Purpose of the security program: This document compiles the high-level artifacts for the Kitty Hawk Aviation (KHA) security infrastructure. The goal is to secure the Front and Back Office Applications, infrastructure services, and the access profiles for software service providers and business partners. The KHA WAN and its domestic and international data centers should all be guided by these policies, for enterprise consistency and scalability. Since KHA operates in a fast-moving European market, the program should provide a vehicle to spawn new secured data centers "on demand" as the business requires. This plan should provide the security-related policies and procedures for documentation, testing, certification, accreditation, operation and disposal of EA components at all levels of the EA framework.
Principles of IT security – The prime principle of the security program is to provide enterprise authentication and authorization services, with monitoring, control and audit capabilities, so that vulnerabilities can be quickly assessed and rectified. It should also be standardized, with centralized control, so that changes can be made effectively and quickly; this is essential because the patterns of attacks on networks, assets and data change constantly. We should have SOPs to execute the purpose of this document. This should promote security-conscious design, assurance, authentication, and access control.
Critical Success Factors – Success factors include:
- Security Awareness
- Incorporate security facets into all aspects of design
- Enterprise Security Training Plans
- Confidentiality
- Integrity
- Availability
- Risk and Vulnerability Management
Intended Outcomes – All the critical success factors should be managed by appropriate metrics. The goal is to provide hardened infrastructure with clear guidelines for access and account management. It is also intended to create security awareness that permeates throughout KHA. We want to make security considerations everyone's problem, not an IT afterthought. There should be no unintended access to physical locations or systems, no asset vulnerabilities, and no unsecured transmissions, all of which are possible risks in a distributed computing environment.
Performance Measures – These follow the critical success factors:
- System Uptime
- Active and Inactive Accounts
- Network Latency
- Failed Logins
- Physical Access Violations
- Configuration Management Metrics by asset, software versions, and patches
- Configuration Management of Policy Updates by policy version, date, category
Policy Guidance – The security policy should cover the areas of: Intranet, Extranet, encryption, email, viruses, passwords, third-party connections for partners, and acceptable use. The procedures created will be used as reference material to develop the security policy. FIPS 199 System Categorization, the FEA Reference Models, FEA Contexts and Conditions, and NIST 800-53 Control Selection are best-practice examples of security publications.
Reporting Requirements – The IT Security Program roles and responsibilities will be focused around infrastructure, servers, networks, and applications. Each group will manage its component of the policies, implementation and communication plans, maintaining milestones and schedules for updates that need to be coordinated with the other groups. An IT Security Focal will be responsible for working with the Chief Architect and the EA Program Office to publish milestones and schedules for all components of the EA framework. Reporting will include the metrics listed in the performance measures section.
Concept of Operations – The IT Security Focal will engage with the focals from all levels of the EA framework to cover identity management, authentication standards, event recording, certifying trusted and untrusted facilities and VLANs, setting asset compliance standards, and approving systems and applications as secure. Only certified components can be moved to production. A Perimeter Design and Integration Team (PDIT) will review requests to add to the infrastructure and will govern the implementation of the security policy.
Security Program Elements:
- Physical Security: All facilities should provide for physical security. All employees and partners should have a badge for identification. The server rooms need to be cipher-locked, with access given only to those who are authorized to maintain the assets. A log should be maintained of who is entering the facilities and when. Only US persons will have access to the Data Centers where all the servers will be housed.
- Operational and Data Security: Data, server, and application backups need to be done regularly to protect against system outages, corrupt data, damaged hard disks, etc. A robust Disaster Recovery Plan also needs to be instituted for fail-over purposes, to minimize data loss and operational downtime. KHA Data Center facilities also have uninterruptible power supplies and on-site generators to provide 24/7 service. KHA also provides security training on an on-going basis. There are basic mandatory training courses that are monitored by management, and it is every employee's responsibility to complete these courses.
- Personnel and Informational Security: KHA conducts complete background checks on all its employees. Partners have to sign a Proprietary Information Agreement (PIA) clause and a Non-Disclosure Agreement (NDA) to legally protect the information. The robust authorization process, Access Control Policy, and audit controls for non-compliance checks ensure personnel and informational security.
- Standard Operating Procedures: A test and evaluation environment will be set up to enable the certification and accreditation process. Any change to the architecture or the Policy Enforcement Points (PEP), and any new application or technology that needs to be injected into the infrastructure, has to go through a Risk and Vulnerability Assessment (RVA) review before it is approved. The assessment team includes resources from the networking, application and operations teams, security, partners, and customers.