RUNNING HEADER: FINAL PROJECT

Innovations Lab
Proposal Document

Student: Frank Ahan

Institution: University of San Diego
Instructor: Ashton Mozano
Class: CSOL-500-01-SU20
Date: 26 June 2020
Innovations Lab Proposal Document 2

Table of Contents

INTRODUCTION ......................................................................................................................................3

STRATEGY ................................................................................................................................................3

ARCHITECTURE ......................................................................................................................................4

IT PLAN FOR THE LAB FOR LEADERSHIP APPROVAL ...................................................................7

CONSIDERATIONS: .................................................................................................................................8

POSSIBLE THREATS AND VULNERABILITIES .................................................................................................... 8

POLICIES THAT NEED TO BE CONSIDERED ........................................................................................................ 9

INCIDENT RESPONSE AND DEFENSE..................................................................................................9

CONCLUSION ......................................................................................................................................... 10

REFERENCES ......................................................................................................................................... 11
Innovations Lab Proposal Document 3

Introduction

The purpose of this document is to set out the strategy, architecture and plan for the new

Innovations lab that the company would like to setup. This lab will accommodate users from

many different government agencies. Security and business continuity, risks, and threats have

been taking into consideration for this proposal.

Strategy

For the innovation lab, it is proposed to use a mixture of the National Institute of Standards

and Technology’s (NIST) Cybersecurity Framework (CSF). The framework’s core has four

elements: Functions, Categories, Subcategories, and Informative References. Within the Functions

there it is organized by cybersecurity activities by the highest levels, and they are Identify, Protect,

Detect, Respond, Recover. Using this basic core and creating different matrixes for different

element of the innovation, it will help ensure that the organizations goals with the lab, as well as

the normal organization business systems and services are put in less risk.
Innovations Lab Proposal Document 4

Figure 1: NIST Cybersecurity Framework Core1

Architecture

The Architecture that is proposed for the Innovation Lab is to have a totally discrete

infrastructure, apart from any development, testing, or production environments from the

organization’s IT Company’s infrastructure. It will be physically located on a different floor and

in a totally separate sever room so as to create an independent lab. This independency will allow

the normal business functions and systems to run without the risk of being brought down with

newly developed projects that the lab will be creating. Also, this will allow the freedom for the

different agencies and users to do things without any creative hinderances.

1
National Institute of Standards and Technology. (2018, May 3). MEP Centers Aid Manufacturers on
Cybersecurity. Retrieved June 26, 2020, from https://www.nist.gov/news-events/news/2018/05/mep-centers-aid-
manufacturers-cybersecurity
Innovations Lab Proposal Document 5

The lab will be divided by the Sever Room, which will contain the Server Farm along with

all the networking equipment that will create the foundation for the lab. All of the environments

will run off virtual servers and virtual machines. There will be some setups that will be self-

contained environments with no access to the internet, in order to ensure security and a more

contained lab and have a controlled data set. Other setups will have access to the Internet, with all

the necessary firewalls and IDS/IPS devices to secure them. There will be no direct access between

the Innovation Lab and the company’s production networks. Each will have their own separate

circuits with a primary and a secondary being installed.

The other part of the Innovation lab will be the lab area itself. Where workstations, and

other equipment will be provided, such as laptop, phones without cellular service, and other such

mobile devices. No outside equipment will be allowed in the lab. If there are any devices that

would be needed it can be requested using the proper procedures.

A cybersecurity infrastructure plan and policy will be put in place, following guidelines

from the NIST. Some elements would include

• Identifying Critical Functions: Organizational Goals, and Compliance requirements

• Baseline Infrastructure: Inventory, Future plans, scalability

• Risk Assessment: Likelihood, Business Impact

• Defense-in-Depth: Secure Perimeter, Authentication, Authorization, Accounting, Least

Privilege

• Monitoring the Network: Collection, detection, analysis

• Securing Software: OS, Web, dbase, Apps

Innovations Lab Proposal Document 6

• Securing Behavior: Incident Response, Admin Controls

Layered Security and controls should also be built into the whole infrastructure, which falls

under Defense-in-Depth.

Figure 2: Defense-in-depth, layered security, featuring controls2

2
https://www.imperva.com/. (2020). What is Defense in Depth | Benefits of Layered Security | Imperva. Retrieved
June 26, 2020, from https://www.imperva.com/learn/application-security/defense-in-depth/
Innovations Lab Proposal Document 7

IT Plan for the Lab for Leadership Approval

The following is the proposed plan for Leadership’s approval to proceed with the

Innovation Lab.

• Server Room commercial grade HVAC and fire suppression

• Access Control equipment

• Servers and racks

• Modems, routers, switches, WAP, and other networking equipment

• Workstations, laptops, phone, mobile devices

• Firewall, IDS/IPS devices with licenses

• Software Licenses: VM, Microsoft, Linux, Github, etc.

• Redundancies: Power, HVAC, BCP devices and software, backup software

• Desks, chairs, monitor, stands, etc.

• VPN setups for international users

For access to the lab, there will be policies and vetting from the various agencies that would

like to participate and use the Innovations lab. Only vetted personnel may be permitted to use and

access the lab. Physical access to the lab will be via company issued access cards. These access

cards will be continuously monitored and will need to be renewed every quarter of a year. The

vetting process will be done again but in a more abridged process. Every entry, for each single

user, per room will need to have a card swipe. Access to the lab will only be permitted while being

accompanied by IT personnel of the company. All entries should be logged and the reason for

entry should be logged as well.

Innovations Lab Proposal Document 8

General user policy for access to workstations and the various VM environments will be

controlled by a domain controller. Usernames and Passwords will be managed by the IT team of

the company. These accounts will be audited along with the quarter end audits of user’s access

control. Entry and exits logs will be audited as well by the IT Security team. For international

users, workstations and laptops will be provided sent out and manage by the company. All VPN

traffic will be monitored. There will be no access to the Innovations lab if not connected to the

correct VPN with the proper encryptions.

Lastly, above and beyond the security audit done by the internal team, an outside vetted

security consultant will do a Security and Risk Assessment on the Innovations Lab. Not

prescheduled but done randomly at the discretion of the consultant agency. This test will be done

at least bi-annually and no more than once a quarter. This will help keep the IT team alert and will

simulate real life security situations.

Considerations:

Possible Threats and Vulnerabilities

There are possible threats and vulnerabilities that can come about with opening the

Innovations Lab. With so many different non internal users it will be hard to spot and thwart a

threat. Hopefully, with the proper vetting from agencies and given the least access with the access

cards it will help to reduce these threats and vulnerabilities.

Another consideration to be kept in mind is infiltrations of malware or bad code. But the

same goes for any exfiltration of data. The innovations lab is meant to be open and creative but
Innovations Lab Proposal Document 9

within the walls of the lab itself. Staff and anyone involved in the Innovation lab should be extra

vigilant of anything that is brought in or taken out of the lab.

Policies that need to be considered

As mentioned above, there are some policies that should be considered. Vetting of users

and guest of the lab should be a requirement. There should not be any external devices allowed

into the Lab, such as any laptops, mobile devices, cameras, or usb devices. These external devices

can be a means where malicious code is introduced, or files may be exfiltrated.

Incident Response and Defense

Part of the Security Policy will entail the Incident response team and what actions are to

be done when. This response team will be cross departmental and will also consist of the Security

consultant agency. The security policy will not be the same as the Company’s overall security

policy but the Innovation Lab will have its own drawn up. That way there is no confusion on who

and what will be addressed if there is an incident that requires action.

If the systems are setup correctly, the first line of defense will be affirmative action from

the IDS/IPS systems that have been setup. The next line of defense will the engineer assigned to

the task of first response once an alert has been made. The engineer will need to verify that the

alert is not a false positive and proceed with next actions to slow down or stop the threat or incident.

If the engineer is not able to handle or stop the incident it should immediately be escalated until

the incident has been taken care of. A post actions and follow up report should be drawn up within

the next 12 hours and submitted to the Incident Response team. Any conclusions and finding
Innovations Lab Proposal Document 10

should be taken note of. Next actions and new solutions should follow close behind to help avoid

with any new incidents from happening.

Conclusion

For the Innovations Lab, it is proposed to have a separate discrete setup from all normal

business systems and functions. This way threats and risks will be minimized, with outside users

international or domestic will have. Tools and equipment will be issued by the company for use

by the users. There will be a security policy setup along with an incident response team specifically

for the Innovations Lab. Lastly, to help ensure the security of the lab, there will be a security

consultant that will work with the IT Security team, but also will be conducting risk assessments

randomly.
Innovations Lab Proposal Document 11

References

National Institute of Standards and Technology. (2018, May 3). MEP Centers Aid

Manufacturers on Cybersecurity. Retrieved June 26, 2020, from

https://www.nist.gov/news-events/news/2018/05/mep-centers-aid-manufacturers-

cybersecurity

https://www.imperva.com/. (2020). What is Defense in Depth | Benefits of Layered Security |

Imperva. Retrieved June 26, 2020, from https://www.imperva.com/learn/application-

security/defense-in-depth/