Security Plan
Jesus Luna
SNOWBE ONLINE
TABLE OF CONTENTS
INTRODUCTION 1
SCOPE 1
DEFINITIONS 1
WAIVER 5
Revision history: VERSION | STATUS | APPROVED BY | DESCRIPTION | DATE
INTRODUCTION
This document provides a conceptual plan towards adoption and full implementation,
and some general guidance regarding what works and what does not. The plan is based
on experiences with hundreds of other organizations across a spectrum of sizes and
industries.
SCOPE
The standards and procedures set down in the SBO Security Plan apply to all information
systems and resources connecting to the SBO System network.
DEFINITIONS
Authentication - The process of determining whether someone or something is, in fact,
who or what it is declared to be. Depending on the transaction, a more stringent
authentication process may be required.
Credentials - A combination of a username and password that proves the identity of the user.
Encryption or encrypted data - A primary means of protecting the confidentiality of stored or
transmitted data. To read an encrypted file, you must have access to a secret key or password
that enables you to decrypt it. Unencrypted data is called plaintext.
Firewall - Any hardware and/or software designed to examine network traffic using policy
statements (ruleset) to block unauthorized access while permitting authorized
communications to or from a network or electronic equipment.
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning
programming languages and computer systems and can often be considered an expert on the
subject(s).
Hash Function - An algorithm that computes a fixed-size value from a data object of arbitrary
size, thereby mapping the data object to a smaller data object (the hash).
Intranet - A private network for communications and sharing of information that, like the
Internet, is based on Transmission Control Protocol/Internet Protocol (TCP/IP), but is accessible
only to authorized employees within an organization. An organization's intranet is usually
protected from external access by a firewall.
Internet - A global system interconnecting computers and computer networks. The computers
and networks are owned separately by a host of organizations, government agencies,
companies, and colleges.
LDAP (Lightweight Directory Access Protocol) - A software protocol that enables anyone to
locate organizations, individuals, and other resources such as files and devices in a network,
whether on the public Internet or on a corporate Intranet.
Man-in-the-middle Attack - An attack in which an attacker is positioned between two
communicating parties in order to intercept and/or alter data traveling between them.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific
individual. Any information that can be used to distinguish one person from another and can be
used for de-anonymizing anonymous data can be considered
Protected Health Information (PHI) - Under US law, any information about health status,
provision of health care, or payment for health care that is created or collected by a "Covered
Entity" (or a Business Associate of a Covered Entity) and can be linked to a specific individual.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data. See PII and
PHI above.
SDLC - The software development life cycle (SDLC) framework maps the entire development
process. It includes all stages: planning, design, build, release, maintenance, and updates, as
well as the replacement and retirement of the application when the need arises.
Strong Encryption - Strong cryptography or cryptographically strong are general terms applied
to cryptographic systems or components that are considered highly resistant to cryptanalysis.
Strong Password - A strong password is a password that is not easily guessed. It is normally
constructed of a sequence of letters, numbers, and special characters, depending on the
capabilities of the operating system. Typically, the longer the password, the stronger it is. It
should never be a name, a dictionary word in any language, an acronym, a proper name, a
number, or be linked to any personal information about the password owner such as a birth
date, social security number, and so on.
User Authentication - A method by which the user of a system can be verified as a legitimate
user independent of the computer or operating system being used.
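As an added example (not part of the SnowBe Online plan), the following Python check encodes the criteria the Strong Password definition lists: length, a mix of character classes, not a bare number, not a dictionary word, name or acronym, and not linked to the owner's personal information. The minimum length of 12, the small word list, and the personal-information fields (username, names, birth date, SSN) are assumptions; a real deployment would use a full dictionary and the fields the directory actually holds.

```python
"""Password-policy check derived from the Strong Password definition.

Added example; the minimum length, word list and the personal-information
fields used below are assumptions, not values from the SnowBe Online plan.
"""
import re
from datetime import date

MIN_LENGTH = 12  # assumed value; the plan only says "longer is stronger"

# Constructed stand-in for a real dictionary / name / acronym list.
COMMON_WORDS = {"password", "welcome", "summer", "snowbe", "admin", "qwerty"}


def _personal_tokens(user):
    """Strings that must not appear in the password: names, SSN and birth date forms."""
    tokens = set()
    for key in ("username", "first_name", "last_name"):
        value = user.get(key)
        if value:
            tokens.add(value.lower())
    ssn = user.get("ssn")
    if ssn:
        digits = re.sub(r"\D", "", ssn)
        tokens.add(digits)
        tokens.add(digits[-4:])  # last four digits are often used on their own
    dob = user.get("birth_date")  # ISO string, e.g. "1990-04-12" (assumed format)
    if dob:
        d = date.fromisoformat(dob)
        tokens.update(d.strftime(fmt) for fmt in ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y"))
    return tokens


def check_password(password, user=None):
    """Return the list of policy violations; an empty list means the password passes."""
    user = user or {}
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"\d", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < 3:
        problems.append("uses fewer than three character classes")
    if password.isdigit():
        problems.append("is a number")
    lowered = password.lower()
    # Strip digits and punctuation so "Password123!!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("is a dictionary word, name or acronym")
    for token in _personal_tokens(user):
        # Very short tokens would match almost anything, so require at least four characters.
        if len(token) >= 4 and token in lowered:
            problems.append("contains personal information")
            break
    return problems


def is_strong(password, user=None):
    """True when the password meets every criterion above."""
    return not check_password(password, user)


if __name__ == "__main__":
    sample_user = {"username": "jluna", "first_name": "Jesus", "last_name": "Luna",
                   "birth_date": "1990-04-12", "ssn": "123-45-6789"}  # constructed
    for candidate in ("Jesus04121990!!", "Password123!!", "Tr0ub4dor&3-orchid-lamp"):
        print(candidate, "->", check_password(candidate, sample_user) or "OK")
```

The checks are deliberately independent, so the caller can tell a user exactly which rule failed rather than only "rejected"; the personal-information check also covers derived forms (year alone, several date orders, last four SSN digits) that a plain substring test on the raw field values would miss.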
World Wide Web (www) - A system of Internet hosts that supports documents formatted in
Hypertext Markup Language (HTML) that contains links to other documents (hyperlinks) and to
audio, video, and graphic images. Individuals can access the Web with special applications called
browsers, such as Microsoft Internet Explorer.
Virtual Private Network (VPN) - A private network that extends across a public network or the
Internet. It enables users to send and receive data across shared or public networks as if their
computing devices were directly connected to the private network. Some VPNs allow employees
to securely access a corporate intranet while located outside the office.
These are specific individuals or groups within the SBO System and their responsibilities in
relation to SBO Health information security standards and procedures.
Chaired by the OIS Director, the ISW advises the ISM on the development and maintenance of
standards and guidelines that help other SBO users and administrators maintain the
confidentiality, integrity, and availability of the data they handle. It also assists the OIS Director
in evaluating risk analysis surveys completed by individual SBO units and is responsible for
incorporating methods for a systematic, SBO-wide, risk assessment framework through which
appropriate changes in policy, standards, and guidelines are implemented and enforced.
Incident Response Team (IRT) - With the primary goal of protecting the overall computing
infrastructure of SBO, the IRT is responsible for responding quickly to identify threats to the data
infrastructure, assess the level of risk, and take immediate steps to mitigate risks considered
significant and harmful to the integrity of SBO information system resources. IRT members
notify the appropriate department leads of any incident involving their resources.
The IRT consists of the OIS Director and key members of the company network administration
and security staff.
Change Management Policy (5009-CMP) - Applications and systems are increasingly more
complex in their function, interaction, and form. There is an increasing dependency between
resources and applications that can negatively impact operations if not managed and
orchestrated in an organized fashion.
Data Breach Policy (5004-DBP) - The purpose of the policy is to establish the goals and the vision
for the breach response process. This policy will clearly define to whom it applies and under
what circumstances, and it will include the definition of a breach, staff roles and responsibilities,
standards, and metrics (e.g., to enable prioritization of the incidents), as well as reporting,
remediation, and feedback mechanisms.
E-Commerce Policy (5003-ECP) - SBO recognizes the importance of electronic commerce (e-
commerce) activities to its present-day operations. SBO is committed to using e-commerce
activities in a cost-effective manner that promotes accuracy, safety, security, and efficiency.
These activities bring automation and efficiencies to traditional manual tasks and allow quicker
access to information, resulting in improved member service.
Information Flow Policy (5014-IFP) - This policy will work alongside other information flow
policies to ensure that information is communicated effectively through any communication
equipment.
Internet Usage Policy (5002-IUP) - Internet connectivity presents the company with new risks
that must be addressed to safeguard the facility’s vital information assets.
Log Management Policy (5008-LMP) - Logging from critical systems, applications, and services
can provide key information and potential indicators of compromise and is critical to have for
forensics analysis.
PCI Policy Plan (5006-PCI) - The purpose of this policy plan is to ensure that we have the
supporting policies in place to achieve PCI compliance. If the company is not PCI compliant, then
we are unable to process transactions and store customer data, which would result in SBO losing
revenue and ultimately going under.
Privacy Engineering Policy Plan (5013-PEP) - Privacy engineering is the practice of building tools
and processes that apply privacy protections to personal data.
Remote Access Policy (5005-RAP) - Remote access to our corporate network is essential to
maintain our Team’s productivity, but in many cases this remote access originates from
networks that may already be compromised or are at a significantly lower security posture than
our corporate network.
Security Maturity Policy (5017-SMP) - This policy adopts an Information Security Policy
Maturity Model (ISPMM) inspired by the Process Areas and Capability Maturity levels of the
Security Systems Engineering Capability Maturity Model (SSE-CMM).
Systems Audit Policy (5011-SAP) - Audit controls and effective security safeguards are part of
normal operational management processes to mitigate, control, and minimize risks that can
negatively impact business operations and expose sensitive data.
Systems Integrity Policy (5012-SIP) - Systems Integrity is essential for company trust and the
well-being of the company’s system. Furthermore, by having a policy in place that ensures the
integrity of a system, we can prevent data from being altered.
VPN Policy (5007-VPNP) - This policy is to protect SBO's electronic information from being
inadvertently compromised by authorized personnel connecting to the SBO network locally and
remotely via VPN.
WAIVER
Waivers from certain policy provisions may be sought following the SBO Waiver Process.
RESOURCES
PurpleSecure Library
FRSecure
CDE State
Utah State
ResearchGate
CIS Security