Security professional for Tech R Us, an IT (Information Technology) services
Sample Solution
Tech R Us is a rapidly growing IT services provider that has recently won a large contract with the US Department of Defense (DoD). This contract is a high-priority, high-visibility project, and Tech R Us will be required to meet all DoD security standards in order to deliver its services.
This document provides a set of DoD-approved security policies, standards, and control descriptions for Tech R Us' IT infrastructure. These policies, standards, and controls are designed to protect DoD data and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Policies
1. Access Control
- All access to DoD systems and data must be controlled.
- Access must be granted on a need-to-know basis.
- Access must be revoked when no longer needed.
2. Awareness and Training
- All personnel working on DoD projects must be aware of DoD security policies and procedures.
- Personnel must be trained on how to protect DoD data and systems.
- Training must be provided on a regular basis.
3. Audit and Accountability
- All access to DoD systems and data must be audited.
- Audit logs must be reviewed on a regular basis to detect suspicious activity.
- Personnel must be held accountable for their actions.
4. Configuration Management
- All DoD systems and data must be properly configured.
- Changes to DoD systems and data must be controlled and documented.
- Systems and data must be configured in accordance with DoD security standards.
5. Contingency Planning
- Tech R Us must have a contingency plan in place to respond to security incidents.
- The contingency plan must be tested on a regular basis.
6. Incident Response
- Tech R Us must have an incident response plan in place to respond to security incidents.
- The incident response plan must be tested on a regular basis.
- Tech R Us must report all security incidents to DoD in a timely manner.
7. Information Security
- Tech R Us must protect DoD data from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Tech R Us must implement security controls to protect DoD data, including encryption, access control, and physical security.
8. Maintenance
- Tech R Us must maintain its DoD systems and data in a secure manner.
- Tech R Us must apply security patches and updates to DoD systems in a timely manner.
- Tech R Us must perform regular security audits of its DoD systems and data.
9. Media Protection
- Tech R Us must protect DoD media from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Tech R Us must implement security controls to protect DoD media, including encryption, access control, and physical security.
10. Personnel Security
- Tech R Us must screen all personnel working on DoD projects.
- Tech R Us must conduct background checks on all personnel working on DoD projects.
- Tech R Us must terminate the employment of any personnel who violate DoD security policies or procedures.
11. Physical Security
- Tech R Us must protect its DoD systems and data from unauthorized physical access.
- Tech R Us must implement physical security controls, such as access control systems, surveillance systems, and intrusion detection systems.
12. Risk Management
- Tech R Us must identify, assess, and manage the risks to its DoD systems and data.
- Tech R Us must implement security controls to mitigate the risks to its DoD systems and data.
- Tech R Us must monitor the risks to its DoD systems and data on a regular basis.
13. System Security
- Tech R Us must protect its DoD systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Tech R Us must implement security controls to protect its DoD systems, including access control, intrusion detection, and intrusion prevention.
14. Transmission Security
- Tech R Us must protect DoD data in transit from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Tech R Us must implement security controls to protect DoD data in transit, such as encryption and authentication.
Standards
The following standards are applicable to all DoD systems and data:
- Risk Management Framework (RMF)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- DoD Information Security Program (DISP)
- DoD Instruction 8500.01E: Information Assurance (IA) Program
Control Descriptions
The following control descriptions are applicable to all DoD systems and data:
- Access Control: All access to DoD systems and data must be controlled. Access must be granted on a need-to-know basis. Access must be revoked when no longer needed.
- Awareness and Training: