controls for federal information systems, including systems a contractor operates on behalf of an agency such as AFCSC.
  • Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012:
    • Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires NIST SP 800-171 to be implemented on every contractor system that stores, processes, or transmits covered defense information, and requires cyber incidents to be reported to DoD within 72 hours of discovery.
  • DFARS Clauses 252.204-7019 and 252.204-7020:
    • Require a NIST SP 800-171 assessment, with the score posted to the Supplier Performance Risk System (SPRS), as a condition of award.
  • National Institute of Standards and Technology (NIST) Special Publications (SPs):
    • NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is the baseline a contractor is assessed against (110 requirements in Revision 2).
    • NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is the broader federal control catalog from which 800-171 is derived; it applies directly to any system Blue Stripe Tech operates as a federal system for AFCSC and is the reference for control detail elsewhere.
  • Cybersecurity Maturity Model Certification (CMMC), DFARS Clause 252.204-7021:
    • The DoD program for verifying that contractors have actually implemented the required practices. Level 2 corresponds to the NIST SP 800-171 requirements and, for most contracts involving CUI, is verified by a third-party assessment.
  • Health Insurance Portability and Accountability Act (HIPAA) (if applicable):
    • Required only if the contract involves handling protected health information (PHI).

2. Policy Framework(s) for This Project:

  • NIST SP 800-171 as the primary baseline:
    • This is what DFARS 252.204-7012 and CMMC assess a contractor against, so every policy, standard, and control below should map to one of its requirement families (access control, audit and accountability, configuration management, identification and authentication, incident response, and so on).
  • NIST SP 800-53:
    • The comprehensive federal catalog of security and privacy controls. Used for the control detail behind each 800-171 requirement and directly for any system Blue Stripe Tech operates as a federal system for AFCSC.
  • CMMC:
    • The assessment model used to demonstrate the level of security maturity Blue Stripe Tech has achieved; the target level is set by the contract.
  • ISO 27001 (Optional):
    • Not required by the DoD, but its management-system structure (risk assessment, statement of applicability, internal audit, management review) is a practical way to run the program, and its controls map well onto the NIST requirements.

3. Controls Placed on Domains in the IT Infrastructure:

  • Active Directory (AD):
    • Password policy aligned with NIST SP 800-63B and the Windows STIG: minimum length of 14 characters, screening against breached-password lists, account lockout, and no routine expiration unless there is evidence of compromise (NIST no longer recommends forced periodic changes or composition rules).
    • Multi-factor authentication (MFA) for all privileged access and for all network access by non-privileged users, as NIST SP 800-171 requires (3.5.3); DoD PKI/smart-card authentication satisfies this where the contract mandates it.
    • Principle of least privilege: tiered administration, separate daily-use and administrative accounts, and no standing membership in Domain Admins beyond what is documented and reviewed.
    • Audit logging of logon, account, and Group Policy changes, forwarded to a central log platform and reviewed on a schedule.
    • Group Policy Object (GPO) enforcement of STIG and CIS settings, with GPO changes under configuration control.
  • DNS:
    • DNSSEC: sign the externally authoritative zones and enable validation on internal resolvers; note that DNSSEC authenticates answers but does not encrypt queries.
    • Zone transfers and dynamic updates restricted to authenticated servers; no open recursion toward the Internet.
    • DNS query logging and monitoring, which also supports detection of malware command-and-control and DNS tunneling.
  • DHCP:
    • DHCP snooping on the switches, so that only designated trusted ports may carry server-to-client messages (OFFER/ACK), plus monitoring for rogue DHCP servers.
    • Access control to DHCP servers, and authorization of the servers in AD.
    • Logging of lease activity, retained long enough to map an address to a host during incident response.
  • ERP (Oracle):
    • Role-based access control with periodic access reviews.
    • Data encryption at rest (Oracle Transparent Data Encryption) and in transit (TLS).
    • Security patching on Oracle's quarterly Critical Patch Update cycle.
    • Audit logging of privileged database activity, forwarded to the central log platform.
  • R&D Network:
    • Network segmentation from the production environment, with default-deny firewall rules between the segments.
    • Strict access control; covered defense information does not enter the R&D segment unless that segment carries the same controls as production.
    • Regular vulnerability scanning.
    • Media sanitization and destruction per NIST SP 800-88.
  • Exchange Server:
    • Email encryption: TLS for transport between mail servers, S/MIME for message-level protection of sensitive content.
    • Spam and malware filtering, with SPF, DKIM, and DMARC configured for the organization's domains.
    • Data loss prevention (DLP) policies tuned to CUI markings.
    • MFA for all mailbox access, including remote and mobile clients.
  • Web Servers (Linux/Apache):
    • Web application firewall (WAF).
    • Regular security patching, with the hosts hardened to the Apache and operating-system STIGs.
    • Transport Layer Security (TLS) 1.2 or later only; SSL and TLS 1.0/1.1 disabled, and HTTP redirected to HTTPS.
    • Intrusion detection/prevention systems (IDS/IPS).
  • PCs/Laptops:
    • Endpoint protection (antivirus, anti-malware, endpoint detection and response).
    • Full disk encryption (BitLocker with TPM-backed keys, recovery keys escrowed to AD).
    • Patch management, including a plan to move off Windows 10, which reaches end of support in October 2025.
    • Mobile device management (MDM) for laptops, with remote lock and wipe.
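Of the controls above, rogue DHCP server detection is one that can be shown concretely. The following is an added example, not part of the original assignment or sample solution: a minimal parser for the RFC 2131 DHCP message format and a monitor that flags server-to-client messages (OFFER, ACK, NAK) whose server identifier (option 54) or whose source address is not one of the authorized DHCP servers. Both fields are checked because a rogue can spoof option 54 to impersonate a legitimate server. The server addresses and the captured packets are constructed for the example; in production the payloads would come from a span port or the switch's DHCP snooping feed.

```python
"""Detect rogue DHCP servers in captured DHCP traffic (added example, constructed data)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132: marks the start of the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_TO_CLIENT = {"OFFER", "ACK", "NAK"}   # only a DHCP server should ever send these


@dataclass
class DhcpMessage:
    op: int                 # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int                # transaction ID shared by the messages of one exchange
    yiaddr: str             # address being offered/assigned to the client
    chaddr: str             # client hardware (MAC) address
    options: Dict[int, bytes] = field(default_factory=dict)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message: 236-byte BOOTP header, cookie, TLV options."""
    if len(payload) < 240:
        raise ValueError("payload shorter than BOOTP header plus magic cookie")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack_from("!BBBBIHH", payload, 0)
    yiaddr = payload[16:20]                  # ciaddr 12:16, yiaddr 16:20, siaddr 20:24, giaddr 24:28
    chaddr = payload[28:28 + min(hlen, 16)]  # chaddr field is 16 bytes; hlen says how many are used
    if payload[236:240] != MAGIC_COOKIE:     # sname (64) and file (128) end at offset 236
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                  # one-byte option with no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return DhcpMessage(op, xid, str(IPv4Address(yiaddr)), chaddr.hex(":"), options)


def find_rogue_offers(packets: Iterable[Tuple[str, bytes]],
                      authorized_servers: Iterable[str]) -> List[dict]:
    """Return an alert for every OFFER/ACK/NAK not attributable to an authorized server.

    packets: (source IP, DHCP payload) pairs as a monitor on a span port would see them.
    """
    authorized = {IPv4Address(a) for a in authorized_servers}
    alerts = []
    for src_ip, payload in packets:
        msg = parse_dhcp(payload)
        raw_type = msg.options.get(OPT_MSG_TYPE)
        msg_type = MSG_TYPES.get(raw_type[0], "UNKNOWN") if raw_type else "UNKNOWN"
        if msg_type not in SERVER_TO_CLIENT:
            continue                          # client messages are not evidence of a rogue server
        raw_sid = msg.options.get(OPT_SERVER_ID)
        server_id = IPv4Address(raw_sid) if raw_sid and len(raw_sid) == 4 else None
        reasons = []
        if server_id not in authorized:       # missing or unknown option 54
            reasons.append("unauthorized server identifier")
        if IPv4Address(src_ip) not in authorized:   # catches a spoofed option 54
            reasons.append("unauthorized source address")
        if reasons:
            alerts.append({"type": msg_type, "src_ip": src_ip,
                           "server_id": str(server_id) if server_id else None,
                           "offered_ip": msg.yiaddr, "client_mac": msg.chaddr,
                           "reasons": reasons})
    return alerts


def build_dhcp(op: int, msg_type: int, xid: int, yiaddr: str, chaddr: bytes,
               server_id: Optional[str] = None) -> bytes:
    """Build a minimal DHCP payload; used only to construct sample traffic for this example."""
    header = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)  # htype 1 = Ethernet
    header += b"\x00" * 4 + IPv4Address(yiaddr).packed + b"\x00" * 8    # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


# Assumed addresses of the two authorized Windows DHCP servers (not given in the scenario).
AUTHORIZED_DHCP = ["10.10.0.5", "10.10.0.6"]
MAC_A, MAC_B, MAC_C = (bytes.fromhex(h) for h in ("001122334455", "001122334456", "001122334457"))

# Constructed capture: a legitimate OFFER, a rogue OFFER, the same rogue ACKing with a
# spoofed option 54 that names a real server, and an ordinary client DISCOVER.
SAMPLE_PACKETS = [
    ("10.10.0.5",   build_dhcp(2, 2, 0x1001, "10.10.20.41", MAC_A, "10.10.0.5")),
    ("10.10.20.99", build_dhcp(2, 2, 0x1002, "192.168.1.50", MAC_B, "10.10.20.99")),
    ("10.10.20.99", build_dhcp(2, 5, 0x1002, "192.168.1.50", MAC_B, "10.10.0.5")),
    ("0.0.0.0",     build_dhcp(1, 1, 0x1003, "0.0.0.0", MAC_C)),
]

if __name__ == "__main__":
    for alert in find_rogue_offers(SAMPLE_PACKETS, AUTHORIZED_DHCP):
        print(alert)
```

Run as a script, it prints two alerts: the rogue OFFER (both the source and option 54 are unauthorized) and the rogue ACK, which is caught only by the source-address check because its option 54 was spoofed to an authorized server. The DISCOVER is ignored, since client messages say nothing about which servers are on the segment.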

4. Required Standards for Common Devices:

  • Servers:
    • Hardening configurations (DISA STIGs where one exists for the product, CIS Benchmarks otherwise), verified with SCAP-based configuration scanning.
    • Regular patching and authenticated vulnerability scanning.
    • Log management and monitoring, with time synchronized across all systems so events can be correlated.
  • Network Devices (Routers, Switches, Firewalls):
    • Centralized administrative authentication (TACACS+ or RADIUS) with MFA rather than shared local passwords; local accounts reserved for emergency access and their passwords vaulted.
    • Access control lists (ACLs), including restriction of management interfaces to an administrative network.
    • Intrusion detection/prevention systems (IDS/IPS).
    • Regular firmware updates and configuration backups under change control.
  • Workstations/Laptops:
    • Endpoint protection (antivirus, anti-malware).
    • Full disk encryption.
    • Patch management.
    • Regular security awareness training for the users of the devices.
  • Mobile Devices (if applicable):
    • Mobile Device Management (MDM) software.
    • Data encryption.
    • Remote wipe capabilities.
    • Screen lock with a strong passcode or biometric.

5. DoD-Compliant Policies:

  • Access Control Policy:
    • Defines user access management, including password policies, MFA, and least privilege.
  • Incident Response Policy:
    • Outlines procedures for detecting, reporting, and responding to security incidents, including the DFARS 252.204-7012 obligations to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery and to preserve images of affected systems and relevant monitoring data for at least 90 days.
  • Data Protection Policy:
    • Covers identification and marking of CUI, data encryption, backup, and recovery.
  • Configuration Management Policy:
    • Establishes standards for configuring and maintaining IT systems.
  • Vulnerability Management Policy:
    • Defines procedures for identifying and remediating vulnerabilities.
  • Security Awareness and Training Policy:
    • Mandates regular security training for all employees.
  • Contingency Planning Policy:
    • Describes disaster recovery and business continuity procedures.
  • Acceptable Use Policy:
    • Defines acceptable uses of IT resources.

6. Policies, Standards, and Controls for DoD Compliance:

  • Implementation of the NIST SP 800-171 requirements, with NIST SP 800-53 as the reference for control detail, documented in a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for any gaps.
  • Submission of the NIST SP 800-171 assessment score to SPRS and achievement of the CMMC level specified in the contract.
  • Compliance with DFARS 252.204-7012, including its incident reporting and media preservation obligations.
  • Regular security assessments and audits.
  • Continuous monitoring of security logs and events.
  • Establishment of a security operations center (SOC), in-house or through a managed provider, if the monitoring cannot otherwise be staffed around the clock.

7. High-Level Deployment Plan:

  1. Gap Analysis:
    • Assess the current environment against each NIST SP 800-171 requirement, record the results in a System Security Plan, and list every unmet requirement in a POA&M with an owner and a target date.
  2. Policy and Standards Development:
    • Develop and document required policies and standards.
  3. Control Implementation:
    • Implement technical controls (e.g., MFA, encryption, IDS/IPS).
    • Configure systems according to hardening guidelines.
  4. Security Awareness Training:
    • Provide security awareness training to all employees.
  5. Testing and Validation:
    • Conduct vulnerability scans and penetration tests.
    • Perform security audits.
  6. Documentation and Accreditation:
    • Document all security controls and procedures, and keep the SSP and POA&M current as controls are implemented.
    • Prepare for the CMMC assessment (at Level 2, most CUI contracts require a third-party C3PAO assessment) and DoD audits, including the evidence an assessor will ask for: configurations, logs, training records, and test results.
  7. Continuous Monitoring:
    • Implement continuous monitoring of security logs and events.
    • Establish a process for regular security updates and patching.
    • Regularly review and update security policies.
