Katie Coleman_DoD Project_Final.docx

School: University of West Alabama
Course: 511
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 17

Uploaded by ProfessorSalmon327 on coursehero.com

Project: Department of Defense (DoD) Ready
Katie Coleman
University of West Alabama
CY-511 – Cybersecurity Organization Policy/Management
Dr. Perez
Introduction

After winning a DoD contract, the organization must develop proper DoD security policies to meet the standards for delivery of technology services to the U.S. Air Force Cyber Security Center (AFCSC). The organization has established a cybersecurity framework that aligns with the DoD’s cybersecurity standards and guidelines. The report includes policies that are DoD compliant, compliance laws, controls, standards for all devices, a deployment plan for the implementation of policies, standards, and controls, and DoD frameworks.

Policies that are DoD Compliant

The Department of Defense (DoD) has strict policies, standards, and controls to guarantee the security of its information systems. To stay in compliance with DoD requirements, the company must implement policies, standards, and controls. The organization should create DoD-compliant policies for its IT infrastructure.

The Access Control Policy ensures that only authorized personnel have access to the organization’s IT resources, information, and data. Under this policy, the company would implement strong authentication methods, such as multifactor authentication. The organization must implement role-based access control to grant permissions based on job roles and responsibilities, and must regularly review and update user access rights to ensure they are current and relevant.

The Network Security Policy safeguards the organization’s network infrastructure from unauthorized access and cyber threats. Under this policy, the IT department would implement firewall rules to restrict inbound and outbound traffic and prevent unauthorized access. The IT department would need to regularly update and patch network devices to address known vulnerabilities, and to monitor network traffic for signs of unauthorized or malicious activity using intrusion detection and prevention systems.

The Data Protection and Encryption Policy protects sensitive and classified data from unauthorized access and breaches. The organization must encrypt sensitive data at rest and in transit using approved encryption protocols. Data must be classified according to labeling standards that clearly identify the sensitivity level of the information. The organization needs to implement data loss prevention mechanisms to prevent unauthorized data leakage.

The Patch Management Policy helps ensure that all systems and software are up to date with the latest security patches. Under this policy, the organization will establish a regular patch management schedule for servers, applications, and endpoints. The IT department needs to test patches in a controlled environment before deploying them to production systems. Through this policy, the organization will define procedures for emergency patching in response to critical vulnerabilities.

The Endpoint Security Policy protects individual workstations and devices from malware and unauthorized access. Within this policy, the organization requires the use of up-to-date antivirus and antimalware software on all endpoints. The organization will implement host-based intrusion detection systems to monitor for suspicious activity. The policy will enforce secure configuration settings on endpoints to prevent unauthorized software installations.
The Email and Web Security Policy will ensure the security and proper use of email and web resources. Through this policy, email filtering and scanning will be implemented to detect and prevent phishing attacks and malware. The policy will address education for users about recognizing and reporting suspicious email communications. It will also implement web filtering solutions to block access to malicious or inappropriate websites.

The Incident Response and Reporting Policy will establish procedures for responding to and reporting security incidents. It will require the development of an incident response plan that outlines steps for containment, elimination, and recovery. The policy will establish a clear communication channel for reporting security incidents to the appropriate personnel and authorities. It will outline post-incident analysis that will identify lessons learned and areas for improvement.

The Backup and Disaster Recovery Policy ensures the integrity of data and the availability of the system in the case of data loss or system failure. The policy will implement regular backup of critical data and test the restore process to verify data recovery. It will require the development of disaster recovery plans for key systems and applications, and will outline procedures for recovery and the continuity of business in the case of an event.

The Physical Security Policy will protect assets and facilities housing the IT infrastructure. The policy will implement access controls, surveillance, and monitoring for data centers, server rooms, and networking equipment. The policy will restrict physical access to authorized personnel only and log all activities. It will define procedures for handling equipment disposal to prevent unauthorized data exposure.

The User Training and Awareness Policy ensures the education of employees about cybersecurity best practices and threats. It will provide regular cybersecurity training to employees that covers topics such as phishing, social engineering, and password security. It will implement and conduct simulated phishing exercises that test users’ awareness and responses. The policy will encourage employees to report suspicious activities to the right personnel in a timely manner.

Compliance Laws

The organization is required to comply with various laws, regulations, and standards that pertain to national security, defense, and information assurance. Laws that must be followed by an organization when entering a DoD contract:

1. Federal Acquisition Regulation (FAR) outlines requirements for contracting, procurement, and acquisition processes.
2. Defense Federal Acquisition Regulation Supplement (DFARS) is tailored for DoD acquisition and includes additional clauses and requirements related to cybersecurity, safeguarding sensitive information, and other defense-specific concerns.
3. National Industrial Security Program Operating Manual (NISPOM) outlines security requirements and procedures for classified contracts and establishes standards for safeguarding classified information.
4. Export Control Regulations, which include the International Traffic in Arms Regulations and the Export Administration Regulations. The regulations control the export of defense-related articles, technology, and services.
5. Cybersecurity Maturity Model Certification (CMMC) assesses and certifies the cybersecurity practices and capabilities of organizations in the defense supply chain.
6. Defense Contract Audit Agency Regulation (DCAA) provides audit and financial advisory services to the DoD and other federal entities.
7. DoD Information Assurance Certification and Accreditation Process (DIACAP)/Risk Management Framework (RMF) defines the steps and controls required to achieve and maintain the authorization to operate for IT systems that process, store, or transmit DoD information.
8. DoD 8500 Series includes a set of guidelines and instructions related to information assurance, cybersecurity, and risk management for DoD systems and networks.
9. Defense Industrial Base (DIB) Cybersecurity Program aims to enhance the cybersecurity posture of organizations in the defense industrial base and the adoption of cybersecurity best practices.
10. Controlled Unclassified Information (CUI) regulations define the handling and protection requirements for sensitive but unclassified information that is shared with contractors and partners.
11. DoD Cloud Computing Security Requirements Guide provides security requirements for the use of cloud computing services within the DoD.
12. Anti-Trafficking in Persons (ATIP) regulations require organizations to take measures to prevent human trafficking and forced labor in their operations and supply chain.