Evan Anderson
IS4550
Security Policies and Implementation
Course Project
————————————————————————————————————

Department of Defense (DoD) Ready
Purpose
This course project is intended to assess your ability to identify, design, and organize information technology (IT) security policies.
Learning Objective and Outcome
You will be able to develop first-pass IT security policies for your organization and apply learning constructs from the course.
Required Source Information and Tools
To complete the project, you will need the following:
- Access to the Internet to perform research for the project:
- DoD instructions or directives: http://www.dtic.mil/whs/directives/
- Department of Defense interim Rule that imposes new security and reporting requirements on contractors: http://www.privsecblog.com/2015/08/articles/cyber-national-security/dod-new-cyber-security-reporting-rules-for-contractors/
- Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services: http://www.esi.mil/contentview.aspx?id=585
- Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018): https://www.federalregister.gov/articles/2015/12/30/2015-32869/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for
- Department of Defense Proposes New Information Security Requirements for Contractors: http://www.hhdataprotection.com/2010/03/articles/information-security/department-of-defense-proposes-new-information-security-requirements-for-contractors/
- Course textbook
- Project text sheet
This project is due in Unit 11 of the course. You will have ten weeks to prepare for this project.
The project will have weekly status reports, originated by your team, stating the progress and milestones achieved, starting in Unit 3. In that status report, list your team members. These milestones will be the drafts of the policies you will be creating each week starting in Unit 3; they are defined in the deliverables. Your team will submit unit milestones to the instructor for review and comment before the final document is submitted for a grade. These draft submissions are for instructor monitoring and comments only and are not graded; however, if a team does not submit its milestones, a 5% grade reduction will be applied to the final document per milestone missed.
You must submit draft work for monitoring and comments to the instructor on units indicated:
Deliverables
Scenario
You work for a technology company that has recently won a large DoD contract. This contract will add over 30% to the revenue of your organization, so it is a high-priority, high-visibility project, and you will be allowed to make your own budget, project timeline, and toll gate decisions. This course project will require you to form a team of 2–3 fellow students (co-workers) and develop the proper DoD security policies required to meet DoD standards for delivery of the technology services your organization will deliver to the DoD agency, which is the U.S. Air Force Cyber Security Center (AFCSC). To do this, you must develop DoD-approved policies and standards for all your computing equipment (see list below). The policies you create will pass DoD-based requirements. Currently, your organization does not have any DoD contracts and thus has no DoD-compliant security policies or controls in place, or many at all, as you are a new firm of approximately 390 persons.
Your Firm's Computing Environment includes the following:
- 12 servers running Microsoft (MS) Server 2008 R2, providing the following: Active Directory (AD), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), enterprise resource planning (ERP) application (Oracle), research and development (R&D) engineering, Microsoft Exchange Server for e-mail, Symantec e-mail filter, Websense for Internet use.
- 390-plus personal computers (PCs)/laptops running Microsoft Windows 7, Microsoft Office 2007, Adobe Reader and Professional, Visio 2007, and MS Project 2007.
- 2 Linux servers running your Web site on Apache.
Tasks
You should:
- Create policies that are DoD compliant for all organization computing devices
- Develop a listing of any compliance laws required for DoD contracts
- List controls placed on computing devices listed in project handout
- List standards that would be required for all devices listed by IT domain
- Develop a deployment plan for implementation of these policies, standards, and controls
- Develop the project deliverables each unit based on that unit’s content
- List all DoD frameworks that your teams find in the final delivery document
- Hold weekly team meetings with the instructor to be sure your team is proceeding correctly
- Although the project is due in unit 11, it is recommended that you complete it by unit 10 as you have a final exam to take in unit 11.
Deliverables and format:
Submit your answer in a Microsoft Word document of not more than two pages (per draft deliverable).
- Font: Arial 10 point size
- Line Spacing: Double
Self-Assessment Checklist
- I have developed DoD policies and standards for our organization’s computing environment.
- I have involved myself in each of the units and asked questions to the instructor.
- I have found additional references from the original list provided in the project handout.
- I have created an academic paper describing the policies, standards, and controls that would make our organization DoD compliant.
- I have submitted my work per the deliverable timeline to the instructor for monitoring and comment.
Miscellaneous
In your research you will need to use the ITT Tech Virtual Library and other DoD resources to develop your policies so the equipment you send will pass their requirements:
- DoD instructions or directives: http://www.dtic.mil/whs/directives/
- Department of Defense interim Rule that imposes new security and reporting requirements on contractors: http://www.privsecblog.com/2015/08/articles/cyber-national-security/dod-new-cyber-security-reporting-rules-for-contractors/
- Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services: http://www.esi.mil/contentview.aspx?id=585
- Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018): https://www.federalregister.gov/articles/2015/12/30/2015-32869/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for
- Department of Defense Proposes New Information Security Requirements for Contractors: http://www.hhdataprotection.com/2010/03/articles/information-security/department-of-defense-proposes-new-information-security-requirements-for-contractors/