Purpose of the security program: This document compiles the high-level
artifacts for the SolMed security infrastructure. The goal is to secure
the Front and Back Office Applications, infrastructure services, access
profiles for software service providers, and business partners. The
SolMed WAN, Data Centers at Denver, Houston, Jacksonville, Los Angeles,
and Phoenix should all be guided by these policies for enterprise
consistency and scalability. Since SolMed operates in a fast-growth
market, this should provide a vehicle to spawn new secured data centers
“on demand” as business requires. This plan should provide the
security-related policies and procedures for documentation, testing,
certification, accreditation, operation, and disposal of EA components
at all levels of the EA framework.
Principles of IT security – The prime security principle is to provide
enterprise authentication and authorization services, with monitoring,
control, and audit capabilities, so that vulnerabilities can be
quickly assessed and rectified. It should also be standardized with
centralized control to make changes effectively and quickly – this is
essential because of the constantly changing patterns of attacks on
networks, assets, and data. We should have SOPs to execute the purpose of
this document. This should promote security-conscious design, assurance,
authentication, and access.
Critical Success Factors – Success factors include:
- Security Awareness
- Incorporate security facets into all aspects of design
- Enterprise Security Training Plans
- Confidentiality
- Integrity
- Availability
- Risk and Vulnerability management
Intended Outcomes – All the critical success factors should be managed
by appropriate metrics. The goal is to provide hardened infrastructure
with clear guidelines for access and account management. It is also
intended to create security awareness that permeates the SolMed
Corporation. We want to make security considerations everyone’s problem,
and not an IT afterthought. There should be no unintended access to the
physical locations or systems, no asset vulnerability, and no unsecured
transmission, all of which are possible risks to a distributed computing
environment.
Performance Measures – These follow the critical success factors:
- System Uptime
- Active and Inactive Accounts
- Network Latency
- Failed Logins
- Physical Access Violations
- Configuration Management Metrics by asset, software versions, and patches
- Configuration Management of Policy Updates by policy version, date, category
Policy Guidance – The security policy should cover the areas of:
Intranet, Extranet, encryption email, virus, passwords, third-party
connections for partners, and acceptable use. The procedures created by
NIST will be used for reference to develop the security policy. FIPS 199
System Categorization, FEA Reference Models, FEA Contexts and Conditions,
and NIST 800-53 Control Selection are best practice examples of security
publications.
Reporting Requirements – The IT Security Program Roles and
Responsibilities will be focused around infrastructure, servers,
networks, and applications. Each group will manage its component of the
policies, implementation and communication plans, maintaining milestones
and schedules for updates that need to be coordinated with the other
groups. An IT Security Focal will be responsible for working with the
Chief Architect and the EA Program Office to publish milestones and
schedules for all components of the EA framework. Reporting will include
the metrics mentioned in the performance measures section.
Concept of Operations – The IT security focal will engage with the
focals from all the levels of the EA framework to cover identity
management, authentication standards, event recording, certifying
trusted, untrusted facilities, and VLANs, setting asset compliance
standards, and approving systems and applications as secure. Only
certified components can be moved to production. A Perimeter Design and
Integration Team (PDIT) will review requests to add to the
infrastructure and will govern the implementation of the security
policy.
Security Program Elements:
- Physical Security: The new facility should provide for physical
security. All employees and partners should have a badge for
identification. The server rooms need to be cipher locked with access
given to those who are authorized to maintain the assets. A log should
be maintained of who is entering the facilities and when. Only US
persons will have access to the Data Centers where all the servers will
be housed.
- Operational and Data Security: Data, server, and application backups
need to be done regularly to protect against situations of system
outage, corrupt data, damaged hard disks, etc. A robust Disaster
Recovery Plan also needs to be instituted for fail-over purposes, to
minimize data and operational time loss. SolMed’s Data Center facilities
also have uninterrupted power supply and on-site generators to provide
24/7 service. SolMed also provides security training on an ongoing
basis. There are basic mandatory training courses that are monitored by
management, and it is every employee’s responsibility to complete these
courses.
- Personnel and Informational Security: SolMed does a background check
on all its employees. Partners have to sign a Proprietary Information
Agreement (PIA) clause and a Non-Disclosure Agreement (NDA) to legally
protect the information. The robust authorization process, Access
Control Policy, and audit controls for non-compliance checks ensure
personnel and informational security.
- Standard Operating Procedures: A test and evaluation environment will
be set up to enable the certification and accreditation process. Any
change to architecture, the Policy Enforcement Points (PEP), any new
application or technology that needs to be injected into the
infrastructure has to go through a Risk and Vulnerability Assessment
(RVA) review before it is approved. The assessment team includes
resources from networking, application teams, operations team, security,
partners, and customers.