Robert-DOD Project

APERTURE TECHNOLOGIES

INFROMATION ASSUANCE PLAN AND POLICY

Version 1.84/15/23

Revision Date: 4/15/23INFROMATION ASSUANCE PLAN AND POLICY For Internal APERTURE TECHNOLOGIES Use Only, Classified Top Secrete

APERTURE TECHNOLOGIES Version: 1.8

VERSION HISTORY

Version # ImplementedBy

RevisionDate

ApprovedBy

Approval

Date

Reason

1.0 Kevin Hildreth 7/3/2013 Robert Williams 7/3/2013

1.1 Robert Williams 7/10/2013 Robert Williams 7/10/2013

1.2 Anthony Durran 7/17/2013 Robert Williams 7/17/2013

1.3 Diego Isidro 7/24/2013 Robert Williams 7/24/2013

1.5 Kevin Hildreth 8/5/2013 Robert Williams 8/7/2013

1.8 Robert Williams 8/15/2013 Robert Williams 7/17/2013 Revision

2.0 team 8/27/2013 Chief Staff Final Approval and Acceptance

Version: 1.8



Table of Contents

1 INTRODUCTION.....................................................................................................................1

1.1 About Us....................................................................................................................1

1.2 Purpose Of The Poposal.............................................................................................1

1.3 Scope..........................................................................................................................1

1.4 Law compliace...........................................................................................................1

1.5 Summary....................................................................................................................1

1.6 Roles...........................................................................................................................1

1.6.1 Senior Management..............................................................................................1

1.6.2 IT Management.....................................................................................................2

1.6.3 IS Management.....................................................................................................2

1.6.4 Functional Management.......................................................................................2

1.6.5 IS Security Practitioners.......................................................................................2

1.6.6 IT Technicians......................................................................................................2

1.6.7 Security Awareness trainers.................................................................................2

1.6.8 Chief Information Officer (CIO)..........................................................................2

1.6.9 Information Assurance (IA) or Information Security Staff Representative.........2

1.7 Schedule.....................................................................................................................2

2 POLICIES.................................................................................................................................3

2.1 Introduction................................................................................................................3

2.2 Scope..........................................................................................................................3

2.3 policies.......................................................................................................................3

2.3.1 Best Practices........................................................................................................3

2.3.2 Backup and recovery............................................................................................6

2.3.3 Service Level Agreement.....................................................................................8

3 PROJECT PROPOSAL APPROVAL..................................................................................10

5 APPENDIX A: REFERENCES.............................................................................................11

6 APPENDIX B: KEY TERMS...............................................................................................12



1 INTRODUCTION

1.1 ABOUT US

Aperture Technologies is a Network design company that started out in the founder’s garage. Since then we have grown from a small organization to a moderate sized company that has 390 employees and still growing.

Our mission is to be able to provide other companies with efficient, safe and reliable networks. We help companies keep cost down and revenues high. We specialize in ensuring that your network is secure and reliable. Since 2000 we have helped to develop networks for companies such as Gallo Wineries, Modesto Irrigation district, Chicago Title Company, to name a few.

1.2 PURPOSE OF THE POPOSAL

The purpose of this project is to make the U.S. Air Force Cyber Security Center (AFCSC) compliant to Department of Defense (DOD) cybersecurity standards.

1.3 SCOPE

In this project, we will be identifying all possible threats, non-compliance issues, and proper implementation of new policies for the AFCSC. This will ensure that the AFSCS will comply with security best practices as set forth by the Department of Defense (DoD).

1.4 LAW COMPLIACE

Defense Critical Infrastructure Program (DCIP), Defense Information Systems Agency (DISA), and Federal Information Security Act (FISMA).

1.5 SUMMARY

FISMA, Federal Information Security Management Security act states the following:

1. Periodic assessments of risk be evaluated, including they impact they have on operations

2. That policies and procedures are based on said assessment

3. Plans for providing adequate information security for networks.

4. Security awareness training for all employees of the company.

5. Periodic testing of IT security measures and policies in place.

6. Process for planning, implementation, evaluation, and documenting remedial actions to address deficiencies in the implementation, policy, or practices.

1.6 ROLES

The following roles with in the company have contributed to the development of the risk management plan as all of these roles have a stake in the outcome of the plan.

1.6.1 Senior Management

Ensures that the project meets the overall goal of the companies needs to keep the company profitable.



1.6.2 IT Management

Ensures that company guide lines for the network are being followed to keep productivity high. Helps with implementation of policies and procedures.

1.6.3 IS Management

Ensures that all required security requirements and precautions have are met. Develops practices for testing and implementation. Helps to make recommendations about security practices to follow, as well as the development of the DRP.

1.6.4 Functional Management

Helps in the overall development to ensure that functionality across the board is met.

1.6.5 IS Security Practitioners

Responsible for putting the implementation together, testing, documenting, and over management of the system when it goes live. Active scanning and evaluation of the network.

1.6.6 IT Technicians

Responsible for the main installation of all network components, initial configurations, and testing of equipment under the direction of the IT Management.

1.6.7 Security Awareness trainers

To make sure that all end users, employees, contractors, or person that will have a need to understand the policy contained here in this plan based on the duty they need to perform.

1.6.8 Chief Information Officer (CIO).

CIOs are responsible for all organization

telecommunications and information networks and systems. They are best positioned to advice on broad aspects of security and survivability for these types of assets.

1.6.9 Information Assurance (IA) or Information Security Staff Representative

These personnel are best positioned to provide essential detailed technical advice on measures to secure and assure information and telecommunications networks and systems.

1.7 SCHEDULE

The following is rough schedule for completing the proposal report:

Date Action Responsible

June 18 Initial meeting Team

June 25 Research DOD compliance

Robert Williams

July 2 List controls for devices

Kevin Hildreth

July 9 Standards for network devices

Kevin Hildreth



July 16 Develop deliverables Diego Isidro

July 23 DOD frameworks Anthony Durran

July 30 Review policies 1-7 Robert Williams

August 6 Review policies 8-15 Kevin Hildreth

August 13 Revise Robert Williams

August 27 Final summation for approval.

Team

2 POLICIES

2.1 INTRODUCTION

A look at the policies that will be put into place to ensure that all DoD requirements and regulations are met.

2.2 SCOPE

To set policies in place that will act as guidelines to keep AFCSC data and information safe. These policies are what will be followed and modified as newer technologies come available

2.3 POLICIES

2.3.1 Best Practices

Best practices will be deployed on all areas of the security design for the network and systems attached to the network.

2.3.1.1 DCAR-1 Annual Comprehensive IA Review

An annual Information Assurance (IA) review will conducted to ensure that all procedures are current, that consistency is meet, and that they fully support the goals of the program, uninterrupted operations.

2.3.1.2 DCBP-1 Security Design; ECVP-1 anti-virus software

2.3.1.2.1 User Domain

The user domain is where our biggest vulnerability lies. Because users are unpredictable and there is no true way to control what they do, training will ensure that all users sign an AUP, and receive security training that Aperture Technologies will provide. Single sign on will be set up to ensure users do not have to remember too many passwords which would lead to the compromise of a user’s password and username.

2.3.1.2.2 WorkStation Domain



All workstations will be running the network anti-virus and malware programs as well as host anti-virus, anti-malware, and firewalls. All USB ports will be disabled unless there is a proven need that it needs to be useable. No information will be stored on the workstation. All workstations will be virtual machines with no physical hard drives attached so information is not locally stored. This gives us more control to shut down a machine in case of a compromise on the network or malicious activity found from a machine.

All default user names and passwords will be disabled or deleted from the operating system. Machine names will follow a preset naming scheme. Local user account passwords must conform to the established UTHSCSA password standard, which includes password complexity and account lockout configurations. Workstations configuration will be so that manual entering of credentials is required every time. No passwords will be stored or saved to allow for automatic logons. Avoiding storing passwords or shadow files on the workstation is a requirement. If passwords are stored locally, the service is removed as well as the local account. If removal is not possible then the password is encrypted and the account disabled to prevent theft. Workstations must utilize password-protected screen savers, log the user off, or lock the account after a period of inactivity this prevents others from being able to logon to that user’s account and taking information. An automatic screensaver lock should be set to 15 minutes or less, except under unusual circumstances.

2.3.1.2.3 LAN Domain

In order to secure the LAN all network components will have their username and passwords changed. All default settings will be set to DoD required settings. IDS and IPS will be installed to ensure proper monitoring and prevention of attacks. This will help with the cyber forensics in the collection of data when it comes to prosecution. The IDS and IPS will help with the detection of worms and other malware.

The LAN will be divided up in to VLANs to implement segregation on the LAN. The number of VLANS will be set at a later time when the complete departmental segregation map is better known. All traffic will be encrypted for transmission across the LAN. Monitoring will be done continuously to search for script kiddies and actually threats both internally and externally.

2.3.1.2.4 LAN to WAN Domain

The LAN to WAN will be maintained with a DMZ to ensure that all traffic coming from the outside has been checked and scanned for any type of threat that may compromise the system. The DMZ will have anti-malware and virus software running at all times. A firewall will be placed as an initial defense to prevent attacks from gaining access to the network through less known or looked at ports. IPS and IDS will be utilized here to detect, locate, and stop intrusions into the system.

Peer to peer sites and applications will be blocked. Statefull packet filtering will be ran on the machine to ensure that only allowable traffic is passed through the appropriate WAN.

2.3.1.2.5 Wan Domain

The WAN domain is divided between the public and private WANS. The Public WAN will include all traffic for outgoing and incoming public traffic. This would include use of the internet, e-mail intended for organizations outside the AFCSC. Firewalls will be put in



to place and all ports except those needed will be on. Websense® will be responsible for the maintenance of this WAN in accordance to the SLA provided and agreed upon.

The Private WAN, purchased through Websense®, will be for the use of all internal AFCSC traffic. This would include all sensitive, confidential and top secret data that would need to be sent to other branches and government offices. This will safeguard the information being passed from one site to another. Websense® will be responsible for the physical maintenance of the private dedicate lines. The AFCSC, Websense®, and Aperture Technologies will be responsible for the logical maintenance of the dedicates lines. AFCSC will monitor as the bandwidth to ensure that there is nothing wrong with the dedicated line, while, Aperture Technologies will maintain all security controls for the information passed on the line including monitoring all activity. Websense® will consult for troubleshooting.

2.3.1.2.6 System / Application Domain

Critical systems and servers will be contained in a designated locked vault room. RDIF Locks will be put in place, cameras on the outside of the vault room. Inside will be secured by further cameras to monitor all activity. All severs will be places within mounted racks with in a locked security cabinet so that even if access from the outside is granted access is still limited. Access will be granted only to those that need access to the rooms through a key card, code, and biometric confirmation. Temperature and humidity controls will be in place along with proper ventilation that can be sealed. A waterless fire suppression system will be installed to protect the data and equipment.

All severs and data bases will have anti-malware and virus installed on all systems. All defaults will be changed to a DoD compliant theme to ensure that vulnerabilities are limited within the system. A firewall will be placed outside the mission critical area to prevent ports from being exploited. All software, firmware, and operating systems will have the latest patches installed. Access to all servers and services will be restricted through the principle of least privileged and the need to know. ADDS will be used to implement Role Based Access Controls so the only the information obtainable is based on the users job role.

Linux servers will run virtualized servers two on each for load balancing and backed up nightly to a SAN. This will limit the exposure of the physical servers and help with DoS and DDoS attacks.

2.3.1.2.7 Remote Access Domain

Remote access domain will greatly depend on the user and is something we do not have control over. However, the hardware is controllable. All mobile devices that connect, access or contain any information in regards to the DoD, AFCSC, or Aperture Technologies will have to meet the following criteria. All hard drives will be encrypted at all times, access to the drive will require a require upon boot up in order to gain access to the computer. This will be in the form us a USB key that must be present while the operating system starts. Username and password will be accompanied by a third token by means of either a smartcard or biometrics in order to sing in to the operating system. Remote access to the VPN will be granted by once again putting in the same username and password with the same authentication to safeguard against the device being stolen while the user is logged into the operating system.



A map of the remote access architecture will me made and updated, firewalls between VPC access points and the network will be in place, SSL VPNs will be used otherwise IPsec or L2TP, but SSL/TSL is preferred. The VPN Authentication server will authenticate through ADDS and the VPN server will run anti-virus and anti-malware programs. Before connection is complete the VPN will check with the distribution patch server to ensure the connecting device is up to date while scanning for malware prior to connection.

2.3.1.3 DCCT-1 Deployment Procedures

In order to prevent crashes from new patches, upgrades, and new assurance information system applications will be tested to ensure that a smooth implementation is completed and that all bugs and problems are dealt with prior to implementation. This will be done using a separate network that is not attached to the main network. This system will have all software and patches that the main network has but on a small smaller scale. Testing on this will allow us to locate any problems that would prohibit the system operationally. Once there are no problems or found problems have been mitigates or solved then the new software, patch, or upgrade can be completed and “go live”.

2.3.2 Backup and recovery

For compliance with DoD I – 8500.2 we need to ensure that the system is safe and secure. This includes backup and recovery, SLA, recovery drills, authentication best practices, and monitoring. More areas will be discussed.

2.3.2.1 COAS-1 alternate site; CODB-3 Data backup

Hot site back up will be implemented to replicate the production site. In case of Alternate site for DRP restoral in case of catastrophic failure, natural, terrorist, or wartime disaster the site can be promptly brought back online to resume full functionality. This site will be placed somewhere in the united states and will have real time replication. The hot site will be placed in a location that is safe from chemical, biological, Radiological, and Nuclear attacks. This means that it will be in a data center underground manned by a small crew.

2.3.2.2 COBR-1 Protection of Assets

In the event of an attack whether cyber or otherwise, all core networking components will have a copy stored in two places. One will be on a portable device so that setting can be flashed back to the drive. Digital backups will be conducted once a week to ensure that firmware and router tables are kept up to date.

When physical access to core systems is made for configuration purposes, then a print out as well as a new digital copy will be made. The Print out will be placed in the backup folder that pertains to the core network. Logs of firmware upgrades will also be logged in a physical record to ensure that in the event of digital information being lost. These logs will and must be kept in a vault that is fire proof to keep them safe,

In regards to any software such as programs or operating systems that are to be backed up. A system image for all the devices will be used for back up purposes. These images will be kept on a separate portable drive and on a DVD that will remain locked in the vault until that software is replaced.



2.3.2.3 COED-1 Exercising of COOP/DRP

The DRP will be tested and exercised at a minimum of once every year for all systems to ensure that the DRP can still be executed and are up to date. The entire system must be tested at least once a year and a report on all systems will be documented.

2.3.2.4 CODP-1; COED-1 Disaster Recovery Plan

To prepare for the event we need to ensure that there is a smooth transfer from the main production site to the standby site. The Disaster Recovery Plan (DRP) will detail how the Incident Response Team (IRT) will make the transfer should the need arise. Ensuring that all systems transfer over with little to no effect on operations, testing will be done at least once a week during non- peak hours and once a month during peak hours. This will enable the IRT to be able to catch any flaws in the process and see how well the system makes the change under variable conditions. This will allow the IRT and other technicians to become proficient at the transition under stress.

2.3.2.5 COED-2 ; COEF-2 Essential functions identified

When system are brought back on line after a disaster we need to prioritize what needs to be brought up first. This order will be made up with the help of the DoD representative to fulfill the needs of the DoD when a disaster happens. Prioritization based on the needs of the facility will be dealt with to get critical systems back online as fast as possible, short of a government shutdown.

Main systems would first include ADDS servers, DHCP servers, communications that are available, and core systems of the network like routers and switches. Application, file, and data bases would be brought online as soon as the main servers where back up. Any server with in the DMZ would be last on the list to bring up as they are on the outside of the system and may have been the gateway to a cyber-attack. Once the reason for the attack is discovered only internal systems should be up and running for security reasons.

2.3.2.6 COPS-1 Power Generators

All systems: workstations, servers, core network components, and peripherals will have an electrical back up power systems put in place. The initial back up system will be a diesel generator on site in case of power grid loss. This will supply power to the entire building to safeguard data and preserve the work environment. Because the generator is not an instant source of power, there is a lap in the period of the time power is out, and the time the generator kicks on uninterrupted power supply (UPS) units are in place. These will allow the user to run off a battery and no disruption to the workstation or server will take place. The period for power to be supplied is as follows:

Workstations will have 20 minutes of UPS power to give users the time to save their work and to shut down.

Servers will Have 1 hour of ups power. This will ensure that users are able to save their work to the databases and sign of. After the twenty minutes is complete then the servers and data bases will start their shut down sequence to guarantee that information is completely written and intact before shut down is commenced.

2.3.2.7 COSW-1 Back-up Software

Backups of all critical software will be collected and kept in a fire rated vault. This includes both on-site and off-site storage. The vaults will hold all operating systems



images for servers and workstations, mission critical data, and proprietary software to the AFCSC.

All room vaults will have a fire rating of no less than a class 125. This safe guards the tapes, hard drives and other back up media, that will stay at an internal temperature of 70 degrees.

All other software will not be collected and stored with the critical software as replacing this software would be able to be retrieved from third party vendors. This software does not contain the sensitive data the other software does. This would include programs like Microsoft Office, adobe, and other licensed software that is more easily recovered.

2.3.2.8 COTR-1 Recovery Procedures

Documentation of the recovery procedures are available for the purpose of ensuring that recovery of the system is successful. Technical system features shall be in place to ensure that recovery is done in a secure and verifiable manner. Because much of our backs up are offsite and will need to be encrypted for any backup procedure that needs to be completed. A dedicated line to the backup site will also be in place to safeguard the information from man in the middle attacks and packet sniffing.

Any problems that are found during the backups whether it is a test for quality assurance purposes or during an actually recover scenario, all issues have inhibited the process will be documented. Any foresight of problems that would inhibit the process will be documented. Once documented mitigation strategies and procedures will be in place.

2.3.3 Service Level Agreement

2.3.3.1 DCDS-1 Outsourcing Risk Assessment

Aperture Technologies will maintain a dedicated team to ensure that all monitoring will be on hand 24x7. This team will handle all incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services. This team will be on premises for administrating the system and ensuring that monitoring is complete and accurate. All personnel will obtain a Q level clearance in order to handle, administer, and monitor the network.

2.3.3.2 COMS-2 Maintenance support for key IT assets

Aperture Technologies will keep a CIRT on site at all times for an instant response to any outage, intrusion, or any other problem that may warrant an instant response to keep the network operational and data secure.

2.3.3.3 COSP-1 Maintenance spares available within 24 hrs

Aperture Technologies will ensure that all hardware, software, and IA tools are on hand in case of system or component failure. This will ensure that operations will be kept running and that all data is kept safe and secure. Immediate replacement of these critical systems leaves no room for down time and keep these parts on hand at the site and restocked ensures that up time is kept to a 99.999%.



3 PROJECT PROPOSAL APPROVAL

The undersigned acknowledge they have reviewed the Project Proposal for the Defense Logistics Information project. Changes to this Project Proposal will be coordinated with and approved by the undersigned or their designated representatives.

Signature:Date: 4/15/23

Print Name: Robert Williams

Title: Senior Information Assurance Technician

Role:

Signature: Date: 4/15/23

Print Name: Kenith Hildreth

Title: Senior Information Assurance Technician

Role:


Print Name:

Title:

Role:


Print Name:

Title:

Role:

4



5 APPENDIX A: REFERENCES

Defense, D. o. (2009). Management of DoD Information Resources and Information Technology 8000.01. District of Colombia: Department of Defense. Retrieved October 1, 2013, from http://www.dtic.mil/whs/directives/corres/pdf/800001p.pdf

Defense, D. o. (2012). Information Assurance Workforce Improvement Program DoD 8570.01-M. Distric of Colombia: Assistant Secretary of Defense for Networks and Information Integration/Department of Defense Chief Information Officer. Retrieved October 1, 2013, from http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Department of Defense. (2007). Department of Defense Directive 8500.1. District of Comlombia: Department of Defense. Retrieved October 1, 2013, from http://www.dtic.mil/whs/directives/corres/pdf/850001p.pdf

Depfense, D. o. (2007). Department of Defense Instruction 8510.01. District of Colombia: Department of Defense . Retrieved October 1, 2013, from http://www.dtic.mil/whs/directives/corres/pdf/851001p.pdf

DOD. (2003). Department of Defense Instruction. Department of Defense. Districe of Colombia : Department of Defense. Retrieved October 1, 2013, from http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf

Government, U. S. (2002). Subchapter III of Chapter 35 of title 44, United States Code, FISMA ACT. Distric of Colombia: United State Government. Retrieved October 1, 2013, from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Instruction, T. a. (1992). No. 4009, "National Information Systems Security Glossary,". District of Colombia : United States Navy.

SANS. (2006, n.d n.d). Acquisition Assessment Policy. Retrieved October 27, 2013, from SANS: http://www.sans.org/security-resources/policies/Aquisition_Assessment_Policy.pdf

SANS. (n.d, n.d n.d). Information Security Policy Templates. Retrieved October 27, 2013, from SANS Website : http://www.sans.org/security-resources/policies/

University of Southern Mississippi. (2008, April 23). Secure Network Infrastructure Policy. Retrieved October 27, 2013, from The Univeristy of Southern Mississippi: http://www.usm.edu/itech/secure-network-infrastructure-policy



6 APPENDIX B: KEY TERMS

The following table provides definitions for terms relevant to the Risk Management PlanTemplate.

Term DefinitionWAN Wide area Network

LAN Local Area Network

SIP Session Initiated Protocol

VoIP Voice over Internet Protocol

Vlan Virtual Local Area Network

WLan Wireless Local Area Network

BGP Boarder Gateway Protocol

ISP Internet Service Provider

OSPF Open Shortest Path First

VLSM Variable Length Subnet Mask

SLA Service License Agreement

VM Virtual Machine

IA Information Assurance


Documents

Robert-DOD Project