Katie Coleman_DoD Project_Final.docx
School: University of West Alabama
Course: 511
Subject: Information Systems
Date: Dec 6, 2023
Uploaded by ProfessorSalmon327 on coursehero.com
Project: Department of Defense (DoD) Ready
Katie Coleman
University of West Alabama
CY-511 – Cybersecurity Organization Policy/Management
Dr. Perez
Introduction
After winning a DoD contract, the organization must develop proper DoD security
policies to meet the standards for delivery of technology services to the U.S. Air Force
Cyber Security Center (AFCSC). The organization has established a cybersecurity
framework that aligns with the DoD's cybersecurity standards and guidelines. This report
includes policies that are DoD compliant, compliance laws, controls, standards for all
devices, a deployment plan for the implementation of policies, standards, and controls,
and DoD frameworks.
Policies that are DoD Compliant:
The Department of Defense (DoD) has strict policies, standards, and controls
to guarantee the security of its information systems. To stay in
compliance with DoD requirements, the company must implement matching policies,
standards, and controls. The organization should therefore create DoD-compliant policies
for its IT infrastructure.
The Access Control Policy ensures that only authorized personnel have access to the
organization's IT resources, information, and data. Under this policy, the company would
implement strong authentication methods, such as multifactor authentication. The
organization must implement role-based access control to grant permissions based on
job roles and responsibilities. The organization must regularly review and update user
access rights to ensure they are current and relevant.
The Network Security Policy safeguards the organization's network infrastructure
from unauthorized access and cyber threats. Under this policy, the IT department would
implement firewall rules to restrict inbound and outbound traffic and prevent
unauthorized access. The IT department would need to regularly update and patch
network devices to address known vulnerabilities. It would also monitor network traffic for
signs of unauthorized or malicious activity using intrusion detection and prevention
systems.
The Data Protection and Encryption Policy protects sensitive and classified
data from unauthorized access and breaches. The organization must encrypt sensitive data
at rest and in transit using approved encryption protocols. Data must be
classified according to labeling standards that clearly identify the sensitivity level of the information. The
organization needs to implement data loss prevention mechanisms to prevent
unauthorized data leakage.
The Patch Management Policy helps ensure that all systems and software are up to
date with the latest security patches. Under this policy, the organization will establish a
regular patch management schedule for servers, applications, and endpoints. The IT
department needs to test patches in a controlled environment before deploying them to
production systems. Through this policy, the organization will define procedures for
emergency patching in response to critical vulnerabilities.
The Endpoint Security Policy protects individual workstations and devices from
malware and unauthorized access. Within this policy, the organization requires the use
of up-to-date antivirus and antimalware software on all endpoints. The organization will
implement host-based intrusion detection systems to monitor for suspicious activities.
The policy will enforce secure configuration settings on endpoints to prevent
unauthorized software installations.
The Email and Web Security Policy will ensure the security and proper use of
email and web resources. Through this policy, email filtering and scanning will be
implemented to detect and prevent phishing attacks and malware. The policy will
address education for users about recognizing and reporting suspicious email
communications. It will also require the use of web filtering solutions to block access
to malicious or inappropriate websites.
The Incident Response and Reporting Policy will establish procedures for responding
to and reporting security incidents. It requires the development of an incident response plan that
outlines steps for containment, eradication, and recovery. The policy will establish
clear communication channels for reporting security incidents to the appropriate personnel and
authorities. It will outline a post-incident analysis that identifies lessons learned and
areas for improvement.
The Backup and Disaster Recovery Policy ensures the integrity of data and the
availability of systems in the case of data loss or system failure. The policy will
require regular backups of critical data and testing of the restore process to verify that data
can be recovered. It will require the development of disaster recovery plans for key systems and applications
and will outline procedures for recovery and business continuity in the case of an
event.
The Physical Security Policy will protect assets and facilities housing the IT
infrastructure. The policy will implement access controls, surveillance, and monitoring
for data centers, server rooms, and networking equipment. The policy will restrict
physical access to authorized personnel only and log all activities. It will define
procedures for handling equipment disposal to prevent unauthorized data exposure.
The User Training and Awareness Policy ensures that employees are educated about
cybersecurity best practices and threats. It will provide regular cybersecurity training to
employees covering topics such as phishing, social engineering, and password
security. It will implement and conduct simulated phishing exercises that test users'
awareness and responses. The policy will encourage employees to report suspicious
activities to the right personnel in a timely manner.
Compliance Laws
The organization is required to comply with various laws, regulations, and standards
that pertain to national security, defense, and information assurance. The following laws and
regulations must be followed by an organization entering a DoD contract:
1. Federal Acquisition Regulation (FAR) outlines requirements for
contracting, procurement, and acquisition processes.
2. Defense Federal Acquisition Regulation Supplement (DFARS) is tailored for DoD
acquisition and includes additional clauses and requirements related to
cybersecurity, safeguarding sensitive information, and other defense-specific
concerns.
3. National Industrial Security Program Operating Manual (NISPOM) outlines
security requirements and procedures for classified contracts and establishes
standards for safeguarding classified information.
4. Export Control Regulations, which include the International Traffic in Arms
Regulations and the Export Administration Regulations. These regulations control the
export of defense-related articles, technology, and services.
5. Cybersecurity Maturity Model Certification (CMMC) assesses and certifies the
cybersecurity practices and capabilities of organizations in the defense supply
chain.
6. Defense Contract Audit Agency (DCAA) regulations; the DCAA provides audit and financial
advisory services to the DoD and other federal entities.
7. DoD Information Assurance Certification and Accreditation Process (DIACAP) /
Risk Management Framework (RMF), which defines the steps and controls that
are required to achieve and maintain the authorization to operate for IT systems
that process, store, or transmit DoD information.
8. DoD 8500 Series includes a set of guidelines and instructions related to
information assurance, cybersecurity, and risk management for DoD systems
and networks.
9. Defense Industrial Base (DIB) Cybersecurity Program, which aims to enhance the
cybersecurity posture of organizations in the defense industrial base and the
adoption of cybersecurity best practices.
10. Controlled Unclassified Information (CUI) regulations define the handling and
protection requirements for sensitive but unclassified information that is shared
with contractors and partners.
11. DoD Cloud Computing Security Requirements Guide provides security
requirements for the use of cloud computing services within the DoD.
12. Anti-Trafficking in Persons (ATIP) regulations require organizations to take
measures to prevent human trafficking and forced labor in their operations and
supply chain.