Choose an organization from the choices provided (Department of Homeland Security) and prepare a security plan that provides security awareness policy using a security policy framework outline. This plan must be completed and submitted in MS Word format.
Security Policy Framework Outline:
1. Physical Security
A. Access to DHS buildings, rooms, work areas, spaces, and structures housing information systems, equipment, or data shall be limited to authorized personnel.
B. Controls for deterring, detecting, restricting, and regulating access to sensitive areas shall be in place and shall be sufficient to safeguard against possible loss, theft, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.
2. Access Control
A. Components shall implement access control policy and procedures that provide protection from unauthorized alteration, loss, unavailability, or disclosure of information.
B. Users shall not provide their passwords to anyone, including system administrators.
3. Network and Communications Security
A. Data communication connections via modems shall be limited and shall be tightly controlled as such connections can be used to circumvent security controls intended to protect DHS networks. Data communication connections are not allowed unless they have been authorized by the Component CISO/ISSM. Approved remote access to DHS networks shall only be accomplished through equipment specifically approved for that purpose. Tethering through wireless PEDs is prohibited unless approved by the appropriate AO.
B. Remote access of PII shall comply with all DHS requirements for sensitive systems, including strong authentication. Strong authentication shall be accomplished via virtual private network (VPN) or equivalent encryption and two-factor authentication. The Risk Assessment and SP shall document any remote access of PII, and the remote access shall be approved by the AO prior to implementation.
4. Network Security Monitoring
A. The DHS EOC shall administer and monitor DHS intrusion detection system (IDS) sensors and security devices.
B. Components shall provide continuous monitoring of their networks for security events or outsource this requirement to the DHS EOC. Monitoring includes interception and disclosure as required for the rendition of service or to protect the Department’s or Component’s rights or property. Service observing or random monitoring shall not be used except for mechanical or service quality control checks (as required by the Electronic Communications Privacy Act). In this instance, “rights” refers to ownership of, or entitlement to, property or information, as in intellectual property.
5. Firewalls and Policy Enforcement Points
A. Components shall restrict physical access to firewalls and PEPs to authorized personnel.
B. All Department and Component firewalls and PEPs shall be administered in coordination with DHS security operation capabilities, through the DHS EOC or Component SOCs.
6. Internet Security
A. Any direct connection of OneNet, DHS networks, or DHS mission systems to the Internet or to extranets shall occur through DHS TIC PEPs. The PSTN shall not be connected to OneNet at any time.
B. Firewalls and PEPs shall be configured to prohibit any protocol or service that is not explicitly permitted.
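The "prohibit unless explicitly permitted" rule in 6.B is a default-deny allow-list. The following Python is an added illustration written for this plan, not DHS or OneNet configuration: it models a PEP allow-list as a small set of explicit permit rules, evaluates candidate flows against it with an implicit deny, and audits the rule set for wildcard entries that would silently turn the allow-list back into "permit anything". The rules, zone names and flows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One explicit permit entry at a policy enforcement point (PEP)."""
    proto: str                 # "tcp", "udp" or "icmp"; "any" is a policy violation
    dst_port: Optional[int]    # None for protocols without ports (icmp); 0 means "all ports"
    dst_zone: str              # zone the flow is entering, e.g. "dmz" (constructed name)
    note: str = ""

# Constructed allow-list for a hypothetical Internet-facing PEP.
# Anything not listed here is denied by is_permitted().
PERMIT_RULES = [
    Rule("tcp", 443, "dmz", "HTTPS to public web front end"),
    Rule("tcp", 25, "dmz", "SMTP to mail gateway"),
    Rule("udp", 53, "dmz", "DNS to external resolver"),
    Rule("icmp", None, "dmz", "echo for availability monitoring"),
]

def find_overbroad_rules(rules):
    """Return rules that undermine explicit permission: wildcard protocol or all-ports."""
    return [r for r in rules if r.proto.lower() == "any" or r.dst_port == 0]

def is_permitted(proto, dst_port, dst_zone, rules=PERMIT_RULES):
    """Default-deny evaluation: a flow passes only if an explicit rule matches it exactly."""
    proto = proto.lower()
    for r in rules:
        if r.proto == proto and r.dst_zone == dst_zone and r.dst_port == dst_port:
            return True
    return False  # no explicit permit matched -> implicit deny

def audit_flows(flows, rules=PERMIT_RULES):
    """Classify a batch of (proto, port, zone) tuples; returns (permitted, denied) lists."""
    permitted, denied = [], []
    for flow in flows:
        (permitted if is_permitted(*flow, rules=rules) else denied).append(flow)
    return permitted, denied

if __name__ == "__main__":
    # Constructed sample traffic: one legitimate HTTPS flow, one Telnet attempt,
    # one attempt to reach the DNS port over the wrong transport.
    sample = [("tcp", 443, "dmz"), ("tcp", 23, "dmz"), ("tcp", 53, "dmz")]
    ok, blocked = audit_flows(sample)
    print("permitted:", ok)
    print("denied   :", blocked)
    bad = find_overbroad_rules(PERMIT_RULES + [Rule("any", 0, "dmz", "temporary debug rule")])
    print("overbroad rules to remove:", bad)
```

The audit function is the piece worth keeping in a real review: a rule set can look like an allow-list while a single `any`/all-ports entry makes the terminal deny unreachable.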
7. Email Security
A. Components shall correctly secure, install, and configure the underlying email operating system.
B. Components shall conduct mail server administration in a secure manner. This includes performing regular backups, performing periodic security testing, updating and patching software, and reviewing audit logs at least weekly.
8. Testing and Vulnerability Management
A. Components shall conduct vulnerability assessments and/or testing to identify security vulnerabilities on information systems containing sensitive information annually or whenever significant changes are made to the information systems. This shall include scanning for unauthorized wireless devices. Evidence that annual assessments have been conducted shall be included in SARs and with annual security control assessments.
B. System Owners shall report the security alert and advisory status of the information system to the AO, Component CISO/ISSM, and DHS CISO upon request and on a periodic basis.
9. Encryption
A. Components shall develop and maintain encryption plans for sensitive information systems.
B. Systems requiring encryption shall comply with the following methods: products using FIPS 197 Advanced Encryption Standard (AES) algorithms with at least 256-bit encryption that have been validated under FIPS 140-2, or National Security Agency (NSA) Type 2 or Type 1 encryption. (Note: The use of triple Data Encryption Standard [3DES] and FIPS 140-1 is no longer permitted.)
10. Identification and Authentication
A. For information systems requiring authentication controls, Components shall ensure that the information system is configured to require that each user be authenticated before information system access occurs.
B. For systems with low impact for the confidentiality security objective, Components shall disable user identifiers after ninety (90) days of inactivity; for systems with moderate and high impacts for the confidentiality security objective, Components shall disable user identifiers after forty-five (45) days of inactivity.
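Section 10.B sets two inactivity thresholds that depend on the confidentiality impact level. The Python below is an added worked example for this plan, not a DHS tool: it applies the 90-day (low) and 45-day (moderate/high) limits to a constructed account list and returns the user identifiers that must be disabled. Two cases the policy text leaves to the implementer are handled explicitly and labelled as assumptions: accounts that have never logged in are measured from their creation date, and an account is flagged on the day its inactivity reaches the limit.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from policy 10.B, keyed by the confidentiality impact level.
INACTIVITY_LIMIT_DAYS = {"low": 90, "moderate": 45, "high": 45}

@dataclass(frozen=True)
class Account:
    user: str
    created: date
    last_login: Optional[date]   # None = never authenticated
    enabled: bool = True

def inactivity_limit(impact):
    """Map an impact level to its inactivity limit; unknown levels are a configuration error."""
    try:
        return INACTIVITY_LIMIT_DAYS[impact.lower()]
    except KeyError:
        raise ValueError(f"unknown confidentiality impact level: {impact!r}")

def days_inactive(account, today):
    """Days since last use. Assumption: a never-used account counts from its creation date."""
    anchor = account.last_login or account.created
    return (today - anchor).days

def accounts_to_disable(accounts, impact, today):
    """Return sorted user identifiers that have reached the inactivity limit and are still enabled."""
    limit = inactivity_limit(impact)
    return sorted(
        a.user for a in accounts
        if a.enabled and days_inactive(a, today) >= limit   # assumption: limit day counts
    )

# Constructed sample directory as of a fixed review date.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2023, 1, 15), date(2024, 5, 20)),   # 12 days inactive
    Account("bob",   date(2023, 1, 15), date(2024, 4, 1)),    # 61 days inactive
    Account("carol", date(2023, 1, 15), date(2024, 2, 1)),    # 121 days inactive
    Account("dave",  date(2024, 3, 10), None),                # never used, 83 days old
    Account("erin",  date(2022, 6, 1),  date(2023, 12, 1), enabled=False),  # already disabled
]

if __name__ == "__main__":
    for level in ("low", "moderate", "high"):
        print(f"{level:>8}: disable {accounts_to_disable(SAMPLE_ACCOUNTS, level, REVIEW_DATE)}")
```

Running it shows why the impact level has to come from the system's categorization rather than a default: the same directory yields one disable action under a low rating and three under moderate or high, and the never-used account only appears in the stricter set.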