
Final Project Proposal Page 1

ITT TECHNICAL INSTITUTE

State Government Department of Finance

and Administration Request for Proposal for Information Security

Assessment Services (ISAS)

RFP Number: 427.04-107-08

Due: February 25, 2012

FINAL PROJECT PROPOSAL

The contents of this document include all requirements for Final Project Proposal for RFP Number 427.04-107-08. Documentation submitted by PCMJ Security Services is for the sole purpose of this proposal.

PCMJ Team members:

Pamela R. Gist
Mychal Dudley
Chris Warren
John Buchheim

B. Henebry, Instructor

Section A: Section “A” addresses the mandatory requirements of the proposer. The certifications held by the employees of PCMJ include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Security Essentials Specialist (GSEC) and GIAC Certified Project Manager (GCPM). We are in good standing with our financial institution, have a positive business relationship with Dell (our hardware vendor) and Microsoft (our software vendor), and have a positive rating with all associated credit agencies. We currently hold liability insurance in the amount of $1,500,000, which exceeds the minimum amount required by the State. Within our organization we do not have any employees who are currently employed by the State in any way, nor are there any contracts currently being worked on for any State Government agencies. We have conducted vulnerability assessments for other large entities including Procter and Gamble and Hewlett Packard. All documentation, certifications, and other forms of proof are available upon request by the State.

Section B: Section “B” gives further details of the proposer’s current and historical employee status.

PCMJ is a business partnership between four friends who have spent the previous years working together on various projects. Our main office is located in Indiana and our mailing address is as follows:

PCMJ, 1234 Main St., Indianapolis, IN 46202

The main point of contact for all questions or concerns is Pamela Gist. Our company has not been involved in any sales, mergers, or acquisitions in the past ten years, and there are no current plans for any of these possibilities. Background checks on all our employees will show that they are all free from any felony convictions, guilty pleas, or no contest pleas. There are no current litigation hearings involving our business and there have not been any in the past. We have never filed, and are not currently filing, for bankruptcy or any other means of financial rescue. We have never been the target of any Securities and Exchange Commission investigation in the past, and are not involved in one now.

PCMJ was founded in 2002 and has been successful for 10 years. As of 2012, our staff comprises 22 full-time employees. Our staff currently exceeds the RFP minimum requirement of employing a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Security Essentials Specialist (GSEC) and GIAC Certified Project Manager (GCPM). The team that will work with the State consists of the following members and their titles within the company:

• Pamela R. Gist, Project Manager
• Chris Warren, IT Manager
• Mychal Dudley, Client Representative Manager
• John Buchheim, Security Manager
• Amy Potential, Human Resources Manager
• Joshua Great, Compliance Manager
• Theodore Ralls, Legal Representative
• Paul Johnston, Security Fulfillment Manager

If we require the assistance of any subcontractors, the State will be approached for approval and will be given documentation on each person, including contact information, their title, and a description of the work they will be performing. We as a company are dedicated to operating without prejudice towards race, sex, or any other possible discriminatory factors. Our employees include men and women of different ages, races, and religious beliefs.

As mentioned previously, we have had contracts with Procter and Gamble and Hewlett Packard. In addition to these two we have worked successfully with the ITT Corporation, Duke Energy, Bank of America, and Citibank. The references from all of these companies are on file and will be made available upon request. We have never been under contract to any agency or office of the State in our ten years of existence.

Section C: Section “C” details the proposer’s understanding of the RFP. The remainder of this proposal will be broken down by section and number for better clarity.

C.1 The State will require PCMJ to have an office in the state of Ohio with the mandated licenses and insurance.

C.2 For any area of expertise in which the company has a deficiency, PCMJ shall, with the approval of the State, hire a third-party vendor to accomplish that task.

C.3 Any third-party vendor relied on shall meet the same personnel requirements as PCMJ, in that all personnel shall pass a State-approved background check.

C.4 Vulnerability assessments shall be done in each of the seven typical information system domains. Each domain will be evaluated for operating system, software and malware signature updates where applicable. Hardware including routers, IDS/IPS, firewalls and managed switches will have their configurations reviewed.

C.5 Any vulnerability discovered through the assessment process will be prioritized and a mitigation effort proposed. Documentation of any vulnerability or incident that has been realized will be used to develop a standard procedure where one does not exist, and will be delivered to the appropriate department manager for proper storage.

C.6 PCMJ is able to assess all current operating systems, databases, IDS/IPS settings, router, firewall and switch settings, as well as Access Control Lists.

C.7 The review of source code assembled by State contractors and personnel shall be accomplished through a third-party vendor that we will contract on behalf of the State in order to fulfill this Security Evaluation. The code review shall look specifically for vulnerabilities such as format string mistakes, buffer overflows, memory leaks, input validation/sanitization mistakes, weak passwords, administrative back doors, unnecessary open ports, etc.

C.8 The approved outside vendor will report all findings in a document marked “Source Code Evaluation” to the Software Development Team, the Project Manager, the IRT team and the Policy Review team headed by PCMJ, so that mitigation efforts and bug fixes can be developed and implemented.

C.9 The contractor we provide to perform the code review will have expert knowledge in any language the State requires, including COBOL, Java, Perl, and the more modern languages.

C.10 Anonymous example from the Scope of Services: “A port scan on the server located at 192.160.128.10 has open ports listening on port 3689. This port is used for iTunes communication and should not be in service unless specifically designed into proprietary software developed by the State.”

C.11 All background checks will be performed to the State minimum requirements, with special attention to previous employment activities.

Section D: Section D discusses our approach to developing a Security Policy Framework gap analysis.

D.1 Our approach is to protect the accounting department’s financial files and data on the network using a layered security approach to harden against any unauthorized attempts to access the network.

D.2 We will ensure that all personally identifiable information (PII) is fully encrypted, that all remote access to the network containing PII travels over a VPN, and that unique user IDs and passwords are put in place.

D.3 To comply with PCI DSS, all customer information will be encrypted using 3DES, and a secure transfer protocol will be used when it is in transit.

D.4 We will ensure that PII and PHI information is on a separate server behind layered defenses using both firewalls and routers.

D.5 All current group policies will be updated following a ‘Principle of Least Privilege’ approach, so that only those persons who need access to objects pertaining to customer and/or financial information have it. The files that are subject to ‘need to know’ access will have special passwords as well as a biometric touchpad.

D.6 Banners will be in place on all workstations informing all users that they will not have access to the Public Internet while on the State’s network, and that we have the right to, and will, monitor their logging sessions and review all sites that are visited and attempted file access. Stateful inspection of packet headers and content will continuously monitor the traffic into and out of the local area network.

D.7 We will further develop a policy for both internal and remote user access. This policy is currently under development and we can help to ensure that it is created to provide the necessary security as well as ease of access for those who require it. These policies will target the mission critical areas (network, staff and data) first before moving to the remote site.

D.8 Gaps in the VPN remote user policy include a scan of the remote equipment to ensure that the OS and firewall / malware software are up to date. An evaluation of the current patches and scan results must also be verified. The VPN software being used now is sufficient to maintain confidentiality.

D.9 A Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) often go hand in hand, so much so that there are often familiar faces on both teams. A BCP team must prioritize those critical business elements that relate to the business’s core function, and the plan is implemented when those functions are threatened or violated. A disaster may or may not be declared at this point. If it were to be declared, the Disaster Recovery Plan (DRP) would be activated and that team would determine how much of its vastly more extensive plans would need to be put into place.

D.10 Currently the access and privilege control policy is also under development. We will ensure that all users are part of the correct group to allow access with the proper privileges. All employees, regardless of position or title, will read and sign an ‘acceptable use policy’ that states what actions are unacceptable before being assigned a workstation.

Section E: Section E relates to how we will review and assess current PHI and PII data handling policies.

E.1 We will be using the best practices described in the National Institute of Standards and Technology (NIST) Special Publication 800-122, titled Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), to determine compliance.

E.2 HIPAA 5010 compliance laws in Ohio are on file and are generally covered by the NIST SP 800-122 publication and the principle of least privilege.

E.3 The best practices described in the NIST 800 series guide us on what to look for when evaluating your IT security policies. We will examine your current layered approach inside and out and make any necessary recommendations.

E.4 The current Active Directory structure of group policies reveals how well the principle of least privilege is implemented. We also have to look into the server structure to be sure that strong passwords, proper encryption standards and a narrow set of administrative rights exist.

E.5 To identify any possible gaps in the control coverage protecting privacy data, we will first review your employee security training to make sure there is a section regarding illegitimate access to privacy data. We will also review log files to see if there is any indication of repeated failed attempts to access privacy data.

E.6 Change local policy to allow read-only access for those departments that need only to view files; allow medical departments both read and write privileges while at the same time implementing the principle of least privilege on all file structures.

E.7 Privacy data is found in more areas than most companies think. It can be found in email, internal notes and personal documents; the list goes on. This data can be client data or employee data. Once it is on a system, it becomes the property of the State. We will suggest a policy change in regard to the Security Training that each employee takes, based on the findings of our initial hunt for PII on your network. If a corporate culture of saving potentially sensitive data is detected, it can be addressed in the updated Security Training.

E.8 Any new policy developed in response to a deficiency will be distributed to each employee for review. Each employee must then sign a document stating that they have read and will abide by the new policy.

Section F: Section F reviews how PCMJ will review each of the domains needed to fulfill the scope of this RFP.

F.1 With the Critical Business Tasks identified, we will devise a matrix that includes the resources needed to accomplish and maintain those tasks. Those resources can then be evaluated for threat vectors and vulnerabilities.

F.2 The established Policies and Controls can now be reviewed to assure that all threat vectors and vulnerabilities are taken into consideration. Documentation of changes and additions to the policies will be noted in an appendix.

F.3 There are many known risks and threats to every network infrastructure. They typically start from the outward facing points of access like a company website and remote access. With this in mind, particular attention is paid to buffer overflows, memory leaks and man-in-the-middle attacks. Trusted vendors such as Symantec and McAfee make available a newsletter and website devoted to current threat trends. We monitor these and others, such as the software vendors themselves, to keep abreast of current risks, threats and vulnerabilities.

F.4 IT infrastructure components have a finite lifespan. Within this lifespan, configurations and software must be kept up to date. There comes a time when a component must be replaced, not because it has failed, but because its lifespan has reached a predictable failure rate or the technology has changed enough that new hardware must be implemented to keep up with the new technology and/or remain in compliance with State or Federal rules.

F.5 Once the critical hardware has been identified in any IT infrastructure, the operating systems and configuration software can be scanned and analyzed for known bugs using software such as Nessus.

F.6 Each risk, as it becomes known, is put into a matrix that will determine the criticality of the service affected, the likelihood that the risk will be exploited, the cost per exploitation and the cost to implement a mitigation effort. Using this chart we can prioritize a mitigation strategy.

F.7 These are then formed into a list by criticality based on a qualitative analysis of the previous chart.

F.8 The Executive Summary for section F will state each of the security risks as we have determined them, in order of severity. Included will be a mitigation effort list for each risk and a cost breakdown for those efforts. A schedule can then be developed to implement each approved mitigation effort.

Section G: Section G is a qualitative analysis of the requirements needed to fulfill the scope of this RFP.

G.1 The critical functions needed to carry out the State’s mission statement are used to develop the top priorities in a risk assessment.

G.2 In the qualitative risk assessment of the IT infrastructure, all configuration files will be reviewed as well as the age of the equipment.

G.3 Any equipment that has reached the manufacturer’s end-of-life status will be recommended for replacement as soon as possible. Equipment that has reached its predicted life cycle expectancy will be replaced based on its security function and how much redundancy is built into the current security structure.

G.4 The core of our security structure is the system/application domain. This is where the servers reside and it is at the center of our layered security approach. Although the impact of a breach here is high, the risk is smaller as we look deeper into the “onion”. The risk of a breach on a workstation is considered high but the impact lower, as long as the breach is discovered quickly.

G.5 Severity is measured not only in downtime, but also in potential fines and loss of customer confidence. We prioritize risk by the amount of money it will cost the company or organization to recover from a breach.

G.6 Every proposed response to a potential risk is based on the likelihood it will be realized, the cost per incident and the annual rate of incidents. If a risk is inexpensive to mitigate and has a high cost per incident, this becomes our high priority risk mitigation task. If it has a low cost per incident, does not affect customer confidence and has a low annual rate of incidents, it may never have a mitigation process implemented.

G.7 When possible, more than one mitigation response will be developed for each qualitative risk identified.

G.8 From highest to lowest priority, each qualitative risk will be explained briefly and one or more mitigation responses will be associated with it. Each mitigation response will have a clear cost attached.

Section H: Section H is a qualitative analysis of the risk responses developed in accordance with the RFP.

H.1 The qualitative risk assessment report will have identified those risks that are most likely to be realized, the rate of occurrence and the costs associated with each occurrence. Using this information and the input from the State, we will devise a mitigation effort calendar.

H.2 Our risk response report will be outlined in a Gantt chart associating prioritization and the resources needed to achieve our mitigation efforts.

H.3 Any risk that is determined to be “High” whose cost is also determined to be “High” is deemed Critical and must be addressed ASAP. Any risk that has a high rate of occurrence and a moderate cost is also one that needs to be addressed ASAP. Any risk that affects a critical business function will also warrant a response.
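The prioritization rules of G.6 (likelihood, cost per incident, annual rate of incidents, cost to mitigate) and H.3 (High/High is Critical, high rate with moderate cost is ASAP, critical business functions warrant a response), carried through as an added Python example that is not part of PCMJ’s proposal. The dollar thresholds, tier names and sample risks are assumptions constructed for illustration, since the proposal gives no figures.

```python
"""Risk prioritization following G.6 and H.3 of the proposal (added example)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    aro: float               # annual rate of occurrence: expected incidents per year
    sle: float               # cost per incident (single loss expectancy), in dollars
    mitigation_cost: float   # one-time cost of the proposed mitigation, in dollars
    critical_function: bool  # True if the risk affects a critical business function
    confidence_impact: bool  # True if an incident would hurt customer confidence


# Thresholds are assumptions for this example; the proposal gives no numbers.
HIGH_RATE = 1.0           # one or more expected incidents per year counts as "High"
LOW_RATE = 0.1            # fewer than one incident per ten years counts as low
HIGH_COST = 50_000.0      # cost per incident at or above this is "High"
MODERATE_COST = 10_000.0  # cost per incident at or above this is "moderate"

TIER_ORDER = ["Critical", "ASAP", "High", "Response required", "Evaluate", "Accept"]


def annual_loss_expectancy(risk):
    """Expected yearly loss: cost per incident times annual rate of occurrence."""
    return risk.sle * risk.aro


def classify(risk):
    """Assign the response tier using the H.3 rules first, then the G.6 rules."""
    if risk.aro >= HIGH_RATE and risk.sle >= HIGH_COST:
        return "Critical"            # H.3: "High" likelihood and "High" cost
    if risk.aro >= HIGH_RATE and risk.sle >= MODERATE_COST:
        return "ASAP"                # H.3: high rate of occurrence, moderate cost
    if risk.sle >= HIGH_COST and risk.mitigation_cost < risk.sle:
        return "High"                # G.6: inexpensive to mitigate, high cost per incident
    if risk.critical_function:
        return "Response required"   # H.3: touches a critical business function
    if (risk.sle < MODERATE_COST and not risk.confidence_impact
            and risk.aro < LOW_RATE):
        return "Accept"              # G.6: may never get a mitigation process
    return "Evaluate"                # everything else goes to the qualitative review


def prioritize(risks):
    """Return (name, tier, ALE, ROI) rows ordered for the H.1 mitigation calendar."""
    rows = []
    for risk in risks:
        ale = annual_loss_expectancy(risk)
        # H.4: ROI of a response, here expected annual loss avoided per dollar spent.
        roi = ale / risk.mitigation_cost if risk.mitigation_cost else float("inf")
        rows.append((risk.name, classify(risk), ale, roi))
    # Highest tier first; within a tier, larger expected loss and better ROI first.
    return sorted(rows, key=lambda r: (TIER_ORDER.index(r[1]), -r[2], -r[3]))


# Constructed sample risks; the names and figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Weak workstation passwords", 2.0, 60_000.0, 6_000.0, True, True),
    Risk("iTunes port 3689 open on server", 1.5, 15_000.0, 3_000.0, False, False),
    Risk("Unencrypted PHI database", 0.25, 250_000.0, 35_000.0, True, True),
    Risk("Outdated anti-malware on VPN client", 0.5, 30_000.0, 8_000.0, True, False),
    Risk("Break-room printer outage", 0.05, 2_000.0, 4_000.0, False, False),
]

if __name__ == "__main__":
    for name, tier, ale, roi in prioritize(SAMPLE_RISKS):
        print(f"{tier:<18} {name:<38} ALE ${ale:>10,.2f}  ROI {roi:5.1f}x")
```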

H.4 The best response to any item on the prioritized risk response report must have its Return on Investment (ROI) considered. We must consider future functionality when choosing a solution.

H.5 A response that affects multiple domains creates a multilayered effect in the overall security of a network infrastructure. This is what we look for in a proposed risk mitigation approach.

H.6 Implementing these solutions should happen in a protected environment first so we can foresee any potential complications. Once any needed corrections are discovered and tested, we can implement our mitigation responses.

H.7 A formal risk response report will be compiled once the needed actions are taken and implemented. This report will include the final mitigation actions and resources, including the costs involved.

Section I: Section I deals with how the Business Impact Analysis, Business Continuity Plan and Disaster Recovery Plan are designed to keep us going.

I.1 Ensuring operational continuity is a pivotal point of emphasis when looking at any organization. Our approach revolves around the creation and implementation of policies that will ensure that if and when there is an emergency, there are solid plans in place to ensure continuity.

I.2 The first phase is to identify the applications and functions that are critical to keeping your organization running. We will identify the applications that support the key daily operations, the hardware within the infrastructure that supports those applications and houses key data, and the personnel that are needed to continue operating.

I.3 The Business Impact Analysis (BIA) identifies critical functions and weighs the production costs involved as each function goes down.

I.4 The more costly functions that the BIA identifies are elevated to a more critical status. When a failure occurs we use this information to prioritize the functions we restore first.

I.5 Once all the critical resources are identified, we will develop a business continuity plan (BCP). The BCP is important because it provides the instructions on how to recover from any type of emergency, ranging from power outages to natural disasters. It will contain steps for both long and short term emergencies and will include the possibility of relocation if needed.

I.6 The cost of developing a BCP is related more to the staff and conference calls involved in agreeing on recommendations. IT will have one set of priorities, HR will have another, and so on. The price is really in what it takes to incorporate all that is agreed upon. For instance, in this proposal, the required office space needed for a Hot Site is 14,000 sq. ft., and that does not include furniture and computers.

I.7 The next step in the continuity plan is to develop a disaster recovery plan (DRP). The DRP is the plan that contains the actual instructions for the recovery process. The BCP and critical resource list are the basis for the DRP. It will identify the teams that determine the type of disaster, give the go-ahead to launch the DRP, and perform the recovery itself. This is a step-by-step blueprint that contains the tasks, assignments and required times to completely recover from various emergencies.

I.8 Once a disaster has been declared, the DRP team will evaluate the extent of the damage and recommend what to do next. In the event of a full-blown disaster, the DRP team has to make accommodations to activate the hot site (minimal), move and house (temporarily) the necessary teams at the hot site, and begin the BRP phase.

I.9 Creating the BCP and DRP is only part of the complete process. Having a plan is good, but knowing that the plan actually works is what we are looking for. We will coordinate with the State to test the recovery plans and their functionality once they have been approved. We will have documentation of the different teams, the individuals on each team, the responsibilities of the teams, and their contact information as well. We will test the secondary site to ensure that it is operational and that the data flows to the datacenter as it is supposed to. There will be test runs so that all employees have some familiarity with the plans and the first time they see them is not in the event of an emergency.

Section J: Section J covers the threat vectors for critical resources and data and the security used to protect them.

J.1 To prevent loss of accounting data and customer information, PCMJ has come up with a layered security solution that, once in place, will harden the current security by implementing stronger passwords for all users, limiting access to only those groups with a need to know, implementing another layer of firewall software for both the network and the workstations, and completely shutting down all unused ports to the network.

J.2 Any resource that is determined to house PII, PHI, database information or Human Resources data will be determined to be of a high enough priority to require specific protection from attack or failure.

J.3 Access to these resources will be regulated on a “Principle of Least Privilege” basis using the GPO function of Active Directory (AD). Furthermore, once identified, this data will reside on fully encrypted drives and travel over secure channels.

J.4 Threats will be detected by checking the sign-on logs and the sites those users are trying to access, deploying Wireshark to sniff for unwanted traffic, and deploying both IDS and IPS on the network.

J.5 Since the user domain would more than likely be the weakest point, we will have in place banners explaining the denial of any access to the Public Internet; workstations will have anti-malware, a pop-up blocker, and software firewalls on them; both the LAN and the LAN-to-WAN domain will sit behind proxy servers in the DMZ; firewalls and another router will be added on the WAN domain; two layers of additional firewalls will be placed on the system/application domain; and access for remote users will be limited to business hours only.

J.6 All sensitive data will be housed on fully encrypted drives in servers that house only critical data. All sensitive resources will be housed in climate controlled locked cabinets within a locked, climate controlled server room.

J.7 The effectiveness of these controls is monitored in log files that are kept on a separate server so that any record of actions that have taken place cannot be easily altered. Using a baseline of problems that have occurred, we can then determine whether the control actions have been effective.

J.8 There will be two levels of passwords and sign-on measures in place to ensure that, if they are not met, the system will lock the user completely out. Monthly vulnerability tests using white hat techniques will test the strength of the layered security placed on the seven domains. Audit logs will be created to monitor the log-on attempts both within the department and from the remote users onto the network, and IDS and IPS will be developed to ensure that the layered security in place is meeting the requirements of the State.
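The log review described in E.5 (repeated failed attempts to access privacy data) and the audit-log monitoring of remote log-ons in J.5 and J.8 (remote access limited to business hours), as one added Python example that is not part of PCMJ’s proposal. The key=value log format, the LAN range, the business-hours window, the failure threshold and the sample log lines are all assumptions constructed for illustration.

```python
"""Audit log review for E.5 (repeated failed access to privacy data) and
J.5/J.8 (remote log-ons outside business hours); added example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# The proposal names no log format, so this key=value layout is an assumption.
LINE_RE = re.compile(
    r"^(\S+) user=(\S+) src=(\S+) action=(\S+) object=(\S+) result=(\S+)$")
PRIVACY_PATH = re.compile(r"\\(PII|PHI)\\", re.IGNORECASE)  # \PII\ or \PHI\ share folder
LAN = ipaddress.ip_network("10.0.0.0/8")   # assumed State LAN; anything else is remote
BUSINESS_HOURS = range(8, 18)              # assumed 08:00 to 17:59 local time
FAIL_THRESHOLD = 3                         # failures per user that count as "repeated"
WINDOW = timedelta(minutes=10)             # within this span

# Constructed sample lines (not from any real system).
SAMPLE_LOG = r"""
2012-02-20T09:14:05 user=jdoe src=10.20.1.15 action=FILE_ACCESS object=\\fin01\PII\payroll.xlsx result=FAILURE
2012-02-20T09:15:40 user=jdoe src=10.20.1.15 action=FILE_ACCESS object=\\fin01\PII\payroll.xlsx result=FAILURE
2012-02-20T09:17:02 user=jdoe src=10.20.1.15 action=FILE_ACCESS object=\\fin01\PHI\claims.mdb result=FAILURE
2012-02-20T09:30:11 user=asmith src=10.20.1.22 action=FILE_ACCESS object=\\fin01\PII\payroll.xlsx result=SUCCESS
2012-02-20T10:02:45 user=asmith src=10.20.1.22 action=FILE_ACCESS object=\\fin01\Public\memo.docx result=FAILURE
2012-02-20T13:05:30 user=rvpn02 src=203.0.113.9 action=LOGON object=vpn-gw result=SUCCESS
2012-02-20T22:41:09 user=rvpn01 src=198.51.100.7 action=LOGON object=vpn-gw result=SUCCESS
2012-02-21T08:00:00 user=jdoe src=10.20.1.15 action=FILE_ACCESS object=\\fin01\PII\payroll.xlsx result=FAILURE
""".strip().splitlines()


def parse(line):
    """Return an event dict, or None for a line that does not fit the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, user, src, action, obj, result = match.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "action": action, "object": obj, "result": result}


def repeated_privacy_failures(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """E.5 check: (user, count, first_time) for users with repeated failed
    attempts on PII/PHI objects inside one window."""
    failures = defaultdict(list)
    for e in events:
        if (e["action"] == "FILE_ACCESS" and e["result"] == "FAILURE"
                and PRIVACY_PATH.search(e["object"])):
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i  # grow the window from times[i] while it stays inside `window`
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append((user, j - i, times[i]))
                break  # one finding per user is enough for the review
    return findings


def remote_logons_after_hours(events):
    """J.5/J.8 check: successful log-ons from outside the LAN outside business hours."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["action"] == "LOGON" and e["result"] == "SUCCESS"
            and ipaddress.ip_address(e["src"]) not in LAN
            and e["ts"].hour not in BUSINESS_HOURS]


def review(lines):
    """Run both checks over raw log lines and return the findings by check name."""
    events = [e for e in map(parse, lines) if e is not None]
    return {"repeated_privacy_failures": repeated_privacy_failures(events),
            "remote_logons_after_hours": remote_logons_after_hours(events)}


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```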

J.9 If our Layered Security Solution invokes a response on each layer and that response is met with some action, then the security approach is working as intended. If there are threats that make it past the current set of controls, they must be addressed immediately and an evaluation as to why a control was not put in place sooner must be made. Such a new threat may be a user disregarding the AUP repeatedly or a port being opened by an administrator to play WoW during office hours.

Calculated Costs:

Initial Port Scan                                                        $3,000.00
Formal Policy Review (based on 18 policies)                              $21,150.00
PII/PHI Data Scan and Recovery Strategy                                  $35,000.00
Analyze Physical Security and make recommendations                       $3,950.00
Initial Network Audit                                                    $3,200.00
Assess each domain for vulnerabilities                                   $5,600.00
Testing of Mitigation Efforts, Develop a Sandbox                         $9,000.00
Test each mitigation effort (based on 20 mitigation efforts)             $16,000.00
Development of a Hot Site, plus Furniture for 500 employees              $12,000.00 + $50,000.00
Order and install Routers, Switches, Servers and Supporting Hardware     $70,000.00 + $34,000.00
14,000 sq. ft. office space lease agreement (annually)                   $182,000.00
Review GPO and make suggested repairs                                    $6,000.00
Develop Automated Procedures for everyday administrative tasks           $10,000.00
Employee Security Training review and redevelopment                      $22,100.00
Review source code, report and recommend bug fixes and vulnerabilities
  (depends upon the number of files and length of code to be reviewed)   ~$10,000.00

Total                                                                    $493,000.00